How can I open attachments blocked by SpamCop?

[newmanpi]

Recently, I have received several emails that say:

spam detection software, running on the system "bear.dns-nac-zone.com", has

identified this incoming email as possible spam. The original message

has been attached to this so you can view it (if it isn't spam) or block

similar future email. If you have any questions, see

the administrator of that system for details

The original message was not completely plain text, and may be unsafe to

open with some email clients; in particular, it may contain a virus,

or confirm that your address can receive spam. If you wish to view

it, it may be safer to save it to a file and open it with an editor.

I do not know what this means or why these are being blocked? At least one of these emails was valid and was important that I receive it...and eventhough the first paragraph says the original message has been attached so I can view it, I can't open it....near the top under the Toolbar above the 'from" line it says

OE has removed access to the unsafe attachment in your mail InternetSolutions.eml

Can anyone tell me what this means. My internet is the Direcway Satellite Service and my email is configured through Outlook Express, but these blocked spam messages just started coming in to me in the last 2 weeks...

Thanks, newmanpi

[agsteele]

Can anyone tell me what this means.  My internet is the Direcway Satellite Service and my email is configured through Outlook Express, but these blocked spam messages just started coming in to me in the last 2 weeks...

Can you suggest why you think this may be a result of the SpamCop block list? It would assist if you provided the full error message provided including, in particular, the IP address of the blocked mail server.

From the description you give, however, I'd suspect you need to talk to your ISP or possibly the ISP that has sent you the message since I'd imagine they are the ones who are attaching or otherwise the blocked Email and will therefore be able to tell you how they are doing it and what steps to take.

Others may have insight to offer however.

Andrew

p.s. If this is not related to the SpamCop block list I expect that one of the admins will move the discussion to the lounge.

Wazoo, any thoughts?

[dbiel]

Again we will have to repeat the old and wearing request, please included the details.

You say you are using OE - thats a start.

Where is OE getting the mail from? SpamCop email account? some other email provider?

OE version number sometimes can be important as different versions handle mail differently.

The operating system you are using can affect things ie MAC OSX,

Background software/hardware can affect things ie firewalls, popup blockers, virus filters

Including the entire bounced message with full headers is very helpful, it is OK to munge (replace) personal data ie change references to your email name from

tomjones [at] earthlink.net to xxxxxxx [at] earthlink.net or "myname" [at] earthlnk.net which is probably better than xxxxx as it makes it clear that it is your name that has been replaced with the phrase "myname" If there are other valid names you want to protect change them to "myfriendsname" or similar phase.

The more information we have the better we can answer your questions.

"bear.dns-nac-zone.com"

What is the relationship between this domain and you if any?

The simple answer to your question is Something, Somewhere in the path of servers that process and forward the mail to you including our own receiving computer has run the mail though some type of filter and as a result has altered the message in some way including a statement to that effect of which you only posted the part that you thought was important.

You are the only one that has this information and unless you share ALL of it our answers will be based on our assumptions obtained by running the limited information you have provided though our crystal balls which results in replies of very questionable relibility.

The reply from agsteele falls in this catagory, his best attempt, but depending upon what the information that was not supplied reveals may make his suggestions either helpful or worthless.

[flagginator]

READ THIS CAREFULLY

Attachment blocking is a SECURITY FEATURE of Outlook Express (OE) 6. Microsoft has included this SECURITY FEATURE by design. You would be FOOLISH to disable this feature.

By DEFAULT Outlook Express blocks access to ALL file attachments.

That is the reason your attachments are being blocked.

Write this down: Actually what is being blocked is ACCESS to your attachment. You are actually receiving the attachment, and with a few minutes of work you can gain access to this attachment (or any attachments).

Until you take this extra step you will NEVER be allowed access to ANY attachments that are sent to you in OE.

There are two ways to UNBLOCK the access to your attachments:

1. Unblock access to ALL file types (all file extension types). This is NOT the safest way to go as it will open the floodgates to all 65,000+ types of file extensions. Virus spammers have some favorite file type extensions they use and there is NO need to unblock those (.pif, .scr, etc.).

2. Unblock ACCESS to file type extensions on a need to know basis. Right now you want ACCESS to a .eml file attachment. So, for starters, only UNBLOCK ACCESS to .eml's. Forget about the other file extensions until you ACTUALLY RECEIVE one. YOU ONLY HAVE TO UNBLOCK THEM ONCE. Once you UNBLOCK a file type your Outlook Express becomes WIDE OPEN to that file type extension. It takes about a minute to unblock each type. Only unblock them when you actually need to. This is the preferred solution.

AND, REMEMBER, you should only open attachments from people you TRUST. Even that can be a toughy, as virus spammers can impersonate your FRIENDS. So, a better policy is to only open attachments you are EXPECTING.

Read this posting carefully at least three times. In my next post I'll tell you how to unblock ACCESS to the blocked file attachments. And, it's not a big deal to do. It only takes a minute for each file type. But, DO NOT unblock more file types than you have to.

PS: Norton (Symantec) will tell you it's safe to unblock ALL file types as long as you have THEIR anti-virus installed. This is total BS, because viruses are in the wild for a while before Norton creates a virus definition to neutralize the virus. So, there is a window of time when you can be infected by a virus that is UNKNOWN to Norton (or to any anti-virus). So, please take my advice and ONLY allow access to one file type for now (.eml). Later when you get blocked by something else (like .doc) and you are expecting it from a trusted source you can unblock that file type too.

[flagginator]

How to selectively unblock access to file attachments in Outlook Express:

Method one uses Windows Explorer or My Computer and FOLDER OPTIONS:

Right-click on Start -->

click Explore (Windows Explorer) -->

Click on Tools -->

select Folder Options -->

click on the File Types tab -->

search for the registered file type or extension you want to edit -->

Highlight that file type -->

select Advanced -->

select "open" action from the displayed list -->

UNCHECK (deselect) "Confirm open after download".

Of course, do this only for file types that are relatively safe and harmless, and of course only do it for file types you are expecting from trusted sources.

If your file type extension is not listed in the registered file types you will have to add it to your list.

Method two uses the Windows Registry:

Microsoft Office's Outlook was designed to block certain file extensions from opening due to possible malicious code. A simple edit of the registry will allow you to specify which file attachments Outlook should not block.

1) Open regedit

2) Goto HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Outlook\Security

3) Create a new String value called Level1Remove

4) In the Value Data field type the file extension you wish to unblock.

To specify multiple file extensions separate each extension with a semicolon. Ex: .mdb;.bat;.exe

[dbiel]

Wazoo, please consider adding flagginator comments to the FAQ

[newmanpi]

Thanks for all replies, I have pasted what I receive below, I appreciate your help:

OE removed access to the following unsafe attachments in your mail: Internet Solutions.eml

From: Webmedia

Date: Monday-August 30, 2004 9:36 PM

To: portia[at]newmanpi.com

Subject: Internet Solutions

spam detection software, running on the system "bear.dns-nac-zone.com", has

identified this incoming email as possible spam. The original message

has been attached to this so you can view it (if it isn't spam) or block

similar future email. If you have any questions, see

the administrator of that system for details.

Content preview: This is a multi-part message in MIME format Web Designs

by Webmediaprofessionals

URI:http://www.webmediaemails.com/080E16130000171E321C17051F131C021B5C111D1F0E434A4A41450E43430E400E404142424A47430E08.aspx

URI:http://www.webmediaprofessionals.com/adtop1.jpg [...]

Content analysis details: (12.5 points, 5.0 required)

pts rule name description

---- ---------------------- --------------------------------------------------

2.8 MIME_BOUND_RKFINDY spam tool pattern in MIME boundary (rfkindy)

1.6 LARGE_HEX BODY: Contains a large block of hexadecimal code

0.1 HTML_TAG_EXISTS_TBODY BODY: HTML has "tbody" tag

0.1 HTML_60_70 BODY: Message is 60% to 70% HTML

0.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts

0.8 HTML_IMAGE_ONLY_08 BODY: HTML: images with 600-800 bytes of words

0.9 HTML_IMAGE_RATIO_04 BODY: HTML has a low ratio of text to image area

0.0 HTML_MESSAGE BODY: HTML included in message

1.6 FRONTPAGE BODY: Frontpage used to create the message

2.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net

[blocked - see <http://www.spamcop.net/bl.shtml?69.6.66.10>]

0.1 RCVD_IN_RFCI RBL: Sent via a relay in ipwhois.rfc-ignorant.org

[$ has inaccurate or missing WHOIS data at the]

[RIR]

0.8 RCVD_IN_SBL RBL: Received via a relay in Spamhaus SBL

[69.6.66.10 listed in sbl-xbl.spamhaus.org]

1.1 MIME_HTML_ONLY_MULTI Multipart message only has text/html MIME parts

0.2 MIME_BOUND_NEXTPART spam tool pattern in MIME boundary

The original message was not completely plain text, and may be unsafe to

open with some email clients; in particular, it may contain a virus,

or confirm that your address can receive spam. If you wish to view

it, it may be safer to save it to a file and open it with an editor.

[flagginator]

If you do not know the sender, and you are not expecting the attachment, simply delete the entire email and attachment.

[newmanpi]

Flagginator and all who replied:

Thank You, I appreciate your replies and instructions. Yes, Flagginators comments should definitely be added to the faqs....I followed the instructions and 'mission accomplished'!!! I did as you suggested, BUT I did NOT enable the eml attachment on these particular emails, as they were NOT from the source I was expecting attachments from.....they were from someplace called

WebMedia subject Internet Solutions and I was expecting email and attachments from eMedia with a similar subject line.....if you had not provided me with step by step instructions, I would have most likely 'let the attachment open'....I try to learn something each day, and today's lesson was "Well-Learned"!!!

Thanks again to all of you for your assistance and your time....I am certain I will be back for more help and I hope that I can provide help to someone else on this board...(surely I have expertise in some area of computing that somebody needs)

[Wazoo]

First of all, after just recently going off on someone about this not really being the place to explain how to use a browser, I'm not sure that jumping on this set of actions isn't along the same vein. This would be something I'd rather have in the "changed configuration" with the separate tips & hints section.

I don't want to tick anyone off, but I have problems with the content and some of the procedures included. For starters, it's my belief that it's OE6 SP-1 that made the default changes. Granted anyone doing all the updates gets this covered, but ... but we start out a bit wrong. One of the changed defaults was to set OE to run in the "restricted zone" .. but the actual settings within the restricted-zone aren't manipulated (perhaps I should say - manipulated enough in my opinion) .. but this isn't addressed.

The commentary states that "There are two ways to UNBLOCK the access to your attachments:" .. but actually goes into a method/hack for OE, then a method/hack for Outlook. OK, so two methods are described, but one only applies to someone with (at least some part of) Microsoft Office installed (and also appears to be version dependent), and the other isn't really an OE specific thing.

The method/hack for OE actually opens up the rest of the system for other actions, as the change made there is a system-wide thing, not strictly an OE option. I can only say that I would never offer this to one of my clients, other than in an answer to a direct question.

So bottom line, I don't see enough of some specific data, not enough caveats, and even missing the other alternative of simply changing the flag for "Do not allow files to be opened or saved ..." to handle that "must have" e-mail / content package. (and then of course, changing it back before playing with the next spam/e-mail) The issue of someone performing one of these actions, making a bad decision, then making yet another mistake, and then coming back and pointing to this "expert" advice is just too real for me to do a link at this point anyway.

What I find strange is that missing from this whole Topic is the right-click, Properties, Details, Message Source sequence in taking a look at what the message actually contained. Much safer, not accidentally starting something, and of course, making the real decision of what to do next based on the actual contents.

That said, maybe add this to DavidT's quiet riot <g> and see if some more Forums could get added to cover things like this.

[dbiel]

Wazoo, interesting point of view. and a lot to think about.

Under the current format of the FAQ there really is no place to put it.

Do we end up building a bible on how to set up computers and if so where do we stop. Hard enough to just deal with the SpamCop issues let alone email in general and now issues that have system wide implications.

A lot to think about.

Do we restrict the extent of advise given in these forums and if so where do we build the rules for doing so.

A simple comment "Add to the FAQ" and it sure becomes a complex issue just by looking at it from a different point of view.

The question becomes, where to we go from here?

Thanks for the insight, now that I have made it even more complex.

[Wazoo]

Be advised that some of these thoughts come from one who spends too much time over in the Microsoft peer-to-peer support newsgroups <g>

Well, a bit of a compromise here ... I'm going to add another link (or three) to the 'other than SpamCop' list ... for example, notice all the additional detail provided by the folks at slapstick for the Outlook side of things on this subject; http://www.slipstick.com/outlook/esecup/getexe.htm ... more options, more details, version numbers mentioned, third-party tools, etc. ... and in all fairness, I'll also add a link to another OE 'expert' page ..... Tom's alternative instructions are here; http://insideoe.tomsterdam.com/faqs/why.htm#oe6attach

[turetzsr]

Wazoo, interesting point of view. and a lot to think about.

Under the current format of the FAQ there really is no place to put it.

Do we end up building a bible on how to set up computers and if so where do we stop.  Hard enough to just deal with the SpamCop issues let alone email in general and now issues that have system wide implications.

A lot to think about.

Do we restrict the extent of advise given in these forums and if so where do we build the rules for doing so.

A simple comment "Add to the FAQ" and it sure becomes a complex issue just by looking at it from a different point of view.

The question becomes, where to we go from here?

Thanks for the insight, now that I have made it even more complex.

16114[/snapback]

...FWIW: I would argue that the FAQ should be limited (more or less) to "SpamCop" issues. Questions about Microsoft applications like OE may be on-topic insofar as they "generally" arise in the minds of SpamCop users who run under Microsoft environments or use Microsoft software (for example, the two-part form issue). Questions such as the one in this thread are not among such questions (again, IHMO -- I don't see this question often, if at all, from other users) and therefore are better handled in the fora in a "user helping user" format.