Mac OS X Security Part Four: Email Setups For Security

Last week we looked at virus scanners for Mac OS X. This week we will work through specific settings and techniques for Mac OS X email client software with a view to security. The packages I'll be referring to are Apple Mail, Eudora, Pine, and Mozilla, all for OS X. Microsoft will have a version of Outlook or Entourage for OS X presently. Those will give us plenty to do. Of course there may be other packages as well, to which you can extrapolate the general principles we take up here.

In the beginning of internet mail as we know it today, I was using VMSmail, the VMS analog of PINE for unix, except that the former is integrated into the operating system, whereas the latter is a third-party addition. A mere detail right now. These are text-based email clients. We never knew anything different. When html-based mailers, notably Netscape, started appearing, we discovered an unexpected problem. VMSmail truncated lines longer than 255 characters. It had never been an issue before then, because up to that point we had never needed lines, which all ended with hard returns, longer than 80 characters, and usually less than that was about right. Someone suggested that email should be a rich graphical experience, much like web browsing. Our red lights came on blazing, as we had developed a mindset of not sending a single unnecessary extra line in our messages, lest we contribute to the internet bandwidth problem. We were trying to be good internet citizens. We knew that html ramped up the bandwidth use, not by a mere line or two, but by orders of magnitude. Our little efforts to clip a line here and there taken in total would pale against the digital rapids on the internet today. In retrospect, how quaint it all was.

We had underestimated the problem. Not only were html email messages more bandwidth-intensive, particularly with their graphical content (after all, why do html email if you aren't sending graphics?), they also opened up a Pandora's box of security problems. It turned out to be just as simple to program nasty things into html scripts as the now-familiar bouncing balls and other web animations. As well, attachments became routine, once you could drag and drop a file onto an email message. Attachments became the de facto favorite means to transmit viruses, relying on people's innate curiosity (the tabloid kind) to open every attachment, just to see what it is. Perhaps the ILOVEYOU virus did one good thing in bringing that issue to the fore. The Visual Basic script that was attached to a bogus email message caused enough damage to highlight the problem of scripting. I'd bet that the majority of you do not know how attachments were done in the early days of email. A pair of applications named uuencode and uudecode were compiled for unix and VMS early on, and later for DOS and Windows. (StuffIt for Mac has been around for quite a while too, but I can't give you a date there.) To make an attachment, you had to run uuencode on your to-be-attached file, then append the output to your text-based email. At the other end, you had to save your email message as a text file, edit out the header, then run uudecode on the remainder. It was enough of a pain that you'd think twice before using it. The very inconvenience of it precluded any severe abuse. Those were the days.

So you simply have to turn off those great html features in your mailer unfortunately. In Mail for OS X, open up Preferences, Viewing, and uncheck the Download all images box. Pity, but it's your Mac. Just because your sister sent you that fancy page doesn't mean it isn't ridden with problems. I related the story of my older sibling's response to a known email virus infection on her computer. It isn't the virus I'm worried about; it was the casual response. Attitude here, as in so many things, means a lot. Anyway, the other half of this html thing is preview mode, available in most mailers, but not in Mail for OS X. Thank goodness.

To accomplish the same thing in Eudora for OS X, open up Settings, Mailbox Display, and uncheck Show message previews. This is very important, as previewing a message, from the computer's point-of-view, is the same as opening it. Now go to Fonts & Display, and uncheck the three graphics boxes, particularly the Animate animated GIFs box. This is actually pretty fine-edge, because Eudora doesn't run embedded scripts in the first place. But if you keep email to text-only, there is no way for a virus to activate itself through email.

Netscape and Mozilla included a similar checkbox early on in their browsers. It's called Enable Javascript for Mail and News, under the Preferences, Advanced heading. Make sure it's unchecked. To switch off preview mode in Mozilla, simply click the divider that comes up when you start Mozilla Mail. The divider should snap to the bottom and stay there forever. I am certain that Netscape Communicator is not available for OS X at the moment. In case you're using the Mac OS version in a Classic session, look for a checkbox to switch off preview mode.

Microsoft has a track record of reasonably predictable and consistent upgrades within product lines. Based on their current implementations of Outlook Express and Entourage, it's fair to say that you may encounter the preview mode and scripting support features turned on. You need to turn these off. Pull down View, Preview Pane, and uncheck it. The setting will stick forever. Open Settings, Display, and uncheck Show attached pictures. There appears to be no explicit way to disable scripting support. Outlook Express for Windows has a security setting under Tools, Options. I cannot see its analog in the Mac version. Arguably it shouldn't be an option. I refer you to my earlier article on this subject if you plan to run these products under OS X.

If you run any mailer in Classic mode, you need to know that similar security risks exist there too. Switch off preview mode and scripting. Then consider moving over to a native OS X mailer. Eudora Mail works nicely between OS X and OS 9, so that could be an option if you need to boot between operating systems frequently. Eudora has a separate version for OS 9. Keep your real data in your OS X's Home/Documents/Eudora Folder, and place an OS 9 folder shortcut of it called Eudora Folder in your OS 9's /Documents folder. Beautiful.

To truly get that text-only experience, why not download the free Pine for OS X mailer? Pine is available on just about every platform known to man, with a consistent text-based interface across them all. As an added bonus, you can configure OS X for secure shell logins, and login to your Mac from anywhere to check your mail. My linux guy at work does this routinely. Visit the Pine home site for more information.

Once you feel comfortable tweaking your Mac mailer, you'd be doing your Windows users friends a huge favor by showing them how to button down theirs. Consider it.

So much for settings. Now let's look at some best practices for email. The most obvious one is to ignore junk mail, totally! We have elaborate spam filtering set up at my work, and in addition I have a flurry of filters set up on my own Macs. Yet not a day goes by where some junk doesn't get through. Now you know what the Delete button is for. Use it.

Curiosity killed the cat, as the saying goes. Resist that childish (as opposed to child-like) curiosity that wants to open an unknown attachment. While most email-borne viruses target Windows machines, Mac's time will come. Unless you are confident about an attachment, drop it on the floor! Do nothing!

With scripting turned off, there is no way that a raw email message can harm your system. It's just text. Quite a few early hoaxes threatened the end of the world if you didn't take certain steps, such as formatting your hard drive. By now most people recognize these for what they are. Still, resist the urge to act upon or respond to these messages. One current ruse is to get people to "unsubscribe" to a supposed email list. If you fall for this, you actually send a confirmation to the originator that you exist and that you're a sucker. Quite a few of these messages have legitimate-looking originators, so scrutinize carefully. You're only a phone call away from your system manager at work, and at home you are your own system manager. The decision is yours.

As you send out email, make a practice of using Bcc instead of To when you send to multiple recipients. If nothing else, it's good manners. From a security point-of-view, imagine that someone thinks your missive is worthy to be posted to a usenet news group. Along go all of the email addresses, and presently they appear on the 'Net for all to see. Malicious hackers run automated tools to scan these groups and pick off email address out of posted messages. Next thing you know, you too are listed in the Big List that gets resold over the 'Net for $99 time and time again. And it's forever. Your only recourse is to change your address, which is the internet analog of moving out of the neighborhood. Bcc stands for Blind Carbon Copy. Functionally, it works exactly like Cc, without listing the recipient addresses anywhere in the message. Very clever. Conversely, you may indeed want your primary recipient to know that you've carbon-copied to your boss, in which case you know what to do.

My mailer appends the text of a signature file to every one of my outbound emails. Its little message implores recipients to use Bcc instead of Cc whenever there are multiple recipients involved. My good friend with whom I can speak freely told me in the beginning that I was being too insistent. So I forwarded a couple of messages I'd received that very day, messages that each contained a page-full of email addresses. Slam-dunk. Case closed. I've written personal requests to individuals that continued to use Cc anyway. Apparently they don't get it. My only option in the end was to request they don't send me stuff anymore. Sometimes it takes tough love, even on the Net.

Last time I mentioned how I felt that the legalese of one manufacturer's antivirus software might have precluded me from even telling you whether or not I got it running successfully. A supportive individual wrote me and pointed out that most of this stuff is boilerplate, and probably unenforceable. Its purpose is to wield apparent muscle, the way a bully does. Not being a lawyer myself, I prefer to take a diffident attitude and move on - with my wallet - to someone else's product, someone whom I deem to be more reasonable. But this person did make an important point, that I do set an example when I write in public. So I would like to clarify that position by saying, read the legalese, yes, but remember your First Amendment rights too. These guys have no right to weld shut any potentially bad press. It's your call. By the way, rights are spelled out in the Constitution because they are fundamental of themselves, not because they're in the Constitution. Think about that.

Let's recap today's subject. Email is a communication tool. Like any very functional tool, it is open to abuse. The tool itself is neither good nor bad. Disable preview mode and scripting, ignore unknown attachments and junk mail, and use Bcc for multiple recipients. With a little bit of software tweaking and some best practices thrown in, email can serve you very well. Next time, we take up email encryption. Ciao.

Contact the author