|
![]() |
|
Due to the proliferation of Microsoft Outlook based viruses, I no longer accept messages from Microsoft Outlook which contain attachments of any type. This includes messages which have HTML or Rich Text.
If you need to get an attachment to me, please send it via some other email software or write to me (without attachment of any type) to ask about alternatives.
If you did not intend to send an attachment, please read the instructions on how to configure your email packages to send plain text email.
Please avoid sending me Microsoft Office file attachments. If you must send me word-processor or presentation files, please convert to an open vendor-neutral royalty-free file format such as the one used by OpenOffice.org.
If you are unaware of the OASIS open office XML file format, I can make a presentation to your organization such as the one I prepared for Real World Linux 2003.
While it is possible for me to open and save-as Microsoft Office file formats using OpenOffice.org, as you will note in the documents from the Free Software Foundation discussing Palladium or some other "treacherous computing", this may not apply to future versions of these file formats. It is best for all computer users if we work together to migrate entirely away from file formats that are controlled by single vendors and instead switch to open vendor-neutral royalty-free file formats.
Note: Sometimes I make exceptions and accept Microsoft Office files, import them to OpenOffice.org, make changes, and send back in the OASIS open office XML standard format. If the recipient can't read this open vendor-neutral royalty-free file format then it is obviously a deficiency of their inferior office productivity software. Unlike Microsoft Office files which only work well with specific versions of specific brands of tools, the OASIS open office XML format is well documented and you can even download the reference implementation (OpenOffice.org) for free!
What not to email
Email is safe unless it contains programs. (Data and documents are fine, programs are not). If you send me a program, I will not run it, as it could damage my system and could be a virus.
- Note: Documents for Microsoft word, Excel, and possibly other Office programs tend to execute programs (scripts) in what you would expect to be harmless documents. These can expose my machine to viruses, because these programs do not (it seems) prevent scripts from running within a document when it received by email. Please do not send me Microsoft Office documents.
- If you are sending text, please send it as plain text or HTML. If you use your favorite word process, slide tool, etc, and send it in that program's format, then you are forcing me install proprietary software on whatever machine I read them on.
- If your email is sent from Microsoft Outlook, and contains an attachment, I will be more likely to discard it as I understand that a famous series of viruses in 2001 resulted from Outlook's tendency to execute scripts in email, and used up a huge amount of my and my colleague's time.
It needs to be remembered that the viruses that attack various email packages, primarily those from Microsoft, are not the result of accidents. They are the result of deliberate design flaws, where adequate security warnings were provided by the standards bodies that documented the Email standards.
Nor should the blame be put only onto the authors of the malware who make use of these design flaws. If someone put a sign on their own unlocked door saying "please walk in and steal from me", would you put all the blame for this crime on the person that commits the theft? For more on this idea, please read: Opinion: Idiocy Imperils the Web by Jim Rapoza of e-Week.
The relevant standards document that Microsoft needed to read in order to implement file attachments are as follows:
RFC 1341 , dated June 1992. This was was updated by RFC 1521, dated September 1993. This was further updated by Multipurpose Internet Mail Extensions (MIME) Part Two: Media Types RFC 2046 , dated November 1996.
See: 4.5.2. PostScript Subtype
Postscript is given as a popular file format at the time which contained a rich enough language to contain scriptability. The same security warnings apply to HTML, PDF and especially Microsoft Office files which also contain scripting feature. These file types were not mentioned as they were not yet popular to be transmitted by email at the time the documents were authored.
Pretty much all the high profile (those that are bad enough that they show up in the mainstream media) viruses make use of this design flaw where Microsoft Outlook will automatically view an attachment, and the attachment viewer automatically executes scripts that are contained in the attachment.
Microsoft Outlook was first released as part of Microsoft Office 97, released late 1996. Outlook replaces Microsoft Exchange client, which replaced Microsoft Mail in 1996.
To the question "Does Microsoft Mail support MIME?", the comp.mail.mime FAQ said "almost--maybe".
The important part to remember is that Microsoft was warned before they wrote or released the relevant software, and they deliberately ignored the security warnings contained in the standards documents. These critical security related design flaws have still not been fixed almost a decade later.
Some members of the Internet Engineering Task Force (IETF), the body that defines standards for the Internet, believe that Microsoft should be held accountable as criminally negligent for the proliferation of these viruses. Keith Moore, author or co-author of many RFC's, posted a message to the ietf@ietf.org mailing list (local copy) about this issue.
This decision has cost the network billions of dollars, including significant costs to people who do not use that company's software products (and who therefore aren't bound by its EULAs).Words that come to mind to describe this include: Willful, Criminal, and Negligence. Another word that comes to mind: Prison. As in "some people need to spend a lot of time there".