Do you like our spider?  Nature photography by Drake Environmental

Wednesday, June 28, 2017
  Our sponsors
  Top Forum Posts
Bogus Electronic Greeting Cards by DavidGray
What Is It? For almost a year, we ...
Router password vulnerability on most routers by LeeDrake
What it is Happy 2008!  And t...
Critical RealPlayer Update Available by DavidGray
What Is It? A remote code executio...
A Word of Caution About Social Networking Web Sites by DavidGray
What Is It? Social networking Web ...
Microsoft Releases Critical Updates for Office 2000 and Office 2004 for the Apple Macintosh by DavidGray
What Is It? Just as all the kids a...
Critical Vulnerabilities in Adobe (Macromedia ) Flash Player by DavidGray
What Is It? Adobe, which now owns ...
Trojan disguises itself as greeting card by LeeDrake
What it is You may have noticed gr...
Critical Updates for Apple Macintosh OS X by DavidGray
What Is It? Apple Computer, Inc.&n...
Critical Update for Animated Cursor Vulnerability in Microsoft Windows by DavidGray
What Is It? There is an unchecked...
DST Adjustments for All Windows Computers by DavidGray
DST Adjustments for All Windows Com...
Viruswarn banner
  The new improved

Welcome to the new, improved  While we're just starting to get the site back up and running, we have some exciting new capabilities.  For the first time the forums for Viruswarn will be integrated directly into the website, rather than hosted at  You will be able to interact with the authors and participate in online discussions.

In addition, we plan to syndicate our blogs, and all our forum content so that you can easily reproduce it on your own site, or add it to your site's main web page.  This syndication capability will make us your source for virus and security warning info.

Once you've registered and logged in you'll have access to exclusive members-only content.

  Infected? Dance the tango!
Dance the Security Tango
  Register or Login

Forgot Password ?
  Recent Viruswarn posts
  Sign up for Viruswarning   

If you don't already receive the viruswarning emails you may login and register for the site and send us a request.  Once you login you'll see the request form here on the home page.  You must register for the site (which gives you full access to the forums) AND also register for the viruswarn mailing list.  If you sign up for the site without signing up for the mailing list - you will not receive the viruswarning notices in your email.

You may always unsubscribe, or change your email from this page as well.

  CERT Alerts
  Safe Handling of Email Messages
Location: BlogsWizard Wisdom    
Posted by: David Gray 1/26/2007

Recent news such as “Storm Worm Hits Computers Around the World,” published January 19, 2007 in eWeek, and “CA Predicts More Attacks on Experienced Users,” also published in eWeek, on January 25, 2007, along with recent correspondence with long time VirusWarn subscribers and my wife, Janet, suggest that others might like to know how I evaluate incoming email messages.

In the McAfee AVERT Labs security blog, on January 23, 2007, Allysa Myers wrote Musings on internet “Common Sense”. Although I didn't see this article until after I posted this article on 28 January, her remarks are closely related. This article is about applying some common sense to evaluating new email messages.

Assume New Email Is Hostile!

Unfortunately, the only safe way to handle incoming email is to assume it’s all hostile until proven otherwise. So how do I handle the hundreds of new messages that arrive in my Inbox each day?

I have devised a simple strategy that works well for me. Evaluation is divided into the following four phases.

  1. Evaluate the Sender and Subject.
  2. Evaluate the Message Body.
  3. Evaluate the Links.
  4. Evaluate the Attachments.

Since not all messages contain links and attachments, phases 3 and 4 apply to only some of your messages. Besides, most messages never make it past phases 1 and 2.

Evaluate the Sender and Subject

Phase 1 of the evaluation happens in the index view of your mail reader. (Microsoft Outlook or Outlook Express, Eudora, Pegasus, Netscape, Seamonkey, or whatever email program you use, its generic name is “mail reader.”) Regardless of which program you use, the index typically contains the following headings, and, perhaps, others.

  • From. This column shows the “friendly name” of the sender, such as “Lee A. Drake.”
  • Flags. This column contains flags for such things as messages that the sender marked as urgent.
  • Attachments. This column is blank, unless the message has one or more attachments. Messages with attachments usually display an icon that looks like a paper clip.
  • Subject. This is the subject assigned by the sender.
  • Received. This is the time that the message arrived at your mail server.

These are the labels used by Microsoft Outlook and Outlook Express. Other programs may use different names, but you should be able to figure that out for your email program, so that you can follow the remainder of this section. The next few sections briefly summarize the role that each column plays in this phase of message evaluation.


Be very wary of this field, as it is easily spoofed!

You may be surprised to learn that anybody can configure their email program to send mail that appears, on the surface, to come from someone else. For instance, I can configure may mail program to send mail that appears to be from Lee Drake, or even George W. Bush, the President of the United States!

I don’t even need a separate email address in order to spoof the sender name, nor great technical skill, although I won’t explain how in this article.

Besides, there are other ways to spoof an email address, most of which are best suited to robot programs and worms, which have been spoofing sender fields for at least a decade.


This plays almost no role in my evaluation of messages, except for determining the order in which they progress to the second phase.


This plays no role in this phase. Later phases offer more detail that is necessary to effectively carry them out.


I evaluate the subject along with the sender name, as explained next.


Beyond helping me decide the order in which to evaluate messages in phase 2, this column plays no role.

Ok, enough explanation, let’s get on with Phase 1!

