I get various emails, often bills from organizations that I have accounts
with in PDF. Some of them send them to me as application/octet-stream, with a
.PDF extension. When I double click on this attachment, it saves-to-disk.
When they send me text/pdf format, then I start acroread and/or gpdf, and I
can see their PDF. This is what I reply to them with:

In the past a number of popular mail programs have resorted to looking at the
file extensions to determine the file type. These same systems are very
vulnerable to trojans and viruses, and the reliance on file extensions causes
confusion to users --- they wind up authorizing dangerous operations.
It's kind of like letting your toddler play with a loaded gun. Something bad
is going to happen. In this case, something bad happens to the tune of
nearly $6B/year. This is despite massive spending on mostly ineffective virus
scanners --- always keeping us safe from last year's attack, but never
defending against what might come tomorrow.
Internet standard email, as defined by RFC 2822 and a great number of other
documents on MIME, does not use extensions. This means that it is not
possible to mis-represent file content to users --- if the file appears to be
a safe picture, it will always be displayed as a picture, not a trojan.
You have sent me files of type application/octet-stream. I may be able to
guess that they are safe, but I have no real assurance of what they really
contain.
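
The handling described above, as an added example that is not part of the original post: a mail client that dispatches on the declared MIME type only, so an application/octet-stream attachment is saved to disk whatever its name says. The viewer table, the filenames and the message bytes are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Hypothetical viewer table, keyed by declared MIME type and never by extension.
# application/pdf is the registered media type for PDF.
VIEWERS = {"application/pdf": "pdf-viewer", "image/jpeg": "image-viewer"}

def build_sample() -> bytes:
    """Constructed message: the same bill labelled two ways, plus a misnamed file."""
    pdf = b"%PDF-1.4\n% constructed sample bytes\n"
    msg = EmailMessage()
    msg["Subject"] = "Your bill (constructed sample)"
    msg.set_content("Bill attached.")
    msg.add_attachment(pdf, maintype="application", subtype="octet-stream",
                       filename="bill.PDF")
    msg.add_attachment(pdf, maintype="application", subtype="pdf",
                       filename="statement.pdf")
    msg.add_attachment(b"constructed bytes, not an image", maintype="application",
                       subtype="octet-stream", filename="photo.jpg")
    return msg.as_bytes()

def triage(raw: bytes):
    """Return (filename, declared type, action, note) for each attachment."""
    msg = message_from_bytes(raw, policy=policy.default)
    rows = []
    for part in msg.iter_attachments():
        ctype = part.get_content_type()
        viewer = VIEWERS.get(ctype)
        action = f"open with {viewer}" if viewer else "save to disk"
        note = ""
        if ctype == "application/octet-stream":
            # The sender declared nothing useful; the name is not evidence.
            body = part.get_payload(decode=True) or b""
            note = ("ask sender to label as application/pdf"
                    if body.startswith(b"%PDF-") else "content unknown")
        rows.append((part.get_filename(), ctype, action, note))
    return rows

if __name__ == "__main__":
    for row in triage(build_sample()):
        print(row)
```

The `photo.jpg` row is the case the reply is about: the extension promises a picture, the declared type promises nothing, and the client does not guess.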