How To Avoid New HTML Email Viruses

A UK newspaper story today highlights the growing danger of emails which can infect your computer – even if you do not open an attachment or click on a website link: “This new generation of malware infection uses HTML emails which automatically download a virus when the email is opened. As the email itself is not infected, many antivirus programs will not flag up any alert”.

Although this is not actually a new type of threat, the report suggests it is on the increase so now is a good time to consider how to avoid being infected.

HTML Emails?

Emails you receive can be in plain text format (no pretty pictures or links) or the nicer looking HTML format, which can include multimedia content such as embedded pictures, adverts, logos and website links.

Two versions of exactly the same email are below – the left half shows part of the email in plain text format and the right half is in HTML format:

[Image: html-email, the same email in plain text (left) and HTML (right)]

HTML is the same technology used to create websites – you can be infected by a virus just by visiting a malicious website (called a ‘drive by’ infection) even if you don’t download or click on anything. Likewise, a virus can infect your computer as soon as you start to read a malicious email created in HTML format – without you opening any file attachments or clicking on any website links in the email…

In the example above, the visible adverts and links in the HTML version have been stripped out of the plain text version – along with any hidden virus links or automated malicious downloads. For these reasons, it is safer to read emails in plain text format – and turn off HTML.
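The difference between the two views can be checked on a saved message. The following Python example is added here and is not part of the original article: it lists the elements an HTML-rendering mail client would fetch or run as soon as the message is opened, and returns the plain-text view instead. The names `inspect_message` and `AutoLoadFinder`, and the sample message with its `.example` hosts, are constructed for illustration.

```python
from email import message_from_string, policy
from html.parser import HTMLParser

# Tags whose URL attribute an HTML-rendering client fetches without a click.
AUTO_LOAD = {"img": "src", "iframe": "src", "script": "src",
             "embed": "src", "object": "data", "link": "href"}

class AutoLoadFinder(HTMLParser):
    """Records auto-loading content and the visible text of an HTML body."""
    def __init__(self):
        super().__init__()
        self.findings, self.text, self._skip = [], [], False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        self._skip = tag in ("script", "style")  # their bodies are not visible text
        if tag == "script" and not attrs.get("src"):
            self.findings.append(("script", "inline"))
        url = attrs.get(AUTO_LOAD.get(tag, "")) or ""
        if url.lower().startswith(("http:", "https:", "//")):
            self.findings.append((tag, url))  # remote fetch; cid: images are local

    def handle_endtag(self, tag):
        self._skip = False

    def handle_data(self, data):
        if not self._skip and data.strip():
            self.text.append(data.strip())

def inspect_message(raw):
    """Return (findings, plain_text_view) for a raw RFC 5322 message string."""
    msg = message_from_string(raw, policy=policy.default)
    finder = AutoLoadFinder()
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        finder.feed(html.get_content())
        finder.close()
    plain = msg.get_body(preferencelist=("plain",))
    # Prefer the sender's plain part; otherwise fall back to the HTML's visible text.
    text = plain.get_content().strip() if plain is not None else " ".join(finder.text)
    return finder.findings, text

# Constructed sample: one message carrying both a plain-text and an HTML part.
SAMPLE = (
    'Subject: Weekly offers\nContent-Type: multipart/alternative; boundary="b1"\n\n'
    '--b1\nContent-Type: text/plain\n\nWeekly offers: see our website.\n\n'
    '--b1\nContent-Type: text/html\n\n<p>Weekly offers</p>\n'
    '<img src="http://t.example/p.gif"><iframe src="http://d.example/x"></iframe>\n'
    '<script>document.title = "offers";</script>\n--b1--\n'
)
```

Calling `inspect_message(SAMPLE)` returns three findings (the remote image, the iframe and the inline script) alongside the plain-text body, none of which the plain-text view ever loads.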

The following guides to switching to plain text format cover the most commonly used email programs.

Disable HTML In Outlook Express OR Disable HTML In Windows Mail

  • Open the email program and select ‘Tools’ from the menu bar
  • Select ‘Options’ then select the ‘Read’ tab
  • Select (tick) the ‘Read all messages in plain text’ checkbox and press OK

Now all emails you read will be in plain text. If you want to revert a particular email to HTML (e.g. it is from a trusted source and you must see pictures/links in it) click ‘View’ then ‘Message in HTML’ – the keyboard shortcut for this is Alt + Shift + H.

Disable HTML In Windows Live Mail

  • Open Live Mail and select ‘Options’ from the ‘Menu’ button (to bring up the Menu you can press Alt + M)
  • Select the ‘Read’ tab
  • Select (tick) the ‘Read all messages in plain text’ checkbox and press OK

Now all emails you read will be in plain text – if you want to revert a particular email to HTML (e.g. it is from a trusted source and you must see pictures/links in it) click ‘View’ then ‘Message in HTML’.

Disable HTML In Outlook 2003

  • Open Outlook and select ‘Tools’ from the menu bar
  • Select the ‘Preferences’ tab
  • Click the ‘E-mail Options’ button
  • Select (tick) the ‘Read all standard mail in plain text’ checkbox
  • Also select (tick) the ‘Read all digitally signed mail in plain text’ checkbox and press OK twice to close

Now all emails you read will be in plain text. If you want to revert a particular email to HTML (e.g. it is from a trusted source and you must see pictures/links in it) do the following:

  • Click the InfoBar at the top of the email which states ‘This message was converted to plain text’ then choose ‘Display as HTML’ – this is a per email setting.

Disable HTML In Outlook 2007

  • Open Outlook and select ‘Tools’ from the menu bar
  • Select ‘Trust Center’
  • Click ‘E-mail Security’
  • Under ‘Read as Plain Text’ select (tick) the ‘Read all standard mail in plain text’ checkbox
  • Also select (tick) the ‘Read all digitally signed mail in plain text’ checkbox and press OK twice to close

Now all emails you read will be in plain text.

If you want to revert a particular email to HTML (e.g. it is from a trusted source and you must see pictures/links in it) do the following:

  • Click the InfoBar at the top of the email which states ‘This message was converted to plain text’ then choose ‘Display as HTML’ – this is a per email setting.

Disable HTML In Outlook 2010

  • Open Outlook and select the ‘File’ tab in the Ribbon menu
  • Select ‘Options’ on the menu
  • Select ‘Trust Center’ on the Options menu
  • Select the ‘Trust Center Settings’ tab
  • Click ‘E-mail Security’
  • Under ‘Read as Plain Text’ select (tick) the ‘Read all standard mail in plain text’ checkbox
  • Also select (tick) the ‘Read all digitally signed mail in plain text’ checkbox and press OK twice to close

Now all emails you read will be in plain text. If you want to revert a particular email to HTML (e.g. it is from a trusted source and you must see pictures/links in it) do the following:

  • Click the InfoBar at the top of the email which states ‘This message was converted to plain text’ then choose ‘Display as HTML’ – this is a per email setting.

Conclusion

It is good security policy to disable HTML in email programs to avoid ‘drive by’ threats from virus infected HTML emails which your antivirus program may not pick up.

Remember that even an email from someone you know and trust may contain a virus infection e.g. if their email account was hacked or they have a virus that spams everyone in their address book – just ignoring the most obvious spam emails may not be enough protection.

Another way of dealing with malicious emails is to use a spam blocking utility like Mailwasher which I reviewed here – this blocks spam before it reaches your email program and only downloads the headers (author, subject, date and size) in plain text.

Therefore you can delete suspicious emails before they are downloaded to your computer – Mailwasher also learns which emails are spam and marks them as such to make it easier for you to pick out the bad ones.

3 Responses to: "How To Avoid New HTML Email Viruses"

  1. Ries says:

    Will my virus scanner not sound an alarm when a virus wants to execute after downloading?

    • Roy says:

      Good question Ries. In theory it will – but only if it recognizes it as a virus… Even the very best antivirus programs are only 95-98% effective at detecting viruses and most of those detected will be easy/old ones.

      If the virus is a new/complex one it may pass through unnoticed – in my PC repair business most virus infected computers I see DID have up to date antivirus but still got infected. The more viruses you encounter, the more likely that one will slip through your antivirus undetected – safe surfing, not opening unknown attachments, reading emails in plain text etc. all contribute to reducing the number of viruses that your antivirus has to deal with.

  2. Ries says:

    Thanks Roy, for the quick reply.