Mozilla Thunderbird still doesn’t “get” anti-virus protection

by Michael Alderete on 8/14/2007 · 8 comments

Two and a half years ago, I wrote a post describing a problem I had been having when Rochelle migrated to Mozilla Thunderbird for email, and Norton Anti-Virus was corrupting her Inbox. The gist of the post was that there didn’t seem to be a good anti-virus solution that worked well with Thunderbird.

A couple weeks ago a comment defending Thunderbird came in on the post. I started to respond in another comment, but because the attitude expressed by the commentor is so prevalent in software, I wanted to respond more publicly.

Here’s the meat of the comment (or read in full):

The problem with virus checking in Thunderbird is actually not Thunderbird. It the strategy you are using to scan for email viruses. […] If your antivirus program doesn’t have a function to scan email as it’s downloaded and prior to hitting your inbox, get a real antivirus solution that does. Let’s not be bad mouthing Thunderbird for something you are not doing appropriately in the situation you have.

Well, at the simplest level, this is correct, it’s really just a matter of configuration. But on other levels this philosophy — that the features are there to solve the problem, the user just needs to find and configure them — is not a very customer-friendly one. You could argue that it’s the opposite. There are very few people out there looking to buy “anti-virus software with an email proxy or plug-in to scan incoming emails.” They just want “safe, virus-free email.” By itself, Thunderbird still does not provide this.

And, in spite of 2½ years passing since I wrote the original post, the software and the web site still do not provide any useful information about how to achieve “safe email.” The only official information about anti-virus protection I found today is the FAQ Is Thunderbird susceptible to e-mail viruses?, which still has the same essentially useless information I noted 2½ years ago. On a very real level, the level at which most people will experience the product, getting “safe email” with Thunderbird is a challenge that most people will not be able to meet.

A person can say “don’t bad mouth Thunderbird,” but what they’re really saying is “people who aren’t smart enough to figure out this Thunderbird + anti-virus stuff for themselves should use something else.” I wonder what the response would be if the Thunderbird project posted those words on their web site, instead of the useless words in the FAQ?

Final note: Rochelle’s solution to the dilemma was to switch to Gmail. Works great, and virus-free.

Joe Lewis August 14, 2007 at 8:22 pm

I have switched to Gmail over the past few months as well, mostly because Yingwen has hijacked my PowerBook and I’m too lazy/cheap/swamped to go buy a new machine. ;-)

Matt Gillies August 22, 2007 at 4:05 pm

I must say, the premise of your postings on this issue strike me as so fundamentally flawed that I must comment. Your argument seems to be that Mozilla should provide the end user with direction on how to configure whatever anti-virus software they choose to maximize security. That burden rightly ought to fall on the shoulders of the AV provider. Their documentation should let the end user know how to keep their software in compliance with computing standards. To be sure, Thunderbird is an email client, not an anti-virus system.

Would you say there is a problem with your car, and it is the manufacturers fault, if it does not answer your home telephone?

Secondly, your follow up post clearly exposes your belligerence on the matter. You say Thunderbird says no more on the issue than what was stated two years ago. You reveal your ignorance of the accommodation Mozilla has in fact already provided for incompatible AV systems. Since version 1.5, Thunderbird has under the privacy options a setting expressly for AV optimization. For more information, read the Knowledge Base article at mozillazine.org (http://kb.mozillazine.org/Antivirus_software).

Finally, to be frank, the vast majority of internet users are people for whom the concept of computer security is a mystery at best, and a nuisance at worst. I cannot count the number of time I have had to rescue some poor sod who has crashed her computer by having it so overloaded with spyware and viruses. My conversation with the user invariable includes phrases like, “It’s been like this for months.” “I keep getting these pop-up things… I just minimize them and ignore it.” “The only reason I called you this time is I can’t get into my AOL anymore.”

Each time I help the user get their AV updated, in a matter of a week they will not check to ensure they are getting current definitions, in a matter of a year their subscription will expire and they will not update it. I know that in at least 18 months I will have to again clean this machine. Hopefully, in the span of those first 12 months the user will not make a drone out of that machine and be a problem to us all on the internet.

To argue that any given user is the “exception” is laughable. To such an argument I already have a response: When was the last time you clicked Help?

