Let's Go Phishing
Article by Rick Leinecker, February 27, 2006

Most jobs require employees to use email for communication with fellow workers and business associates. And most home users find email a convenient and easy way to communicate with friends and family. It's no wonder that email pervades our daily lives to the extent that it does.

But as with anything that's commonly used, such as the telephone, marketers spend time thinking of ways to exploit it for their own commercial ends. Email is no exception: third parties have clever ways to use it to sell services and products, and just as with telemarketers, the annoyance can be more than irritating. This article talks about the defensive settings that Outlook Express provides. And while it's specific to Outlook Express, the strategies carry over to other email software such as Eudora.

Spam is the unsolicited junk email that we all get. Besides selling goods and services, spammers want information about you. They use the information to send you additional emails selling products, and they also sell their lists to other spammers who will also send you additional emails selling goods and services.

The first piece of useful information they gather is that your email address is valid. There's more to this than you might think. Somehow they have either harvested your email address or guessed it; they do both. Harvesting is done by scanning web pages for mailto: links and addresses written in plain text, online articles that print the author's address, and those card-sending services, which collect both the sender's address and the recipient's. Remember the next time you send a card to someone that your address and theirs may well end up on a spam list. The defenses against having your email harvested are these: never publish your address on a web page, whether as a link or as plain text (a contact form, or an address written out as "joe at example dot com", is harder for a harvester to pick up automatically), and avoid services that send out things such as greeting cards.

Guessing emails is almost as easy. The spammers take a list of common first and last names, and their software combines them in every likely pattern (JoeSmith, joe.smith, jsmith, and so on). They then send email to those names at the big providers such as yahoo.com and hotmail.com, for example JoeSmith@yahoo.com or JoeSmith@hotmail.com. If the message comes back as undeliverable (is bounced), they know the address is invalid; if it doesn't bounce, they add it to their list. This is known as a dictionary attack or directory-harvest attack. The defense is to choose an address that doesn't fit any easy guessing pattern. For instance, instead of JoeSmith@yahoo.com you might try Joe123Smith456@yahoo.com.
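The following script is an added example, not part of the original article, and it illustrates both of the collection methods just described: it runs a naive harvester's pattern over a constructed contact page, and it generates the candidate list a dictionary attack would try for a few names and domains. The sample page, the name lists and the local-part patterns are all constructed for the example; a real harvester would handle more obfuscations than the `[at]`/`[dot]` spelling this one misses.

```python
import itertools
import re

# Constructed sample page: a mailto: link, a bare address in running text,
# and an address written with a common obfuscation.
SAMPLE_PAGE = """
<h1>Contact us</h1>
<p>Email: <a href="mailto:joesmith@example.com">Joe Smith</a></p>
<p>Or write to sales@example.com for quotes.</p>
<p>Support: jane [at] example [dot] com</p>
"""

# A naive harvester's pattern: anything shaped like local@domain.tld.
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def harvest_addresses(html):
    """Return the addresses a simple harvester pulls from a page, lower-cased,
    in order of appearance, without duplicates. Both the mailto: href and the
    bare address in text match; the "[at] ... [dot]" spelling does not."""
    found = []
    for match in ADDRESS_RE.findall(html):
        addr = match.lower()
        if addr not in found:
            found.append(addr)
    return found


# Local-part patterns a dictionary attacker tries for each first/last name pair
# (a constructed, illustrative subset).
LOCAL_PART_PATTERNS = (
    "{first}{last}", "{first}.{last}", "{first}_{last}",
    "{f}{last}", "{first}{l}", "{last}{first}", "{first}",
)


def guess_addresses(first_names, last_names, domains):
    """Generate the candidate set a directory-harvest attack would probe:
    every name pair, in every common pattern, at every popular domain."""
    candidates = set()
    for first, last, domain in itertools.product(first_names, last_names, domains):
        f, l = first.lower(), last.lower()
        for pattern in LOCAL_PART_PATTERNS:
            local = pattern.format(first=f, last=l, f=f[0], l=l[0])
            candidates.add(f"{local}@{domain}")
    return candidates


def is_easily_guessed(address, first_names, last_names, domains):
    """True if the address falls inside the attacker's candidate set."""
    return address.lower() in guess_addresses(first_names, last_names, domains)


if __name__ == "__main__":
    print("harvested:", harvest_addresses(SAMPLE_PAGE))
    firsts, lasts, doms = ["Joe", "Jane"], ["Smith", "Jones"], ["yahoo.com", "hotmail.com"]
    for addr in ("JoeSmith@yahoo.com", "Joe123Smith456@yahoo.com"):
        verdict = "guessable" if is_easily_guessed(addr, firsts, lasts, doms) else "not in dictionary"
        print(f"{addr}: {verdict}")
```

Run it and the harvester returns the two plainly written addresses, while JoeSmith@yahoo.com lands in the guess set and Joe123Smith456@yahoo.com does not, which is exactly the property the article recommends.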

Let me say a word about email attachments even though this subject doesn't fall into the category of information gathering. It's too important not to mention. Attachments are a great convenience when you send pictures to your friends. But when you receive executable files such as programs, screen savers, and scripts you can have big problems. When you open these files, they can do practically anything to your system, including deleting and changing important system files. Never open an attachment unless you're absolutely sure of who sent it and what it is. And just because it came from a trusted source doesn't mean it's 100 percent safe. The sender's computer may have been infected by a worm or Trojan that mails copies of itself to everyone in the address book, so the message really did come from your friend's machine. Picture (GIF, JPG, and PNG), plain text, and PDF files are far lower risk, because they are data rather than code, but they are not risk-free: the programs that display them have had exploitable bugs. Programs, screen savers (.scr files are ordinary executables), and scripts are outright dangerous, and so is a file whose name disguises its type, such as photo.jpg.exe, which Windows displays as photo.jpg when it is set to hide file extensions.

Outlook Express has a safety feature that lets you mitigate the risk from email attachments. If you open the Outlook Express configuration dialog (Tools menu, Options selection), click on the Security tab, and select "Do not allow attachments to be saved or opened that could potentially be a virus", then Outlook Express refuses to open or save attachments whose file types are on its unsafe list (programs, screen savers, scripts and the like). This may prevent you from getting attachments you need, but for those you can temporarily change the setting until you have saved the attachment you want. The check is based on the file type, so treat it as a safety net rather than a substitute for judgement about what you open.
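To make the file-type check concrete, here is an added example (not Outlook Express code and not the author's) that parses a constructed test message with Python's standard `email` package and classifies each attachment the way an unsafe-extension list does, plus one check the extension list alone would miss: a Windows executable renamed to look like a picture. The extension set is an illustrative subset chosen for the example, and the attachment contents are a few constructed bytes, not real files.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Illustrative subset of file types Windows runs directly or as scripts.
UNSAFE_EXTENSIONS = {
    "exe", "com", "scr", "pif", "bat", "cmd", "vbs", "vbe",
    "js", "jse", "wsf", "wsh", "hta", "lnk", "reg", "msi",
}

# Leading bytes of a Windows executable (the "MZ" header).
PE_MAGIC = b"MZ"


def classify_attachment(filename, payload):
    """Return (verdict, reason) for one attachment.

    The extension check uses the *last* extension after stripping trailing dots
    and spaces, so 'photo.jpg.exe' and 'setup.exe.' are both caught. The content
    check catches an executable that was simply renamed to a harmless extension."""
    name = (filename or "").rstrip(". ").lower()
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    if ext in UNSAFE_EXTENSIONS:
        return "block", f"extension .{ext} is executable or scriptable"
    if payload.startswith(PE_MAGIC):
        return "block", "content is a Windows executable despite the file name"
    return "allow", f"extension .{ext or '(none)'} is not on the unsafe list"


def scan_message(raw_bytes):
    """Parse a raw message and classify every attachment, keyed by file name."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    results = {}
    for part in msg.iter_attachments():
        fname = part.get_filename() or "(unnamed)"
        results[fname] = classify_attachment(fname, part.get_payload(decode=True))
    return results


def build_sample_message():
    """Constructed message with four attachments of differing risk."""
    msg = EmailMessage()
    msg["From"] = "friend@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = "Pictures from the trip"
    msg.set_content("See attached.")
    msg.add_attachment(b"\x89PNG\r\n\x1a\n...", maintype="image", subtype="png",
                       filename="beach.png")                      # genuine picture
    msg.add_attachment(b"MZ\x90\x00...", maintype="application", subtype="octet-stream",
                       filename="slideshow.scr")                  # screen saver = program
    msg.add_attachment(b"MZ\x90\x00...", maintype="image", subtype="jpeg",
                       filename="photo.jpg.exe")                  # double extension
    msg.add_attachment(b"MZ\x90\x00...", maintype="image", subtype="jpeg",
                       filename="photo.jpg")                      # renamed executable
    return msg.as_bytes()


if __name__ == "__main__":
    for name, (verdict, why) in scan_message(build_sample_message()).items():
        print(f"{verdict:5}  {name:16}  {why}")
```

The last case is the interesting one: by extension alone photo.jpg would be allowed, which is why a mail client's type-based block is only a first line of defence and the article's advice about knowing who sent what still stands.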

A very powerful method of retrieving information about you is through images that are displayed within emails. An HTML email can reference an image that lives on the sender's server rather than inside the message; when your mail program displays the message it fetches that image, and the web request itself tells the server the date and time, your IP address (roughly, your computer's phone number on the Internet), and system details such as your operating system and browser version, which the request carries in its User-Agent header. In the worst case the image's address includes a query string unique to you, so the server learns exactly which address from the spam list opened the message. Such an image is known as a web beacon or tracking pixel (often a 1-by-1 transparent GIF). Strictly speaking this is not phishing, which is email that impersonates a bank or other trusted party to trick you into handing over passwords or account details, but phishing messages use the same image trick to see who took the bait.

Web beacons give the spammers lots of information about you. They know your general habits: pretty much when you are prone to open emails. From your IP address they can tell roughly where you are, often down to the city. They know about your system, things such as the operating system (Windows 2000, Windows XP, etc.) and the Internet software and version (for example Internet Explorer 6.0, whose engine Outlook Express uses to display HTML mail). And with a per-recipient query string they pair all of this with your exact email address and confirm that it is live.

With all of this valuable information, you're in for more spam. But this time it's targeted to your specifics. It's like the target marketing that TV advertisers strive for, but even better, because it's more information than the most sophisticated TV advertisers can glean.

There is a defense against this image tracking. From the Outlook Express options dialog, select the Security tab. Then, by selecting the checkbox that says "Block images and other external content in HTML e-mail", remote images won't be fetched or displayed. You will get a notice at the top of the email that lets you load the images if you decide the message is trustworthy. A second line of defense is the option to read all messages as plain text, which ignores the HTML, and its images, altogether.
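As an added example (not from the article and not Outlook Express's own code), the script below does in a few lines what the "block external content" setting does in the mail client: it finds every image in a constructed HTML message body that points at a remote server, decodes what the beacon's query string would hand over the moment it is fetched, and then neutralises those references while leaving images embedded in the message itself (`cid:` references) alone. The message body, host names and parameter names are constructed for the example; the IP address, timestamp and User-Agent the article mentions come from the HTTP request itself and are not visible in the HTML, which is why the only reliable defense is not to make the request.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed HTML email body: one image embedded in the message (cid:), one
# ordinary-looking remote logo, and a 1x1 tracking pixel whose query string
# names the recipient and the mailing.
SAMPLE_EMAIL_HTML = """
<html><body>
<img src="cid:photo1@local">
<p>Great deals inside!</p>
<img src="http://promo.example.net/logo.gif" width="120">
<img src="http://track.example.net/open.gif?list=spring06&rcpt=joesmith%40yahoo.com&msg=4471" width="1" height="1">
</body></html>
"""


class ExternalImageFinder(HTMLParser):
    """Collect img src values that would cause a request to a remote server."""

    def __init__(self):
        super().__init__()
        self.external = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        src = dict(attrs).get("src") or ""
        if urlsplit(src).scheme in ("http", "https"):
            self.external.append(src)


def find_external_images(html):
    parser = ExternalImageFinder()
    parser.feed(html)
    return parser.external


def decode_beacon(url):
    """What the sender's server learns from the URL alone: which host is contacted
    and each query parameter (here the recipient address and mailing id)."""
    parts = urlsplit(url)
    params = {key: values[0] for key, values in parse_qs(parts.query).items()}
    return {"host": parts.netloc, "params": params}


def block_external_images(html):
    """Equivalent of the client setting: empty every remote src so nothing is
    fetched, keeping the original URL in a data attribute for a later
    'load images' decision. Embedded cid: images are untouched."""
    blocked = html
    for src in find_external_images(html):
        blocked = blocked.replace(f'src="{src}"', f'src="" data-blocked-src="{src}"')
    return blocked


if __name__ == "__main__":
    for src in find_external_images(SAMPLE_EMAIL_HTML):
        print(decode_beacon(src))
    print(block_external_images(SAMPLE_EMAIL_HTML))
```

Note that even the innocent-looking logo.gif counts: with no query string it cannot single you out, but the request still reveals your IP address, the time and your software, so the setting blocks every remote image rather than trying to tell beacons from decoration.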

Those are the basics of defensive email.