www.BlackViper.com: E-Mail Filtering Guide Page 1


Introduction to E-mail Filtering

Spam and viruses have been a problem for many years, but only recently have people started to become disgusted with them. Performance can also be a concern for many people. One of those people is me. I do not like to use an additional program to combat something that should not be there in the first place. Some of the viruses in these E-Mails could have harmful consequences, even identity theft. That is why I have decided to take a stand against the spam in my inbox, and I will show you how.

This guide explains how I fight spam and gives a few pointers as to what you can do without downloading an additional program. I have also included information on how to spot an E-Mail virus without any additional software. The only thing it takes is a little knowledge and the ability to refrain from opening every E-Mail you get, regardless of where it came from. What people do not understand is that the user must do something to get a virus. It is not magic. That something, a very high percentage of the time, is clicking on and opening an infected E-Mail. DO NOT DO THIS!

Something to consider is the fact that E-Mail filters and spam filtering do NOT work with web-based (HTTP) E-Mail accounts, such as Hotmail and Yahoo. Most of those kinds of services offer filtering of their own. Use it.

This guide also offers a sneak peek inside Black Viper's inbox.

As of this writing, I use Outlook Express 6, but most "newer" E-Mail clients have the same or similar features. In reality, the E-Mail client you choose could be much better than OE in many respects. I would love to use a more "feature rich" E-Mail client, but sometimes I am rather set in my ways.

You also need to note two very important things:

  • I DO NOT EVER display the "Preview Pane." This is a HUGE security issue.
    • In OE 6, select View --> Layout --> Layout Tab --> uncheck Show preview pane.
    • In Outlook 2002, select View --> Preview Pane (toggle: select to disable, select to enable)
    • In Outlook 2003, select View --> Reading Pane --> select Off
  • I DO NOT view "HTML stationery" (or any other inlined images) as the sender intended. I view ALL E-Mail as "plain text." This also reduces the chance of executing "malicious" HTML spam and makes for easier reading of high volumes of E-Mail from many different people.
    • In OE 6, select Tools --> Options --> Read Tab --> check Read all messages in plain text. (Option available with IE6 SP1 installed.)
    • In Outlook 2002, you must download the latest service pack and add a setting in the registry. Instructions on how to do this are here: http://support.microsoft.com/default.aspx?scid=kb;en-us;307594
      • Ensure you have the latest service pack already installed; then you can download and apply this registry patch: Outlook2002PlainTextFix.zip ~ 330 bytes
    • In Outlook 2003, select Tools --> Options --> Preferences Tab --> E-mail options... button --> check Read all standard mail in plain text.

Black Viper's Inbox
Image 1.1: (24KB .gif)

1) Shall we begin? (Image 1.1)

After a short break away from the computer, I had quite a few E-Mails waiting. Note: according to the screen shot, not one of them is in my "Inbox." What I have done is use filters to distribute them according to predefined rules. This screen shot was taken right after I opened OE. More on filters later, but first, a tour of the results of the filters.

Auto Deleted Email
Image 1.2: (49KB .gif)

2) Deleted Items. (Image 1.2)

Out of 275 E-Mails, 58 of them were automatically deleted without any action by me. What this filter does is take ALL E-Mail not directly addressed to me and delete it. Absolutely no legitimate E-Mail sent by a "real" person or company will ever falsify who the E-Mail is going TO!

Initially, I had recommended in my E-Mail Filtering Guide to automatically forward to uce@ftc.gov and then delete all E-Mails that did not pass my spam filters. This procedure was flawed with respect to how Outlook Express handles the action: Outlook Express removes the spammer's From address and replaces it with the E-Mail account currently in use. After realizing this problem, I removed the recommendation. However, this step opened up a whole new can of worms.

E-Mails that actually are addressed to me are caught by my "Blocked Senders List" filter, which automatically deletes E-Mails originating from a particular domain or from a person on a domain. Again, more on the actual filters later.

Filtered Black Viper Email
Image 1.3: (47KB .gif)

3) blackviper.com Inbox. (Image 1.3)

After removing a few "important" E-Mails, I took the screen shot displayed as Image 1.3. Many people ask "Why do you automatically place a subject line in your E-Mails?" This is the reason. It is extremely easy to see that these people have visited my web site and actually clicked on the link located on my domain to contact me. I have little fear as to whether or not it is spam. Also, a VERY important note: look at the "average" size of these E-Mails. Most are between 3KB and 6KB, with none of them over 10KB. This will be important in the next screen shot, the "Filtered Spam."

Something else to understand: even though I removed the "From" column for these screen shots, I always look to see "who" it came from. In the above screen shot, the From column is not removed, and you can actually see the pathetic E-Mail addresses and names that these spams "seem to come from."

Filtered Spam
Image 1.4: (45KB .gif)

4) This is my Filtered Spam. (Image 1.4)

Some of these E-Mails are legitimate. Some are viruses. Others are spam. Can you spot each?

I have a filter to catch "common" subject matter and code it in Red. Very rarely (especially when using a "default" subject line) do my filters ever tag a "real" message with Red.

I must thank all spammers that attempt to confuse E-Mail filters by adding random characters to the end of a subject line. When this pathetic attempt at getting through to E-Mail users started, it annoyed me. However, after it became a "widespread practice," I expanded my subject line column way out and scan only the end of the line. If it contains gibberish, it is gone. This has reduced the time I take to filter E-Mails considerably. You will also notice that several E-Mails display "..." even on short subject lines. This means that the full subject does not fit in the column and more text exists. This common practice shows that spammers add many spaces to their subject lines and then place the random characters out of "normal" view. Expanding the column reveals the truth.

Also here, you see MANY messages that are well over 100KB. These are absolutely, positively a virus. Zero doubt. Why? Because any "real" person who sends an attachment would actually "attach" the file. Look at the far left column of the next shot.

Large attachments
Image 1.5: (44KB .gif)

5) Attachment reporting. (Image 1.5)

Not one of these E-Mails, sorted by size, reports having an attachment. Now, understand that an E-Mail of 180KB is a rather large amount of typing. This should give you the first clue about the origin of these E-Mails and their destructive intent. However, some E-Mail programs, when using "HTML" stationery and such, do not report attachments of .jpg and .gif files if they are part of the layout, for example a background picture and a .jpg signature block. Take note: out of 8400 E-Mails in the last year, only 16 have had "large" images (over 50KB worth) included with them as "normal" E-Mails. Please, for the love of dial-up users around the world... Do not send a 295KB picture as a "normal" part of your E-Mail. For the sake of time, I now bounce all E-Mails that are larger than 50KB.
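As an added example (not from the guide), here is the triage described so far expressed in Python over constructed sample messages: mail not addressed to me is deleted, mail from a domain on the blocked-senders list is deleted, anything over 50KB is bounced, and a subject padded with spaces and ending in random characters is marked Red. The address, the blocked domain and the samples are assumptions.

```python
import email
import re
from email.utils import getaddresses, parseaddr

MY_ADDRESS = "me@example.com"               # assumed address, not the guide author's
BLOCKED_DOMAINS = {"spam-domain.example"}   # constructed "Blocked Senders List"
SIZE_LIMIT = 50 * 1024                      # the guide bounces anything over 50KB
# Subject that ends in a run of spaces followed by random letters/digits: the
# "gibberish tail" trick the guide describes.
GIBBERISH_TAIL = re.compile(r"\s{3,}[A-Za-z0-9]{4,}$")

def classify(raw: str) -> str:
    """Return 'delete', 'bounce', 'red' or 'inbox' for one raw RFC 822 message."""
    msg = email.message_from_string(raw)
    # Rule 1: anything not directly addressed to me is deleted unread.
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    recipients = {addr.lower() for _, addr in getaddresses(headers)}
    if MY_ADDRESS not in recipients:
        return "delete"
    # Rule 2: mail from a blocked domain is deleted.
    _, sender = parseaddr(msg.get("From", ""))
    if sender.lower().rsplit("@", 1)[-1] in BLOCKED_DOMAINS:
        return "delete"
    # Rule 3: oversized mail is bounced (a 180KB "text only" mail is a red flag).
    if len(raw.encode()) > SIZE_LIMIT:
        return "bounce"
    # Rule 4: a subject padded with spaces and ending in gibberish is marked Red.
    if GIBBERISH_TAIL.search(msg.get("Subject", "")):
        return "red"
    return "inbox"

# Constructed sample messages, one per rule plus a legitimate one.
SAMPLES = {
    "legit": "From: Reader <reader@example.org>\nTo: me@example.com\n"
             "Subject: [BlackViper.com] Service question\n\nHi there.\n",
    "not_to_me": "From: x@example.net\nTo: other@example.com\nSubject: Hi\n\nbody\n",
    "blocked": "From: Offers <deals@spam-domain.example>\nTo: me@example.com\n"
               "Subject: Deals\n\nbody\n",
    "oversized": "From: a@example.net\nTo: me@example.com\nSubject: Hi\n\n"
                 + "A" * (60 * 1024) + "\n",
    "gibberish": "From: a@example.net\nTo: me@example.com\n"
                 "Subject: your account          qwzxv82k\n\nbody\n",
}

def triage_all() -> dict:
    return {name: classify(raw) for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in triage_all().items():
        print(f"{name:10s} -> {verdict}")
```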

Can you confirm that this E-Mail is a virus without "opening" it? Yes, and I will show you how following this short disclaimer:

ABSOLUTELY, NEVER, EVER double click these files to open them! You WILL be infected.

This method is NOT intended to substitute a virus scanner with the eyes of an average user. However, my network has never been infected by a virus. Ever. What AV software do I run daily? None. I do not visit "questionable" web sites, I utilize a hardware firewall and never open an attachment sent via E-Mail. What is the best defense anyone can have? Common sense.

Update November 17, 2003:

This deals with yet another mass-mailing worm whose purpose in life is to steal PayPal account information.

This discovery was prompted by one E-Mail that fits the Symantec description perfectly:

The subject line contains "YOUR PAYPAL.COM ACCOUNT EXPIRES" and comes from the address of "Do_Not_Reply@paypal.com." It arrived at my inbox at 11:41 AM PST today.

This information was posted November 14, 2003 by Symantec and the virus signatures were updated that day:

http://securityresponse.symantec.com/avcenter/venc/data/w32.mimail.i@mm.html

However, just a few messages up (more recent), I received about the same message at 12:16 PM PST with a slightly different subject line. This one is "IMPORTANT <several spaces and then random characters>". It also comes from the address of "Do_Not_Reply@paypal.com."

This particular message, fitting the bill with another scam to steal PayPal account information, was posted on November 17, 2003. Yes, today:

http://securityresponse.symantec.com/avcenter/venc/data/w32.mimail.j@mm.html

This one tipped me off because it has exactly the type of subject line of a previous virus that I have been sent often for several months (12 times yesterday, 3 today). That particular variant comes from the address of "admin@<what ever domain the email is sent to.com>" with the subject line of "your account <several spaces and then random characters>".

More information on that particular virus is here:

http://securityresponse.symantec.com/avcenter/venc/data/w32.mimail.a@mm.html

What I am trying to get across is that people can find viruses in their E-Mail box before virus signatures have been updated. I fail to remember the "default" amount of time or "how often" the automatic update service runs for Norton Anti-Virus, but I am sure 24 hours is not far from the truth.

What this means is that I could have been infected 3 times (by the number of separate E-Mails) before the signatures could have been updated. Of course, by the time the automatic update is performed, it could be too late.

Knowledge is power. Period. I knew these E-Mails contained viruses without even thinking about it, from past experience with known subject lines. I looked them up because my curiosity sometimes overwhelms me, and discovered that "I could have received it before they fixed it."

Being careful with the "automatic" actions you perform daily by checking E-Mail, and knowing "what is good and what could be bad," is much more powerful than any virus scanner available. Knowing an E-Mail's intent before even opening it has much more power than "assuming" a person is safe just because an Anti-Virus program is running.

Do I own AV software? Yes. When do I scan the network? Before anything major, like an OS install or a massive hardware change. That way, I know that all of my backed up data has been scanned with the latest virus protection and is clear of anything up to that date. I then install the OS clean, retrieve my safe data and continue as usual without AV software sucking up resources 24/7.

Another reason I have avoided infection is that I use a computer strictly for E-Mail. That's it. If anything should happen, such as unexplained memory, hard disk or network activity, or any of the many other signs of a malicious program, I can stop it before catastrophe hits. This also greatly reduces the chance of "important" files being infected across the network, because the system that I use for "normal" activities has NO shared resources.

Most people cannot afford having a dedicated system taking care of such tasks. However, a pretty clever way of discovering a virus or worm that is scanning the always-targeted Windows Address Book is to place in it a "unique" address that is never used for anything other than to seed. Most providers offer multiple E-Mail accounts. Have a disposable one that is used for all "sign up, place E-Mail address here" forms, one that is used for "close friends and family," and another could be "black83648viper6253@mycoolisp.com." This extra garbage would "attempt" to ensure dictionary spammers would not easily hit it, and if you ever get an E-Mail to that address, it would be the first clue of possible malicious activity. Not a guarantee by any means, but at least it could prompt additional investigation.

AGAIN: I will always recommend my readers use a virus scanner daily and keep it up to date. There is no reason not to. If you have a single system directly connected to the internet, you WILL have virus and firewall protection installed. Security is no laughing matter. Enough said.

How to view email source
Image 1.6: (47KB .gif)

6) Check the "real" contents of a suspicious email. (Image 1.6)

Practice this technique on a REAL E-Mail and not a virus infected one.

This information pertains to Outlook and Outlook Express. Your E-Mail client may vary.

Outlook:

  1. Right-click the E-Mail
  2. Select Options
  3. View the Internet Headers located at the bottom of the dialog box

Outlook Express:

  1. Right-click the E-Mail
  2. Select Properties
  3. Select the Details tab

Email details tab
Image 1.7: (47KB .gif)

7) Details Tab. (Image 1.7)

The Details tab displays all kinds of geeky information: where the E-Mail came from, who it was from and who it REALLY was from. This tab also contains information on what servers it passed through on the way to your computer.

What we are interested in here is the Message Source button.

Actual contents of an email virus
Image 1.8: (44KB .gif)

8) Email Source. (Image 1.8)

The contents of the E-Mail attachment are not readable by humans. However, what the file REALLY is and what it will do IS readable.

Highlighted is the actual MIME type declaration (the Content-Type); it tells the E-Mail client what to do with the attachment. In this case, it is:

audio/x-midi

The funny thing is, the actual file name "height.pif" has nothing to do with "audio." A PIF is a shortcut to a program, like what you would find on your desktop. Again, a real person would NEVER send you an "audio" file saved as a "shortcut."

Why is the file a .pif? Because a .pif is automatically executed by the E-Mail client and the OS regardless of what the MIME type says.
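As an added example (not from the guide), here is a Python check over a constructed message source that flags what the Message Source view shows by eye: an attachment whose file name has an executable extension such as .pif, or whose declared Content-Type does not match its file name. The sample addresses, subject and payload are constructed; only the audio/x-midi plus height.pif combination comes from the page.

```python
import email
import mimetypes
from email import policy

# Extensions Windows runs as programs or program shortcuts (constructed list).
EXECUTABLE_EXTS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd"}

def suspicious_parts(raw: str) -> list:
    """Return (filename, declared_type, reason) for each attachment that looks wrong."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue                           # body text, not an attachment
        declared = part.get_content_type()     # what the sender *claims* it is
        ext = ("." + name.rsplit(".", 1)[-1]).lower() if "." in name else ""
        guessed, _ = mimetypes.guess_type(name)  # what the file name implies
        if ext in EXECUTABLE_EXTS:
            findings.append((name, declared, "executable extension " + ext))
        elif guessed and declared != "application/octet-stream" and guessed != declared:
            findings.append((name, declared, "type does not match name (" + guessed + ")"))
    return findings

# Constructed message modelled on the guide's screen shot: a .pif declared as MIDI audio, a harmless text file, and a "jpg" that is really HTML.
SAMPLE = """\
From: Do_Not_Reply@example.com
To: me@example.com
Subject: your account          x8ks2m
Content-Type: multipart/mixed; boundary="bnd"

--bnd
Content-Type: audio/x-midi; name="height.pif"
Content-Disposition: attachment; filename="height.pif"
Content-Transfer-Encoding: base64

bm90IGEgcmVhbCBwcm9ncmFt
--bnd
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

harmless
--bnd
Content-Type: text/html; name="photo.jpg"
Content-Disposition: attachment; filename="photo.jpg"

<html>not a picture</html>
--bnd--
"""
```

The base64 payload decodes to the text "not a real program"; the check never decodes or opens the attachment, it only reads the headers the Details tab shows.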

This is just one of the many examples I have in my inbox.

How can you create filters to do the same as what I have displayed here? Easy. READ MORE...
