Why is it dangerous to open a suspicious email?

  • I would like to know why it is considered dangerous to open an email from an unknown source?

    I am using Gmail and I thought it's only unsafe to download an attachment and run it.

    The first thing that came into my mind was what if the email text contains XSS JavaScript code but I am sure that every email provider has protected their site from getting XSS-ed.

    What is going on behind the scenes when you get infected just by clicking on an email and reading its content, for example on Gmail?

    In the case of HTML email, CSRF could also be used, e.g.: ``

    One would also assume that opening an email increases the risk of a link being clicked or a file being downloaded, since you cannot do these things without first opening the email.

    Even if the XSS Xavier mentioned does not work, the attacker could verify the email using and you could get into the focus of massive spamming + bruteforcing

    You should never open an email as HTML. Always read it as plaintext only first, to avoid all those kinds of attacks. If it is an HTML email you can have a glance at the contents and check whether they could be safe...

    Better yet, just don't read your email at all. It's always full of distracting requests that take time. :P

    Back in the day, Eudora Pro would download and save to disk every attachment in every email one received (not even opened, just received). I once was hired by the defense team for a middle school principal accused of viewing inappropriate content at work. Every single image with nudity on his drive turned out to have been auto-downloaded by his email client.

    @Xavier59 if you use an online banking service that sends payment information over GET requests, you have bigger security issues in your life than weird emails.

    @JustinLardinois And without any kind of password or two-step authentication before sending money xD

    @Xavier59 does turning images off in GMail (not in the browser) not protect against that?

    @MauganRa Yes, it will protect you against this kind of attack in email. However, you are still vulnerable on every site you visit that you can't trust (or a website that has been compromised). See how it works: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

    For the answer to this question, please check the attachment I included with my recent e-mail to you...

    Is it less dangerous to open an email that isn't suspicious?

  • mattdm (Correct answer, 5 years ago)

    There is a small risk of an unknown bug — or a known but unpatched one — in your mail client allowing an attack by just viewing a message.

    I think, though, that this very broad advice is also given as a defense against some types of phishing scams. Social engineering attacks are common and can lead to serious trouble. Making sure people are at least suspicious is a first line of defense. It is like telling an elderly grandparent to never give their credit card info over the phone — okay, sure, there are plenty of circumstances where doing that is relatively safe, but when they keep getting scammed over and over, it's easier to just say: don't do it.

    Likewise, not opening mail keeps you from reading about the plight of an orphan in a war-torn region who has unexpectedly found a cache of Nazi gold and just needs $500 to smuggle it out and they'll share half with you, and your heart just goes out, and also that money wouldn't hurt.... Or, while you know the rule about attachments, this one says that it's pictures of the cutest kittens ever, and how can that be harmful — I'll just click it and okay now there are these boxes saying do I want to allow it, which is annoying because of course I do because I want to see the kittens....

    Love the last paragraph!

    Oh, and BTW, you also need to upgrade your video codec before you can see that little doggy video.

    The last paragraph is just brilliant. Also, mattdm, where is your fedora t-shirt?

    Glad everyone likes it. @grochmal, the shirt is in the laundry. :)

    Well, if there are kittens, I'll gladly click your link.

    Just hop on over to the Personal Finance StackExchange site and gasp in awe at the "Is this a scam?" questions people ask about there. (And then imagine how many people *don't* ask that question.)

    @aslum there are no kittens, they are trojan horses letting bad stuff into your computer.

    You might want to also mention that if viewing HTML mail your email client may invoke your browser or some other external program such as the Flash plug-in to show you the email (with all the security holes those programs have). Some emails may also embed web-bugs where pulling a picture embedded in the email tells the sender that you actually viewed the email (and when) because the unique URL the embedded picture was at was accessed then. Knowing someone looked at their email makes you an actual person and puts you on the prime list for future spamming.
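The thread mentions two things an HTML mail can do the moment it is rendered: pull a remote image whose URL is a state-changing GET request (Xavier59's CSRF remark) and pull a uniquely named image so the sender learns the mail was opened (the web bug in the comment above). The following is an added example, not code from this thread or from any mail client: a small filter that rewrites an HTML body so that nothing remote is fetched when it is opened, which is the mechanism behind "turn images off", and reports what it blocked. The set of URL-bearing attributes and the sample message are assumptions constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes a mail client resolves by fetching a URL when the message is rendered.
# Assumed set for this example; CSS url(...) inside style attributes is not covered.
FETCH_ATTRS = {"img": {"src"}, "source": {"src"}, "link": {"href"}, "iframe": {"src"},
               "script": {"src"}, "video": {"src", "poster"}, "audio": {"src"}}

def is_remote(url):
    """http(s) and protocol-relative URLs are remote; cid:/data: inline parts are not."""
    u = url.strip()
    return u.startswith("//") or urlparse(u).scheme.lower() in ("http", "https")

class RemoteContentBlocker(HTMLParser):
    """Rewrites an HTML body so that merely opening it triggers no remote request
    (what 'images off' does in a mail client) and records every URL it blocked."""
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out, self.blocked = [], []

    def _tag(self, tag, attrs, end=""):
        parts = [tag]
        for name, value in attrs:
            if value is not None and name in FETCH_ATTRS.get(tag, ()) and is_remote(value):
                self.blocked.append(value.strip())
                continue  # attribute dropped: nothing is fetched for this element
            esc = value.replace("&", "&amp;").replace('"', "&quot;") if value is not None else None
            parts.append(name if esc is None else f'{name}="{esc}"')
        self.out.append("<" + " ".join(parts) + end + ">")

    def handle_starttag(self, tag, attrs): self._tag(tag, attrs)
    def handle_startendtag(self, tag, attrs): self._tag(tag, attrs, " /")
    def handle_endtag(self, tag): self.out.append(f"</{tag}>")
    def handle_data(self, data): self.out.append(data)
    def handle_entityref(self, name): self.out.append(f"&{name};")
    def handle_charref(self, name): self.out.append(f"&#{name};")

def block_remote_content(html):
    """Return (safe_html, blocked_urls) for one HTML mail body."""
    p = RemoteContentBlocker()
    p.feed(html); p.close()
    return "".join(p.out), p.blocked

# Constructed sample: an inline cid: logo (kept), a 1x1 tracking pixel (web bug) and an
# image whose src is a state-changing GET URL, the CSRF pattern discussed in the thread.
SAMPLE = ('<html><body><p>Hi &amp; welcome</p><img src="cid:logo@example.invalid" alt="logo">'
          '<img src="https://tracker.example.invalid/open?id=abc123" width="1" height="1">'
          '<img src="https://bank.example.invalid/pay?amount=500"></body></html>')
if __name__ == "__main__":
    safe, blocked = block_remote_content(SAMPLE)
    print(safe, "\nblocked:", blocked)
```

The blocked list is what a client would normally show as "this message tried to load remote content"; the rewritten body still renders the inline cid: image and the text.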

License under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM