Simple steps for avoiding malicious spam emails

This post covers some simple things, in addition to having anti-virus software, that you can do to help prevent accidentally getting tricked by malicious spam email. I’m assuming you already have a full fledged virus checker installed. It was inspired by several friends and family members that aren’t particularly technically savvy, and they got infected via email.

It’s a fact that there are some potentially important emails that look absolutely legitimate at first glance. And, criminals are getting better every day at copying the look-and-feel of legitimate and highly recognizable companies. Four to five years ago, security experts instructed us to simply delete any email that seemed fraudulent. However, flash forward to 2012 and there is a chance you may be deleting a legitimate email.

How could I get infected when I have a virus checker?

Having a virus checker simply minimizes the chances of being infected. And, even major online email services can be fooled. Sorry to break the news, but virus checkers aren’t 100% effective.

Here’s one example and there are many, many more. Let’s say you have set up your bank account to send you monthly statements via email. Sounds reasonable enough, right? Well, recently I’ve seen some very convincing looking spam emails that did a really decent job of mimicking legitimate emails from a bank. The good news is there were a few things in the email that made me suspicious and fortunately I followed my suspicions and didn’t click on any of the links. One particular well done email came under the guise that the password had been changed on an account, and in fact it had been changed. How’s that for coincidence?

Two easy steps.

Step 1 is to use an email client that allows you to turn off the message preview feature. There are infectious agents out there that can nail you through JavaScript and HTML code that is run when the email is viewed via preview mode. One recent example was dubbed “Drive-By spam” by security experts. Another option it to use “text-only” mode, but for most of us text only messages are really boring and ugly to look at, and you also lose all images and styling.

Step two is view the message source code and look for links where the domain name does not match the domain name of the company that sent you the email. If there is anything suspicious then use the phishing reporting feature in your email service. DO NOT open the email, dude.

Now, criminals can change malicious URLs faster than anti-virus software vendors can keep up. So, everything in an email may look legitimate with the sole exception being the link they ask you to click on that could lead to a harmful website.

Step three is if you want to dig even deeper you can verify if the senders IP address is legitimate using an IP address lookup service. The senders IP can be found in the header information of the email source. If the email is sent from a block of computers not registered with the correct company name then I’d be highly suspicious. All legitimate and important emails should always originate from a company’s domain name. If it didn’t then there’s a really good chance it’s marketing related and trying to sell you something, or its hostile.

A note about your spam folder. I have actually received legitimate emails from banks that ended up in the spam folder because I forgot to put let my email client know email from that domain was legit. It was human error and it happens. So, simply saying I shouldn’t have opened it because it was labeled as spam isn’t 100% true. But, it is an indication that you need to proceed with caution. I agree that in general all the emails that are placed in a spam folder by your email vendor are actually 100% certifiable spam. But, human nature makes us curious especially when it appears to come from a legitimate source. The good news is you can still be curious and protect yourself by following these three steps above.

What does hostile email source code look like? It can actually look very much like a real email in the source code. Looks for the code specifically related to things such as links for “Getting Started”, “Log in”, and “Click here for more information”. Hopefully you get the idea. It will be wrapped inside a tag called “<a href=”, and if you are a software developer you already knew this.

Hostile code can also be downloaded through JavaScript. It’s much, much harder to detect hostile JavaScript code because it may have already run when the email was viewed. One option that’s not appealing to most people is you can disable JavaScript in your browser when using browser based clients. The downside is this makes browsing the web an awful experience because much of the dynamic nature of modern websites is driven by JavaScript.

As I mentioned above, some criminals are getting better at re-using templates from legitimate emails. So I’ve received email where all the logos, banner images and help links pointed to real and legitimate sources. In fact, in a recent phishing email that seemingly came from a well-known bank, everything looked perfect except for the code tied to the getting started button. Even the “reply-to” email address was correct.

Here’s an example of an email supposedly from a major, name brand bank where I have obfuscated the URL for security:

<a href="https://--some other non-bank website name---.com/spa---/"><b>Click here to get started</b></a></p></font></td>

Here’s what the header of the email looked like, it’s also been obfuscated:

x-store-info:4r51+eLowCe79NzwdU2kR...
Authentication-Results: hotmail.com; sender-id=softfail (sender IP is 70.---.---.142)
header.from=AmericanExpress@---.com; dkim=none header.d=welcome.---.com; x-hmca=fail
X-SID-PRA: AmericanExpress@---.com
X-DKIM-Result: None
X-SID-Result: SoftFail
X-AUTH-Result: FAIL
X-Message-Status: n:n
X-Message-Delivery: Vj0xLjE7dXM9...
X-Message-Info: uTMDiBlPf5+Op9WrkKVGnq8+zr4Yfrs3...
Received: from server.DRGARCIA.local ([70.---.---.142]) by ... with Microsoft SMTPSVC(6.0.3790.4900);
Wed, 17 Oct 2012 07:11:24 -0700
Received: from USER ([198.--.--.35]) by server.DRGARCIA.local with Microsoft SMTPSVC(6.0.3790.4675);
Thu, 27 Sep 2012 12:20:10 -0500
Content-Type: text/html
SUBJECT: Important: Notification of Limited Account Access

FROM: American Express &lt;AmericanExpress@---.com&gt;

Bcc:

Return-Path: AmericanExpress@---.com

How to view an email source using Gmail or Outlook.com? In Outlook.com you can simply right click on any email and select “view message source”. In Gmail, you have to open the message and in the Reply options pull down list select “view original”.

I use Outlook.com (formerly Hotmail) because it lets you view a messages source code without having to first open or preview the email. On the other hand, Gmail forces you to open the email first, and then you can view its source code. Simply by opening or previewing a potentially hostile email can allow malicious code to be installed on your computer. This seems like a major security hole to me.

Conclusion. If you have an email in your inbox or spam folder that looks legit and you absolutely have to open it, then the two steps listed above should help protect you, your computer and your data. Criminals are getting better every day at creating the illusion that an email is totally real. And, if you know how to read the source code of the email you can potentially avoid an infected computer.

DISCLAIMER. Of course I have to have a disclaimer these days. The contents of this post do not 100% guarantee that you still won’t be tricked into doing something unintentional that causes personal trauma, data loss, catastrophic damage to your hard drive or even cause kittens to purr. If followed properly, these steps will significantly improve the safety of your computer and electronic data. But, hey…even experts can be tricked!

You should also have anti-virus software installed and up-to-date. Yes, some virus checkers offer email protection of sorts and that should also be enabled. I’m also here to tell you that some viruses can and will slip through that protection. Sometimes, when a virus, Trojan, worm etc. infects your computer it takes hours to remove it, or in drastic cases you have to completely rebuild your system.