How to secure Eudora against viruses and other malware

The Eudora software developed by Qualcomm is a popular alternative email client to the Microsoft Outlook and Outlook Express software used by many home and business users around the world.

While not nearly as susceptible to viruses as its Microsoft counterparts, thanks to the decision by the developers to make the scripting code very different to that for Microsoft clients, as well as the ability to switch off scripting and MAPI.
A number of articles have detailed how to lock down Microsoft clients, but neglect to mention the equivalent in Eudora. In an attempt to rectify this imbalance, this document details how to do it. I am using version 4.3.2 on a Win32 platform for the details of what to do here.

Automation
Automation is the ability of one application to control another through the OLE interface. This is typically used by Microsoft office applications to use functionality available from another application. Go to Tools -> Options and choose Automation from the drop down list on the left. Make sure ôAutomation enabled from this machineö is unticked, and ôWarn on automation auto-send of messagesö is ticked.

Viewing Mail
Go to Tools -> Options and scroll to Viewing Mail. There is a lot in this section to do to lock down our Eudora settings. First is to ensure that ôUse Microsoft Viewerö is unticked. This is because if HTML email arrives, this will be rendered using the HTML rendering engine used by Internet Explorer if it is installed on your computer, and thus will be subject to the same security holes.
Also on here untick ôShow message preview paneö. This will turn off the preview window at the bottom of each folder. It is the equivalent of this that will stop the BubbleBoy virus û the one that doesnÆt need to be opened, only highlighted in the list û running in Microsoft email clients.
Finally on here, ensure ôAllow executables in HTML contentö is off. This will stop any Java, Javascript and ActiveX controls running when in an HTML email.

MAPI
Mapi is the Messaging API (Application Programming Interface) and is used by Windows applications to send email. Eudora includes its own MAPI server, for applications to connect to. You can switch this off by going to Tools -> Options and scrolling to the MAPI item, and ensuring ôNeverö is selected under the ôUse Eudora MAPI Serverö option.

Adverts
One area where the Microsoft clients have an advantage over Eudora is in the adware department. Eudora uses the Cydoor system to display its adverts, when used in Sponsored mode. The use of such a system is justified as it is made very clear during installation that this is done, and users are given the option of removing it by upgrading to Paid mode.
What I have found, however, is that although you can remove Cydoor when in paid mode using tools such as Ad-Aware, the next time you click Send/Receive it will reinstate itself afterwards, which is unforgivable. Yes, the adverts arenÆt displayed on screen but the fact that it stays there is the major weak point I have found in Eudora security. My firewall records connections to port 80 on an IP address owned by Qualcomm, which is obviously this doing its job as there is no legitimate technical need for an email client to connect to a web server.

Attachments
EudoraÆs handling of email attachments is very sensible. It puts them by default in an Attach directory, which is under the main program (or mailbox if you move it elsewhere). As the files are stored as received, they will be subject to the same scrutiny of any other file stored locally, and as such any dodgy content should be picked up with a good up to date virus checker.

Overall
The Eudora email client is inherently much more secure than its Microsoft counterparts, but a few minutes taken to check its settings can reduce the security risk to almost negligible levels.