Infection Control

Strategies to protect your system from viruses

By: Paul Ticher

May 2, 2003

Protecting your system effectively against viruses that arrive on e-mail messages depends on adopting a range of different measures. It's worth looking at some of the most useful:

Virus Protection Software

Although, by definition, software will have problems protecting you against the most recent viruses, it's still worth having it and using it. Old viruses are still around. What this means is:

  • Install the software on all the machines that receive e-mail messages (or that may receive material on floppy disk).
  • Set it up so that it always runs in the background, checking files when you open them.
  • Pay the annual subscription fee to keep the software and its virus database up to date.
  • Scan your whole disk from time to time as an extra precaution.
  • On a network, ensure either that each computer is individually protected or that you have protection covering the whole network.

The computer magazines survey virus protection software from time to time, without finding an obvious market leader. Some packages are slightly easier to use than others, while some have specific problems in an otherwise good package. (Norton Anti-Virus, for example, currently has a bug that messes up your internet connection if you try to check certain kinds of incoming e-mail attachments.)

Internet Security Settings

Internet Explorer, Outlook and Outlook Express all allow you to specify your own security settings. You can access these through the Tools menu.

The key requirements for maximum security are to ensure that rogue scripts and Active-X controls cannot run automatically. These are small programs that can attach themselves to other files. They are commonly and legitimately used on Web sites to spice up the design, but can also be used to place a virus inside an e-mail if it is in HTML format (the format used on Web pages, but which Outlook and Outlook Express can use to provide fancy layout on e-mail messages).

This is what enabled my system to intercept the virus I received. When Outlook Express tried to display the e-mail in its Preview Window, this triggered the virus code. Because my security settings did not allow the code to run without my say-so, I saw a message on my screen, asking whether this was OK. I realized that no legitimate e-mail should generate such a message, said "No", and saved myself a lot of hassle.

The only problem is that setting the security in this way can make Web browsing less smooth. Every time you try to load a page with a script or Active-X program in it, Internet Explorer will ask you whether this is OK. It can be quite instructive to see how much use some sites make of these features, while others hardly do at all.

The alternative is to set your system so that scripts and Active-X controls just cannot run. However, this may prevent you using some Web sites: whenever a site gives you the option of searching the site, and often when there are online forms to fill in, a script is likely to be involved. Add-ins such as Adobe Acrobat Reader also depend on Active-X controls.

To set the security in Internet Explorer, go to Tools | Internet Options, then the Security tab. In Outlook and Outlook Express, for all the suggestions here, you need Tools | Options. From then on, the various versions of each program differ slightly. If you can't find out how to carry out the suggestions below by exploring in Tools | Options, try looking up Help.

In at least some versions of Outlook Express there is a slider which you can set to High Security. This is the simplest option. If it's not available, or if you want to go into more depth, click on Custom Level and check the relevant boxes in the sections for Active-X (near the top) and Scripts (further down). In most cases your choice is to Enable, Disable, or Prompt. In other words the option will automatically be allowed, automatically barred, or you will get a message box giving you the choice. You may also want to check that e-mail security is set to High if this is available.

E-mail Good Practice

There are other things you can do to make life easier and more secure, both for you and the people you send e-mail messages to. The two principles of good practice are to:

  • Send e-mail messages and attached documents that are inherently less likely to carry viruses.
  • Make sure that people you e-mail can tell who you are and can assess the likely content and value of your message.

Among the ways to make your e-mail messages less likely to carry viruses, you might like to consider the following:

  1. Ensure that your e-mail program only sends text e-mail messages, without any fancy HTML formatting. Set the mail sending format to Plain text, not HTML (and ensure that there is no tick next to 'Reply to messages using the format in which they were sent' if available). Sending messages in plain text also makes them smaller (and therefore cheaper to send and receive).
  2. Before you attach document files, save them in the RTF format (which all versions of Word and many other word processors can use). In Word, when you are saving the document select RTF from the list of formats. This format preserves virtually all the layout and formatting, but cannot carry Word macro viruses (like Melissa or I Love You). RTF documents are also usually smaller than their DOC equivalents - substantially smaller than most Word 97/2000 documents because these require two bytes per character to allow for international character sets.

To make life easier for the recipients, adopt the following measures, and encourage others to do the same for you:

  3. Ensure that you set up your system to identify you as the originator of the message. For example, in Outlook Express go to Tools | Accounts, select the account if there are more than one, then click Properties. Ensure that the Name field identifies you appropriately.
  4. Whenever you send e-mail messages make the Subject line as informative as possible, so that the recipient can make their own decision about when (or, indeed, whether) to read it.
  5. Put your proper name, the full name of your organisation and 'real world' contact details - a phone number at least - on all e-mail messages so that people both know who you are and have a choice of means to respond. You can set up a 'signature' in Outlook and Outlook Express to add the same information at the bottom of every message.
  6. If you are attaching graphics or other files, try to save them in a compressed format (JPG rather than BMP, for example) or compress them using a program such as WinZip. If you have to send a file of more than a few hundred Kilobytes, you may want to warn the recipient and check that it is OK.
  7. Remember that if you are sending e-mail messages to several people they can all see all the addresses that appear in the 'To' and 'Cc' fields. If there is any danger that recipients might misuse these addresses, or might inadvertently pass them on to inappropriate people, you are better off putting all your recipients in the 'Bcc' (blind carbon copy) field. This may not be visible when you start a new mail message, depending on how your system is set up.

If other people don't follow principles such as these, you would have good reason for treating their e-mail messages less seriously. In particular, you should not open an attachment unless you receive it from a person you know, with a plausible, informative Subject line (I Love You from your bank manager does not count as 'plausible') and in a 'safe' format. If it's in DOC, ZIP or EXE format you should certainly save it to disk and scan it for viruses before opening it. Don't be afraid to delete e-mail messages without reading them if they appear to be dodgy in any way, either because of their format, or who they are from, or if they are offering you anything that sounds too good to be true (it won't be true).
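The attachment rule above, together with the earlier point about scripts in HTML mail, can be applied mechanically to a saved message. The following is an added example, not part of the original article; the function name triage, the LOWER_RISK set, the known-sender list and the sample message are assumptions made for illustration.

```python
import os
from email import message_from_string
from email.utils import parseaddr

# Formats the article says to save to disk and scan before opening.
SCAN_FIRST = {".doc", ".zip", ".exe"}
# Assumption: formats treated as lower risk (the article suggests RTF and JPG).
LOWER_RISK = {".rtf", ".jpg", ".txt"}

def triage(raw, known_senders):
    msg = message_from_string(raw)
    findings = []
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender not in known_senders:
        findings.append("unknown sender: " + (sender or "(none)"))
    for part in msg.walk():
        name = part.get_filename()
        if name:
            # Only the last extension counts: "photo.jpg.vbs" is a .vbs file.
            ext = os.path.splitext(name)[1].lower()
            if ext in SCAN_FIRST:
                findings.append("scan before opening: " + name)
            elif ext not in LOWER_RISK:
                findings.append("unrecognised format: " + name)
        elif part.get_content_type() == "text/html":
            body = part.get_payload(decode=True).decode("latin-1").lower()
            if "<script" in body or "<object" in body:
                findings.append("HTML body carries script or object tags")
    return findings

# Constructed sample message (not a real capture).
SAMPLE = """\
From: "A Stranger" <someone@example.org>
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/html

<html><body><script>/* placeholder */</script>Hi</body></html>
--XX
Content-Disposition: attachment; filename="minutes.doc"

AAAA
--XX
Content-Disposition: attachment; filename="photo.jpg.vbs"

AAAA
--XX--
"""
print("\n".join(triage(SAMPLE, {"colleague@example.org"})))
```

The From header is not authenticated, so a match against known_senders lowers suspicion but does not replace the virus scan.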

A final precautionary procedure may be relevant if you receive a lot of unsolicited e-mail messages from people you don't already know - as part of an advice service, perhaps. You could have them directed to a specific e-mail account and allocate a specific computer to collect them which is isolated from the rest of your network. Any damage from viruses you fail to intercept can then be kept to a minimum.

Article in collaboration with London Advice Services Alliance. Original article written for Lasa by Paul Ticher, an independent consultant working with voluntary organizations. He can be contacted at paul@paulticher.com