Thunderbird -> Help -> Mozilla Thunderbird Help -> Search for Anti-virus -> click the FIRST standard search response: Antivirus software - MozillaZine Knowledge Base

Cyrus Farivar September 11, 2007 at 7:41 am

I’d say her solution should be: get a Mac. :-)

Sandy September 13, 2007 at 3:01 pm

well I found a video that explains the best anti virus solution and seems its really true! :) http://www.metacafe.com/watch/816706/anti_virus_protection/

Jonathan Wise October 18, 2007 at 4:42 am

Poor Thunderbird, its in a solid third place behind Outlook and Mail.app, but so many of the, what most would consider basic, features have been a work-in-progress for those 2.5 (or more) years. Its like its almost ready for prime-time, but not quite. And now with so much restructuring and the loss of two key project leaders, I fear the worst for Thunderbird.

And don’t get me started on Sunbird…

be4truth December 22, 2007 at 7:36 pm

I had the same problem on a Linux system with ClamAV. IT found something in Thunderbirds Inbox and on removing it destroyed the inbox completely. Good that this was only a test setup. But if I want to use Thunderbird in non-profit organizations this is not an acceptable solution as it is from the point of the service person too risky to scan Thunderbird. What to do?

Alderete January 8, 2008 at 10:02 am

@Matt Gillies: I would note that MozillaZine’s about page says this: “MozillaZine is not run by the Mozilla Foundation and is not an official part of the Mozilla project.”:http://www.mozillazine.org/about/

I would also argue that the page you recommend for “Thunderbird anti-virus information”:http://kb.mozillazine.org/Antivirus_software is poorly written, virtually incomprehensible to non-technical users, and significantly out of date in many places (referring to Thunderbird version 0.9 is a dead giveaway there).

But mostly I would argue that your comment boils down to exactly what I wrote before: “People who aren’t smart enough to figure out this Thunderbird + anti-virus thing should use something else.” Indeed, I get the impression you think they should get off the Internet entirely. You blame the user, when it wouldn’t be that hard for the tool to be easier to use (if anyone working on Thunderbird actually cared about solving normal people’s problems).

I would finally note that “the main Thunderbird web page”:http://www.mozilla.com/en-US/thunderbird/ no longer has anything to say about viruses or malware, suggesting that there is at least some awareness that Thunderbird doesn’t help very much here.

LikesGadgets April 22, 2008 at 12:21 pm

I’ve got to pipe in here. About two years ago I started to make efforts to get off Microsoft products for new computers. For various reasons, I still need to base some of my PCs (and I have a dozen or so) on Windows (XP of course, nothanks to Vista).

I did a test-import of nearly 10 years of accumulated mail from Outlook into Thunderbird 1.5, and it was successful, turning a 900MB PST into a 1.2GB profile folder. Space is cheap. I cleaned up my multi-account set-up a bit, and have since upgraded to Thunderbird 2.x and then switched to Portable Thunderbird. I recently added the Lightning extensions and synchronize my contacts and calendar using scheduleworld.

I am, as such, a “power-user” of Thunderbird. I’m also a programmer by profession and know my way around various OSs.

My AV of choice is ClamWin for Windows and ClamAV for Linux.

And no, I don’t have any virus protection for my Thunderbird. To be fair, I really don’t receive more than one or two attachments a month, and I can’t even remember when I last received an executable of any type in the mail.

However, I also use Firefox and have it configured to scan downloaded files using ClamWin. If there was a reasonable way to scan incoming messages in TB, I would configure it to do that. However, there is not, and I think that is Michael’s point. Matt seems to misunderstand this.

The Mozilla folks are doing a bang-up job on Firefox and Thunderbird, but to not have a single configuration example for TB+AV for any AV program is a gross omission that borders on negligence. And it’s even more so for the fact that beyond a number of “free” AV solution, there’s a very solid open-source program available. And — Hello Matt — ClamAV even updates virus definitions automatically!

All that aside, I think the best solution for email virus protection is to scan at the server level. My ISP uses an installation of ASSP which not only scrutinizes the headers, but also greylists senders (thus delaying or rejection mail from “drones”) and scans attachments. Local POP3/SMTP proxies were fine and well a couple of years ago, but who uses unencrypted POP3 anymore?

So, Michael — yes, it’s a shame Mozilla doesn’t even document a simple antivirus configuration. It’ll hurt Thunderbird adoption in the long run.

Matt — yes, “security” is unknown to the average computer user these days. Even to some of the “above average” users, it’s difficult. I recall a programmer of mine who got his development machine infected and was about to roll out an infected exe to a few hundred users. That’s exactly the reason why it security has to be made available to those users… and that was the point this blog post is making.

Comments on this entry are closed.

Previous post:

Next post: