E-mail Security Configuration for POP Clients
Published: 01/29/2008
Web-based mail services such as Hotmail, Gmail, and Yahoo! are very convenient because you can access your inbox from anywhere. However, I'm personally not a big fan of relying on a third party to store my messages. I'd rather have my own repository that I store locally at home. This way, I'm not dependent on the mail provider in order to read old messages (and my archive spans back almost a decade). It's just a preference of mine. This does, of course, come at a cost because I would need access to my home network in order to look at my old mail. The days of pine are gone and I've been using Mozilla Thunderbird for a while now, and there are some benefits that a stand-alone client will provide that web-based mail providers (such as those from your ISP) may not.
We hear about security threats using e-mail as a vector all the time. In many cases, there's some social engineering involved to trick the user into clicking on a link, which automatically opens a browser and connects to a website where a drive-by download of malicious code happens. But there are also sneakier ways for a spammer to discover whether you exist.
I'll quickly describe some of the configuration settings in Mozilla Thunderbird that I use to help mitigate some of these threats.
Disable HTML rendering
Back in the good ol' days, people just sent each other plain e-mail. As an analogy, you can think of this as writing a letter with only a black pen. Just the ink on the 8.5x11 white paper and that's it.
At some point, e-mail clients started featuring the ability to write and view HTML-formatted mail, which is basically an e-mail message written in the form of a web page. Of course, the sender of HTML mail doesn't actually "create a website" when writing the message; the more complicated formatting is handled automatically by the e-mail application. This allows someone to insert pictures, choose a specific font, make colorful text, etc. in their message. Referring back to our analogy, this is like being able to put cute stickers on the letter and attach a Polaroid to it. It's more colorful ... but it can also be more annoying depending on the content and style.
The problem with this new-found flexibility is that a website can contain all kinds of externalities separate from the actual text message itself. An HTML-formatted message can provide links to sites on the Internet, referencing anything from pictures to sounds to virus code. If your mail client automatically renders this within the message display window or a preview pane, you've potentially downloaded and run that malicious code without your approval. HTML mail can be intrusive to the recipient.
The easiest way to stop this is to disable the viewing of HTML mail, period, and have those messages automatically translated into a simple text format. In Mozilla Thunderbird, this can be accomplished by going to View » Message Body As » Plain Text.
Another benefit to this is that spam links are easily exposed. Ever get an urgent e-mail from "PayPal" saying that someone got your account's credit card number? They usually post a link that you can click on. In HTML mail form, you have to know where to look in order to make sure you're being linked to www.paypal.com ... or a more malicious entity like paypal.badguy.com. Plain text formatting reveals the original link source address much more clearly.
Many times, spam messages that are meant to be read in HTML form contain hidden links to transparent images, which for all intents and purposes are invisible. If the message is rendered the way the spammer intended, your e-mail client (acting as a pseudo-browser) sends a request to the server hosting that image file. The spammer, naturally, runs this server. The image itself is tagged to your e-mail address, so if your mail client makes a request for it, the spammer knows that your address is a good one.
Disable return receipts
It's nice to be able to know if someone received your e-mail. It's not like you get a confirmation from the recipient's e-mail server saying that it got the message. However, e-mail clients typically support the function of return receipts where automatic notifications are sent back to the sender once the recipient opens the message.
Spammers would like to know if you got their message too. They use a lot of automation and send out random messages to random e-mail addresses, hoping to find a real one used by a real person. This is one way of harvesting legitimate addresses.
To globally disable return receipts in Thunderbird, go to Tools » Options, then click on the Advanced option in the top-right corner, then the Return Receipts button on the right-hand side.
Be sure the Never send a return receipt option is checked.
There are also settings specific to each e-mail address account that Thunderbird is configured to use. However, by default these will use the global setting.
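The signals described in this section and in the HTML section above can be checked on a raw message before anything renders it. This is an added example, not part of the original article: it reports a return-receipt request (the `Disposition-Notification-To` header), remote resources an HTML renderer would fetch, and links whose visible text names a different host than the real target. The sample message and its `.example` hosts are constructed placeholders.

```python
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message; every address and host is a placeholder.
SAMPLE = """\
From: "PayPal" <service@paypal.badguy.example>
Disposition-Notification-To: service@paypal.badguy.example
Content-Type: text/html; charset="utf-8"

<p>Verify now: <a href="http://paypal.badguy.example/login">www.paypal.com</a></p>
<img src="http://track.badguy.example/p.gif?id=you%40example.org" width="1" height="1">
"""

class Scan(HTMLParser):  # collects (visible text, href) pairs and remote src= URLs
    def __init__(self):
        super().__init__()
        self.links, self.remote, self.href, self.text = [], [], None, ""
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.href, self.text = a["href"], ""
        if (a.get("src") or "").lower().startswith(("http://", "https://")):
            self.remote.append(a["src"])
    def handle_data(self, data):
        if self.href is not None:
            self.text += data
    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            self.links.append((self.text.strip(), self.href))
            self.href = None

def host(s):  # hostname of a URL or bare domain, "" if it does not parse
    try:
        return (urlparse(s if "//" in s else "//" + s).hostname or "").lower()
    except ValueError:
        return ""

def audit(raw):
    msg = message_from_string(raw, policy=policy.default)
    report = {"receipt_to": msg.get("Disposition-Notification-To"), "remote": [], "mismatched": []}
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        scan = Scan()
        scan.feed(body.get_content())
        report["remote"] = scan.remote
        for text, href in scan.links:
            shown = host(text)  # domain the reader sees, if the link text is one
            if "." in shown and " " not in shown and shown != host(href):
                report["mismatched"].append((text, host(href)))
    return report
```
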
Use SSL or TLS if possible
When your POP mail client contacts your mail server and downloads messages, it goes through a user authentication process. Unfortunately, by default your password is sent in the clear, and anyone observing your connection traffic will instantly see it.
Although not supported by every service provider, SSL or TLS can be used to encrypt the transport of sensitive data between you and the ISP, just like using SSL when shopping at a website and sending your credit card information. While it doesn't defend against spam, it does help to ensure that your personal account information (username and password) cannot be compromised by dropping a listening device somewhere in the path to your mail server.
Check with your ISP regarding the availability and configuration specifics, such as the port used.
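A client-side check that never sends the password over an unencrypted POP session, written as an added example (not from the original article) with Python's standard `poplib`. It assumes the standard ports, 995 for POP over TLS and 110 for POP with the `STLS` upgrade; the host, user and password arguments are whatever your provider gives you.

```python
import poplib
import ssl

def choose_transport(implicit_tls, capabilities):
    """Pick how the login is protected, or refuse if it would go out in cleartext."""
    if implicit_tls:
        return "implicit-tls"   # TLS from the first byte (usually port 995)
    if "STLS" in capabilities:
        return "stls"           # upgrade the port-110 session before USER/PASS
    raise ConnectionError("server offers no TLS; refusing to send the password")

def fetch_count(host, user, password, port=995, implicit_tls=True):
    """Log in over a certificate-verified TLS channel and return the message count."""
    ctx = ssl.create_default_context()  # verifies the chain and the host name
    if implicit_tls:
        conn = poplib.POP3_SSL(host, port, context=ctx, timeout=15)
    else:
        conn = poplib.POP3(host, port, timeout=15)
    try:
        if not implicit_tls:
            try:
                caps = conn.capa()          # capabilities the server advertises
            except poplib.error_proto:
                caps = {}                   # server does not implement CAPA
            choose_transport(False, caps)   # raises before any credential is sent
            conn.stls(context=ctx)
        conn.user(user)
        conn.pass_(password)
        count = conn.stat()[0]
        conn.quit()
        return count
    finally:
        conn.close()                        # safe to call again after quit()
```
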
Use PGP (Pretty Good Privacy)
Virtually all e-mail sent over the Internet is in cleartext. In other words, sending e-mail is like sending postcards to your friends through the Post Office. Anyone handling the mail, including the carrier, the processing staff at the postal hub, etc., can see the contents if they have physical access to it. You can use sophisticated math to scramble / descramble your messages so no one but your recipients can read them. Fortunately, the sophisticated math (used for encrypting and decrypting e-mail) comes in the form of software that automatically makes all the magic happen for you. One of the most common methods is to use a framework called PGP (Pretty Good Privacy). It's available as add-on software for your stand-alone e-mail client. For Thunderbird, I use a compatible variation called GPG (GnuPG, or GNU Privacy Guard).
Although the concepts pertaining to public / private key pairs and digital signatures are out of the scope of this article, I recommend reading through How PGP Works for an excellent introduction. Well worth the read, even if you have to read it a few times over. Check out Enigmail for integrating GPG with Thunderbird.
The extra-careful sauce on those attachments