Topic: Don't open links in email ?
NoJive
Maniac (V) Inmate

From: The Land of one Headlight on.
Insane since: May 2001

posted 01-25-2008 20:46

So, I must have missed this class in email 101. I've heard a couple of times recently on various talk shows that you should not open links contained in email. And in a post somewhere here not so very long ago the same was said.

Are we talking about opening a link in email from someone you know?

I don't open mail from anyone I don't know and I never open forwarded mail.

I have however back-doored emails to see what might be in there... properties/message source and so on... I was told a very long time ago this was a safe procedure. Is that still the case?

Old and slow seeks advice. -_Q

___________________________________________________________________________
"It is dangerous to be right when the government is wrong." Voltaire

liorean
Paranoid (IV) Inmate

From: Umeå, Sweden
Insane since: Sep 2004

posted 01-25-2008 22:57

Some guidelines for the wary, particularly if you're using Outlook.


There's a few reasons to be cautious. Most of them have to do with security.

- There's MANY small-scale webmail systems that have such bad security that clicking links can reveal private data, potentially user names and passwords, to the linked party.
- There's exploits in at least the troika of Eudora, Outlook, Thunderbird that can be used for privilege escalation.
- Some phishing links look entirely like the originals except for some letter being some like-looking Unicode glyph.
- There's a few social engineering viri, worms and trojans that can look like very realistic mail from friends. The most devious ones copy the content from earlier sent messages to others on your contact list, but insert the malicious attachments, images, scripts or links into them.


You should only trust your friends' mails if you think you can rely on them to keep their computer secure, or if you know them well enough to tell their mails are indeed authentic.

As for checking a mail source, that should be entirely safe as long as no images are rendered or scripts are run. (For example in a message preview pane when you mark the mail to choose to view source.)

--
var Liorean = {
abode: "http://web-graphics.com/",
profile: "http://codingforums.com/member.php?u=5798"};

argo navis
Paranoid (IV) Inmate

From: Switzerland
Insane since: Jul 2007

posted 01-26-2008 00:45

Fwiw, I never use an email client - never, ever, EVER : I use my professional webmail, private (own server) webmail, or yahoo mail & hotmail -
all from the web browser.

This doesn't do magic but it limits the flaws I have to cope with to web flaws.

I think, in terms of security, that the safest web browser is also the most stable and uber popular Firefox - I resort to IE often times,
but do prefer FF and think the security of IE is a joke - and an intrusive one at that.

With very few exceptions (job application, etc.) I only subscribe to online services using hotmail, so that's where the spam gets.
I never ever simply post my email address (in a forum for instance) as a whole - and when I distribute it, I phrase it with whirls and twirls
and (twisted enough to be recognizable only by a human - hopefully).

Clicking a link in an untrusted email can, at the very least, disclose to a potential spammer that your address is valid,
but a simple image inside the same untrusted email can do the same - if you see it, a request has already gone to a web server
informing them the mail address is valid.
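
An added example, not part of any post in this thread: a static check of an HTML mail body for the two things raised above, links whose host uses look-alike Unicode glyphs or differs from the address shown in the link text, and remote images that are fetched as soon as the mail renders. The class and function names and the sample body are constructed for illustration.

```python
# Added example, not from the thread. The HTML sample below is constructed.
import re, unicodedata
from html.parser import HTMLParser
from urllib.parse import urlsplit

class MailAudit(HTMLParser):  # collects (href, visible text) pairs and remote images
    def __init__(self):
        super().__init__()
        self.links, self.remote_images, self._href, self._text = [], [], None, []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "img" and re.match(r"(https?:)?//", a.get("src") or "", re.I):
            self.remote_images.append(a["src"])  # requested when the mail is displayed
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    return (urlsplit(url if "//" in url else "//" + url).hostname or "").lower()

def link_flags(href, text):
    host, flags = host_of(href), []
    scripts = {unicodedata.name(c, "?").split()[0] for c in host if c.isalpha()}
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        flags.append("non-ascii-host")      # IDN: inspect the raw host, not its rendering
    if len(scripts) > 1:
        flags.append("mixed-script-host")   # e.g. Latin letters plus one Cyrillic look-alike
    looks_like_url = re.fullmatch(r"(https?://)?[^\s/]+\.[^\s/]{2,}(/\S*)?", text)
    if looks_like_url and host_of(text) != host:
        flags.append("text-host-mismatch")  # address shown differs from the real target
    return flags

def audit(html):
    p = MailAudit()
    p.feed(html)
    p.close()
    return {"links": [(h, t, link_flags(h, t)) for h, t in p.links],
            "remote_images": p.remote_images}

SAMPLE = (  # constructed mail body; \u0430 is CYRILLIC SMALL LETTER A
    '<p><a href="http://login.example.net/reset">www.example.com</a> '
    '<a href="http://ex\u0430mple.com/">Account settings</a> '
    '<a href="https://www.example.org/news">Read more</a>'
    '<img src="http://tracker.example.net/o.gif?id=abc123" width="1" height="1"></p>')
```

`audit(SAMPLE)` returns each link with its flags plus the list of remote image URLs; a link text of `example.com` pointing at `www.example.com` is also reported as a mismatch, so treat that flag as a prompt to look, not a verdict.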

SleepingWolf
Paranoid (IV) Inmate

From:
Insane since: Jul 2006

posted 01-26-2008 01:55
quote:

NoJive said:

Are we talking about opening a link in email from someone you know?



The effective worms/viruses/email trojans duplicate by concealing themselves. One tactic they use is to go through your address book and send emails to all your contacts.

So Bill gets an email from you and says "Oh, this is from Fred..Fred would never send me a virus". Wrong and Gotcha...you're screwed. Problem is Fred doesn't know he is infected, doesn't know the malware is using his PC as a mail server...yep a server contained within a few bytes of code..not bad.

I use Outlook and my rules are very simple: any email sender not on my white list goes directly to junk. Any email in the junk folder I don't recognize gets deleted. I also never give my email to my bank etc...this way if I get an email from "my bank" I know it's a phishing scheme. So no links, no attachments, not even a preview...click, delete.

Nature & Travel Photography
Main Entrance

(Edited by SleepingWolf on 01-26-2008 02:02)

Suho1004
Maniac (V) Mad Librarian

From: Seoul, Korea
Insane since: Apr 2002

posted 01-26-2008 02:14

If someone I know sends me an attachment, I will often send an email to confirm that they actually sent this to me if there is no accompanying body text or if the body text looks generic ("Thought you might enjoy this," etc.). Most of the time, though, when someone I know legitimately sends me an attachment, it will be attached to a legitimate email message. I've sent enough confirmation requests that people know to be careful with this stuff.


___________________________
Suho: www.liminality.org | Cell 270 | Sig Rotator | the Fellowship of Sup

Jestah
Maniac (V) Mad Scientist

From: Long Island, NY
Insane since: Jun 2000

posted 01-26-2008 04:50

I didn't think spam, attachments, or links were a problem anymore.

I used to use a bunch of free accounts to register for various web services but now I couldn't be bothered. I've since begun using my .Mac account exclusively while maintaining a few different aliases and I've yet to have a problem with anything nefarious. Anything addressed to my main account that isn't in my address book is just deleted, all of my emails are scanned, and I set my client not to load images. It works well for me.

poi
Paranoid (IV) Inmate

From: Norway
Insane since: Jun 2002

posted 01-26-2008 12:32

You want a safe mail client. Use a, or set your, mail client processing mails in plain/text only. And of course only click on links in apparently legitimate mails ( with a body and subject relevant to you and the person ) from people you know and trust, once you have glanced at the status bar to double check the target URL.

Personally I use Thunderbird. Show messages in HTML, without images. Mails whose FROM is in my address book are not marked as junk.

All bounced mail, with 3 domain names you get a lot of those, are marked as junk and moved to a specific folder for triage ... which 99.9% of the time consists in marking them as read and keeping the junk flag. Now I use bounced address on one of my domains to register/purchase things. This way I don't pollute my real email addresses and can easily filter all traffic on say amazon.com@oneOfMyDomains.com


My work email address is seldom spread, and I trust the people there. In fact there has been no virus infection or trojan since Outlook was officially banned a few years ago. As for my subscriptions to mailing lists and RSS/Atom feeds, it's mostly techy stuff ( WHATWG & W3C mailing lists, tech sites + web comics ) so I guess it'd be easy to spot something fishy. Plus when my feeds mention a seemingly interesting article, I usually type the URL / click the favicon of the site myself in my browser.


Also, I use a pretty safe browser. And I know how the guys treat security and privacy.


[slightlyOffTopic]

quote:
I think, in terms of security, that the safest web browser is also the most stable and uber popular Firefox - I resort to IE often times, but do prefer FF and think the security of IE is a joke - and an intrusive one at that.

Secunia and other security report sites tend to disagree with you

[/slightlyOffTopic]

argo navis
Paranoid (IV) Inmate

From: Switzerland
Insane since: Jul 2007

posted 01-26-2008 13:31

[SlightlyOffTopic]
Now that's something very interesting : there have been major changes in that regard through 2007.
http://secunia.com/gfx/SECUNIA_2007_Report.pdf

Mac OS X second most vulnerable OS at its core right behind Windows.
Very prone to security problems from third party software - more than Vista.
Red Hat, a third party exploits magnet.

Firefox is the most "attacked" browser of 2007, followed by IE!
- please note that one "Firefox issue" was due to the underlying Windows XP or Server 2003 system and IE6/7.

But the Firefox patching process seems relatively fast.

Opera and Safari are a lot safer apparently.
[/SlightlyOffTopic]

*Speechless*. This dispels a few assumptions of mine AND demonstrates a huge change through last year.
But : Safari is not 100% complying to web standards according to my tests,
it's a bit quirky in some occurrences - and Opera, my primary browser in 2005, has become very unfriendly to me -
is there a "customer feedback" way for me to point out things that bother me?

[Back on topic]
...Btw, the strict usage of webmails provides me with two additional security features : a robust backup system for email,
no need to make them central and risk losing anything, and spam filtering independent from my pc.

A mail client implies added complexity, added vulnerability, and local vulnerability - so for me, nonono thanks.

poi
Paranoid (IV) Inmate

From: Norway
Insane since: Jun 2002

posted 01-26-2008 13:54

[offTopicSorry]

Try using Opera's bugs ( and I guess feature requests ) report wizard or the My.opera forums. Alas the BTS is not public. We have people reading and checking the bug reports and forums. Some feature requests are often brought up from there on our internal IRC channels and mailing lists.

[/offTopicSorry]

Arthurio
Paranoid (IV) Inmate

From: cell 3736
Insane since: Jul 2003

posted 01-26-2008 15:20

I use Gmail and I'm happy. The spam filter works. No need to be over-paranoid. I haven't encountered a virus in years. Of course I don't open strange attachments and I don't click on strange links that lead to who knows where. If I get an e-mail from my bank or any other service provider that I consider important (those that have to do with money, accounts, personal information) I'm more careful with the links and usually go to their website directly instead of following the links provided in the e-mail.

1) Anyone can send an e-mail from any address, I could send you one from nojive@gmail.com no problem at all.
2) Don't open executable attachments (.exe). If you open a .rar or .zip file then don't click on the .exe files it may contain.
3) Opening e-mails is fine as long as you use a secure email client such as the Gmail web client or Thunderbird.
4) Don't click on links that lead to strange addresses (check status bar) especially if using IE. If you receive an e-mail from important organizations then don't click on links, go to their website directly.

Remember those 4 things and you're golden. No need to be over-paranoid.

poi
Paranoid (IV) Inmate

From: Norway
Insane since: Jun 2002

posted 01-26-2008 16:09

/!\ webmails are as secure as the browser you use them in. If they don't sanitize, seriously ( and NO a regexp to try and remove the SCRIPT tags is NOT enough ), the content of the mails, the exact same exploits as in your browser are possible.
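
An added example, not poi's code and not taken from any webmail product: the script-stripping regexp described above next to an allowlist sanitizer that rebuilds the message from known-good tags only. The tag list, the scheme list, the function names and the markup samples are all constructed assumptions.

```python
# Added example, not from the thread; all markup samples are constructed.
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

def regex_strip_scripts(html):
    """The shortcut the post warns about: delete <script>...</script> and nothing else."""
    return re.sub(r"<script\b.*?</script>", "", html, flags=re.I | re.S)

ALLOWED = {"p": (), "b": (), "i": (), "br": (), "a": ("href",)}  # tag -> allowed attributes
SAFE_SCHEMES = {"http", "https", "mailto"}
def safe_url(value):
    try:
        return urlsplit(value.strip()).scheme.lower() in SAFE_SCHEMES
    except ValueError:  # malformed URL: treat as unsafe
        return False

class AllowlistSanitizer(HTMLParser):  # rebuild from known-good tags, drop the rest
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self._skip = [], 0
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1          # swallow the element's text as well
        if self._skip or tag not in ALLOWED:
            return
        kept = "".join(f' {n}="{escape(v.strip())}"' for n, v in attrs
                       if n in ALLOWED[tag] and v and safe_url(v))
        self.out.append(f"<{tag}{kept}>")
    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = max(0, self._skip - 1)
        elif not self._skip and tag in ALLOWED and tag != "br":
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data))  # text is re-escaped, never passed through

def sanitize(html):
    s = AllowlistSanitizer()
    s.feed(html)
    s.close()
    return "".join(s.out)

BYPASSES = [  # constructed inputs that the regexp leaves executable
    '<img src="x" onerror="alert(1)">hi',
    '<a href="javascript:alert(1)">statement</a>',
    '<scr<script></script>ipt>alert(1)</script>',
]
```

Running `regex_strip_scripts` over `BYPASSES` leaves the first two untouched and turns the third into a complete script element, while `sanitize` emits nothing outside the allowlist for any of them.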

NoJive
Maniac (V) Inmate

From: The Land of one Headlight on.
Insane since: May 2001

posted 01-27-2008 12:16

Thanks everyone.

Overall my email habits are quite good. Out-going subject lines are unique and if I've attached something that information is also in the subject line.

quote:

poi said:

Personally I use Thunderbird. Show messages in HTML, without images. Mails whose FROM is in my address book are not marked as junk.


I started using T-Bird 6-7 months ago but I find configuring it is less than straightforward. Some images don't show... others do.

Help me out please on the "Show messages in HTML..." I thought this was an absolute no no. I've been using plain text for both out and in. And which do you use, Original or Simple HTML ?

I've been trying Opera for a few days now but I confess that I've been using FF for so long now I've become rather attached to it... so-to-speak. =)

Again... thanks to all.

___________________________________________________________________________
"It is dangerous to be right when the government is wrong." Voltaire

argo navis
Paranoid (IV) Inmate

From: Switzerland
Insane since: Jul 2007

posted 01-27-2008 12:32

Plain text in and out is the top of email security : no dynamic content goes either way, only attachments, easier to filter.
Good practices. *Hands noJive a cookie*.

poi
Paranoid (IV) Inmate

From: Norway
Insane since: Jun 2002

posted 01-27-2008 12:41

I usually show the body of the mails in HTML. The images normally don't show up. I have to click a button in the panel on top of the mail's headers to see them, if I REALLY want to ... which is quite rare. Haven't noticed any strange behavior/activity on my machines.

The discoverability and default GUI of Opera are "sub optimal", but it's a solid browser with some nice features. Once you tweaked the UI a bit and got used to some features it's difficult to look back ... except for the occasional time you need Firebug. Honestly if I didn't work for them and had people who know it in and out show me how to use it, I'd still be using Firefox. Maybe I should/could open a thread and talk about UI tweaks and rather unknown features.

NoJive
Maniac (V) Inmate

From: The Land of one Headlight on.
Insane since: May 2001

posted 01-27-2008 14:55
quote:

poi said:

Maybe I should/could open a thread and talk about UI tweaks and rather unknown features.



Sounds good to me. =)

___________________________________________________________________________
"It is dangerous to be right when the government is wrong." Voltaire


