Wednesday, June 28, 2017
  Login
  Our sponsors
  Safe Handling of Email Messages
Location: BlogsWizard Wisdom    
Posted by: David Gray 1/26/2007
Recent press coverage and personal correspondence suggest to me that the social engineering tactics being used by the bad guys is greatly improved, and now is a good time to share my method of filtering email messages with others.

Recent news such as “Storm Worm Hits Computers Around the World,” published January 19, 2007 in eWeek, and “CA Predicts More Attacks on Experienced Users,” also published in eWeek, on January 25, 2007, along with recent correspondence with long time VirusWarn subscribers and my wife, Janet, suggest that others might like to know how I evaluate incoming email messages.

In the McAfee AVERT Labs security blog, on January 23, 2007, Allysa Myers wrote Musings on internet “Common Sense”. Although I didn't see this article until after I posted this article on 28 January, her remarks are closely related. This article is about applying some common sense to evaluating new email messages.

Assume New Email Is Hostile!

Unfortunately, the only safe way to handle incoming email is to assume it’s all hostile until proven otherwise. So how do I handle the hundreds of new messages that arrive in my Inbox each day?

I have devised a simple strategy that works well for me. Evaluation is divided into the following four phases.

  1. Evaluate the Sender and Subject.
  2. Evaluate the Message Body.
  3. Evaluate the Links.
  4. Evaluate the Attachments.

Since not all messages contain links and attachments, phases 3 and 4 apply to only some of your messages. Besides, most messages never make it past phases 1 and 2.

Evaluate the Sender and Subject

Phase 1 of the evaluation happens in the index view of your mail reader. (Microsoft Outlook or Outlook Express, Eudora, Pegasus, Netscape, Seamonkey, or whatever email program you use, its generic name is “mail reader.”) Regardless of which program you use, the index typically contains the following headings, and, perhaps, others.

  • From. This column shows the “friendly name” of the sender, such as “Lee A. Drake.”
  • Flags. This column contains flags for such things as messages that the sender marked as urgent.
  • Attachments. This column is blank, unless the message has one or more attachments. Messages with attachments usually display an icon that looks like a paper clip.
  • Subject. This is the subject assigned by the sender.
  • Received. This is the time that the message arrived at your mail server.

These are the labels used by Microsoft Outlook and Outlook Express. Other programs may use different names, but you should be able to figure that out for your email program, so that you can follow the remainder of this section. The next few sections briefly summarize the role that each column plays in this phase of message evaluation.

From

Be very wary of this field, as it is easily spoofed!

You may be surprised to learn that anybody can configure their email program to send mail that appears, on the surface, to come from someone else. For instance, I can configure may mail program to send mail that appears to be from Lee Drake, or even George W. Bush, the President of the United States!

I don’t even need a separate email address in order to spoof the sender name, nor great technical skill, although I won’t explain how in this article.

Besides, there are other ways to spoof an email address, most of which are best suited to robot programs and worms, which have been spoofing sender fields for at least a decade.

Flags

This plays almost no role in my evaluation of messages, except for determining the order in which they progress to the second phase.

Attachments

This plays no role in this phase. Later phases offer more detail that is necessary to effectively carry them out.

Subject

I evaluate the subject along with the sender name, as explained next.

Received

Beyond helping me decide the order in which to evaluate messages in phase 2, this column plays no role.

Ok, enough explanation, let’s get on with Phase 1!

Unless I’m expecting a message from a particular sender, I sort the messages by subject, and scan the subject. This eliminates scores of messages, because, for example, I’m not interested in bigger breasts or “Stock UpTicks.” All those go away, even if they appear to be from someone that I know, such as Lee A. Drake.

If the subject appears relevant, I check the Sender column, and ask myself whether this sender would be likely to send me a message about this subject. For example, I wouldn’t expect a message from Office Depot about having the muffler on my car checked. I’m exaggerating, but you get the idea.

Messages with certain subjects from certain senders are a special case. For example, a message from a bank or other organization about a security breach in their on-line system go straight to the trash, unless I happen to have an account with the organization; though they will reach Phase 2, they get special treatment.

If the sender and subject look OK, the message makes it to Phase 2; otherwise, it’s headed for the bit bucket.

Evaluate the Message Body

Messages that survive Phase 1 get opened, in an order determined by the sender, subject, and, occasionally, other criteria. Although most of the following applies to messages from vendors, it applies, with a bit more leeway, to all incoming mail, even from my best friends.

Each message is opened and scanned. Especially if it’s from a stranger, or appears to be promotional in nature, I evaluate whether the person or organization whose name appears in the Sender field actually sent this message.

  • A message from the Kimball Art Museum that says it’s about an upcoming exhibit of the work of Van Gogh should contain such things as exhibit dates and hours, ticket prices, and a phone number that I can call for more information or to order tickets.
  • A message from the Sears Portrait Studio about a special on Valentine’s Day portraits should give details about the offer, include a phone number to call for an appointment or more information, and, hopefully, explain how they got my name, and how I can stop receiving future offers.
  • A message from the Microsoft Security Response Center or the US-CERT Coordinating Center that says it’s about the release of a security bulletin had better discuss that bulletin, be in plain text, and have a PGP signature embedded in it.