Unless I’m expecting a message from a particular sender, I sort the messages by subject, and scan the subject. This eliminates scores of messages, because, for example, I’m not interested in bigger breasts or “Stock UpTicks.” All those go away, even if they appear to be from someone that I know, such as Lee A. Drake.

If the subject appears relevant, I check the Sender column, and ask myself whether this sender would be likely to send me a message about this subject. For example, I wouldn’t expect a message from Office Depot about having the muffler on my car checked. I’m exaggerating, but you get the idea.

Messages with certain subjects from certain senders are a special case. For example, a message from a bank or other organization about a security breach in their on-line system go straight to the trash, unless I happen to have an account with the organization; though they will reach Phase 2, they get special treatment.

If the sender and subject look OK, the message makes it to Phase 2; otherwise, it’s headed for the bit bucket.

Evaluate the Message Body

Messages that survive Phase 1 get opened, in an order determined by the sender, subject, and, occasionally, other criteria. Although most of the following applies to messages from vendors, it applies, with a bit more leeway, to all incoming mail, even from my best friends.

Each message is opened and scanned. Especially if it’s from a stranger, or appears to be promotional in nature, I evaluate whether the person or organization whose name appears in the Sender field actually sent this message.

  • A message from the Kimball Art Museum that says it’s about an upcoming exhibit of the work of Van Gogh should contain such things as exhibit dates and hours, ticket prices, and a phone number that I can call for more information or to order tickets.
  • A message from the Sears Portrait Studio about a special on Valentine’s Day portraits should give details about the offer, include a phone number to call for an appointment or more information, and, hopefully, explain how they got my name, and how I can stop receiving future offers.
  • A message from the Microsoft Security Response Center or the US-CERT Coordinating Center that says it’s about the release of a security bulletin had better discuss that bulletin, be in plain text, and have a PGP signature embedded in it.

Notices from Organizations with Whom I Have an Account

Notices that appear to be from a bank or other organization with whom I happen to have an account require special attention. Unless the message contains information about me that only that organization would know, such as the name under which I registered, and part (usually the last few digits) of my account number, it goes in the trash, unless I decide to report it to their security office.

Once in a while, I do forward messages to the security office of the organization whose name has been taken in vain. How I handle such messages is beyond the scope of this article.

We aren’t finished with the body. It plays an important role in Phases 3 and 4.

Evaluate the Links

Messages that contain embedded links, even if sent from trustworthy associates, require extra scrutiny, because robots can be programmed to send such messages, and because they can cause serious damage to your computer, its security, and your personal privacy and security. Although email messages formatted in HTML are fairly safe, because modern mail programs prevent embedded script from executing, you have virtually no safety net when you click a link. For instance, Microsoft Outlook opens HTML messages in the Restricted Zone, but links in email messages open in the Internet Zone. Depending on your Web browser settings, this may permit some scripts to execute. On my machine, JavaScript is enabled in the Internet Zone, because so many Web sites use it, and it is relatively safe.

The art of convincing you to open messages and follow the links is called social engineering, and the bad guys are getting a lot better at it.

A sender who wants me to follow a link must say something about the link in the body, and it must be something that was clearly written by that sender.

Usually, this means that the sender writes something that gives the link an appropriate context. For instance, if Lee Drake sent me a message containing a link to a clip about Star Trek, he might say something about our mutual interest in the television series, or about an episode that came to mind when he saw the clip.

Evaluate the Attachments

All attachments should be treated as hostile.

Because attachments open in the security context of the local machine, the My Computer Zone, they pose the greatest risk to you and your computer. Anything that opens or runs in the My Computer Zone can do anything that you can do, including run code. In some cases, code embedded in attachments runs without further warning.

If someone sends me a message that contains an attachment that I have not been told in advance to expect, the body of the message must clearly explain why I am receiving the attachment, and what the sender expects me to do with it.

I extend the same courtesy to my correspondents. Here is an example from a message that I sent to a client a few days ago.

Attached Microsoft Excel workbook Property_Tax_Proration_Calculator_Proofs.XLS contains manual calculations that I carried out, using mostly basic functions of Microsoft Excel.

The message informs its reader that the attachment opens in Microsoft Excel, and that it contains manual calculations that I carried out. The message said a good bit more about the workbook, but this fragment conveys how I establish that a message is really from me, and so is the document.

Really Risky Attachments

Many modern email programs, including recent versions of Microsoft Outlook and Outlook Express automatically strip certain types of attachments, because there is no legitimate reason to attach such files to email messages. Even programmers, who have legitimate reasons, from time to time, to send them, can do so by embedding them in a ZIP file, which most mail program will let pass.

This hasn’t stopped the social engineers who work with the bad guys from trying to convince you to open a Zip file containing such a file. Icons for Dangerous Email Message Attachments is a table of icons associated with this class of really dangerous attachments.

If you see one of these icons next to a file, either in an attachment or inside a Zip file, click it at your own risk.

You have been warned!


These many words describe a simple, fast, effective process for eliminating mail that you can, and should, discard.

I hope it helps others fight back against the increasingly sophisticated social engineering tactics being employed against you and me.

Copyright ©2007 David Gray
Permalink |  Trackback

Your name:
Add Comment   Cancel 
Copyright 2006 by OS-Cubed, Inc.   Terms Of Use  Privacy Statement