LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Server (https://www.linuxquestions.org/questions/linux-server-73/)
-   -   In what ways can an E-Mail compromise my system? (https://www.linuxquestions.org/questions/linux-server-73/in-what-ways-can-an-e-mail-compromise-my-system-4175732088/)

platypo 12-23-2023 06:35 AM

In what ways can an E-Mail compromise my system?
 
Hello and thanks for overlooking and deleting my recent panic-post here. I still would like to inquire about it one more time.

I tried to make myself familiar with Linux systems for several years, but never managed to get truly into the issue, so for the past several years I've just been happy to be able to use a stable desktop system with good support for free.

Recent uncanny encounters like e-mail addresses indicated on www.haveibeenpwned.com, 2FA notifications on my cellphone without me trying to log in anywhere and a drastic increase of scam e-mails that become more and more 'accurate' and difficult to recognize as scam raised my alert level.

Recently I received another questionable e-mail. The sender was the full name of a familiar and trusted person, a business owner using the services of a respectable online business for his arrangements, and the sender address was a noreply e-mail from said service provider. There was no obvious occasion for this e-mail being sent and upon inquiry, the supposed sender did not arrange to send it in any way. It contained HTML code with 2 external references. Unfortunately I was in a hurry and light-headedly clicked on 'toggle to HTML mode' in my e-mail client in the belief that it's trustworthy. It showed a form with bank account information of the sender, and a reminder to pay a fee. It all looked really congruent and nonchalant, but the sender address (the noreply@...) and the missing occasion made me suspicious, not to say a little nervous after allowing HTML depiction.

I am currently in correspondence with the service-provider of my friend, the supposed sender and they are investigating based on the mail itself and its technical headers.

My question to LQ would be: What are the factual risks when switching to HTML mode in my e-mail client? I'm using Debian 12, I dare to say that it's halfway well maintained, with KDE, KMail being the e-mail client.
If you need any further information feel free to ask; I hesitate to post the HTML code or the external references here, since they contain sensitive data of a familiar person.

Thanks in advance.

business_kid 12-23-2023 10:39 AM

The first thing I would say is that if you use webmail, the compromise doesn't have to be on your system :D.

I ran a mail server for a while. At the time, I needed to be on a mailing list to allow me to get data on electronic hardware, which I absolutely needed for work. The mailing list was a handy target for spammers. Its spam control was poor/nonexistent. Spam at the time mainly consisted of
  1. Nigerian Royalty "looking to dump their ill gotten millions in your account."
  2. Chinese businesses who knew my manhood was too short for any job I might assign it and offering 'essential' pharmaceuticals to stretch it.
I installed and tuned a chain of spam filters and removed 102% of the issues. Oh yes, my brother's email ended up in the spam as well, but that was the right place for it. I would check twice a week for false positives. Meanwhile the occasional short ad might get through and the occasional legit mail would look slimy and get spammed.

I had to keep a trove of spam emails to train the filters and as spam kept evolving, I found it simply wasn't worth the effort as the mail volume didn't justify it, so I moved to web mail. Stay off the familiar names - protonmail looks good ATM.

The principal hack through email at the time (early 2000s) was buffer overflow attacks on inetd, xinetd or sendmail giving privileged access. Since then, gcc, mail clients, kernels, servers like sendmail & inetd and even email clients have been patched to close off those avenues pretty completely. Any time an exploit is found, the door is rapidly closed on it.

You now have to click your way into trouble yourself.

sundialsvcs 12-27-2023 08:06 AM

Your first line of defense is referred to as the "Principle of Least Privilege." This means that "the user-id you use every day" is not "an Administrator." (In Linux parlance, this means: "a member of the wheel group.") The first user that is set up on any new operating system install (on any system ...) necessarily is "an Administrator," so you must use it to set up one or more new "limited accounts" for yourself ... then, use the Admin account only for "administrative tasks."

In this way, any rogue software "running as you" that sneaks into a phone booth will find that the only thing it is authorized to do is to make a phone call ...

This fundamental principle applies to every operating system. Computers are terrible at knowing when to say "yes," but they are terrific at saying "no."

wpeckham 12-27-2023 11:27 AM

Mail clients were once designed to the IEEE standard definition of Email, and only resolved text. From text there was no threat other than it prompting you to do something stupid or risky.

HTML and MIME enabled email can carry a payload, local or remote, and the HTML or MIME interpreters and rendering can execute on your local machine under your authority. At that point a threat engine can take control of your processing to the extent that the authority allows, and use that to seek vulnerabilities that might allow it to control or corrupt the entire system.

The earlier point was valid: don't make things easy for threat agents.

If you do not enable HTML or MIME on your emails they will be colorless and appear boring. That is a good thing, compared to reloading your system to eliminate a rootkit and six dozen viral agents.

How you want to run, and what risk you will take for color and convenience, is entirely your personal choice.

frankbell 12-27-2023 08:20 PM

To build on what wpeckham said, the most common way to compromise a system via email is to get the user to click on a dodgy link.

Sooooooo, don't click on dodgy links. When in doubt, view the email sources. If you look at the sources, the dodginess often becomes quite plain. How to view the sources depends on your mail client.

I'll give an example that happened just today.

My friend got an email that purported to be from Paypal. She was upset because she uses Paypal (as do I) and it referenced a charge that she had no memory of making.

After we figured out how to view the sender's address on her iPad (if you use an iPad, just touch the sender's address and the actual sending address will display in a drop-down window), we could see that the email did not come from Paypal, but from some dodgy gmail address. That's how we confirmed that it was phishy.
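The check frankbell describes (look at the real sending address, not the display name the client shows) as an added example that is not from any post in this thread. Besides the From address it reads the other sender-related headers that become visible when you view the message source: Reply-To, Return-Path (the envelope sender the receiving SMTP server actually saw) and the SPF/DKIM/DMARC verdicts in the Authentication-Results header your own mail server adds. The sample message, its domains, IP and the finding names are constructed for illustration.

```python
"""Inspect the sender-related headers of a raw message instead of trusting
the display name the client shows.  Added example, not from the LQ thread.
Checks: display name unrelated to the sending domain, Reply-To at another
domain, Return-Path (envelope sender) at another domain, and SPF/DKIM/DMARC
verdicts in the Authentication-Results header your own mail server added.
The sample message, its domains and IP are constructed for illustration."""
import email
import email.policy
import re
from email.utils import parseaddr

# verdicts as written by the receiving server, e.g. "spf=pass", "dmarc=fail"
AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)


def _domain(addr_spec):
    return addr_spec.rsplit("@", 1)[-1].lower() if "@" in addr_spec else ""


def sender_checks(raw):
    """Return a list of (check, detail) findings; [] means nothing stood out."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    from_hdr = msg["From"]
    if from_hdr is None or not from_hdr.addresses:
        return [("no_from", "")]
    sender = from_hdr.addresses[0]
    from_dom = sender.domain.lower()
    findings = []

    # 1. The display name is free text; the address after it is what the
    #    message was actually sent as.  Flag names that share no word with
    #    the sending domain (e.g. "PayPal Billing" <...@gmail.com>).
    words = [w.strip("\"'(),.").lower() for w in sender.display_name.split()]
    if words and not any(w and w in from_dom for w in words):
        findings.append(("display_name_mismatch",
                         f"{sender.display_name!r} <{sender.addr_spec}>"))

    # 2. Reply-To at another domain: a reply goes somewhere From never named.
    if msg["Reply-To"] is not None:
        for addr in msg["Reply-To"].addresses:
            if addr.domain.lower() != from_dom:
                findings.append(("reply_to_elsewhere", addr.addr_spec))

    # 3. Return-Path is the envelope sender the receiving SMTP server saw;
    #    a different domain means the From header was chosen freely.
    _, return_path = parseaddr(str(msg.get("Return-Path", "")))
    if return_path and _domain(return_path) != from_dom:
        findings.append(("return_path_mismatch", return_path))

    # 4. Authentication-Results is written by *your* receiving server, not by
    #    the sender (provided your server strips any incoming copy).
    #    Anything but "pass" means the From domain was not verified.
    for hdr in msg.get_all("Authentication-Results", []):
        value = str(hdr)
        for mech, verdict in AUTH_RESULT.findall(value):
            if verdict.lower() != "pass":
                findings.append((f"{mech.lower()}_{verdict.lower()}",
                                 value.split(";", 1)[0].strip()))
    return findings


# Constructed sample: a "PayPal" notice sent from a free-mail address through
# a third-party mailer, with replies steered to that mailer.
SAMPLE = """\
Return-Path: <bounce-4711@mailer.example.net>
Received: from mailer.example.net (mailer.example.net [203.0.113.5])
        by mx.example.org with ESMTPS id 1a2b3c; Wed, 27 Dec 2023 08:00:00 -0500
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=mailer.example.net;
        dkim=none; dmarc=fail header.from=gmail.com
From: "PayPal Billing" <paypal.billing.support@gmail.com>
Reply-To: "Billing Desk" <desk-4711@mailer.example.net>
To: you@example.org
Subject: Your payment of $499.00 was received

Do not recognise this charge?  Reply to this e-mail to dispute it.
"""

if __name__ == "__main__":
    for check, detail in sender_checks(SAMPLE):
        print(f"{check:24} {detail}")
```

Run it against a message saved from the client's "view source" (KMail: View > View Source, or the equivalent "show original" in webmail); the SPF result alone is not enough, since here SPF passes for the mailer's envelope domain while the From domain is never verified, which is exactly what the DMARC line reports.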

hazel 12-28-2023 01:03 AM

Is it safe to hover over links to see where they point? ISTR reading somewhere that hovering can also be dangerous.

wpeckham 12-28-2023 01:14 AM

I cannot speak to ALL email clients, but often in Outlook you need not click on anything. Just rolling over a link, even a hidden link, can trigger an action. If that action is a threat action you may never know you have triggered an invasion.

hazel 12-28-2023 01:26 AM

I only use webmail and access it through FF. So can hovering over links hurt me?

business_kid 12-28-2023 12:17 PM

There's a very handy way out of this in Ireland. To register an .ie domain name you need a registered company or trade name to match. Each of those pin you down pretty well.

Now Banks, Government departments here all use .ie domains. Spammers use stuff like .com, or bit.ly, so it's immediately obvious. There are browser extensions that limit what a spammer gets away with, and some browsers are better than others. Palemoon & Brave can be configured to run a tight ship, among others. But I'm hardly the expert there.

wpeckham 12-28-2023 01:02 PM

Quote:

Originally Posted by hazel (Post 6473115)
I only use webmail and access it through FF. So can hovering over links hurt me?

FF has some nice features, if you care to use them. One is running a tab or window in a "jail" to isolate threats to that specific cache. It will not work for all things, but is WAY more secure than Chrome! Were I accessing email using FF I would set that up. (I use it for my banking sites, not for the added security that way but it warns me if the URL has changed or other indicators that the site might have been hacked.)

////// 01-03-2024 01:42 PM

Can emails contain a 1x1 pixel tracking image in them?
They can see if you open the mail in HTML form and can send you more spam/malware e-mails, or am I wrong?

wpeckham 01-03-2024 05:45 PM

Quote:

Originally Posted by ////// (Post 6474402)
Can emails contain a 1x1 pixel tracking image in them?
They can see if you open the mail in HTML form and can send you more spam/malware e-mails, or am I wrong?

All email is plain text, although the plain text can be a rich-text markup or HTML markup. Anything that is in the way of the email (server or network device) has the option of skimming off the plain text so it is human readable, or so that data tracking your contents can be done easily. Encrypted traffic (GPG/PGP, Tutanota to Tutanota emails, or through a VPN using that encryption) is far more "interesting" to try to intercept. Because it is more difficult for governments to intercept, you may need to question if a suppressive (or stupid) government has made such encryption illegal. Check your local resources about your local laws!
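The tracking-pixel question above, the OP's question about what toggling HTML view actually does, and the earlier point that merely rolling over a link can trigger an action, as one added example that is not part of any post in this thread. The script takes a raw message, pulls out its text/html part with Python's standard library and lists what a client would do on render without any click: fetch remote resources (images, stylesheets, frames), including 1x1 or hidden images whose only purpose is to report that the mail was opened, honour inline event handlers such as onmouseover, show forms that post somewhere, and present links whose visible text names a different host than their href. The sample message, every host in it and the finding names are constructed for illustration.

```python
"""What switching an e-mail client to HTML view can cause it to fetch or run.
Added example, not from the LQ thread.  Walks the text/html part of a raw
message and reports remote resources (fetched on render, no click needed),
1x1/hidden tracking pixels, inline event handlers, forms, and links whose
visible text names a different host than the href.  The sample message and
all hosts in it are constructed for illustration."""
import email
import email.policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Elements whose URL attribute a renderer fetches automatically.
AUTO_FETCH = {"img": "src", "link": "href", "iframe": "src", "script": "src",
              "object": "data", "embed": "src", "source": "src",
              "video": "src", "audio": "src", "input": "src"}


def _host(url):
    """Host of an absolute (or scheme-relative) http(s) URL, else None."""
    if url.startswith("//"):
        url = "https:" + url
    parts = urlparse(url)
    return parts.hostname if parts.scheme in ("http", "https") else None


class HtmlMailAuditor(HTMLParser):
    """Collects (kind, detail) findings while parsing the HTML body."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._href = None          # href of the <a> currently open, if any
        self._link_text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        # Inline handlers: a client that honours them runs code on hover or
        # load, which is the "you need not click" case raised in the thread.
        for name in a:
            if name.lower().startswith("on"):
                self.findings.append(("event_handler", f"<{tag} {name}>"))
        if tag == "script":
            self.findings.append(("script", a.get("src") or "inline"))
        elif tag in AUTO_FETCH:
            url = a.get(AUTO_FETCH[tag]) or ""
            if _host(url):
                kind = ("tracking_pixel" if tag == "img" and self._is_pixel(a)
                        else "remote_resource")
                self.findings.append((kind, url))
        if tag == "form":
            self.findings.append(("form", a.get("action") or ""))
        elif tag == "a":
            self._href = a.get("href") or ""
            self._link_text = []

    @staticmethod
    def _is_pixel(a):
        """1x1 (or 0x0) and hidden images exist only to signal an open."""
        dims = [(a.get("width") or "").rstrip("px"),
                (a.get("height") or "").rstrip("px")]
        style = (a.get("style") or "").replace(" ", "").lower()
        return "display:none" in style or all(d in ("0", "1") for d in dims)

    def handle_data(self, data):
        if self._href is not None:
            self._link_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = "".join(self._link_text).strip()
            real = _host(self._href)
            shown = None           # only compare when the text looks like a host
            if text and " " not in text and "." in text:
                shown = _host(text if "://" in text else "https://" + text)
            if real and shown and shown != real:
                self.findings.append(("link_mismatch",
                                      f"shows {shown}, goes to {real}"))
            self._href = None


def audit_message(raw):
    """Findings for the HTML part of a raw RFC 5322 message; [] if text-only."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is None:
        return []                  # plain-text mail: rendering fetches nothing
    auditor = HtmlMailAuditor()
    auditor.feed(html_part.get_content())
    auditor.close()
    return auditor.findings


# Constructed sample shaped like the OP's mail: a trusted name as sender, a
# noreply address, a payment form, and two external references.
SAMPLE = """\
From: Some Trusted Name <noreply@service.example>
To: you@example.org
Subject: Payment reminder
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Please view this message in an HTML capable client.
--b1
Content-Type: text/html; charset=utf-8

<html><body>
<img src="https://track.example.net/open?id=abc123" width="1" height="1">
<img src="https://cdn.example.net/logo.png" width="120" height="40">
<p onmouseover="fetch('https://track.example.net/hover')">Invoice overdue</p>
<a href="https://login.example.net/pay">www.example-bank.com</a>
<form action="https://login.example.net/submit" method="post">
IBAN: <input name="iban"><input type="submit" value="Pay"></form>
</body></html>
--b1--
"""

if __name__ == "__main__":
    for kind, detail in audit_message(SAMPLE):
        print(f"{kind:16} {detail}")
```

The first two findings are the ones that matter for the OP's situation: the moment HTML view is enabled, the client contacts track.example.net and cdn.example.net, so the sender learns the mail was opened, when, and from which address, even if nothing is ever clicked. Whether the onmouseover handler runs depends on the client; KMail and most modern clients do not execute script in mail, but the script flags it because the thread asks about clients that do.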

platypo 01-17-2024 02:42 PM

Thank you for the numerous replies, they are all quite helpful.

It seems to be safe to say that the principle of least privilege works in my case: the user running the mail program was no admin, not in the wheel group and even excluded from sudoers.
Like I said, I didn't click any links, I just switched to HTML view for a brief moment before realizing that this all is a bit fishy. So on my local system there should be only a small residual chance of harm if I understand correctly.

Just to be sure: could the mail provider, or my account there, have been compromised through HTML view in a local e-mail client?

wpeckham 01-17-2024 04:38 PM

Quote:

Originally Posted by platypo (Post 6477500)
Just to be sure: could the mail provider, or my account there, have been compromised through HTML view in a local e-mail client?

#1 Your mail server at the mail provider should not be at risk, or rather that is their sysadmin and security admin responsibility and not yours.

#2 Your machine may be at risk if rendering the email on your machine, or rolling over a hidden (or not hidden) link, or clicking on a link activates malware.

#3 If malware is engaged at either place your account COULD be compromised. If the compromise is on the server then ALL accounts on that server could be compromised.

If you (and those service providers) keep your OS and applications current on security patches and practice safe user behaviors, the odds of a successful technical compromise are not high, but the reason for all those security patches and those practices is that SOMEONE got bit by that in the past. New malware and delivery systems are being developed by foreign and domestic bad actors (and some government agents working for various governments) all the time. No security guy is going to tell you "do this and you will be safe" about anything except going off grid and avoiding all electronics and trackable activities, and that is just nastily inconvenient and unrealistic.

SO: back up critical stuff, and be prepared to scrub systems and reload at need, and then be a smart user. That is all you can realistically do and still enjoy these great toys! ;-)
