Email File Attachments You Should Not Open

The best advice concerning email attachments I could ever give is to simply never open them. But that’s unreasonable considering so many people trade files in email these days, be it documents, video clips or the like.

There are certain file types I absolutely will not open, or will only open using an alternative method.

And here they are:

.EXE

Fortunately, most email servers outright ban sending .EXE files, and I think that’s good judgment. This is an executable file in Windows. You have no idea what it will do. And it may not be something your anti-virus/spyware/malware scanner can detect. You never know.

On the extremely rare occasion I get one of these, I will only open it in a virtual machine environment. And if it blows that up, no big deal because I can just kill the session and create another.

.ZIP

When someone cannot send an .EXE, they archive it with ZIP and send it that way. Well, it’s just as bad.

.PDF, .DOC, .XLS

DOCs and XLSes can contain anything from simple macro viruses (relatively harmless, but they annoy the crap out of you) to full-blown malicious code.

I do not open these locally. Instead I bring them into Google Docs.

Funny, true and somewhat sad story:

Years ago at a help desk job, the manager walks in and tells us all that there’s a particular applicant (we needed a position filled) who absolutely won’t be getting the job. Why? Because he sent his resume as a Word DOC, and it had a macro virus in it.

See the irony here. The guy was applying for a tech-help position yet sent his resume with a virus in it. Just plain sad.

.WMV, .ASF, .ASX, .MOV

WMV is Windows Media Video. ASF is Advanced Systems Format. ASX is Advanced Stream Redirector (yet has an X and I don’t know why, nor do I care). MOV is the Apple QuickTime Movie format.

All of these are video formats. And all routinely contain malware in them. I won’t open any sent to me.

Workaround: If it’s something I have to view, I’ll upload it to YouTube as a private video and watch it that way. Yes, that’s a real long runaround just to watch a vid, but it guarantees no malware code will be launched on my local system.

Is there a safe video format? Yes. MPEG or just MPG. But nobody uses that anymore unfortunately. Not when trading files in email anyway.

File formats I have no problem opening

Any image (BMP, GIF, JPG/JPEG, TIF/TIFF)

To the best of my knowledge there is no malicious code that can be executed from a static image format. With project files (such as Adobe Photoshop projects) I’m not sure.

HTML formatted email

I used to be very anti-HTML when it comes to email but not so much these days. Both local email clients and web-based ones have become "smart" enough not to load images or any other "bad" stuff automatically like they used to.

Audio files (MP3, WAV)

I have never received a virus or been infected with malware from a static audio file.

Unknowns?

If I receive an email with an attachment that has a format I’ve never seen before, I’ll Google it first to see what it is and decide whether to open it or not.

Example: I received a file from a friend once that was a 3G2, and had no clue what that was. I Google’d it and found it was a video file. In particular, 3GP format. When someone sends a video to you from their cell phone, chances are it will be this file type. You can use QuickTime to view it or just upload to YouTube privately to check it out.

Being it was sent to my email from a cell phone, I knew there was no virus or malware within it and it was safe to open.

I recommend this to anyone who receives files where you just don’t know what it is. Google it first and make your call from there.
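As an added illustration (not code from the original article), the Python below identifies each attachment by its leading bytes instead of its filename, which covers both the advice above about unknown formats and the earlier point about an .EXE sent inside a .ZIP. The signature table, function names and the sample message are assumptions constructed for this example.

```python
import io
import os
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# (leading bytes, offset, type, extensions that honestly go with that type)
SIGNATURES = [
    (b"MZ", 0, "exe", {".exe", ".scr"}),                       # 2 bytes only: coarse
    (b"PK\x03\x04", 0, "zip", {".zip", ".docx", ".xlsx"}),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", 0, "ole2", {".doc", ".xls"}),
    (b"%PDF", 0, "pdf", {".pdf"}),
    (b"\x30\x26\xb2\x75\x8e\x66\xcf\x11", 0, "asf", {".wmv", ".asf"}),
    (b"ftyp", 4, "isobmff", {".mov", ".mp4", ".3gp", ".3g2"}),
]

def sniff(data: bytes):
    """Return (type, expected extensions) from the leading bytes, ignoring the name."""
    for magic, off, kind, exts in SIGNATURES:
        if data[off:off + len(magic)] == magic:
            return kind, exts
    return "unknown", set()

def triage(filename: str, data: bytes) -> list:
    """Return findings for one attachment; an empty list means nothing flagged."""
    kind, exts = sniff(data)
    ext = os.path.splitext(filename.lower())[1]
    # The mismatch test is always true for unknown content (empty extension set).
    findings = [f"named {ext} but content is {kind}"] if ext not in exts else []
    if kind == "exe":
        findings.append("Windows executable")
    if kind == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    with zf.open(info) as member:
                        if sniff(member.read(8))[0] == "exe":
                            findings.append(f"archive contains executable {info.filename}")
        except (zipfile.BadZipFile, RuntimeError):   # corrupt or password-protected
            findings.append("archive could not be inspected")
    return findings

def scan_message(raw: bytes) -> dict:
    """Map each attachment filename in a raw message to its findings."""
    msg = message_from_bytes(raw, policy=policy.default)
    return {p.get_filename(): triage(p.get_filename(), p.get_payload(decode=True))
            for p in msg.iter_attachments()}

def build_sample() -> bytes:
    """Constructed message: fake EXE named .doc, EXE inside a ZIP, phone video."""
    exe = b"MZ" + bytes(62)                  # stand-in bytes, not a real program
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("clip.exe", exe)
    video = b"\x00\x00\x00\x18ftyp3g2a" + bytes(12)
    msg = EmailMessage()
    msg.set_content("see attached")
    for name, body in [("resume.doc", exe), ("clip.zip", zbuf.getvalue()), ("phone.3g2", video)]:
        msg.add_attachment(body, maintype="application", subtype="octet-stream", filename=name)
    return bytes(msg)
```

Calling `scan_message(build_sample())` flags `resume.doc` and `clip.zip` and leaves `phone.3g2` with no findings. A match on leading bytes only identifies the container; it says nothing about macros or malformed data inside a file of the expected type.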

Are there attachments you absolutely won’t open?

Let us know in the comments.

Comments

  1. Rich, being a bit anal aren’t you? I mean, not opening a Word doc?!?! Com’n.

    If you want to protect yourself even better, I would suggest not using the world wide web. In fact, you might want to consider disconnecting the ethernet cable from the back of your computer.

    Or, you could simply install anti-virus software and not be so paranoid.

    • That was a seriously lame attempt to be funny if that’s what you were going for.

      You’ve obviously never worked a help desk. Or if you have, the help desk you work must suck of biblical proportions.

      You don’t open attached Word DOCs locally in a non-enterprise environment, period. It is absolutely foolish to put blind faith into a file format that can carry viruses so easily – especially a Microsoft format.

  2. Yeah, it was a seriously lame attempt at humor. I have worked a help desk, and no, it did not suck. I would also propose that the help desk calls would increase by blocking these attachments. “How come I can’t open a *^$&*%$* PDF file?!?!?!”

    I understand your point, but balancing productivity versus risk is something that some network nazis fail at. I just think that blocking opening of most of these file attachments crosses the line.

    I hereby agree to disagree with you. :)

  3. You know you can turn off Macro functionality, right?

    Suggesting no-one opens a word doc is completely OTT.

    Discretion is the name of the game. Simple common sense. A MOV file is FINE as long as you know you’re expecting it.

    Your suggestions above would add so much time to day-to-day computing that you could actually open anything, get a virus, clean it up and still break even time-wise.

    I oversee about 45 Windows based machines and the *only* virus ever encountered was from good-ol java exploitations. Even then Avast! blocked the download…

    Why is this? Because you will save 10x the time and hassle by educating the users on common sense computing. DOC = BAD does not instil common sense, it instils black and white thinking. I have to deal with other companies every day who say “I can’t open PDF files anymore .. I.T. don’t allow it.” It is a f**king nightmare.

    “Attachment you are expecting from a known sender = good” should be the method taught, exempting of course the EXE scare story.

    Also, you missed:

    VBS – still widely used virus carrier and often unknown.
    SCR – the ol’ file that looks like a screensaver
    To be vigilant for any file named “report.exe.doc” or similar.
    Finally, more and more are using phishing tactics, linking to an external site for the download (where an EXE flies well)

    What file extension is being used is almost completely irrelevant, it’s all about the sender and the content (i.e. expected)

    Please name me a virus that can do the voodoo of injecting itself into every MOV, AVI and DOC out there? Computer viruses have been treated like this since about 1999, but really they are highly targeted and replicate themselves, rather than infecting *everything.*

    • What’s more time consuming, cleaning out an infected virus, which can take up to an hour depending on how nasty it is – assuming your anti-virus catches it, or simply not opening suspect files or opening them using alternative methods?

      Attachments from known senders do not auto-qualify as “good”; these should still be scanned or opened using alternative methods regardless. The only exception to the rule is enterprise environments because you have someone else (like yourself) to take care of the problem should a virus occur.

      Name you a virus that can “do the voodoo” as you say? No problem. Just about every video downloaded on P2P as a “funny clip”. Supervisor’s wife forwards the infected attachment from outside the environment to in-production (his email inbox), he opens it, anti-virus doesn’t catch it, infects his computer, then forwards that to all the PCs you oversee after that. Hope you enjoy cleaning out all those 45 PCs, even though you *told* the guy “DON’T DO THAT”.

      You, especially as someone who works in the environment, know this happens.

      Education and common sense with email begins with knowing what *not* to open.

      • I will be diplomatic here, and state that your PC environment is clearly different to the one I am referring to.

        If you suggest that any workplace shouldn’t be opening DOC / ZIP / PDF or XLS files then I worry, I do. Even if you do open it in Google docs first then the macro virus (if present) will not be detected, leaving that doc in badly supported purgatory. The vastly preferable option is just to disable macro! Then your DOC and XLS files are safe to open.

        Now, here is where the problem lies. I openly accept that P2P videos are dodgy .. but the voodoo I refer to is one of these videos magically infecting another, safe, video.

        Telling users to accept email attachments that are EXPECTED+From a trusted source is the only way to go.

        Take this scenario:

        Jane records a video of his daughter to send to Bob, who is working overseas. Their camera makes a MOV file. She speaks to him on the phone, and tells him that she is sending it. Bob, on receiving this, should NEVER consider this a virus .. because the chance of it being so is so close to zero it’s silly.

        Take this scenario:

        Bob is at work. He receives a video file that is apparently in an email from Jane. The email certainly doesn’t look like her usual style… where is the love? This, is where caution should be exercised.

        Now, I’m not suggesting people open anything, but telling people to tip toe around their online lives for fear of virus attack is silly, and takes the joy out of computing. This is what leads people to be too scared to do anything because it might break.

        Ironically, you suggest that HTML email and JPEG images are fine. What!? You know that a JPEG header was a very famous virus exploit, right? And you know most malicious redirects and tracking is done in HTML, yes? Other than EXE files these two are the most dangerous.

        This, above, is the danger of your silly black and white policy. It’s never that simple. Danger is based on content and intent, and NOT form. You need to tell users to assess what they are looking at, not check it against a list that is in-exhaustive, and frankly inaccurate.

        The best policy, by leap years, is a good training on these basics and (frankly) regular disk imaging to wipe it back if it happens. As of yet, this has only been required for a major installation f**k up on a set of creative drivers.

        Viruses by email attachment are a dying threat. Ask Symantec. Take a look at the top 25 virus threats and count how many are arriving by email .. it’s insignificant. Where is your article on drive-by downloads and malware infested websites, the real threat?

        • Jumpin’ Hey-Zeus that comment was way too frickin’ long.. ugh. Fine, I’ll go long.

          I didn’t say enterprise shouldn’t be able to open standard office suite extensions. They can because they have a person like you to fix it; it’s part of your job. The rest of us don’t have I.T. employees at the ready.

          Trusted users cannot be trusted with attachments using file extensions known to harbor viruses and malicious code, period. To believe otherwise is to be a fool. Murphy’s Law will eat you for breakfast with that line of thinking.

          The JPEG exploit you mention was a problem 5 years ago and fixed: http://www.microsoft.com/technet/security/Bulletin/MS04-028.mspx You might want to try something a tad more recent. And BESIDES WHICH, all webmail providers *and* mail clients auto-block images even for all senders and detect malformed JPEG images automatically. HTML-based mail is also auto-filtered on arrival. Your example is old and was taken care of ages ago on all fronts.

          You trust the same guys that brought us the dreaded Norton Security Suite.. the same one that proved almost impossible to uninstall – so much so they had to release a removal tool. Symantec can go pound sand.

          Per your “drive-by download” point, phishing filters are in all major browsers now. I don’t have to write an article on it because the issue has already been addressed.

  4. Firstly – I want to clear something up, I do not “trust” Symantec. Their website however is a really good resource for current threat situation analysis. As are many, actually. Frankly, it was the first name I plucked out of the hat .. though apparently the new versions are much, much better.

    Anyhoo..

    There is a serious lack of logic in your argument. You state phishing attacks are irrelevant because there are filters? Shouldn’t that make viruses irrelevant because AV is a filter? AV screening is about 98-99% effective, whereas I have only had Google / Firefox block a handful of the sites that I visited **that I knew were bad** to test the filter. It’s a seriously weak effort, blocking only the most virulent sites.

    I know the JPEG hole is fixed, I mentioned it to show how your black/white policy is flawed, exceptions to the rule wreak havoc. You simply can’t say “all this is always bad” and “all this is always ok” and leave it at that. The policy of actually saying WHY is how people learn. But then we wouldn’t need blogs like this, would we? ;)

    Email clients don’t block images from all senders .. not when almost everyone allows them from known senders (the kind hijacked). I use a HTML image tracker in bulk emails and somewhere between 70-80 of emails opened load HTML images. Even when there are no actual images to be “unblocking” I see upwards of 30%.

    You say “Trusted users cannot be trusted with attachments using file extensions known to harbor viruses and malicious code, period. To believe otherwise is to be a fool.”

    And you know what? I agree!! What we disagree on is your threat assessment of a DOC / XLS / MOV file, which, and I will say it again, CAN HAVE THE VULNERABILITY TURNED OFF! And the PDF virus, like the JPEG, is closed. Please, if you are going to swing that big hammer of damnation, do it fairly across the board. Where, pray tell, is the AVI? Much more vulnerable than a MOV.

    Finally, the vulnerabilities in the movie files, are forced redirects / links to infected websites for a good ol’ driveby. If your magical corbomite browser filter was any good, then movie files are also safe. Not to mention, that by the time they have propagated on P2P A/V signatures are more than a match.

    • Symantec is just a bad example all around. The “threat info/threat center” centers from McAfee or Trend Micro are (somewhat) more trustworthy.

      I never said phishing attacks were irrelevant.

      There is no video that is loaded exclusively by the browser alone and that’s why phishing filters don’t filter them out, genius. When the browser encounters a video file it will pass by known extension (.AVI, .WMV, .MOV, etc.) to the appropriate application be it embedded within as a plugin in-browser or as an app outside the browser. Once the file is opened by its respective app, that’s where the scripting/redirecting happens and not before and that’s why the phishing filter doesn’t pick it up first. If you knew anything about browsers you’d understand that.

      However, as I said in the article in very plain English, if you open these files using alternative means such as YouTube, never will you encounter any redirects or malicious code.

      If you want to continue to blab away about trusted users that still send infected files regardless, ancient holes that were patched 5 years ago, horrible anti-virus products that are near-impossible to uninstall and so on, go right ahead. If it makes you feel better to spout that crap out, whatever. I’m not the boss of you.

      I couldn’t care less how many people like you say it wastes time to open files using alternative means or not open them at all, because it’s more important to me to stay secure rather than open a file that compromises my system, period.

  5. You know, I’m now beyond caring. If you can’t accurately judge what files might be harmful, then please run around like that.

    But to clarify a couple of points:

    a) I know how browsers work .. I think we talked cross-purposes here. The video itself does not have malicious code in it, they can’t contain executable code. What they do is simply make reference to a fake codec, then ask you to visit blahblah.com to download and retrieve it. Of course, once you have landed on that site, you’re already hit with the nasty. My browser point is this, if your malware filter is any good then the best a dodgy video can do is send you to a website that is blocked.

    b) Oh just drop the Symantec bashing. It’s not 2002 anymore, they’re bleugh at worst, and their threat centre is pretty much the same.

    c) “opening video files via youtube” is not the same as opening the file you might want. It’s at least transcoded another time … and more than that you are adding an unnecessary workload (which might read visit site>subscribe>confirm>upload>wait processing>send …) to the person wanting to send you the video, all so you can sit behind your imaginary wall of solitude.

    You say I blab about ancient holes in software … well you know all the macro viruses that you cry about are essentially exploiting said holes? As with the PDF? And, for the most part, your video formats? Can you not see the hypocrisy? The viruses that you cower behind your elaborate workflows from are no more a threat to an updated system than the JPEG exploit. Bar, of course, the EXE / ZIP argument.

    “I couldn’t care less how many people like you say it wastes time to open files using alternative means or not open them at all, because it’s more important to me to stay secure rather than open a file that compromises my system…”

    You know, I can vaguely agree with you. But here is the point once more, there is no threat (at least no-more than can be had from day-to-day web browsing). The sad thing is, you don’t see it.

    Surely what you are doing here is trying to exercise best practise, and avoid any potentially unpatched holes, that a new virus might wander thru, via a DOC or whatever. But, that could quite frankly leave you with *any* vector of assault to cover (the JPEG hole was VASTLY effective because it was unexpected – there is nothing to stop the same happening to your “safe” file formats – in particular the MP3) .. and you’re back to just opening files from people you trust, with known content. Do you not see?

    Anyway .. if you want to live the life of a simpleton (this bad, this good) then go ahead. Hopefully anyone reading this is more keyed in to practicality and will actually perform a threat assessment, which is frankly both quick and easy.

  6. Martin Thomas says:

    Are you for real Rich?

    You’ve been completely schooled by more than one commenter and your reaction is to behave like a YouTube poster? With silly half relevant links?

    There is a huge difference in saying you “might be wrong” in an opinion piece to actually saying “I was wrong.”

    By the way, I watched an Mp4 earlier, so make sure you don’t open this post.

    Loved your trying to “tl;dr” yourself out of a lost cause argument, like a petulant teenager!

    Keep it up, you might attract more readers. But no respect, trust me.

    • Your comment is short and to the point – the kind I like (and readers like). You didn’t dilly-dally, dance around or do any of that nonsense. The other guy’s is 500 frickin’ words. As if I’d read that. That’s not a comment at that point, it’s a dissertation as far as I’m concerned.

      I literally lose interest over the 250-word mark. If that happens it is a for-real tl;dr from me and not a cop-out. I even annoyed MYSELF by going slightly over 250 with one of my own replies.

      Whether the commenter is correct or not doesn’t matter because any point made was totally lost for waffling.

      And it’s true, I get no respect.
