Recent news such as “Storm Worm Hits Computers Around the World,” published January 19, 2007 in eWeek, and “CA Predicts More Attacks on Experienced Users,” also published in eWeek, on January 25, 2007, along with recent correspondence with long time VirusWarn subscribers and my wife, Janet, suggest that others might like to know how I evaluate incoming email messages.
In the McAfee AVERT Labs security blog, on January 23, 2007, Allysa Myers wrote Musings on internet “Common Sense”. Although I didn't see her post until after I posted this article on 28 January, her remarks are closely related. This article is about applying some common sense to evaluating new email messages.
Assume New Email Is Hostile!
Unfortunately, the only safe way to handle incoming email is to assume it’s all hostile until proven otherwise. So how do I handle the hundreds of new messages that arrive in my Inbox each day?
I have devised a simple strategy that works well for me. Evaluation is divided into the following four phases.
- Evaluate the Sender and Subject.
- Evaluate the Message Body.
- Evaluate the Links.
- Evaluate the Attachments.
Since not all messages contain links and attachments, phases 3 and 4 apply to only some of your messages. Besides, most messages never make it past phases 1 and 2.
Evaluate the Sender and Subject
Phase 1 of the evaluation happens in the index view of your mail reader. (Microsoft Outlook or Outlook Express, Eudora, Pegasus, Netscape, Seamonkey, or whatever email program you use, its generic name is “mail reader.”) Regardless of which program you use, the index typically contains the following headings, and, perhaps, others.
- From. This column shows the “friendly name” of the sender, such as “Lee A. Drake.”
- Flags. This column contains flags for such things as messages that the sender marked as urgent.
- Attachments. This column is blank, unless the message has one or more attachments. Messages with attachments usually display an icon that looks like a paper clip.
- Subject. This is the subject assigned by the sender.
- Received. This is the time that the message arrived at your mail server.
These are the labels used by Microsoft Outlook and Outlook Express. Other programs may use different names, but you should be able to figure that out for your email program, so that you can follow the remainder of this section. The next few sections briefly summarize the role that each column plays in this phase of message evaluation.
From
Be very wary of this field, as it is easily spoofed!
You may be surprised to learn that anybody can configure their email program to send mail that appears, on the surface, to come from someone else. For instance, I can configure my mail program to send mail that appears to be from Lee Drake, or even George W. Bush, the President of the United States!
I don’t even need a separate email address in order to spoof the sender name, nor great technical skill, although I won’t explain how in this article.
Besides, there are other ways to spoof an email address, most of which are best suited to robot programs and worms, which have been spoofing sender fields for at least a decade.
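The friendly name and the From address are the part of a message the sender's own program writes, so they prove nothing by themselves. What the sender cannot write is the Received line that your own mail server adds when it accepts the message, and the envelope sender (Return-Path) comes from the delivering server too. The script below is an added example of mine, not something from the original article: it parses two constructed messages and reports where the Return-Path, Reply-To and the topmost Received header disagree with the domain shown in the From line. The addresses, host names and the two-label "registrable domain" shortcut are all assumptions made for the example.

```python
import re
import email
from email import policy
from email.utils import parseaddr

# Constructed sample, not a real message: the friendly name and From address
# claim example.com, but the envelope sender (Return-Path), the Reply-To and
# the relay that handed the message to our server belong to other domains.
SPOOFED_MESSAGE = """\
Return-Path: <bounce-1234@mail.example.net>
Received: from relay.example.net (relay.example.net [192.0.2.10])
  by mx.example.org with ESMTP; Fri, 19 Jan 2007 10:00:00 -0500
From: "Lee A. Drake" <lee.drake@example.com>
Reply-To: <lee.drake.mail@example.biz>
To: reader@example.org
Subject: Check this out

Hello,
"""

# Constructed sample where every header agrees with the From domain.
CONSISTENT_MESSAGE = """\
Return-Path: <lee.drake@example.com>
Received: from mail.example.com (mail.example.com [192.0.2.20])
  by mx.example.org with ESMTP; Fri, 19 Jan 2007 10:05:00 -0500
From: "Lee A. Drake" <lee.drake@example.com>
To: reader@example.org
Subject: Star Trek clip

Hello,
"""


def registrable_domain(host):
    """Crude approximation of the owning domain: the last two labels.
    Adequate for .com/.net/.org; a real tool would use the public suffix list."""
    return ".".join(host.lower().strip().split(".")[-2:])


def sender_consistency(raw):
    """Return (header, detail) findings for headers that disagree with the From
    domain. An empty list means the headers agree with each other; it does not
    prove the sender is genuine, it only removes one reason for suspicion."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    _, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = registrable_domain(from_addr.rpartition("@")[2])

    # Both of these are set by whoever really sent the message, and a forger
    # often leaves them pointing at the infrastructure actually used.
    for header in ("Return-Path", "Reply-To"):
        _, addr = parseaddr(str(msg.get(header, "")))
        if not addr:
            continue
        dom = registrable_domain(addr.rpartition("@")[2])
        if dom != from_dom:
            findings.append((header, f"{dom} does not match From domain {from_dom}"))

    # The topmost Received header was written by our own server when it accepted
    # the message, so the sending program could not have forged it.
    received = msg.get_all("Received") or []
    if received:
        m = re.search(r"from\s+([A-Za-z0-9.-]+)", str(received[0]))
        if m and registrable_domain(m.group(1)) != from_dom:
            findings.append(("Received", f"delivered by {m.group(1)}, not a {from_dom} host"))
    return findings


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED_MESSAGE), ("consistent", CONSISTENT_MESSAGE)):
        print(name, sender_consistency(raw))
```

Most mail readers hide these headers behind a "view source" or "message options" command; the point of the script is simply that the lines worth reading are the ones the sender did not get to write.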
Flags
This column plays almost no role in my evaluation of messages, except for determining the order in which they progress to the second phase.
Attachments
This column plays no role in this phase. Later phases provide the detail needed to evaluate attachments effectively.
Subject
I evaluate the subject along with the sender name, as explained next.
Received
Beyond helping me decide the order in which to evaluate messages in Phase 2, this column plays no role.
Ok, enough explanation, let’s get on with Phase 1!
Unless I’m expecting a message from a particular sender, I sort the messages by subject, and scan the subject. This eliminates scores of messages, because, for example, I’m not interested in bigger breasts or “Stock UpTicks.” All those go away, even if they appear to be from someone that I know, such as Lee A. Drake.
If the subject appears relevant, I check the Sender column, and ask myself whether this sender would be likely to send me a message about this subject. For example, I wouldn’t expect a message from Office Depot about having the muffler on my car checked. I’m exaggerating, but you get the idea.
Messages with certain subjects from certain senders are a special case. For example, a message from a bank or other organization about a security breach in their on-line system goes straight to the trash, unless I happen to have an account with the organization; in that case it reaches Phase 2, but gets special treatment there.
If the sender and subject look OK, the message makes it to Phase 2; otherwise, it’s headed for the bit bucket.
Evaluate the Message Body
Messages that survive Phase 1 get opened, in an order determined by the sender, subject, and, occasionally, other criteria. Although most of the following applies to messages from vendors, it applies, with a bit more leeway, to all incoming mail, even from my best friends.
Each message is opened and scanned. Especially if it’s from a stranger, or appears to be promotional in nature, I evaluate whether the person or organization whose name appears in the Sender field actually sent this message.
- A message from the Kimball Art Museum that says it’s about an upcoming exhibit of the work of Van Gogh should contain such things as exhibit dates and hours, ticket prices, and a phone number that I can call for more information or to order tickets.
- A message from the Sears Portrait Studio about a special on Valentine’s Day portraits should give details about the offer, include a phone number to call for an appointment or more information, and, hopefully, explain how they got my name, and how I can stop receiving future offers.
- A message from the Microsoft Security Response Center or the US-CERT Coordinating Center that says it’s about the release of a security bulletin had better discuss that bulletin, be in plain text, and have a PGP signature embedded in it.
Notices from Organizations with Whom I Have an Account
Notices that appear to be from a bank or other organization with whom I happen to have an account require special attention. Unless the message contains information about me that only that organization would know, such as the name under which I registered, and part (usually the last few digits) of my account number, it goes in the trash, unless I decide to report it to their security office.
Once in a while, I do forward messages to the security office of the organization whose name has been taken in vain. How I handle such messages is beyond the scope of this article.
We aren’t finished with the body. It plays an important role in Phases 3 and 4.
Evaluate the Links
The art of convincing you to open messages and follow the links is called social engineering, and the bad guys are getting a lot better at it.
A sender who wants me to follow a link must say something about the link in the body, and it must be something that was clearly written by that sender.
Usually, this means that the sender writes something that gives the link an appropriate context. For instance, if Lee Drake sent me a message containing a link to a clip about Star Trek, he might say something about our mutual interest in the television series, or about an episode that came to mind when he saw the clip.
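Context in the body is the test I apply by eye; the mechanical counterpart is to compare what a link says with where it actually goes, since a message written in HTML can show one address as the link text and send you to another. The script below is an added example of mine, not code from the original article. It collects every anchor from a constructed HTML body and flags links whose visible text names a different host than the destination, or whose destination is a bare IP address rather than a named host. The sample body, the host names and the two-label domain shortcut are assumptions made for the example.

```python
import re
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML body, not a real message. The first link shows one address in
# its text but points somewhere else; the second is the kind of link a friend
# sends with context, and its text and destination agree.
SAMPLE_BODY = """
<p>Your account needs attention. Please sign in at
<a href="http://192.0.2.7/login">www.example-bank.com</a> within 24 hours.</p>
<p>Here is that Star Trek clip I mentioned at lunch:
<a href="http://video.example.org/trek/episode12">http://video.example.org/trek/episode12</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every anchor in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host name; a crude stand-in for the owning domain."""
    return ".".join(host.lower().split(".")[-2:])


def suspicious_links(html):
    """Return (href, text, reasons) for anchors whose destination does not match
    what the visible text claims, or that point at a bare IP address."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        reasons = []
        try:
            ipaddress.ip_address(host)
            reasons.append("destination is a bare IP address, not a named host")
        except ValueError:
            pass  # a normal host name; nothing to report on this count
        # Does the link text itself look like a host name or URL?
        claimed = re.search(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", text, re.I)
        if claimed and registrable_domain(claimed.group(1)) != registrable_domain(host):
            reasons.append(f"text names {claimed.group(1)} but link goes to {host}")
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_BODY):
        print(f"{text!r} -> {href}: {'; '.join(reasons)}")
```

Hovering over a link in most mail readers shows the real destination in the status bar, which is the manual version of the same comparison.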
Evaluate the Attachments
All attachments should be treated as hostile.
Because attachments open in the security context of the local machine, the My Computer Zone, they pose the greatest risk to you and your computer. Anything that opens or runs in the My Computer Zone can do anything that you can do, including run code. In some cases, code embedded in attachments runs without further warning.
If someone sends me a message that contains an attachment that I have not been told in advance to expect, the body of the message must clearly explain why I am receiving the attachment, and what the sender expects me to do with it.
I extend the same courtesy to my correspondents. Here is an example from a message that I sent to a client a few days ago.
Attached Microsoft Excel workbook Property_Tax_Proration_Calculator_Proofs.XLS contains manual calculations that I carried out, using mostly basic functions of Microsoft Excel.
The message informs its reader that the attachment opens in Microsoft Excel, and that it contains manual calculations that I carried out. The message said a good bit more about the workbook, but this fragment conveys how I establish that the message is really from me, and that the document is too.
Really Risky Attachments
Many modern email programs, including recent versions of Microsoft Outlook and Outlook Express, automatically strip certain types of attachments, because there is no legitimate reason to attach such files to email messages. Even programmers, who have legitimate reasons, from time to time, to send them, can do so by embedding them in a ZIP file, which most mail programs will let pass.
This hasn’t stopped the social engineers who work with the bad guys from trying to convince you to open a Zip file containing such a file. Icons for Dangerous Email Message Attachments is a table of icons associated with this class of really dangerous attachments.
If you see one of these icons next to a file, either in an attachment or inside a Zip file, click it at your own risk.
You have been warned!
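The stripping that Outlook does stops at the ZIP boundary, which is exactly why the dangerous files now arrive wrapped. The script below is an added example of mine, not code from the original article or from any mail program. It builds a constructed message with two attachments, a ZIP hiding an executable behind a document-looking name and an ordinary Excel workbook, then lists every attachment, looks one level inside any ZIP, and flags executable types and double extensions. The list of risky extensions is my own selection (the article names none), and the file names and bytes are constructed for the example.

```python
import io
import os
import email
import zipfile
from email import policy
from email.message import EmailMessage

# My own short list of executable attachment types; check your mail program's
# documentation for the full set it blocks.
RISKY_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs",
                    ".js", ".hta", ".lnk", ".msi", ".reg", ".cpl"}
# Document extensions that get placed in front of the real one to mislead.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".xls", ".txt", ".jpg", ".gif"}


def build_sample_message():
    """Construct a sample message (not a real one) with two attachments: a ZIP
    that hides an executable behind a document-looking name, and a plain XLS."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("Invoice.pdf.exe", b"MZ placeholder bytes, not a real program")
        archive.writestr("readme.txt", b"nothing to see here")
    msg = EmailMessage()
    msg["From"] = "Billing <billing@example.net>"
    msg["To"] = "reader@example.org"
    msg["Subject"] = "Your invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="invoice.zip")
    msg.add_attachment(b"placeholder spreadsheet bytes", maintype="application",
                       subtype="vnd.ms-excel",
                       filename="Property_Tax_Proration_Calculator_Proofs.XLS")
    return msg.as_bytes()


def check_name(name, label):
    """Flag a file name that is an executable type or wears a double extension."""
    findings = []
    stem, ext = os.path.splitext(name)
    if ext.lower() in RISKY_EXTENSIONS:
        findings.append((label, f"executable type {ext.lower()}"))
    if os.path.splitext(stem)[1].lower() in DOCUMENT_EXTENSIONS:
        findings.append((label, "document-looking name in front of the real extension"))
    return findings


def risky_attachments(raw):
    """Return (label, reason) findings for every attachment, looking one level
    inside ZIP archives because that is how blocked types usually arrive."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        findings.extend(check_name(name, name))
        if zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                for inner in archive.namelist():
                    findings.extend(check_name(inner, f"{name} -> {inner}"))
    return findings


if __name__ == "__main__":
    for label, reason in risky_attachments(build_sample_message()):
        print(f"{label}: {reason}")
```

Note that the workbook from my own message passes this check cleanly, while the ZIP's contents are flagged twice without anything having been opened or run; listing an archive's names is all it takes.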
These many words describe a simple, fast, effective process for eliminating mail that you can, and should, discard.
I hope it helps others fight back against the increasingly sophisticated social engineering tactics being employed against you and me.