



Email Security
Electronic Mail has become increasingly problematic!
Many of the recent scams have taken a new twist - their goal is to perform a
Compromise of Resources Attack in order to gain control of your
system and turn it into a SPAM mailer. Other attacks attempt to steal passwords
and account information. Some recent emails purport to be "News Updates" -
their titles suggest the latest news items - but the payload is a worm. Other
attacks attempt to get you to provide critical personal and financial
information - the "Phishing" expedition. Other email promotes outright frauds
and scams. Read on for some tips, commentary and general advice.
If you have arrived on this page from a link or a search engine,
then you may not have seen our General Computer
Security Page.
For a general look at good computer security and data
maintenance practices, review our Security Brochure in PDF format. If you need the Adobe
Acrobat Reader, download it at
Adobe's
Downloads Page.
Email Security Tips
- 419 Scam - World's Funniest Take: The lady at Busted up Cowgirl has the Nigerian Scam worked out pretty good. I do not recommend that you try her methods - unless you have a strong stomach, know how to hide behind a PO box and all that stuff. But it sure is an interesting thought.
- Lottery Scam: It's silly season for the lottery scammers. We have been inundated with Lottery Scam emails - everything from the "European Union Lottery" to the "Even Bill Gates Donated Lottery". The reason they ask you to "keep it confidential" is so that you won't talk while they scam you with confirmation fees, entry fees, processing fees, legal fees and the like. Just say no!
- Phishing Scams: Royal Bank, BOM or US Bank or PayPal want you to verify your account because some dastardly person has been phishing through your account? Yeah right!!! Aside from the fact that you probably don't have an account at the named institution, you should consider that the banks don't send these emails - ever. If you respond you can kiss your money goodbye. Some of them actually take you to the official site - to allay your fears - then pop up a convenient form for you to verify your account. Just say no to "Phishing Schemes"! You fell for one of these? Get on the phone to your bank or your credit card company - NOW! No, I am not giving you the phone numbers. The only thing you should trust right now is your friendly phone book or the information operator, if you don't have the proper phone numbers in your home filing system. Now visit a couple of sites for more information. There is the Anti-Phishing organization. You can also visit the friendly Royal Canadian Mounted Police at the RCMP web site - to lodge a complaint.
- Anti-Phishing Tool: CoreStreet publishes a tool called SpoofStick, usable with the MS IE and Firefox browsers. It is quite simple - all it does is intercept the URL and display a toolbar showing the site that your browser is really displaying. It is simple to use and install. It helps you guard against sites that overwrite the code which displays the current URL window. I believe that tip came through E-Week Magazine.
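The two items above come down to one question: what host is the browser really talking to, as opposed to the name the email (or a doctored address bar) wants you to see? The following program is an added example, not code from this page, from CoreStreet or from SpoofStick; it does in a few lines what such a toolbar does for you. It assumes the institution's genuine domain is "royalbank.com" (an illustration only) and the sample links are constructed; none of those hosts is a real site.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Finding records where a link really points and whether it is trading on a
// brand name it does not belong to.
type Finding struct {
	RawURL     string
	RealHost   string // the host the browser will actually connect to
	RegDomain  string // last two labels of that host, e.g. "account-verify.example"
	Suspicious bool
}

// registrableDomain returns the last two DNS labels of a host. This is a
// simplification for the demo: it ignores multi-label suffixes such as "co.uk".
func registrableDomain(host string) string {
	labels := strings.Split(strings.TrimSuffix(host, "."), ".")
	if len(labels) < 2 {
		return host
	}
	return strings.Join(labels[len(labels)-2:], ".")
}

// squash lowercases a string and drops spaces so "Royal Bank" and
// "royalbank" compare equal.
func squash(s string) string {
	return strings.ReplaceAll(strings.ToLower(s), " ", "")
}

// CheckLink parses rawURL the way a browser would and extracts the host that
// will really be contacted. expectedDomain is the institution's genuine
// domain (assumed to be "royalbank.com" below; an illustration). The link is
// suspicious when the brand shows up in the host or in the visible link text
// but the real host is not under the expected domain.
func CheckLink(rawURL, linkText, expectedDomain string) (Finding, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return Finding{}, err
	}
	host := strings.ToLower(u.Hostname()) // Hostname() drops any :port
	expected := strings.ToLower(expectedDomain)
	brand := strings.SplitN(expected, ".", 2)[0] // "royalbank"

	mentionsBrand := strings.Contains(host, brand) || strings.Contains(squash(linkText), brand)
	underExpected := host == expected || strings.HasSuffix(host, "."+expected)

	return Finding{
		RawURL:     rawURL,
		RealHost:   host,
		RegDomain:  registrableDomain(host),
		Suspicious: mentionsBrand && !underExpected,
	}, nil
}

func main() {
	// Constructed sample links of the kind a phishing mail carries; none of
	// these hosts are real sites.
	samples := []struct{ href, text string }{
		{"https://www.royalbank.com/accounts", "www.royalbank.com"},
		{"http://www.royalbank.com.account-verify.example/login", "www.royalbank.com"},
		{"http://198.51.100.7/rb/verify", "Royal Bank secure login"},
	}
	for _, s := range samples {
		f, err := CheckLink(s.href, s.text, "royalbank.com")
		if err != nil {
			fmt.Println("unparseable link:", err)
			continue
		}
		fmt.Printf("link text %-25q -> real host %-45s suspicious=%v\n", s.text, f.RealHost, f.Suspicious)
	}
}
```

The second sample is the classic trick: the bank's name is in the host, but only as a leading subdomain, and the part that actually decides where the request goes is the last two labels. The same check on the genuine site passes, so the rule does not simply flag every mention of the bank.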
- 419 Scam: You have an email in your inbox that promises untold riches - if only you will help smuggle money from Nigeria, Lower Slobovia or some other unlikely place. Oh! You already fell for it? Well, this news won't help - will it? Yes - it is a SCAM. The Nigerian SCAM has been well documented. Canadian readers go here, and US readers just go here - and you can read all about it. Make sure you follow the directions to file the information with the scam-busting unit. If all the letters, emails and faxes I have personally received had any basis in reality, then Nigeria would have hundreds of billions of dollars in loose cash hanging about and even the poorest street child should be able to have a chauffeur-driven Rolls Royce. Come to think of it, there would be no street children - would there? If we include your emails and faxes, make that several hundred trillion dollars ($US no less).
- Virus Scanner: Anti-virus suites can assist you in preventing Trojans and spyware from being installed on your systems. Even the good suites do not detect every Trojan, worm, virus and malware application equally well. We use three different suites on our network - each has detected malware not seen by the others. If you have an anti-virus suite, keep it up to date by enabling auto-update or by going to its downloads and updates page on-line regularly! See our Security page for further information.
- Transmission Security: Email is not secure on a server or in a packet stream (on the wire). Email usually passes through many routers and servers on its way to its destination. Communications routers and email servers are not always physically secure - it would be easy to "tap" these points. Recall the recent router thefts in New York City (Summer 2004) - from a major distribution point, no less? It was likely due to poor to non-existent security and non-functional locks. Also note that most login names and passwords are sent as "clear text" - unencrypted. So if you gain access to a major routing site then you have hit paydirt.
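"Clear text" deserves a concrete look, because mail clients dress the login up in a way that looks scrambled but isn't. The program below is an added example (not from this page or any vendor): it audits a captured SMTP session transcript and reports whether the AUTH command went out before STARTTLS had been accepted. The two transcripts, the server name mail.example.net and the account "alice"/"hunter2" are all constructed for the demo; the "C: "/"S: " prefixes are just the convention this checker assumes for client and server lines.

```go
package main

import (
	"bufio"
	"encoding/base64"
	"fmt"
	"strings"
)

// AuditResult summarises whether a mail session exposed its credentials.
type AuditResult struct {
	TLSBeforeAuth bool   // STARTTLS was accepted (220 reply) before AUTH was sent
	Username      string // recovered from an AUTH PLAIN sent in the clear
	Exposed       bool   // anyone on the path (router, relay, tap) could read the login
}

// AuditSMTPTranscript walks a client/server transcript in which client lines
// carry the prefix "C: " and server lines "S: ". AUTH PLAIN carries
// "authzid NUL username NUL password" base64-encoded; base64 is an
// encoding, not encryption, so unless STARTTLS succeeded first the login is
// readable wherever the packets pass.
func AuditSMTPTranscript(transcript string) AuditResult {
	var res AuditResult
	tlsActive, awaitingTLSReply := false, false
	sc := bufio.NewScanner(strings.NewReader(transcript))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case strings.HasPrefix(line, "C: "):
			cmd := strings.TrimPrefix(line, "C: ")
			upper := strings.ToUpper(cmd)
			if upper == "STARTTLS" {
				awaitingTLSReply = true
			} else if strings.HasPrefix(upper, "AUTH PLAIN ") {
				res.TLSBeforeAuth = tlsActive
				if !tlsActive {
					res.Exposed = true
					res.Username = usernameFromAuthPlain(cmd[len("AUTH PLAIN "):])
				}
			}
		case strings.HasPrefix(line, "S: "):
			if awaitingTLSReply {
				awaitingTLSReply = false
				if strings.HasPrefix(strings.TrimPrefix(line, "S: "), "220") {
					tlsActive = true // from here on the bytes on the wire are encrypted
				}
			}
		}
	}
	return res
}

// usernameFromAuthPlain decodes the SASL PLAIN payload and returns only the
// username; the password sits right beside it in the same decoded bytes.
func usernameFromAuthPlain(b64 string) string {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return ""
	}
	parts := strings.Split(string(raw), "\x00")
	if len(parts) < 3 {
		return ""
	}
	return parts[1]
}

// authPlainLine is a constructed AUTH PLAIN command for user "alice" with
// password "hunter2" (it encodes to "AGFsaWNlAGh1bnRlcjI="); not a real account.
var authPlainLine = "C: AUTH PLAIN " + base64.StdEncoding.EncodeToString([]byte("\x00alice\x00hunter2"))

// ClearTextSession is a constructed transcript: the client authenticates
// without ever negotiating TLS.
func ClearTextSession() string {
	return strings.Join([]string{
		"S: 220 mail.example.net ESMTP",
		"C: EHLO laptop.example.net",
		"S: 250-mail.example.net",
		"S: 250 AUTH PLAIN LOGIN",
		authPlainLine,
		"S: 235 2.7.0 Authentication successful",
	}, "\n")
}

// TLSSession is the same exchange done properly: STARTTLS first, then AUTH
// inside the encrypted channel (shown here as the decrypted view).
func TLSSession() string {
	return strings.Join([]string{
		"S: 220 mail.example.net ESMTP",
		"C: EHLO laptop.example.net",
		"S: 250-mail.example.net",
		"S: 250-STARTTLS",
		"S: 250 AUTH PLAIN LOGIN",
		"C: STARTTLS",
		"S: 220 Ready to start TLS",
		"C: EHLO laptop.example.net",
		"S: 250 AUTH PLAIN LOGIN",
		authPlainLine,
		"S: 235 2.7.0 Authentication successful",
	}, "\n")
}

func main() {
	for name, tr := range map[string]string{"clear-text": ClearTextSession(), "starttls": TLSSession()} {
		r := AuditSMTPTranscript(tr)
		fmt.Printf("%-10s exposed=%-5v tlsBeforeAuth=%-5v username=%q\n", name, r.Exposed, r.TLSBeforeAuth, r.Username)
	}
}
```

The fix on the client side is the one the second transcript shows: make the mail program require STARTTLS (or an SSL/TLS port) before it will send the login, rather than "use if available".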
- Encryption and Security Keys: If you are a sophisticated user, investigate the use of encryption for your sensitive data and emails. Thawte is one company that offers some of these services. You can go directly to their email page by following this link. Encryption by modern systems with "large" keys will allow you to prevent all but the most resourceful of intruders from reading your email - but only in the transmission and storage phases. If you have spyware running on your system your email will be read before you encrypt it and after you decrypt it.
- Authentication and Security Keys: Most authentication systems will allow you to verify that an item was sent from (or received by) the computer of an individual. It will not verify that a specific individual sent it. Also consider generating a public/private key pair and using a digital signature to sign your email. Thawte is one company that offers some of these services.
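To make the key-pair suggestion concrete, here is an added example (not from this page, and not Thawte's product) of what a digital signature on an email does and does not prove. It uses Ed25519 from Go's standard library rather than the S/MIME certificates a service like Thawte issues, but the logic is the same: the private key signs the exact bytes of the message, anyone holding the public key can check the signature, and any change to the body breaks it. The order text is constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// SignedMail bundles a message body with the detached signature over it.
type SignedMail struct {
	Body      string
	Signature []byte
}

// NewSigningKey generates a fresh Ed25519 key pair. The private half stays
// on the sender's machine; the public half is what correspondents use to
// check signatures.
func NewSigningKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Sign produces a signature over the exact bytes of body.
func Sign(priv ed25519.PrivateKey, body string) SignedMail {
	return SignedMail{Body: body, Signature: ed25519.Sign(priv, []byte(body))}
}

// Verify reports whether the signature was produced by the private key
// matching pub over exactly this body. Note what that establishes: the
// holder of that private key (i.e. that computer, or whoever was using it)
// signed these bytes, not which human was at the keyboard.
func Verify(pub ed25519.PublicKey, m SignedMail) bool {
	return ed25519.Verify(pub, []byte(m.Body), m.Signature)
}

func main() {
	pub, priv, err := NewSigningKey()
	if err != nil {
		panic(err)
	}
	// Constructed message; no real order.
	m := Sign(priv, "Please ship order 4471 to the Toronto warehouse.")
	fmt.Println("signature:", base64.StdEncoding.EncodeToString(m.Signature))
	fmt.Println("genuine message verifies:", Verify(pub, m))

	// Someone on the path edits one word: the old signature no longer matches.
	tampered := SignedMail{Body: "Please ship order 4471 to the Buffalo warehouse.", Signature: m.Signature}
	fmt.Println("altered message verifies:", Verify(pub, tampered))

	// A different key pair (another machine, or another person) cannot
	// produce a signature that checks out under the first public key.
	pub2, _, _ := NewSigningKey()
	fmt.Println("verifies under someone else's key:", Verify(pub2, m))
}
```

What the program cannot show is the point the text makes: if the private key sits on a machine that somebody else can use, or spyware on that machine signs things on the owner's behalf, the signature still verifies. The key proves possession of the key, nothing more.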
- BIO Identification Systems: Bio-identification systems ensure only that an individual's thumb, eyeball or other body part was presented to a security device - not that it was attached to the individual. Maybe these systems should be redesigned to look for blood flow and heartbeats. They do not detect coercion either... yet! Voice identification might be better - and better suited to stress analysis. The Nexus Group offers a range of solutions for corporations. They produce facial recognition systems, incident tracking systems and other security related products.
- Passwords: The object of much of the network hacking is to obtain your passwords, bank card numbers, credit card numbers, SIN numbers etc. The easiest way to do this is to "crack" your passwords and access your accounts. A word to the wise: "secret", "kitty", "doggy", "topdog" etc. are not passwords - they are minor annoyances to a good password thief. Most thieves are aware that they can download a dictionary (in the language of their choice - or yours) and try all the known words as well. A secure password is something like "m1a3r5y7" or "johnny!6321" or better yet "g3tur08pkkl". If the program you are protecting allows use of special characters, and the number isn't your birth year - or something else easily guessable - then set your passwords accordingly.
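The rules in that paragraph can be turned into a checker, which is what the added example below does (it is not code from this page). It rejects a candidate that is a dictionary word, a dictionary word with digits bolted on, too short, all one character class, or containing a year-like number. The word list is a constructed stand-in for the full dictionaries the text warns about; a real checker would load one from a file. The verdicts for the page's own sample passwords follow its classification.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// commonWords is a constructed, deliberately tiny stand-in for a real
// word list; load a full dictionary (in every relevant language) in practice.
var commonWords = []string{"secret", "kitty", "doggy", "topdog", "password", "letmein", "welcome"}

// containsYear reports whether the password holds a run of four digits that
// reads as a plausible birth year (the "number isn't your birth year" rule).
func containsYear(p string) bool {
	for i := 0; i+4 <= len(p); i++ {
		chunk := p[i : i+4]
		allDigits := true
		for _, r := range chunk {
			if !unicode.IsDigit(r) {
				allDigits = false
				break
			}
		}
		// Equal-length digit strings compare correctly as strings.
		if allDigits && chunk >= "1920" && chunk <= "2010" {
			return true
		}
	}
	return false
}

// lettersOnly keeps the alphabetic core of a password, lowercased, so that
// "kitty1985" and "Kitty!" are both seen as the word "kitty".
func lettersOnly(p string) string {
	var b strings.Builder
	for _, r := range p {
		if unicode.IsLetter(r) {
			b.WriteRune(unicode.ToLower(r))
		}
	}
	return b.String()
}

// CheckPassword returns the reasons a candidate fails the advice in the
// text; an empty slice means it passes.
func CheckPassword(p string, dictionary []string) []string {
	var reasons []string
	if len(p) < 8 {
		reasons = append(reasons, "shorter than 8 characters")
	}
	var letters, digits int
	for _, r := range p {
		switch {
		case unicode.IsLetter(r):
			letters++
		case unicode.IsDigit(r):
			digits++
		}
	}
	if letters == 0 || digits == 0 {
		reasons = append(reasons, "needs both letters and digits")
	}
	lower, core := strings.ToLower(p), lettersOnly(p)
	for _, w := range dictionary {
		if lower == w || core == w {
			reasons = append(reasons, fmt.Sprintf("dictionary word %q (with or without digits added)", w))
			break
		}
	}
	if containsYear(p) {
		reasons = append(reasons, "contains a year-like number")
	}
	return reasons
}

func main() {
	for _, p := range []string{"secret", "kitty1985", "topdog", "m1a3r5y7", "johnny!6321", "g3tur08pkkl"} {
		if reasons := CheckPassword(p, commonWords); len(reasons) == 0 {
			fmt.Printf("%-14q OK\n", p)
		} else {
			fmt.Printf("%-14q rejected: %s\n", p, strings.Join(reasons, "; "))
		}
	}
}
```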
- Safe Browsing and Emailing: Are you using Microsoft
Internet Explorer or Microsoft Outlook? Consider changing your email and
browsing software. Your computer is at extreme risk for virus infection! Check
below for links to Mozilla and Mozilla Thunderbird.
- Anti-Spyware Software: This is not virus-checking software, but rather a utility that can check to see whether you have picked up "tracking" baggage during your web browsing. Some of the packages can block access to known malicious sites. All of them typically remove tracking cookies installed by "banner advertising" and web pages that track and sell your browsing habits. Almost all can remove the code and Registry entries that have "stuck you" on a new home page that you don't want. We like SpyBot - and it also gets rid of demon dialers, keystroke loggers, and other "crudware".
- Microsoft Anti-Spyware: Microsoft has purchased an anti-spyware product and is offering a free trial in advance of the software release. It can be found by visiting the Microsoft site.
- Anti Spam Research: IBM is doing some interesting
anti-SPAM research. If you want to read about their spoof detection, plagiarism
and pattern matching algorithms for detecting spam visit their
Anti-SPAM Research
page.
- Email Scripting: It is our opinion that EMAIL
SCRIPTING is a dumb idea whose time never came. Allowing
an email package to execute script code is the reason that we have so many
malicious viruses. MS Outlook permits attachments to run scripts. Script
kiddies and other malicious types just love this capability. Choose something
else - it would be difficult to find a more dangerous package - so make another
choice. Eudora, Netscape, Mozilla and Thunderbird can't be worse than MS
Outlook. Just say no to MS Outlook - in all its variations.
- JavaScript and Java: Turn off JavaScript and Java for newsgroup and mail packages. Save the scripts for web pages. In Netscape and Mozilla - from the Mail package choose "Edit -> Preferences -> Advanced". You can turn off Java and scripting for email, and turn off pop-ups and other malicious behaviour.
- Throw away (most) email with attachments: If you can't recognize the person it came from, then throw it away - unread - or quarantine it if you have a sophisticated mail reader. If you don't know why you are getting an attachment from anyone - be leery of the email. If you don't know the sender and can't get verification of the contents - then you don't need the hassle of inadvertently spreading a virus. Just don't blame us because you tossed a million-dollar purchase order...! All we are suggesting is that you verify the email before you open an attachment. If you have the resources, set up 'secret' email addresses to deal only with your trusted clients who regularly send you attachments. Do not publish them, and do not give the addresses to any other parties - that's all it takes to keep them secret.
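For a mail reader that can quarantine, the rule above is easy to state as a filter: attachments are delivered only from the handful of trusted senders who are allowed to use the 'secret' address, and everything else with an attachment is parked unread. The program below is an added example, not code from this page or from any mail package; it parses a MIME message with Go's net/mail and mime/multipart and applies exactly that rule. The two messages, the addresses and the allow-list are constructed for the demo.

```go
package main

import (
	"fmt"
	"io"
	"mime"
	"mime/multipart"
	"net/mail"
	"strings"
)

// Verdict is the action the filter recommends for one message.
type Verdict struct {
	From        string
	Attachments []string
	Action      string // "deliver" or "quarantine"
}

// Triage applies the rule from the text: a message carrying attachments is
// delivered only when the sender address is one of the trusted clients
// allowed to send them; otherwise it is quarantined unread. Messages without
// attachments pass regardless.
func Triage(raw string, trusted map[string]bool) (Verdict, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return Verdict{}, err
	}
	from, err := mail.ParseAddress(msg.Header.Get("From"))
	if err != nil {
		return Verdict{}, err
	}
	v := Verdict{From: strings.ToLower(from.Address), Action: "deliver"}

	mediaType, params, err := mime.ParseMediaType(msg.Header.Get("Content-Type"))
	if err == nil && strings.HasPrefix(mediaType, "multipart/") {
		mr := multipart.NewReader(msg.Body, params["boundary"])
		for {
			part, err := mr.NextPart()
			if err == io.EOF {
				break
			}
			if err != nil {
				return Verdict{}, err
			}
			// FileName() is non-empty only for parts that carry a
			// Content-Disposition filename, i.e. real attachments.
			if name := part.FileName(); name != "" {
				v.Attachments = append(v.Attachments, name)
			}
		}
	}
	if len(v.Attachments) > 0 && !trusted[v.From] {
		v.Action = "quarantine"
	}
	return v, nil
}

// buildMessage assembles a constructed two-part MIME message for the demo:
// a short text body plus one attachment.
func buildMessage(from, filename string) string {
	lines := []string{
		"From: " + from,
		"To: orders@example.com",
		"Subject: Purchase order",
		"MIME-Version: 1.0",
		`Content-Type: multipart/mixed; boundary="xyz"`,
		"",
		"--xyz",
		"Content-Type: text/plain",
		"",
		"PO attached.",
		"--xyz",
		"Content-Type: application/octet-stream",
		`Content-Disposition: attachment; filename="` + filename + `"`,
		"",
		"binary-bytes-would-go-here",
		"--xyz--",
		"",
	}
	return strings.Join(lines, "\r\n")
}

func main() {
	// The allow-list for the 'secret' address: only these clients may send attachments.
	trusted := map[string]bool{"buyer@client.example": true}
	for _, raw := range []string{
		buildMessage("Trusted Client <buyer@client.example>", "po-4471.pdf"),
		buildMessage("unknown@elsewhere.example", "invoice.exe"),
	} {
		v, err := Triage(raw, trusted)
		if err != nil {
			fmt.Println("could not parse message:", err)
			continue
		}
		fmt.Printf("from %-28s attachments=%v -> %s\n", v.From, v.Attachments, v.Action)
	}
}
```

Note that the filter keys on the From address, which is trivially forged; that is why the text couples it with an unpublished address that only the trusted clients know. The quarantine is the safety net for the day that secret leaks.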
- Backup: Did we mention backup? We did? Just
checking!