Reporting spam on a Mac

[Rapakiwi]

Here are the very simple instructions on SpamCop for copying & pasting spam using Apple Mail on a Mac.

How do I get my email program to reveal the full, unmodified email? :

http://www.spamcop.net/fom-serve/cache/19.html

These instructions, however, assume your spam labeled 'Junk' by Apple, usually deposited (when you choose) in a folder created by Apple Mail, named Junk. No images are displayed from mail labeled Junk. This is the usual way of setting up a new Apple Mail account. One has all mail placed in the 'Inbox', but labeled Junk, unless the sender is in your address book or is a previous recipient. If you click the 'Not Junk' button, further mail from that person won't be labeled Junk.

Not everyone does this. In this case, step one above, 'Select a spam message', could prove hazardous to your computer's health. Apple lets you mark a letter in your Inbox as Junk before or even without opening it. Note that, if you have your Junk mail moved to a Junk folder that Apple creates for you, marking a letter in your Inbox as Junk (spam) will move it and open the letter above it for view. If this, too, is spam, you can be surprised.

Here are some long-winded suggestions on how safely to report spam in Apple Mail to SpamCop. (Start with the latest message.)

1. If the spam message is not already labeled 'Junk', DON'T select it.

Selecting the letter will normally open it. Opening (viewing) the letter may log you into a website that legally collects information about your browser and installs tracking cookies. If you have activated 'java scri_pt', 'Java', or 'Plug-ins' in your browser, code for these will be executed automatically, and may exploit a vulnerability to install malware or extract personal information directly.

2. Mark all spam as 'Junk'. If this moves it from your Inbox to your 'Junk' folder, start with the latest spam. Do this by first pressing the key labeled 'Control', then selecting the message. A small menu will pop-up. You may now remove your finger from the Control key. From the menu, select 'Mark', then 'As Junk Mail'. The unopened letter may immediately be moved to your 'Junk' folder. (See Preferences.)

3. View your letter in your junk folder. Here, only images the do not log you into a website will be visible. However, these images may log you in if you select them. (If you wish to check, choose View > Message > Plain Text Alternative. If the image hides a hyperlink, you will see it here.)

Note, however, that 'java scri_pt', 'Java', and browser 'Plug-ins' will still run. Keep these patched and activate only those you need. Browser plug-ins that did not come with your computer will not be patched by Apple's 'Software Update' alone.

4. To help you check that this is spam, you can let your pointer linger over links. Unless you are viewing the genuine hyperlink, a little yellow box will appear with the genuine one displayed. Further, View > Customize Toolbar ... will let you place an icon (above the date column) that will toggle the full display of the letter's envelope. (The lowermost non-forged line normally contains the ip address of the sender.)

5. View your spam in a new windows by clicking twice on the line listing your letters (once to select it, again to open it in a new window). Choose View > Message > Raw Source, then Edit > Select All, then Edit > Copy.

6. After registering, open

http://members.spamcop.net/

paste your spam in the window, and follow the instructions.

7. Forwarding letters using Apple Mail will strip the letter of all information usable to SpamCop or other reporting agency. There are other browsers & mailers, such as Firefox & Thunderbird.

Transform you Mac into a spam Reporting Machine

http://www.cybertopcops.com/tips_tricks-sp...orting-tips.php

Rapakiwi

[rconner]

These instructions, however, assume your spam labeled 'Junk' by Apple

They do? The instructions given at the SC link (for Mac OS X / Apple Mail) work just fine for me, even on messages not tagged as "junk." I personally do not use Mail's junk feature (i.e., I've never bothered to "feed" it, and don't use it to flag or segregate messages), but I have successfully reported hundreds upon hundreds of spam messages using the instructions given at the SC link.

This is the usual way of setting up a new Apple Mail account. One has all mail placed in the 'Inbox', but labeled Junk, unless the sender is in your address book or is a previous recipient. If you click the 'Not Junk' button, further mail from that person won't be labeled Junk.

Are you saying that all mail is junk unless the sender is previously whitelisted? This doesn't match my experience with OS X and Apple Mail (tho' I admit I am a major version behind).

Not everyone does this. In this case, step one above, 'Select a spam message', could prove hazardous to your computer's health.

Um, how? I mean, I'm as paranoid as the next man, and I know that displaying spams is not the best practice, but do you have info about specific threats in the OS X world that would prompt such Draconian advice?

Actually, if you would rather not see the preview pane (so that messages aren't automatically displayed when you just select them), you can double-click on the line separating the message list and the preview pane, and the preview pane will go away. I think this may address the issue of inadvertently tripping web bugs & the like.

Opening (viewing) the letter may log you into a website that legally collects information about your browser and installs tracking cookies.

I must say that I have NEVER seen Apple Mail automatically pop open a browser window when a spam message (or indeed any other kind of message) is opened. Have you?

In the interests of science, and to forestall the possibility of making an ass of myself, I tried to send myself two e-mails that would redirect to a new page: one using a META REFRESH tag, and the other using a java scri_pt to rewrite the location property of the document.

In the former case, I loaded a page (of my own creation) on the public web in Safari, then used the "send as mail" command to send them via AppleMail. It didn't work. While the META REFRESH did appear in the source of the message, Apple Mail did not follow it and did not load the new page.

In the latter case, I created the page and saved it as a local file, then loaded it into Safari and used the "send as mail" command. This didn't work either; my scri_pt tag was apparently stripped out completely, and the message was converted to plain text.

I don't know of any way to force Apple Mail to open a browser (or any other application) other than perhaps by putting in a link and then requiring the recipient to activate the link.

If you have activated 'java scri_pt', 'Java', or 'Plug-ins' in your browser, code for these will be executed automatically, and may exploit a vulnerability to install malware or extract personal information directly.

I'm on less solid ground here, but I can't remember ever seeing Apple Mail automatically run a scri_pt or applet, or a browser plugin, contained in (or referenced from) an e-mail message. Perhaps you have.

My apologies, I take back the statement above. I sent myself a web page containing a small and harmless java scri_pt, and it did execute. This does tend to open the door to XSS or other more sinister uses of scripting, so your advice here is well taken.

Forwarding letters using Apple Mail will strip the letter of all information usable to SpamCop or other reporting agency.

True enough. However, if you follow the SC instructions, you will not have this problem (i.e., you will be exposing the raw SMTP packet and pasting it into the SpamCop web form). If you need to forward to SpamCop from AppleMail (which might be the case if you have lots of individual spams to report) you can also find AppleScripts on this forum that will provide further help. I have used the one whose source is here, you can select multiple messages in Mail, run the scri_pt, and have each of the selected messages turned into a valid MIME attachment and appended to a fresh outgoing message to your SC reporting address. If you turn off your preview pane (as I describe above), then selecting the messages shouldn't trigger any bad stuff in them.

-- rick

[Wazoo]

Here are the very simple instructions on SpamCop for copying & pasting spam using Apple Mail on a Mac.

How do I get my email program to reveal the full, unmodified email? :

http://www.spamcop.net/fom-serve/cache/19.html

These instructions, however, assume your spam labeled 'Junk' by Apple, usually deposited (when you choose) in a folder created by Apple Mail, named Junk. No images are displayed from mail labeled Junk. This is the usual way of setting up a new Apple Mail account. One has all mail placed in the 'Inbox', but labeled Junk, unless the sender is in your address book or is a previous recipient. If you click the 'Not Junk' button, further mail from that person won't be labeled Junk.

You are talking about the Original/Official FAQ which has not really been updated in years and years. This is a very old and oft repeated story.

Have you checked the other Forum sections for Mac related stuff? The How to use ... section (which is where I'd really think this post/Topic belongs) for instance. As rconner notes, other folks have offered up some scripts to help handle/automate some things. I will note that the stuff I offered up was for running under OS-X 10.2.xx .... things seem to change, break, flip at every upgrade though.

[Rapakiwi]

Here are the very simple instructions on SpamCop for copying & pasting spam using Apple Mail on a Mac.

How do I get my email program to reveal the full, unmodified email? :

http://www.spamcop.net/fom-serve/cache/19.html

These instructions, however, assume your spam labeled 'Junk' by Apple... .

Rapakiwi

Mssrs Conner & Wazoo,

Clearly I'm miss-communicating again. Rats!

The only point I was drawing attention to was SpamCop's forgetting to tell their users (of all OSes) to first select and open only spam marked as 'junk' by their mailer. When mail is classified as junk, the mailer will not open images off a server (the web bugs Mr Conner mentions) nor execute certain plug-ins such as Java or (I assume) some java scri_pt that connects remotely.

Because of the dangers of not doing this, yes: essentially all mail should first be stored in one's Inboxes and marked as junk. After a while, the little junk mail that comes can be routed directly to one's junk folder. This will be principally spam, waiting to be reported. After reporting it, I drag it to a mail folder called 'spam'. (Many use their Junk Folder for letters of temporary value; but that's not what it was designed for. It was designed for spam.)

HTML MAILERS

An HTML letter is just a web page pushed into your Inbox rather than pulled from a web server by your browser. Apple Mail offers a safe subset of its browser's operators: it will not open Java applets, but it will run a subset of java scri_pt (which 'cascading style sheets' generally makes unnecessary). Most importantly, it will fetch images, including web bugs, from servers around the World.

SO WHAT?

Opening spam generally assures you will get more spam than before. Included in each pretty spam letter may be a 1x1-pixel, transparent GIF image (a web bug) which is obtained from a web server in the southern Sudan by the typical, anonymous login done when a browser executes a URL. Note this is not a cookie: web bugs sent from a million different (zombie) domains could all report to a single computer.

The spammer can append to each URL a unique number which he previously associated with your email address, or even append your email address itself. Opening such a letter tells him your email address is valid, you read spam, and it gives him when & where you read the spam (my email domain is in New Hampshire, but I read it in California). Opening spam give him your operating system, your browser and version, and whatever else is routinely logged by web servers: nice stuff for exploiting vulnerabilities.

WHAT CAN I DO? MARK spam AS JUNK BEFORE SELECTING IT.

For these reasons, Apple Mail (as well as SpamCop's webmail) offer the option of disabling all images drawn off a web site. Marking a letter 'Junk' in Apple Mail tells the mailer to impose these security precautions.

WHAT, ME WORRY? I GET MY CODECS FROM ARCHIVES.

It's true that Macs don't execute self-decompressing images (and the malware preceding it) just to view an image. However, future spam letters could contain hyperlinks to images that serve you a Trojan horse, one designed to exploit your particular release of Apple Mail or QuickTime (which handles plug-ins) or MacOSX itself. In this way, it can install itself by bypassing the '... wants to install ...' permission window.

Let's look at some present & past vulnerabilities:

http://secunia.com/product/96/?task=advisories

http://secunia.com/product/17989/?task=advisories

http://secunia.com/product/5090/?task=advisories

Or, you may install it when you click "OK" on an informative windows telling you your internet connection was dropped; or click a photo to enlarge it:

https://forums.symantec.com/syment/blog/art...sage.uid=305966

One good 'drive-by-download' for the Mac would be the free, VNC-protocol server 'Apple Remote Desktop' (called a client by Apple). Windows already comes with one:

http://www.infiltrated.net/?p=91

Because the code executed by Apple Mail is restricted, it is advantageous to persuade you to open a hyper-link with your browser instead. Naturally, we don't permit 'pop-up' windows in Safari, and I use my speakers for informative messages. (A letter deposited into 'Junk' plays the Dalik's chant 'Exterminate! Exterminate!' from an old Dr Who; and, if the letter fails ClamXav Sentry's scan, an old Bomb Shelter siren wails.) Some may claim this excessive, and I deserve an 'avatar' of a Zombie with his arms outstretched and waving; but I don't think Apple users should be too complacent in their habits, for these are hard to break.

AFTER YOU'VE CUT, WHERE CAN YOU PASTE?

So, opening only spam marked as 'Junk' by any mailer would seem good 'safe computing practice': a concept that I have never had any luck in explaining.

It should be mentioned that, after you have pasted your spam to SpamCop,

http://members.spamcop.net/

you can do the same at

http://www.castlecops.com/sirt

Note that one can't forward Apple Mail to KunjOn (or anyone): it won't contain any useful tracking information. However, you can make one of SpamCop's report recipients

nonregistered[at]coldrain.net

PHISHING BASKETS

Or, in the case of phish, you can paste it a second time to

http://www.castlecops.com/pirt

One can also send an empty message with an (RFC 822) mail attachment. I've created on my desktop an empty text file (using TextEdit), and marked it as a 'Stationery Pad' (Ctrl-Click > Get Info). Selecting & opening this creates a file called 'spam copy.txt' or 'phish copy.txt'. In one of these I paste the source letter a third time, then save to the desktop.

Now I send a blank letter to a 'Group' of addresses I call 'Phish Reporting Services'. It contains cards for

reportphishing[at]antiphishing.org

spoof[at]millersmiles.co.uk

(address given me upon free registration)[at]dslreports.com

nonregistered[at]coldrain.net

I'm having some trouble getting past PIRT's own spam filter and possibly with the space in the file name, or using unicode, so I currently try everything I can with Phish, since moments count (to me). Soon I'll ask for help elsewhere.

To Wazoo, either what I'm writing or SpamCop's instruction is 'old stuff', and I should look further for help. However, my point was simply that the documentation for Mac users that I found, for lack of a phrase involving the word 'junk', would seem (IMO) to increase their spam unnecessarily, by way of web bugs. The post was just a subtle suggestion that the link (given) be attended to someday. Mr Conner offered a nice example of why:

'I have successfully reported hundreds upon hundreds of spam messages using the instructions given at the SC link.'

However, I'm suggesting nothing to SpamCop. I do learn. :-)

Rapakiwi

[Miss Betsy]

One thing that has bothered me in a number of Rapawiki's posts is that he seems to open and read the spam. I don't use a Mac so that is maybe one thing you have to do, but I am with Mike Easter in that there is never any reason to read a spam email. It goes back to the concept that the problem is not with the content, but with the recipient's consent. Any unsolicited email is spam - unless, of course, you decide you want it. I do, occasionally, check via Message Source on OE (does Mac have such a thing?) emails that might be unsolicited from someone I want to hear from. Usually, they are spam. I don't use a preview screen.

So, just in case others get the same impression of opening and reading spam from his posts, IMHO, there is rarely a reason for opening or reading a spam. It definitely should not be a routine part of reporting.

Miss Betsy

[Rapakiwi]

One thing that has bothered me in a number of Rapawiki's posts is that he seems to open and read the spam.

It's a letter to me. In fact, I'm often on the subject line. :-)

Rapakiwi

[rconner]

One thing that has bothered me in a number of Rapawiki's posts is that he seems to open and read the spam. I don't use a Mac so that is maybe one thing you have to do, but I am with Mike Easter in that there is never any reason to read a spam email. It goes back to the concept that the problem is not with the content, but with the recipient's consent.

Me, I am just a nosy bastard. How else am I going to find out what these guys get up to if I don't open the messages?

-- rick

[Miss Betsy]

Why would you want to know? I admit that, occasionally, there are some funny ones. And, sometimes, there are problems such as no body where you need to find out what is going on. But, in general, one pitch for viagra or drugs or watches or millions of dollars in a bank is much like another.

Now, of course, I don't care about their websites - I don't have enough expertise to visit them and feel safe and I don't have enough time to do any effective reporting. AFAIAC, they can create a website every second and re-direct and do whatever they want as long as the source of unsolicited email about them is blocked so I don't see it in my inbox. I am not interested either, as Rapakiwi is, in being a nanny to gullible internet users. I would like to educate them to protect themselves.

I know what you mean about curiosity, however. I sometimes will even watch an infomercial or read an ad that is obviously aimed at the gullible - out of curiosity.

Miss Betsy

[DavidT]

So, just in case others get the same impression of opening and reading spam from his posts, IMHO, there is rarely a reason for opening or reading a spam. It definitely should not be a routine part of reporting.

This is a matter of opinion and personal preference. I open lots of the spam items that slip past my filtering. I have a mail client that doesn't automatically load remote images or send return receipts, so there's no danger whatsoever. I'm sometimes able to glean useful bits of information from the content, which is the case with series of messages I've been receiving from a "spam King" wannabe from North Carolina...more about him in my "outrageous" topic in the Lounge.

DT

[Rapakiwi]

Why would you want to know?

<SNIP>

I am not interested either, as Rapakiwi is, in being a nanny to gullible internet users.

Please, my granddaughter will be jealous.

Ironically, I didn't read Viagra spam before using SpamCop. However, I'm still working on my report to Miss Lil. spam may stop for a couple of days, then flicker on for a while. To get a grip on any statistical guess, one must (IMO) actually view the raw data for a while. It does take time to open, read, copy, & paste each. Once I find a good solution for each class of spam, I'll automate my reporting. Howver, because we differ on the dangers of spam stores, I wish to report each ASAP. (Otherwise, I'd just zip away my 'spam' mailbox to KunjOn each Sunday.)

Whether a junk letter is spam or a letter from an old colleague, I can't tell without opening the letter. (All mail from the internet passes though both a NIDS and malware filter before I open them, manually. Mail I open only in Apple's 'Junk' sandbox.) Why do 'enquiring minds' want to know a letter's content?

1. Many have vague subject lines, to urge us to open them. I oblige. (A rare one turns out to be from someone whom I corresponded with ages ago.)

2. The obvious spam, the Viagra mail, I have to open to see two things:

2.1 What is it's vector (no abstract pun intended)? Is it pure image (which goes to CastleCop's paste page and asks me for the URL, or to KnujOn, which tries to find it in the image); is there an image hiding a URL (which SpamCop can handle); is there an obfuscated URL (which KnujOn allows me to edit); or is there an clear URL (which SpamCop can parse and handle)?

Yes, you've made it very clear that SpamCop has no interest in URLs (and that you're an educator).

Courtesy of SIRT:

http://www.nationalreviewofmedicine.com/is...olitics_13.html

2.2 Exactly what does the letter state. I'm sure I misread somewhere that personal comments and clearing my name (:-) makes SpamCop's reports more effective. It's important that my personal comments don't presume something not in the message. This might reduce the spam in your mailbox.

2.3 Sadly, Apple Mail wasn't designed to forward spam: Apple Mail users may have to open, copy, & paste each letter (as SpamCop instructs). (However, I zipped all my [DOT] messages off to KnujOn, and these immediately stopped arriving for a week. Thanks for the reference!) Newer releases of Apple Mail do, however, have a 'redirect' command. Because this was not meant to handle spam, I don't yet know whether spam annihilators can handle the envelope it creates. (A redirected phish didn't make it past PIRT's own spam filter.)

It is reasonable, however, to assume that the 'Junk folders' offered by essentially all mailing agents were designed to be 'sandboxes', in which to safely open mystery messages, then delete those not wanted. (This assumes the message itself is marked 'Junk'.) However, as your query is implying (I sort of think), it is unwise to open unknown letters until they are labeled 'Junk'. Do we actually agree on something?

Firefox has security advantages (the Finjan extension, for example), and Thunderbird could eliminate my reading endless Viagra ads; but I'd rather have only one of each kind of internet application (for I use the internet for all kind of communication): it's safer and easier to use just a few, well-patched applications. However, if I had more than a half-dozen spam letters a day, I should stop opening the obvious ones and just zip off all spam SpamCop and KnujOn.

I trust I can continue to rely upon you for good references in the future?

Nanny Rapakiwi

[rconner]

Why would you want to know? I admit that, occasionally, there are some funny ones. And, sometimes, there are problems such as no body where you need to find out what is going on. But, in general, one pitch for viagra or drugs or watches or millions of dollars in a bank is much like another.

Not true! These guys are constantly re-engineering the message bodies to find ways to sneak past Bayesian filters and the like. They use weird encodings and encryptions, and perverted spelling, syntax, and punctuation. They sometimes use deliberately-broken image files that will load up OK in browsers but not in OCR programs (such as those that advanced spam content filters use to "read" text from the image). They exploit obscurities in HTML and CSS, and constantly come up with new methods for the ever-popular bum's rush of redirection. The spam bodies can often give you clues about the spam operation itself.

I will even "curl" the occasional spam website to find out what it's HTTP headers say, or to see what it might be doing with scripts or forms. At one time, I was tracking botnet-hosted websites by periodically "curling" them and matching headers.

I'll admit that this may be of less practical use in stopping spam than dealing with mail headers is, but it satisfies my curiosity.

I've published a lot of the information I've found about spam mail bodies, such as here and here.

In general, I'm pretty careful to avoid obvious web-bugs and the like, and make liberal use of curl and my own homebrew scripts for this work, rather than standard web browsers.

I don't recommend this sort of thing to viewers at home (unless they get educated first).

2.3 Sadly, Apple Mail wasn't designed to forward spam: Apple Mail users may have to open, copy, & paste each letter (as SpamCop instructs).

Or, as previously noted, they can (like I do) use one of the AppleScripts available here in this forum to automate the encoding, attachment, and forwarding of the spam messages to SpamCop. This is very useful when I get delay-bounce attacks from Russia every couple of months. I can bundle as many as 50kB or so of delayed bounces into one e-mail submission to my SC reporting address.

-- rick

[Rapakiwi]

Or, as previously noted, they can (like I do) use one of the AppleScripts available here in this forum to automate the encoding, attachment, and forwarding of the spam messages to SpamCop. This is very useful when I get delay-bounce attacks from Russia every couple of months. I can bundle as many as 50kB or so of delayed bounces into one e-mail submission to my SC reporting address.

Actually, Apple Mail on MacOSX 10.5 reportedly includes a 'Forward as Attachment' command. It's not well advertised. Perhaps you have that version? Any favorite scripts for the 'rest of us' you'd like to reference?

Some places that should know better, such as USC (which hosts ICANN), gives wrong instructions to forward spam using Apple Mail. There is no reason 'the rest of us' shouldn't have the ability to 'forward as attachment' from our contextual menu (with a free, little plug-in). Strange I haven't one anywhere.

Rapakiwi

[rconner]

Actually, Apple Mail on MacOSX 10.5 reportedly includes a 'Forward as Attachment' command. It's not well advertised. Perhaps you have that version? Any favorite scripts for the 'rest of us' you'd like to reference?

No, I don't use 10.5 as yet, haven't found a good reason to drop $100 (or whatever the going rate is right now).

Actually, I already linked the scri_pt I use (from forum user svv07) earlier in this thread, but I believe there are several others available; go to the top of this page and type "applescript" into the search box, and you should be able to find them. The attractive feature of svv07's scri_pt was that the scri_pt source was printed directly in the forum post, and did not require download of a possibly untrusted binary file. I found it necessary to make a small mod to the scri_pt because I have Mail set up with multiple outgoing addresses (the mod allows me to pick the one from which to mail the submission -- you might as easily simply hard-code the submit address into the scri_pt).

If you enable the AppleScript menu in your top menu bar, and get your scri_pt put in the right directory, it becomes very nearly as easy to use as a contextual menu. As for developing an actual contextual menu command, perhaps someone might like to step up to volunteer for this (assuming it hasn't already been done -- check the search results).

-- rick

[Miss Betsy]

<snip>Why do 'enquiring minds' want to know a letter's content?

1. Many have vague subject lines, to urge us to open them. I oblige. (A rare one turns out to be from someone whom I corresponded with ages ago.)

Yes, that is a reason to open them. If you can't open them in plain text and with images blocked, however, I don't think it is worth it. It seems to me that there is a way to do that if you don't use OE, but I don't remember it since I don't need it.

2. The obvious spam, the Viagra mail, I have to open to see two things:

My warning was for those who are not techies. If you know what you are doing, as you and rconner and DavidT do, then if you want to satisfy your curiosity, do research, or extend your reporting, it is harmless.<snip>

Yes, you've made it very clear that SpamCop has no interest in URLs (and that you're an educator).

Thank you! I am not always the clearest person, but I try.

However, as your query is implying (I sort of think), it is unwise to open unknown letters until they are labeled 'Junk'. Do we actually agree on something?

Sort of. I don't think junk folders are any safer than other folders. IMHO, service providers are not nanny-oriented. IMHO, They do filtering for their own reasons and because they can't believe that non-techs could do it properly.

However, if I had more than a half-dozen spam letters a day, I should stop opening the obvious ones and just zip off all spam SpamCop and KnujOn.

That explains a lot. Until hotmail started filtering, I got dozens every day. Even with spam filtering turned off, I get maybe one every couple of days - there are almost none to my Junk mail folder. That makes me suspect that they use whatever list it is that lists zombies. The same is true with another account where all spam is routed to a junk mail folder now. The number of total spam has dropped dramatically. It is forwarded to a hotmail account where almost none of the spam arrives - just the ones that get directed to the inbox. I have had to whitelist some email addresses that are regular correspondents because every once in a while for no discernible reason they are shunted to junk.

I don't really have a problem with chasing down spam sites except I disagree with the ideas that one can protect the gullible or with retaliation. However, like picking up litter, if one has time and the means, it is a good idea to go after those who are blatantly up to no good. In another topic, there is a discussion about proxy/anonymizing for businesses. IMHO, businesses should have public addresses and contacts and there should be no deception on their websites - and as Steve T pointed out with his reference to free speech, that is not censorship. Unfortunately, most people do not have the time and do not know how to do it properly.

I trust I can continue to rely upon you for good references in the future?

If someone wants a nanny, sure!

Miss Betsy

[Rapakiwi]

I don't think junk folders are any safer than other folders. IMHO, service providers are not nanny-oriented. IMHO, They do filtering for their own reasons and because they can't believe that non-techs could do it properly.

My explanation wasn't clear, I'm sorry. Junk folders hold mail that has been labeled 'questionable'. When you open a letter that has been placed in one (by being labeled Junk), no messages (such as web bugs) are returned to the spammer, and executable files don't execute. Junk folders were designed to protect the user when opening a questionable letter.

My letters end in Junk for three reasons: (1) the sender was not in my address book, (2) the sender was not a recipient of a letter from me, and (3) the sender was in my address book or was a previous recipient, but a spam filter in New Hampshire or one in California marked it suspicious. If I see a suspicious letter in my Inbox, I can move it to the Junk folder without opening it. Opening mail that is in a Junk filter should be safe, for safeguards are imposed by the operating system. This was Apple's design and Apple's recommend use. Yes, relying upon even 'nanny-oriented' ISPs alone to place mail in a Junk folder is hazardous, and it is not recommended.

Each letter passes through my own little NIDS (snort) before going to the Junk filter, and a comprehensive malware checker (clamXav sentry) examines it before it can be opened by any other application. (Both these are professional, and free.) If one letter fails, a little alarm wails and a sticky, yellow warning pops up (thanks to the free 'growl'). It's interesting that a phish made it through, which I reported immediately; but when I opened it (in the Junk folder) two days later, the alarm wailed. (One shouldn't rely solely upon malware checkers either.)

I disagree with the ideas that one can protect the gullible or with retaliation.

'The gullible' include people in the U.S. who can't afford medicine to keep them alive. (This includes me.) They wish to buy medicines from Canada, but don't know how. Then a slick, professional spam letter pops in their box, claiming to be sent in response to their allowing Microsoft to send them information. (One of these I received today: it even sold on a Microsoft store.)

Because you're responding to my letter, people might thing I advocate 'retaliation'. I'm incapable of retaliation or vengeance, and would never propose it. I do propose letting higher administrators know what is selling on their networks, so they can check whether they want the store there or not. (I suspect fake TRUSTe or Better Business Bureau links are illegal.) As I claimed before, (IMOO) once the cost of moving illicit sites exceed the profits gained (if that ever occurs), illicit spam will stop. Others won't take their place. Legal spam doesn't bother me yet, because I've never received one.

It's the illicit spam entering my Junk mailbox that concerns me. I don't think informing officials about it is a bad thing.

Nanny Rapakiwi

[Rapakiwi]

Then a slick, professional spam letter pops in their box, claiming to be sent in response to their allowing Microsoft to send them information. (One of these I received today: it even sold on a Microsoft store.)

Another one of these just arrived, moments after I posted the above message.

Rapakiwi

[Rapakiwi]

Why would you want to know?

Found another reason today. One, possibly two, strange phish appeared today. One was obvious, asking me to confirm my order at NewEgg.com; except that I didn't place one, and examining the header showed it sent from Polish Telecom. This one I reported immediately to phish agencies. (I always scan my Junk folder for phish first.)

A second one I'm so unsure about that I had to mail the full header and link URL to the actual store. I'll let them determine whether it's a phish or not.

In any case, phish of popular internet stores have been plopping in my Junk folder. The first was labeled spam by 'spamassassin', but the second passed all four filters, and has pointed out a problem with Apple's Junk filter.

Apple's recipient list is based upon the 'From' line, which the second letter failed only because the sending computer's name differed by a single number from the name of the computer that had previously sent newsletters, newsletters verified legitimate. This line is too easily forged. Either a unique computer name is assigned for each person's account (which would be impossible to guess by a phisher), or Apple should base its filtering on information less easy to forge. I should imagine the former is the case, because it is simple & reasonable. Anyone know?

In any case, I shall wait to hear from the store before deciding upon a course of action. So, I guess this is a good reason for opening some Junk letters; and for being cautious of newsletters not labeled 'Junk'. In any case, these would cause small damage if we cultivate the habit of using our browsers to go to a bookmarked store before ordering, never, ever, click on an HTML link. This is actually a difficult habit to cultivate: it takes discipline.

Rapakiwi

PS. I don't keep my name or email address secret; and I've noticed after my name became associated with a Chase phish, published on a popular phish reporting site, I've been getting spam to my report address in that name exactly. This new spam allows a possible identification of who sent the original phish. Mildly interesting to those who use unique 'handles' on each web site.

[Miss Betsy]

My explanation wasn't clear, I'm sorry. Junk folders hold mail that has been labeled 'questionable'. When you open a letter that has been placed in one (by being labeled Junk), no messages (such as web bugs) are returned to the spammer, and executable files don't execute. Junk folders were designed to protect the user when opening a questionable letter.<snip>

Each letter passes through my own little NIDS (snort) before going to the Junk filter, and a comprehensive malware checker (clamXav sentry) examines it before it can be opened by any other application. (Both these are professional, and free.) If one letter fails, a little alarm wails and a sticky, yellow warning pops up (thanks to the free 'growl'). It's interesting that a phish made it through, which I reported immediately; but when I opened it (in the Junk folder) two days later, the alarm wailed. (One shouldn't rely solely upon malware checkers either.)

Apparently, this special design of the Junk folder is an Apple innovation. It may apply to some non-Apple email services - hotmail does prevent attached files from opening even in the inbox if it doesn't like the sender for some reason. However, it is still better for those who are not interested in pursuing spammers to their lairs to NOT open any spam email.

'The gullible' include people in the U.S. who can't afford medicine to keep them alive. (This includes me.) They wish to buy medicines from Canada, but don't know how. Then a slick, professional spam letter pops in their box, claiming to be sent in response to their allowing Microsoft to send them information. (One of these I received today: it even sold on a Microsoft store.)

gullible does not always equal ignorant, but they are certainly interrelated. However, even the ignorant do not have to be gullible.

Because you're responding to my letter, people might thing I advocate 'retaliation'. I'm incapable of retaliation or vengeance, and would never propose it. I do propose letting higher administrators know what is selling on their networks, so they can check whether they want the store there or not. (I suspect fake TRUSTe or Better Business Bureau links are illegal.) As I claimed before, (IMOO) once the cost of moving illicit sites exceed the profits gained (if that ever occurs), illicit spam will stop. Others won't take their place. Legal spam doesn't bother me yet, because I've never received one.

I wasn't referring to your anti-spam tactics as retailiation. It is often, however, another compelling reason to pursue spammers besides being protective of the 'innocent'. Although I used to report criminal spam because I thought those concerned would be interested, I have come to the conclusion that if they were interested, they can, and probably do, have spam traps and other methods to do so and prefer them to any unsolicited report.

If you understood why unsolicited email is not good, then you would be just as concerned about unsolicited email about legal products and services. You don't see any because all but the very ignorant know that to avoid being blocked by those who don't want to receive unsolicited email and losing their accounts by service providers who don't want to be blocked, best practices need to be followed for any mailing list. When spamcop first started, there were lots and lots of unsolicited email that advertised all sorts of legal goods and services from legitimate businesses. In fact, the problem of unsolicited email advertising via unsolicited email would be much greater than criminal spam because there are lots more legitimate businesses than criminals.

And, since there will always be the gullible and the greedy, there will be criminals who prey. The Post Office has not stopped the lottery and 419 type spam or even chain letters. You will not stop those who will find ways to entice the gullible and the greedy and you won't stop the gullible and greedy from responding.

However, start making the gullible and greedy pay for accepting all email that could harm them and blocking at the server level all email from reported IPs so any legitimate senders using those services would know that email was being blocked and there would soon be enough clean email servers that one could send and receive email without having it disappear in content filters. If enough consumers understood what reliable email service is and how it can be obtained, there would be a demand for reliable email services that just never accepted email from unreliable servers and prevented it from being sent from their networks.

If it is an either/or proposition, shutting off the source of spam is much more effective, easier and quicker. However, since nothing is perfect, it probably is a good idea to attempt to shut down illicit websites. However, to be really effective, one must be much more sophisticated and knowledgeable about the internet and how to lodge complaints. Informing officials by email about a spamvertized website is, IMHO, probably useless. Knowing how to trace ownership and informing higher-ups by phone or snail mail is probably much more effective - and also, by knowing how to use public media to advertise the facts.

Miss Betsy

[Rapakiwi]

Apparently, this special design of the Junk folder is an Apple innovation. It may apply to some non-Apple email services - hotmail does prevent attached files from opening even in the inbox if it doesn't like the sender for some reason. However, it is still better for those who are not interested in pursuing spammers to their lairs to NOT open any spam email.

Perhaps it's good I gave up teaching. Still, mail is not something I know much about, so please correct me (again). I didn't think anyone would question the use of Junk folders for opening questionable mail. The single they all have in common is not informing spammers that you opened their mail.

It's my impression that essentially all mailing agents have Junk folders: places to store mail that has not been yet 'whitelisted' by the user. When you open a letter (not an attached file!), to read it, in such a Junk folder, each will refuse to open 'remote images' that tell the sender you read your spam (and can do worse), and each will execute only some of the inline code written in java scri_pt, or any in Java that must be downloaded: that which it considers 'safe' code: in particular, code that will not send information back to the spammer. (Note that Microsoft's notorious Active-X controls will not be executed from any mailbox on a Mac, at least on a Mac that does not run Windows as an application.)

Hotmail

'Junk' comes built in with the IMAP protocol, you can add it to your computer's mailing application for POP protocol, and Hotmail (using neither, for they are standards and it is Microsoft) has its own Junk filter (if you pay enough money, probably). Hotmail, however, doesn't support email security: that is, you can't send 'signed letters', as I can, and you can't encrypt your letters. IMAP supports both (with a little effort). The purpose of a Junk folder is to safely open letters you suspect may be spam. It has nothing to do with Apple or 'Apple email service', by which you must mean the expensive .Mac services, which few buy (though they're great for beginners to use and learn all sorts of popular things).

IMAP

IMAP protocol creates a duplicate set of mailboxes on your mail server. In particular, it keeps a copy of your list of who's been naughty and who's been nice, so it filters spam on the server: you need never download spam, just trash it (or send it to SpamCop). Nice for brief DoS attacks, perhaps. Apple Mail 'syncs' my mailboxes, including my whitelist, continuously. Other mailers, such as Thunderbird, give you the option of shutting off synchronization. My Junk folder is emptied daily by me, and my Trash is emptied automatically every week (lest I want to check the detail of a spam letter I reported). Here, my ISP's webmail uses the same mailboxes as Apple Mail: this is an IMAP service, not an Apple service.

POP

POP protocol mail requires you to move (now copy) all your mail to your computer before you can use an adjunct program to separate the good from the bad, examine the bad in a Junk filter that tries to keep you safe in the same was as above. Because I have but one $300 computer, I prefer POP3. Apple Mail is an autonomous mailing agent (it is not connected to .Mac in the way that Microsoft applications are to MSN), that appears to filter both IMAP & POP the same. (The filtering is done on the server with IMAP.) Many Linux & Microsoft mailing programs are probably the same.

There is a problem if you want to use webmail in POP3 protocol: either you rely upon your ISP to filter your mail (as you suggest is standard in Hotmail), or you have a shell account on the server that runs the same POP filter you run at home (Linux users only, I suspect), or everything is placed in your Junk box for copying to your home computer. The latter doesn't seem unreasonable, so long as uncopied mail is labeled for you to read.

Attachments

Attached files really aren't part of a spam discussion, except that certain attachments, considered 'safe', are opened in your inbox, but not in your Junk box; and some, considered very safe, are opened in both. I sent some audio-video files by mail, some inline and some as attached files. (MIME doesn't distinguish, really.) Java applets, either inline or attached, were not permitted into the Junk folder: though generally safe to run, these needed to be downloaded.

Attachments in the Inbox and in Junk

Movies and and sound clips are not part of an HTML letter: they are executed by plug-ins. These were treated differently. Some, requiring an external application to execute, were displayed as icons. A contextual menu allowed them to be displayed as a little VCR-like applet 'in place', but this was greyed in the Junk folder. Those, such as 'aiff' sound files, that the OS executed natively, were displayed as little VCRs in the Inbox mail, but changed to icons in the Junk filter, where displaying them 'in place' was greyed again. However, GIF, JPEG, & PNG images displayed as usual in the Junk filter (though HTML mail could be turned off, if one chose), and - very interestingly - a single-page (only) PDF document displayed in both folders. Note, however, that the interpreter of the PDF was the OS, not Adobe Reader (which has a history of network vulnerabilities).

Note, however, that one can double-click (select & open) any executable attached file, even an Unix executable, and IT WILL EXECUTE IMMEDIATELY, even from the Junk folder! (This assumes I ignored the siren.) Read the letter to be sure it's from a reliable friend before even considering opening one. Note the 'From' line is easily forged. Signed letters are guaranteed sent from your friend's computer, but not especially by him.

I don't know why more internal checking isn't done by mail servers. However, in my day, the Postmaster could ethically read, well, little more than only the TO line, the RETURN PATH line, and the SUBJECT: the minimal information he needed, to deal with errors. Your own application, however, can read anything! Your uploaded IMAP 'whitelist' is only a list.

Hope this clarifies the purpose of a Junk folder and the hazards involved. (I'm sure every new release of java scri_pt is examined carefully by internet crackers.) The only thing unique about a Mac, whose Junk filter appears to the user to work the same for IMAP and POP3, is its continuously synchronizing your 'whitelist'.

A Junk Folder is a standard folder, designed for opening mail not whitelisted, and designed specifically to protect you from spammers and crackers.

Rapakiwi

PS. official advice from Apple on opening email attachments:

http://support.apple.com/kb/HT2128

[Rapakiwi]

However, it is still better for those who are not interested in pursuing spammers to their lairs to NOT open any spam email.

Miss Betsy,

At some point, I'm going to stop copying & pasting, and ship off spam with a scri_pt. Is unopened spam presented in a SpamCop report in the same, transparent manner as that in its reports of spam that I opened, copied & pasted? This I ask because the spam isn't addressed to SpamCop, but to me. So, I open it. But, can SpamCop? Because SpamCop's reports are from a reliable organization, addressed to an administrator, he or she has the ethical obligation to read it. Its content, however, should be my responsibility. By passing the spam to SpamCop unopened, do I implicitly give them permission to display its content to an administrator? I want to. Just want to check, first.

(I'll still have to open them all and examine their headers, though. My enthusiasm to report them is greater if the spam is illicit.) Others needn't do this, of course.

The danger I alluded to before, images & pdf files containing code (other that links), is still around, which surprises me; so your encouragement to minimize opening spam is well taken. Firefox 3.0 for MacOSX has just released a patch to prevent GIF images (like the ones I recently received) from causing code embedded in the end of the 'image' from executing arbitrary code (usually remotely, which would likely not work in a Junk folder). This sort of thing is nevertheless an embarrassment that was supposed to have gone away with newer, security-oriented code.

It's also interesting that I examined two weeks of spam and listed the cities it was sent from, had stores in, and cities that tried to break into my little computer. They matched. What is interesting is that my mail server (where the spam was received) is 3000 miles away from my local ISP (where the break-ins were tried).

Cities attempting to break into a non-existent web server at my house include: Buenos Aires, Sao Paulo, Seoul, Athens (stone's throw from Istanbul), and Prague. Oh, and a college near Beijing is always practicing on me - that hardly counts. Think having my name on my SpamCop reports has something to do with this, or is illicit spam, identity theft, and zombie computers connected? Curious minds.

Rapakiwi

[StevenUnderwood]

A Junk Folder is a standard folder, designed for opening mail not whitelisted, and designed specifically to protect you from spammers and crackers.

It would be the email client specifically which would interpret the contents of the email. IMAP/POP/etc. have nothing to do with it... they are simply ways to access the message.

I have no idea on the Mac platform but...this is NOT universal.

Microsoft Outlook I have in front of me (2003) has a junk email feature which will "turn off links in messages". There is not further documentation I have been able to locate, nor have I seen any difference in any message between messages in my inbox or when they are in the Junk E-mail folder. This link disable feature can be turned off, however. Personally, I don't use it and most people I have seen have the Junk mail feature turned off because they lost too many emails to it.

[rconner]

It would be the email client specifically which would interpret the contents of the email. IMAP/POP/etc. have nothing to do with it... they are simply ways to access the message

Agree, the "Junk" folder is a feature of Apple Mail, it may not be possible to generalize it to other Mac mail clients or other OSes. In fact, I'm not even sure that there is anything "blessed" about the Apple Mail "Junk" folder other than that this is where Mail's internal spam filter will offer to put messages that it flags. Unfortunately I am at work, don't have my PowerBook with me to check.

-- rick

[Rapakiwi]

It would be the email client specifically which would interpret the contents of the email. IMAP/POP/etc. have nothing to do with it... they are simply ways to access the message.

I have no idea on the Mac platform but...this is NOT universal.

Microsoft Outlook I have in front of me (2003) has a junk email feature which will "turn off links in messages". There is not further documentation I have been able to locate, nor have I seen any difference in any message between messages in my inbox or when they are in the Junk E-mail folder. This link disable feature can be turned off, however. Personally, I don't use it and most people I have seen have the Junk mail feature turned off because they lost too many emails to it.

Now I understand Miss Betsy! You are (essentially) completely right, and (having read my message above again) I suggest my previous letter be deleted, because it gives the impression that one can safely open mail in a JUNK folder provided with your mail client (Microsoft Outlook) or your ISP (webmail from Hotmail). That is apparently not the case. In general, mail in a pre-defined Junk folder may only be the mail labeled 'suspect' and may allow you to open it with no precautions at all.

A 'Junk Folder' is neither defined nor suggested by the IMAP or POP standards, but a pre-defined one is provided by each of my several mail servers, half of which are IMAP and half POP3. Each, however, uses a (different) spam filter. The 'Junk Folder' appears an 'ad hoc' standard that came along with the use of these. The server's Junk Folder, seen in webmail (which is what I thought Miss Betsy was writing of), means different things on different servers. The safety features I described come with the Apple Mail client, do not require using Apple's own mail server.

Junk folders on servers using the IMAP protocol, have the capability (as you know) of offering real security. I'm too tired to check all mine, but 'flags' on IMAP can both move suspect mail to a 'Junk Folder' on the server, and not display images (or 'fetch' anything but the envelope), until requested by the user. Whether your particular ISP's implementation will do this is another matter. This would make spam safer to open.

Junk folders on servers using the POP protocol can do little more than filter suspect mail into their own 'Junk folders' (and strip attachments containing known malware). One's own mail client must download all of the letters, the Junk ones simply come 'tagged' as suspect, and each mail client treats these differently. POP mail itself has no features that would allow you to safely open spam.

Because the 'Junk Folder' was meant for suspect mail, and Apple Mail goes to great lengths to try and make it safe to open, I ASSUMED this was how every 'Junk Folder' was implemented. Having improved the security in Vista, I ASSUMED Hotmail would, for example, separate the text and HTML halves of the letter, and store them in different folders. (If not, why not use POP3 or IMAP?) Junk mail on a POP3 server should never be opened by a browser, for the full letter has access to the browser's full array of services.

I assumed wrongly. It's clear that, in the worst case, the 'Junk' label may be only a message to be cautious. In this case, unless one can read only the text letter (usually appended to HTML mail) or the source code, one should consider not opening it all all, even offline. How not reading your spam affects a SpamCop report, I don't know.

Not being a Mac programmer, I actually don't know whether the Mac's safety precautions are implemented in special libraries or implemented by the mail client. Thunderbird, I read, implements them, but additionally permits one to control 'white list' synchronization. It's safer to make it continuous, as Apple Mail does.

However, my IMAP servers I have adjusted to act just like POP3, from which the whole letter is copied (then deleted from the POP server after two weeks): white listed goes to Inbox, the rest goes to Junk. (I would do otherwise if I used a modem or read webmail.) The Apple Mail client imposes the safety restriction upon the Junk Folder, as you state. Mail of temporary value is moved to trash after reading, and every month, I rotate and archive my Inbox out of the mail program, leaving only the last two months' mail. Special letters, such as instructions for unsubscribing to mailing lists, I keep in a permanent folder.

All my ISPs let me keep all my folders for as long as I have the space. :-) Yes, I had heard that Microsoft doesn't (which seems to discourage using the service at all). Here's an add-on for Microsoft Outlook that MS approves of, which might alleviate some pain. You turn off your Hotmail filter and use this one instead, which even supports 'white lists':

http://www.spam-reader.com/outlook-spam-blocker.shtml

However, I doubt the above makes spam any safer to open on a PC.

Now I understand what Miss Betsy was writing about. Yes, I agree with her. (I've never bought a Microsoft product.) DON'T OPEN spam (unless you own a Mac, your ISP strips all images from Junk, or your mail client implements stringent safety precautions).

Before acquiring a Mac, I simply passed all attachments through two viral checkers, then opened all letters while disconnected from a network. Still, this was hardly a problem, since I browsed with Lynx on an AT&T 3B1. Since buying my used Mac, I open mail as described earlier. If I send an attachment, I first run it through an application, updated moment before, that checks for about 250,000 malware for every popular OS, then 'sign' the letter.

Thank you for correcting me.

Rapakiwi

[Rapakiwi]

Why would you want to know? I admit that, occasionally, there are some funny ones. And, sometimes, there are problems such as no body where you need to find out what is going on. But, in general, one pitch for viagra or drugs or watches or millions of dollars in a bank is much like

This question takes on a new importance, now that I have learned that many SpamCop reporters have mailing agents that don't permit them to safely view spam. It would be nice to compile a satisfactory manner of viewing spam using various, popular email clients.

Today my wife received an unsolicited letter advertising, supposedly, a local Yoga teacher. Now, I should not report this as spam, for genuine yogis usually offer unappreciated services for small fees. The envelope and some checking showed it apparently came from a 'legitimate' advertising agency, if there is such a thing. Also, my wife belongs to some organizations that may well be authorized to send advertising for local businesses. The envelope was reasonable.

However, the street listed was not in this town, and the city wasn't listed. Examining the source code, I found two 'web bugs' hidden in plain sight, as little icons from the advertising agency, to better mark the 'unsubscribe' link (amusing). Doing some more checking, I found many, many Yoga Centers with this name; but the only one even near a street address of this name was over 3000 miles away.

This was spam, whose only purpose was to see whether my wife's mail address was still valid. (Because I use Apple Mail, they won't know.) So, I went from considering the letter innocent, local advertising that I should not report to considering it illicit spam, phishing for live email addresses.

However, reading the envelope wasn't sufficient for this: I had to read the whole letter. The text (possibly viewed if one has IMAP mail) required much research to give it away, but the web bugs clinched it. So, how can one really determine whether a letter is even unsolicited without reading it?

This isn't a problem with the Viagra ads, but young people will often get letter from aliases with strange or no subject lines. Do you read such letter, trash them, or report them? If reading is selected, then - short of saving the letter as a file and opening it with a text editor - should there be some instructions on how to open unrecognized mail safely? It has to be easy, for one should use it for all unrecognized mail.

Just something to think about, in answer to your question. There may be a 'plug-in' or other modification to Microsoft's popular e-mail applications that people are unaware of.

Rapakiwi

[Farelf]

...There may be a 'plug-in' or other modification to Microsoft's popular e-mail applications that people are unaware of.

I use Pocketknife Peek to view Outlook mail headers, text and HTML (seperately) without opening. Not as convenient as "view source"/"view page" available with some mail applications but it seems to work fine. Generally people should review the How do I get my email program to reveal the full, unmodified email? FAQ (as you mentioned in your opening post) and go from there, ensure their security settings and patches are adequate/up-to-date.