Notices from Organizations with Whom I Have an Account

Notices that appear to be from a bank or other organization with whom I happen to have an account require special attention. Unless the message contains information about me that only that organization would know, such as the name under which I registered, and part (usually the last few digits) of my account number, it goes in the trash, unless I decide to report it to their security office.

Once in a while, I do forward messages to the security office of the organization whose name has been taken in vain. How I handle such messages is beyond the scope of this article.

We aren’t finished with the body. It plays an important role in Phases 3 and 4.

Evaluate the Links

Messages that contain embedded links, even if sent from trustworthy associates, require extra scrutiny, because robots can be programmed to send such messages, and because they can cause serious damage to your computer, its security, and your personal privacy and security. Although email messages formatted in HTML are fairly safe, because modern mail programs prevent embedded script from executing, you have virtually no safety net when you click a link. For instance, Microsoft Outlook opens HTML messages in the Restricted Zone, but links in email messages open in the Internet Zone. Depending on your Web browser settings, this may permit some scripts to execute. On my machine, JavaScript is enabled in the Internet Zone, because so many Web sites use it, and it is relatively safe.

The art of convincing you to open messages and follow the links is called social engineering, and the bad guys are getting a lot better at it.

A sender who wants me to follow a link must say something about the link in the body, and it must be something that was clearly written by that sender.

Usually, this means that the sender writes something that gives the link an appropriate context. For instance, if Lee Drake sent me a message containing a link to a clip about Star Trek, he might say something about our mutual interest in the television series, or about an episode that came to mind when he saw the clip.

Evaluate the Attachments

All attachments should be treated as hostile.

Because attachments open in the security context of the local machine, the My Computer Zone, they pose the greatest risk to you and your computer. Anything that opens or runs in the My Computer Zone can do anything that you can do, including run code. In some cases, code embedded in attachments runs without further warning.

If someone sends me a message that contains an attachment that I have not been told in advance to expect, the body of the message must clearly explain why I am receiving the attachment, and what the sender expects me to do with it.

I extend the same courtesy to my correspondents. Here is an example from a message that I sent to a client a few days ago.

Attached Microsoft Excel workbook Property_Tax_Proration_Calculator_Proofs.XLS contains manual calculations that I carried out, using mostly basic functions of Microsoft Excel.

The message informs its reader that the attachment opens in Microsoft Excel, and that it contains manual calculations that I carried out. The message said a good bit more about the workbook, but this fragment conveys how I establish that a message is really from me, and so is the document.

Really Risky Attachments

Many modern email programs, including recent versions of Microsoft Outlook and Outlook Express automatically strip certain types of attachments, because there is no legitimate reason to attach such files to email messages. Even programmers, who have legitimate reasons, from time to time, to send them, can do so by embedding them in a ZIP file, which most mail program will let pass.

This hasn’t stopped the social engineers who work with the bad guys from trying to convince you to open a Zip file containing such a file. Icons for Dangerous Email Message Attachments is a table of icons associated with this class of really dangerous attachments.

If you see one of these icons next to a file, either in an attachment or inside a Zip file, click it at your own risk.

You have been warned!

Summary

These many words describe a simple, fast, effective process for eliminating mail that you can, and should, discard.

I hope it helps others fight back against the increasingly sophisticated social engineering tactics being employed against you and me.

Copyright ©2007 David Gray
Permalink |  Trackback

Your name:
Title:
Comment:
Add Comment   Cancel 
  David's Blog Archive   
  Search David's Blog   
Wizardwrx
Viruswarn banner
Click to visit WW.
  About David Gray   
David._100x94jpg.jpg

David Gray is Founder and Chief Wizard of WizardWrx. Beginning in 1985, David has created imaginative solutions to problems for businesses around the world. With numerous programming languages and technologies at his disposal, his applications stretch the limits of what many people think is possible.

David brings to his projects a wealth of experience in accounting, business and process management, system architecture, and programming.

David has led or founded a number of user groups over the last 21 years, including the Metroplex Access Developers, which he founded in 1995. He has spoken before user groups, both in the Dallas-Fort Worth area, and in other cities around the US, about numerous topics, ranging from the fundamentals of good report design to very esoteric topics, such as the design and programming of custom text parsers.

As a member of the Greater Irving-Las Colinas Chamber of Commerce, David was one of the founding members of its Ambassadors program, which helps welcome new businesses to the Irving, Texas area, and participates in other Chamber events, to help make visitors feel welcome and included.

Until serious illness forced him to curtail his activities in the last few years, David was also active in other community service organizations, including the Irving Sunrise Rotary Club, Irving Cares, Inc., the Irving Hospital Foundation, and the Irving Police Foundation. Now that his health has improved, David looks forward to finding new ways to resume some involvement in his community.

When he isn’t working, David and his wife, Janet, enjoy a variety of activities, including cooking, good music, both recorded and live, and chasing sunsets and rainbows. David enjoys reading good science fiction, by which he means stories that are more than just cowboys and Indians set in space or in the distant future.

  Browse Blogs   
There are no categories in this blog.
Copyright 2006 by OS-Cubed, Inc.   Terms Of Use  Privacy Statement