Unsolicited email messages containing attachments are sent to unsuspecting
recipients. They may contain a return address, a provocative envelope, or
something else that encourages its receiver to open it. This technique is
called social engineering. Because we are trusting and curious, social
engineering is often effective. The widespread impact of these latest
viruses, which rely on human intervention to spread, demonstrates the
effectiveness of social engineering.
Well, they rely on a combination of human intervention -- in that they
require humans to actually "open" the attachment -- and violations of
the MIME specification by the recipient's MUA.
A big part of the problem is that when the message attachment is
opened, the MUA then executes the content, despite the admonition of
the MIME specifications that
(a) an MUA should not allow the sender of a message to specify what
action the recipient takes to display the attachment (which the sender
effectively does by specifying the filename suffix) and
(b) for types not known to be safe the MOST an MUA should do is to
offer to save the attachment in a file.