When their emails have to be pretty

Michael (LV) over at Terminal23 recently blogged about the DOD forbidding the use of HTML emails. I agree with Michael and the DOD. Purty emails can be dangerous emails.

On my laptop I often use Pine to check my Gmail account for the very reason that HTML-borne spyware isn’t getting anywhere in my ugly but oh-so-sexy Pine client. Unfortunately, my users don’t feel the same affection for text-based email and I easily lose the battle of HTML-based emails. So what’s a security curmudgeon to do in a case like this?

First and foremost a hybrid IPS is in order. You want to snipe the HTML-based nasties as far from your hosts as possible. Keep in mind though that a lot of IPS units have a hard time decoding MAPI so ideally you want the IPS unit between the Internet and your SMTP store-and-forward server. (you DO have a dumb SMTP server in front of your Exchange server, RIGHT?!)

Second you want to do a bit of hardening on your hosts by tweaking the Internet Properties to get your fingers around the throat of IE. You want to pay special attention to ActiveX, scripting (active scripting, java scripts, the whole lot), etc. Focus not only on the Security tab but also the Advanced tab of the Internet Properties applet. Once you’re done, disable the users’ ability to modify those settings because you’ll always have some chucklehead who knows enough to hurt himself.

Also, implement a system now that allows you to quickly disable selected ActiveX controls on all your hosts. I’ve used a simple registry key import in my login scripts. Have the script import a registry key that contains all of your blocked ActiveX controls (Microsoft has a how-to here). Many times the ISC publishes the CLSID of malicious ActiveX controls so you can just cut-and-paste.
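Here’s what that registry import looks like when done from a script instead of a .reg file. This is an added example, not the script from my login scripts or anything from Microsoft’s how-to; it sets the IE “kill bit” (the 0x400 bit of the Compatibility Flags value) for each CLSID in a list, and the CLSIDs in it are constructed placeholders, not real controls.

```powershell
# Added example: set the IE "kill bit" for a list of ActiveX controls so IE
# refuses to instantiate them. The mechanism (Microsoft KB 240797) is a REG_DWORD
# named "Compatibility Flags" with bit 0x400 set under
# HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}.
# HKLM requires admin rights, so run this elevated or from a machine startup script.
# On 64-bit Windows, 32-bit IE reads the same key under HKLM\SOFTWARE\Wow6432Node\...

$KillBit  = 0x400
$BasePath = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

# Constructed placeholder CLSIDs; replace with the CLSIDs you actually want blocked.
$BlockedClsids = @(
    '{00000000-0000-0000-0000-000000000001}',
    '{00000000-0000-0000-0000-000000000002}'
)

function Set-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)

    # Refuse anything that is not a braced GUID so a typo cannot create a junk key.
    if ($Clsid -notmatch '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$') {
        throw "Not a valid CLSID: $Clsid"
    }
    $KeyPath = Join-Path $BasePath $Clsid
    if (-not (Test-Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    # Preserve any flags already present; only OR in the kill bit.
    $Existing = (Get-ItemProperty -Path $KeyPath -Name 'Compatibility Flags' `
                 -ErrorAction SilentlyContinue).'Compatibility Flags'
    $NewFlags = [int]$Existing -bor $KillBit
    Set-ItemProperty -Path $KeyPath -Name 'Compatibility Flags' -Value $NewFlags -Type DWord
}

function Test-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $KeyPath = Join-Path $BasePath $Clsid
    $Flags = (Get-ItemProperty -Path $KeyPath -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    return (([int]$Flags -band $KillBit) -eq $KillBit)
}

# Apply the list and report which controls are now blocked.
foreach ($Clsid in $BlockedClsids) {
    Set-ActiveXKillBit -Clsid $Clsid
    $State = if (Test-ActiveXKillBit -Clsid $Clsid) { 'kill bit set' } else { 'NOT set' }
    Write-Host "$Clsid : $State"
}
```

Test-ActiveXKillBit is also handy on its own for auditing a host after the ISC publishes a new CLSID, since it tells you whether the import actually landed.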

You should also read my page about fighting spyware. It’s a bit dated but still very relevant. Maybe I’ll update that page today, since I seem to be one of the few at work today.

Lastly, always take the opportunity to edumacate your users. Remind them not to open unsolicited attachments. Notify them of new, wide impact phishing scams. If you keep reminding them that the Internet is not as safe as they would like to think, you’ll be doing yourself a favor.

[...] In response to Michael at mcwresearch and Michael (LV) at terminal23, I’m surprised there has been no middle-ground adoption that gives users the ability to format text (colors, bold, italic, underline, bullets, etc), without the nastiness of HTML and without the plainness of plain text. It looks like enriched text (RFC 1896) was supposed to do this, but never seemed to catch on. I’ve been using the following for “formatting” in plain text, and it has gotten the point across OK so far: [...]