|
-
March 4th, 2004, 07:00 PM
#1
 opening e-mails safely
Hi,
I want to get more information on reading or opening suspicious e-mails. It does not do any good to just delete an e-mail if I want to find out how they are engineered.
So far I have had no problems, or at least I think so. I have all relevant patches, OE is configured to remove attachments, and the virii scanning software is always enabled.
If I want to look at the message content and headers, I right click the e-mail in question, click properties and then message source. Finally I expand the window to read the content.
Amazing, the crap that's in some of these. I know some HTML, and its interesting to see apparently meaningless words between the delimiters.
Occasionally I have saved an attachment, scanned it, and only then opened it.
Are these safe practices, and are there some tips. I haven't seen a forum specifically on handling techniques of e-mails here.
g8way2u
-
March 4th, 2004, 08:03 PM
#2
I would not open suspicious items on your main computer. You might have noticed that your AV and all OS patches come AFTER the event?
Get an old machine to do this sort of thing on. If your main machine's AV lets you download or open malware then it is not protecting you against that malware?
Convert the file into a .txt file and open it in a program editing utility such as notepad or vi
Do not use Word, or similar high level text editors, as they can launch executables.
Just because an attachment passes you scan does not mean that it is safe..............or there wouldn't be any viruses?
Do be careful 
-
March 4th, 2004, 09:19 PM
#3
Thanks nihil,
I have a little networking set up so far, a Cisco 1600 and Cisco 2621 router, and a 2900 series
switch. When I'm practicing, I disconnect from the Internet. In the future I want to set up a seperate network, a blackhat and whitehat, completely isolated from all other boxes.
So in essence you suggest that if I want to look at some of the mal-code, I save it to a floppy or cd and then move it to the isolated box. Offcourse, the e-mail and attachment gets deleted from the main box and the media with the mal-code marked as such and stored safely away from other media.
Any suggestions on how to set up a safe lab environment?
g8way2u
-
March 4th, 2004, 10:00 PM
#4
-
March 4th, 2004, 10:28 PM
#5
Thanx again,
14 months I knew nothing, and now it's just an amazing journey.
I'll be posting as I learn.
g8way2u
-
March 5th, 2004, 01:17 AM
#6
for nihil mainly
to confirm, .txt is NOT a virus carrier ?
got 3 today, AV took them, and left a message with the V details as a .txt. attached to the mails
I opened them with notepad to see this.
edit:
Norton AntiVirus removed the attachment: mp3music.pif.
The W32.Netsky.D@mm threat was detected in the attachment.
this was the message left, just wanted to confirm that .txt is the safe way to check ???
so now I'm in my SIXTIES FFS
WTAF, how did that happen, so no more alterations to the sig, it will remain as is now
Beware of Geeks bearing GIF's
come and waste the day :P at The Taz Zone
-
March 5th, 2004, 01:38 AM
#7
If you are suspicious of the contens of an email, I say telnet it.
1. Open up a command prompt
2. run: telnet mail.mymailserver.com 110
3. once it connects: user yourusername
3. after the user name is in: pass yourpassword
4. after that: list
5. Then find the message you want to view: retr 3 (replace 3 with the message number)
Now you can view the actual contents in plaintext without worrying about the attachment or embedded virus'
-
March 5th, 2004, 01:50 AM
#8
Yes,
At present, or to the best of my knowledge and experience, there is nothing that will autostart in a .txt file read with a simple program text editor such as notepad or vi.
Hey, how could they write them without shooting themselves in the foot?..got to be a program text editor
Foxy........txt is what you write them in  Your AV found .pif files but sent you details in .txt?
hmmm.......seems like Norton agree with me , I am obviously wrong?
YES Foxy .txt is still safe, but keep your eyes and ears open, as things do change
Cheers
-
March 5th, 2004, 02:11 AM
#9
I make NO apologies for double posting, as my last reply was to a direct question.
Pooh:
If you are suspicious of the contens of an email, I say telnet it.
You then gave detailed instructions 
1. Open up a command prompt
2. run: telnet mail.mymailserver.com 110
3. once it connects: user yourusername
3. after the user name is in: pass yourpassword
5. Then find the message you want to view: retr 3 (replace 3 with the message number)
Now you can view the actual contents in plaintext without worrying about the attachment or embedded virus'
In the real world that does not happen old chap..........honest...errr have you read many of the posts here in the newbie section?
You are not WRONG....just inappropriate............."telnet it" ...when a lot of people I know couldn't even spell "trojan"
My point is that this is also a family forum, and we have a lot of guests?..that is way too over the top IMHO? By the way...........I downloaded about 1500 messages from a little attended mailserver of mine...I was just imagining doing what you suggested with them (OK 99% SPAM=delete immediately)
Horses for courses is what I say?
Anyone else care to comment?
Cheers
-
March 5th, 2004, 03:36 AM
#10
Well, like a pack of wolves, now I'm in the thick of it. I do have an inkling of what Telnet is.
It is some kinda terminal emulator for which you need a client and server, like secureCRT.
Having a router setup, I am familiar with the command prompt and hyper terminal, but haven't had much opportunity to play with telnet, which can open some holes on your system in itself.
I'll eventually get to that with some help and lots of reading. I don't get a lot of spam, 2-5 a week, so for me its not that much of a hassle, but rather a new way to learn how to view an e-mail. Yes, a lot of it is still above my head, but that's sometime a good way to learn.
Jump in the pool and swim. I trust that all of you will take me by the hand and support my first steps, and in return I'll ask before I do something stupid. Then one day I'll be able to pass on my knowledge.
I have nothing to show yet, but for a bit of hot air. Anyway, I've started laying the bricks for a solid foundation, I can throw a lot of acronyms around and even know what most of them mean, but somebody told me, that I'm starting at the top and working my way backwards to the beginning. Kinda quirky.
But thanks for taking such an interest in a newbie question.
Would it be permissable to copy and paste the content of an e-mail, sans attachment,
in this forum and have someone explain what exactly is going on? How to interpret the header
and all the goofy stuff in the body.
g8way2u
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|
Reply With Quote
......OK you seem to have the idea, if you catch one........lift it carefully into your lab environment.
