Saturday, July 7, 2012

Should I open this email?

Should I open this email?

A client asks:
I received an email from someone I don’t recognize. The email had an attachment (document) he wanted me to evaluate. Do I dare open the attachment?  Is there any way I can do so and guarantee it is not a virus? 

Basically, no. You can’t guarantee it’s benign.

In this sort of circumstance, either as sender or recipient, I try to validate the legitimacy of the contact. In the text of the email I identify myself and the attachment by filename and size. Sometimes I will make non-email contact to alert the recipient or verify the sender. Unless you or the data on your system are particularly high value, it’s unlikely a random attack would take the effort to pass these tests.

If you can’t make this “out of band” contact and still want to open the message or its attachment, there are some unilateral assessments you should make first. Start with the anti-spam / anti-phishing / anti-virus triggers you apply to every subject line, message, and attachment.
In the preview, before you open the email:
•    Are you expecting this?
•    Do the From and To addresses look reasonable. For example, do names look random or made up, are there multiple similar addressees at the same domain, or is your exact address missing from the list? If it makes reference to an account, especially a financial account, and is not directly and exclusively addressed to you; it’s probably a phishing attack.
•    Is the subject line meaningful and relevant?
•    If it refers to an “issue with your account;” does it identify the account or describe the problem?
•    Does the content apply to you? (Immediately trash a notice from BigBank if you don’t do business with them.)
•    Do the grammar, writing style, and content ring true to the request? If it comes from someone you know, do the style and content match what they usually send?
•    Are there excessive links and do they connect to what you expect? Hover your mouse over the link and look at the entire URL. Work back from the first “/” after “http://.” A link of “” will actually take you to BadGuys’ site. While you’re looking at the links, pay attention to the top level domain (TLD). That is the letters left of the “/” until you hit a period – classically “.com” or “.org.” The “.ru” in the example above refers to Russia; along with China, a common starting point for malware. This is a minor indicator as bad guys can buy a .com and good things can come from unexpected countries such as (a useful URL-shrinking service), where the “.ly” stands for Libya. (
•    Are the attachment’s name and file type what they appear to be? It’s an old trick to name the attachment “CuteKitty.jpg” and then pad the name out with many spaces before giving the actual functional name of “…virus.exe” which falls off the edge of the page.
•    Is it delivered primarily as pictures? Your previewer should be set not to download pictures automatically, but only on your request. Downloading the pictures can deliver malware and return significant tracking information about you. If you can’t comprehend the gist of the message from the text it doesn’t deserve further analysis.
•    Look at the source of the message. In Microsoft Office (retail) Outlook, right-click on the message and choose View Source. This is very geeky and includes a lot of garbage; but, with experience, you may be able to spot something suspicious. Backtracking the internet headers is even more obscure, but can reveal that the sender is not who he appears to be.
•    Did it pass your up-to-date virus and spam checker? Antivirus programs often remove the malware attachments and deliver a message that contains very little text. There’s usually a good reason for it to be labeled spam.
•    Right-click the attachment and save it to a temporary folder on your computer or sacrificial thumb drive. Run an on-demand virus check on it.
•    Be sure all your viewing software is up-to-date. There is often a “check for updates” option under the Help or Tools menu or you can go to the publisher’s website. Especially visit,, and at least monthly to check for updates for Adobe Reader, Flash Player (hopefully, you’ve never installed Shockwave Player), Java, and Windows.
•    Open the attachment in less common programs. For example, use foxit ( for .PDFs rather than Adobe Reader or send office documents to Google Documents (
•    Open the attachment on a Linux or Apple computer as malware is often (but not necessarily) Windows-specific. You can get a CD to boot your PC directly into Linux. Everything runs in memory and when you reboot there’s no record (and hopefully, no residual evil) from what you just did.
•    If this were a legitimate email and you trashed it without opening would it really cause any problems?

Surf - and email - safe!

Read more:
An example of a "good" email from your bank. 

 Creative Commons License. This work by Bill Barnes is licensed under a Creative Commons BY-NC-SA 3.0 US License. Permissions beyond the scope of this license may be available at
(c) 2011 Bill Barnes - Disclaimer - Home Page - Blogs Home

No comments: