5) Attachment reporting. (Image 1.5) Not one of these E-Mails, sorted by size, reports having an attachment. Now, understand that an E-Mail of 180KB is a rather large amount of typing. This should give you the first clue about the origin of these E-Mails and their destructive intent. However, some E-Mail programs, if using "HTML" stationery and the like, do not report attachments of .jpg and .gif files if they are part of the layout, for example a background picture or a .jpg signature block. Take note: out of 8400 E-Mails in the last year, only 16 have had "large" images (over 50KB) included as a "normal" part of the E-Mail. Please, for the love of dial-up users around the world, do not send a 295KB picture as a "normal" part of your E-Mail. For the sake of time, I now bounce all E-Mails larger than 50KB.
Can you confirm that such an E-Mail is a virus without "opening" it? Yes, and I will show you how, following this short disclaimer:
ABSOLUTELY, NEVER, EVER double click these files to open them! You WILL be infected.
This method is NOT intended as a substitute for a virus scanner; it relies on the eyes of an ordinary user. However, my network has never been infected by a virus. Ever. What AV software do I run daily? None. I do not visit "questionable" web sites, I use a hardware firewall and I never open an attachment sent via E-Mail. What is the best defense anyone can have? Common sense.
Update November 17, 2003: This deals with yet another mass-mailing worm whose purpose in life is to steal PayPal account information.
This discovery was prompted by one E-Mail that fits the Symantec description perfectly: The subject line contains "YOUR PAYPAL.COM ACCOUNT EXPIRES" and comes from the address of "Do_Not_Reply@paypal.com." It arrived at my inbox at 11:41 AM PST today.
This information was posted November 14, 2003 by Symantec and the virus signatures were updated that day:
However, just a few messages up (more recent), I received much the same message at 12:16 PM PST with a slightly different subject line. This one is "IMPORTANT <several spaces and then random characters>". It also comes from the address "Do_Not_Reply@paypal.com."
The description of this particular message, another scam to steal PayPal account information, was posted on November 17, 2003. Yes, today:
This one tipped me off because it has exactly the type of subject line of a previous virus that has been sent to me often (12 times yesterday, 3 today) for several months. That particular variant comes from the address "admin@<whatever domain the E-Mail is sent to>.com" with the subject line "your account <several spaces and then random characters>".
More information on that particular virus is here:
What I am trying to get across is that people can find viruses in their E-Mail box before virus signatures have been updated. I do not remember the "default" interval at which the automatic update service for Norton Anti-Virus runs, but 24 hours is probably not far from the truth.
What this means is that I could have been infected 3 times (by the number of separate E-Mails) before the signatures were updated. Of course, by the time the automatic update is performed, it could be too late.
Knowledge is power. Period. I knew these E-Mails contained viruses without even thinking about it, from past experience with known subject lines. I looked them up because my curiosity sometimes overwhelms me, and discovered that "I could have received it before they fixed it."
Being careful with the "automatic" actions you perform daily when checking E-Mail, and knowing "what is good and what could be bad," is much more powerful than any virus scanner available. Knowing an E-Mail's intent before even opening it has much more power than "assuming" a person is safe just because an Anti-Virus program is running.
Do I own AV software? Yes. When do I scan the network? Before anything major, like an OS install or a massive hardware change. That way, I know that all of my backed-up data has been scanned with the latest virus definitions and is clear of anything known up to that date. I then install the OS clean, retrieve my safe data and continue as usual without AV software sucking up resources 24/7. Another reason I have avoided infection is that I use one computer strictly for E-Mail. That's it. If anything should happen, such as unexplained memory usage, hard disk activity, network activity or any of the many other signs of a malicious program, I can stop it before catastrophe hits. This also greatly reduces the chance of "important" files being infected across the network, because the system I use for "normal" activities has NO shared resources.
Most people cannot afford a dedicated system for such tasks. However, a pretty clever way of discovering a virus or worm that is scanning the always-targeted Windows Address Book is to place a "unique" address in it that is never used for anything other than as a seed.
Most providers offer multiple E-Mail accounts. Have a disposable one that is used for all "sign up, place E-Mail address here" forms, one that is used for "close friends and family" and another that could be "black83648viper6253@mycoolisp.com." The extended garbage is an "attempt" to ensure dictionary spammers do not easily hit it, and if you ever get an E-Mail to that address, it would be the first clue of possible malicious activity: something that has read your address book is sending mail. Not a guarantee by any means, but at least it could prompt additional investigation. AGAIN: I will always recommend my readers use a virus scanner daily and keep it up to date. There is no reason not to. If you have a single system directly connected to the internet you WILL have virus and firewall protection installed. Security is no laughing matter. Enough said.
6) Check the "real" contents of a suspicious E-Mail. (Image 1.6) Practice this technique on a REAL E-Mail and not a virus-infected one.
This information pertains to Outlook and Outlook Express. Your E-Mail client may vary. Outlook:
- Right-click the E-Mail
- Select Options
- View the Internet Headers located at the bottom of the dialog box
Outlook Express:
- Right-click the E-Mail
- Select Properties
- Select the Details tab
7) Details Tab. (Image 1.7) The Details tab displays all kinds of geeky information: where the E-Mail came from, who it claims to be from and who it REALLY was from. This tab also contains information on what servers it passed through on the way to your computer.
What we are interested in here is the Message Source button.
8) Email Source. (Image 1.8) The contents of the E-Mail attachment are not readable by humans. However, what the file REALLY is and what it will do IS readable.
Highlighted, I have the actual MIME header for the attachment; it tells the E-Mail client what to do with it. In this case, it is:
The funny thing is, the actual file name "height.pif" has nothing to do with "audio." A PIF (Program Information File) is a shortcut to a program, like the ones you would find on your desktop. Again, a real person would NEVER send you an "audio" file saved as a "shortcut."
Why does the .pif matter? Because Windows treats a .pif as a program. If the attachment is opened, the E-Mail client hands it to the OS and the OS runs it, regardless of what the MIME Content-Type header claims (here, audio). The declared type is only a label for the mail client; the file extension decides what Windows does with the file.
This is just one of the many examples I have in my inbox.
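The checks described above (read the Received chain, compare the claimed sender with the entry point, and look at what the attachment really is rather than what its Content-Type says) can be done against the raw message source with Python's standard-library email package. This is an added example and not code from the page; the message below is constructed to mirror the page's case (a "height.pif" attachment declared as audio), with placeholder hosts and documentation-range IPs.

```python
import email
import os
from email import policy

# Extensions Windows runs as programs when the attachment is opened.
# Assumption: a practical list, not an exhaustive one.
EXECUTABLE_EXTS = {".pif", ".scr", ".exe", ".com", ".bat", ".cmd", ".vbs", ".js", ".lnk"}

# Constructed sample message. The From address and subject mirror the worm the
# page describes; the base64 body is just an "MZ" executable header padded out.
RAW_MESSAGE = b"""Return-Path: <someone@mail.example.invalid>
Received: from mail.example.invalid (mail.example.invalid [192.0.2.10])
\tby mx.blkviper.example (Postfix) with ESMTP id 0123456789
\tfor <bv@blkviper.example>; Mon, 17 Nov 2003 11:41:02 -0800
Received: from [198.51.100.23] (unknown [198.51.100.23])
\tby mail.example.invalid with SMTP; Mon, 17 Nov 2003 11:40:55 -0800
From: "PayPal" <Do_Not_Reply@paypal.com>
To: bv@blkviper.example
Subject: YOUR PAYPAL.COM ACCOUNT EXPIRES
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="bnd"

--bnd
Content-Type: text/plain

Your account expires, see the attached file.
--bnd
Content-Type: audio/x-wav; name="height.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="height.pif"

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--bnd--
"""


def parse_raw(raw):
    """Parse the message source (what Outlook Express shows under Message Source)."""
    return email.message_from_bytes(raw, policy=policy.default)


def received_chain(msg):
    """Received: headers, oldest hop first. Each relay prepends its own header,
    so the last one in the source is the hop closest to the real origin."""
    hops = msg.get_all("Received", [])
    return [" ".join(h.split()) for h in reversed(hops)]


def sender_summary(msg):
    """Who the mail says it is from versus where it entered the mail system."""
    chain = received_chain(msg)
    return {
        "from_header": str(msg["From"]),
        "return_path": str(msg["Return-Path"]),
        "first_hop": chain[0] if chain else None,
    }


def attachment_report(msg):
    """One record per attachment: the declared type, the extension Windows
    will act on, and whether the bytes start with the MZ executable header."""
    report = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        declared = part.get_content_type()
        data = part.get_payload(decode=True) or b""
        executable_ext = ext in EXECUTABLE_EXTS
        report.append({
            "filename": name,
            "declared_type": declared,
            "executable_ext": executable_ext,
            # "audio/x-wav" on a .pif: the label and the name disagree
            "type_mismatch": executable_ext and not declared.startswith("application/"),
            "looks_like_exe": data[:2] == b"MZ",
        })
    return report


def is_suspicious(raw):
    """True if any attachment is a program by extension or by content."""
    return any(r["executable_ext"] or r["looks_like_exe"]
               for r in attachment_report(parse_raw(raw)))


if __name__ == "__main__":
    m = parse_raw(RAW_MESSAGE)
    print(sender_summary(m))
    for hop in received_chain(m):
        print("hop:", hop)
    for r in attachment_report(m):
        print("attachment:", r)
    print("suspicious:", is_suspicious(RAW_MESSAGE))
```

The extension check is what matters on Windows: the Content-Type line is advisory, while the name decides what happens on a double-click. The MZ check catches the reverse trick, an executable renamed to a harmless-looking extension, which no declared type will reveal either.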
How can you create filters to do the same as what I have displayed here? Easy. READ MORE...
How to filter your E-Mail using Outlook Express
Spam and viruses do not have to get you down. Here, I take a look at the filters I use to get the results you saw on the previous page. It is not magic. With effective filters, a huge amount of spam can be dealt with behind the scenes using tools you already have at your disposal.
9) Creating Filters in Outlook Express. (Image 2.1) Creating filters in Outlook Express does not have to be difficult. In fact, it is a rather easy task! Select Tools, Message Rules, then Mail.
10) Viewing Rules. (Image 2.2) Some important information to note: the rules are applied in the order they appear. Also, if you want processing to stop after a particular rule matches, select "Stop processing more rules" in that rule's options.
This rule takes everything not addressed directly to me in the To: field, deletes it automatically and stops processing any more rules.
With this same technique, you can add rules to "white list" people's E-Mail addresses or domains and ALWAYS send them to your Inbox (or another folder). This keeps "valid" newsletters from being deleted when they are sent in a way that hides whom the newsletter is addressed to (Bcc, for example). Ensure that the white-listing rule is FIRST in the list. How can you add a rule?
11) Adding New Rules. (Image 2.3)
Click the New button in the Mail Rules tab.
Here you will see a number of options that could be a complete topic in themselves. However, you can experiment with what works best for you and your situation by thinking about the additional rules I describe later.
In order to create the "Not to me" rule, select "Where the To line contains people". Edit it by selecting the blue underlined text in the lower portion of the window and add your E-Mail address. Select the Options button and modify the rule to say "message does not contain the people below". After clicking enough OKs to get back, ensure that you add an action to your rule in the mid-portion of the dialog.
12) This is my "Default Subject Line" filter. (Image 2.4) Oddly enough, many people feel compelled either not to include my default subject line or to modify it. That is why I have a loose rule pertaining to my subject line.
The actual line is "A Question or Comment for Black Viper." However, if you include "comment" or "Black" or "Viper" in the subject line, it will still get through to me.
Update 18APR2003: Due to some spammers automatically including the E-Mail address in the subject line, I have modified my filter to say "Black Viper" and not just "Viper." Why? Because "Viper" is part of my E-Mail address (...@blkviper.com) and the spams that have been including it in the subject line have been slipping through. This rule also sends the message to a particular folder that I view by default. In reality, a rapid reply will result if I have to do little to reply to an E-Mail. Pass my filters and the information you desire is yours. :)
Absolutely zero spams from robots have gotten through. Why? The robots may include "bv" (since that is the part before the @ symbol in the E-Mail address) in the subject line, but never have they equated "Black Viper" with "bv." Actually, many spams will include the part before the @ symbol, then a comma, then some spam message. One of my filters detects "bv," and "bv@" in the subject line and deletes the message.
13) This filter detects "Diet" spam keywords in the subject line. (Image 2.5) Here I am looking for particular words in the subject line, highlighting the message red and then moving it to the "SPAM" folder. The colour is a visual cue that the E-Mail used "bad" words and probably did not come from an actual person.
14) This filter detects "General" spam words in the subject line. (Image 2.6) Here I am looking for particular words, like "mortgage," "free," "$," etc., in the subject line, highlighting the message red and then moving it to the "SPAM" folder.
To avoid hate mail, I will not show my "p0rn" filter publicly, but I am sure you get the idea as to the words I filter.
15) This filter moves any other E-Mail that did not match any previous rule to the SPAM folder. (Image 2.7) Without it, those E-Mails would land in the "Inbox," but I really do not like that, as I highly doubt that a "legit" E-Mail would pass through all of my filters without matching one; whatever is left is almost certainly spam.
16) Blocking Domains. (Image 2.8) If you find that your filters are catching lots of E-Mails from a particular domain, you can block it before it even gets to you.
The Blocked Senders tab is processed BEFORE any rules are applied. It drops mail from particular E-Mail addresses, like "someone@domain.com," or from whole domains, like "spamsender.com."
As a result, it would be very wise not to block E-Mails from "popular" domains, such as "hotmail.com" or "yahoo.com," because, even though many spammers fake addresses with these domains, many people use these services for their personal E-Mail. However, if you get an E-Mail from "bulkemail.org," I am sure that no legitimate person will be sending you an E-Mail from an account at that domain... and if they did, would you want to get it?
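The whole pipeline described in items 10 through 16, plus the seed-address idea from the previous page, can be modelled as an ordered rule list in a few lines of Python so the ordering and "Stop processing more rules" behaviour can be tested instead of guessed at. This is an added example and not code from the page: the addresses, domains and word lists below are assumptions standing in for the author's own, and the function and rule names are mine.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Mail:
    sender: str    # address from the From: header
    to: str        # the raw To: line
    subject: str


@dataclass
class Rule:
    name: str
    condition: Callable[[Mail], bool]
    folder: Optional[str] = None   # "Move it to the specified folder" / "Delete it"
    colour: Optional[str] = None   # "Highlight it with color"
    stop: bool = True              # "Stop processing more rules"


# Assumed values; only the seed address is the one quoted on the page.
MY_ADDRESS = "bv@blkviper.example"
SEED_ADDRESS = "black83648viper6253@mycoolisp.com"
WHITELIST_DOMAINS = {"family.example"}
BLOCKED_SENDERS = {"bulkemail.org", "spammer@example.net"}
DIET_WORDS = ("diet", "weight loss", "lose")
GENERAL_WORDS = ("mortgage", "free", "$")


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def is_blocked(mail):
    """Blocked Senders tab: applied before any rule, by full address or whole domain."""
    sender = mail.sender.lower()
    return sender in BLOCKED_SENDERS or domain_of(sender) in BLOCKED_SENDERS


def subject_has(words):
    """'Where the Subject line contains specific words' (any of them)."""
    return lambda m: any(w in m.subject.lower() for w in words)


RULES = [
    # Seed address: nobody legitimate uses it, so any hit is a lead to investigate.
    Rule("seed-address", lambda m: SEED_ADDRESS in m.to.lower(), folder="Investigate", colour="Red"),
    # Whitelist FIRST, so newsletters that hide the recipient survive the next rule.
    Rule("whitelist", lambda m: domain_of(m.sender) in WHITELIST_DOMAINS, folder="Inbox"),
    # "Not to me": delete and stop.
    Rule("not-to-me", lambda m: MY_ADDRESS not in m.to.lower(), folder="Deleted Items"),
    # Default subject line, loosely matched, goes to the folder read first.
    Rule("default-subject", subject_has(("black viper", "comment")), folder="Questions"),
    # Robots that paste the local part of the address into the subject.
    Rule("bv-in-subject", lambda m: re.search(r"\bbv[,@]", m.subject, re.I) is not None,
         folder="Deleted Items"),
    # Keyword filters: highlight red and move to SPAM.
    Rule("diet", subject_has(DIET_WORDS), folder="SPAM", colour="Red"),
    Rule("general", subject_has(GENERAL_WORDS), folder="SPAM", colour="Red"),
    # Catch-all: anything that matched nothing above is assumed to be spam.
    Rule("catch-all", lambda m: True, folder="SPAM"),
]


def route(mail, rules=RULES):
    """Blocked Senders first, then the rules in list order; a matching rule with
    'stop' set ends processing. Returns the final folder, colour and rules that fired."""
    result = {"folder": "Inbox", "colour": None, "fired": []}
    if is_blocked(mail):
        result["folder"] = "Blocked"
        return result
    for rule in rules:
        if not rule.condition(mail):
            continue
        result["fired"].append(rule.name)
        if rule.folder is not None:
            result["folder"] = rule.folder
        if rule.colour is not None:
            result["colour"] = rule.colour
        if rule.stop:
            break
    return result


if __name__ == "__main__":
    newsletter = Mail("news@family.example", "undisclosed-recipients:;", "Weekly update")
    print("whitelist first:", route(newsletter))
    print("whitelist last: ", route(newsletter, RULES[2:] + RULES[:2]))
```

The two calls at the bottom show why the whitelist must come first: with the rule order swapped, the same newsletter hits "not-to-me" and is deleted before the whitelist is ever consulted.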
I hope this offered some insight into the techniques I use, not only to fight spam, but to identify the clever viruses out there attempting to suck up bandwidth from the rest of the internet. If this has helped you, feel free to Contact BV, but remember to leave the default subject line intact... or your E-Mail could be tagged and automatically deleted as spam.