opening e-mails safely
Page 1 of 3 123 LastLast
Results 1 to 10 of 25

Thread: opening e-mails safely

  1. #1
    Senior Member
    Join Date
    Mar 2004
    Posts
    139

    Smile opening e-mails safely

    Hi,

    I want to get more information on reading or opening suspicious e-mails. It does not do any good to just delete an e-mail if I want to find out how they are engineered.

    So far I have had no problems, or at least I think so. I have all relevant patches, OE is configured to remove attachments, and the virii scanning software is always enabled.

    If I want to look at the message content and headers, I right click the e-mail in question, click properties and then message source. Finally I expand the window to read the content.
    Amazing, the crap that's in some of these. I know some HTML, and its interesting to see apparently meaningless words between the delimiters.
    Occasionally I have saved an attachment, scanned it, and only then opened it.

    Are these safe practices, and are there some tips. I haven't seen a forum specifically on handling techniques of e-mails here.

    g8way2u

  2. #2
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    I would not open suspicious items on your main computer. You might have noticed that your AV and all OS patches come AFTER the event?

    Get an old machine to do this sort of thing on. If your main machine's AV lets you download or open malware then it is not protecting you against that malware?

    Convert the file into a .txt file and open it in a program editing utility such as notepad or vi

    Do not use Word, or similar high level text editors, as they can launch executables.

    Just because an attachment passes you scan does not mean that it is safe..............or there wouldn't be any viruses?

    Do be careful

  3. #3
    Senior Member
    Join Date
    Mar 2004
    Posts
    139

    Thanks nihil,

    I have a little networking set up so far, a Cisco 1600 and Cisco 2621 router, and a 2900 series
    switch. When I'm practicing, I disconnect from the Internet. In the future I want to set up a seperate network, a blackhat and whitehat, completely isolated from all other boxes.
    So in essence you suggest that if I want to look at some of the mal-code, I save it to a floppy or cd and then move it to the isolated box. Offcourse, the e-mail and attachment gets deleted from the main box and the media with the mal-code marked as such and stored safely away from other media.
    Any suggestions on how to set up a safe lab environment?

    g8way2u

  4. #4
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    Well:

    1. Pick up a couple of old boxes, maybe three, (PIs/PIIs) whatever is free or cheap. Hint: ex-corporate desktops are great because you can stack them in the same footprint, also they don't look "cool" so they have little street value?

    2. Have at least one as a "sheep dip".........a stand alone

    3. The other two you can network, even if only with a null modem cable

    4. Once you have had a look at the "subject" on the sheep dip, you can connect it to one or both of the others to test network awareness and so on.

    Just don't do this near any of your "real equipment" ......OK you seem to have the idea, if you catch one........lift it carefully into your lab environment.

    You will need to get yourself the usual compression/decompression tools like UPX.............and hex editor etc..........compilers and decompilers.

    Just take it at your own pace, and learn as you go

    Good luck

  5. #5
    Senior Member
    Join Date
    Mar 2004
    Posts
    139
    Thanx again,
    14 months I knew nothing, and now it's just an amazing journey.
    I'll be posting as I learn.

    g8way2u

  6. #6
    They call me the Hunted foxyloxley's Avatar
    Join Date
    Nov 2003
    Location
    3rd Rock from Sun
    Posts
    2,528
    for nihil mainly

    to confirm, .txt is NOT a virus carrier ?
    got 3 today, AV took them, and left a message with the V details as a .txt. attached to the mails
    I opened them with notepad to see this.

    edit:
    Norton AntiVirus removed the attachment: mp3music.pif.
    The W32.Netsky.D@mm threat was detected in the attachment.

    this was the message left, just wanted to confirm that .txt is the safe way to check ???
    55 - I'm fiftyfeckinfive and STILL no wiser,
    OLDER yes
    Beware of Geeks bearing GIF's
    come and waste the day :P at The Taz Zone

  7. #7
    If you are suspicious of the contens of an email, I say telnet it.

    1. Open up a command prompt
    2. run: telnet mail.mymailserver.com 110
    3. once it connects: user yourusername
    3. after the user name is in: pass yourpassword
    4. after that: list
    5. Then find the message you want to view: retr 3 (replace 3 with the message number)

    Now you can view the actual contents in plaintext without worrying about the attachment or embedded virus'

  8. #8
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    Yes,

    At present, or to the best of my knowledge and experience, there is nothing that will autostart in a .txt file read with a simple program text editor such as notepad or vi.

    Hey, how could they write them without shooting themselves in the foot?..got to be a program text editor

    Foxy........txt is what you write them in Your AV found .pif files but sent you details in .txt?

    hmmm.......seems like Norton agree with me , I am obviously wrong?

    YES Foxy .txt is still safe, but keep your eyes and ears open, as things do change

    Cheers

  9. #9
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    I make NO apologies for double posting, as my last reply was to a direct question.

    Pooh:

    If you are suspicious of the contens of an email, I say telnet it.
    You then gave detailed instructions

    1. Open up a command prompt
    2. run: telnet mail.mymailserver.com 110
    3. once it connects: user yourusername
    3. after the user name is in: pass yourpassword
    4. after that: list
    5. Then find the message you want to view: retr 3 (replace 3 with the message number)
    Now you can view the actual contents in plaintext without worrying about the attachment or embedded virus'
    In the real world that does not happen old chap..........honest...errr have you read many of the posts here in the newbie section?

    You are not WRONG....just inappropriate............."telnet it" ...when a lot of people I know couldn't even spell "trojan"

    My point is that this is also a family forum, and we have a lot of guests?..that is way too over the top IMHO? By the way...........I downloaded about 1500 messages from a little attended mailserver of mine...I was just imagining doing what you suggested with them (OK 99% SPAM=delete immediately)

    Horses for courses is what I say?

    Anyone else care to comment?

    Cheers

  10. #10
    Senior Member
    Join Date
    Mar 2004
    Posts
    139

    Well, like a pack of wolves, now I'm in the thick of it. I do have an inkling of what Telnet is.
    It is some kinda terminal emulator for which you need a client and server, like secureCRT.
    Having a router setup, I am familiar with the command prompt and hyper terminal, but haven't had much opportunity to play with telnet, which can open some holes on your system in itself.
    I'll eventually get to that with some help and lots of reading. I don't get a lot of spam, 2-5 a week, so for me its not that much of a hassle, but rather a new way to learn how to view an e-mail. Yes, a lot of it is still above my head, but that's sometime a good way to learn.
    Jump in the pool and swim. I trust that all of you will take me by the hand and support my first steps, and in return I'll ask before I do something stupid. Then one day I'll be able to pass on my knowledge.
    I have nothing to show yet, but for a bit of hot air. Anyway, I've started laying the bricks for a solid foundation, I can throw a lot of acronyms around and even know what most of them mean, but somebody told me, that I'm starting at the top and working my way backwards to the beginning. Kinda quirky.

    But thanks for taking such an interest in a newbie question.
    Would it be permissable to copy and paste the content of an e-mail, sans attachment,
    in this forum and have someone explain what exactly is going on? How to interpret the header
    and all the goofy stuff in the body.

    g8way2u

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •