E-Mail Safety Rules

(Author’s note: once upon a time—well over five years ago—I used to keep my website relatively active. There are some pages that, for whatever reason, have cemented themselves in Google’s web of indexes and continue to drive traffic. This is one of those pages. Since I’ve moved pretty much everything to WordPress, I am retiring the old raw-html version and reposting it here.)

Every now and then I get an email passed along from Mom that warns me about the harvesting of kidneys or about killer computer viruses from AOL that will delete your hard disk if you even read them, etc. Actually, Mom’s pretty savvy, so rather than spamming all of her friends, she would send me the forwarded email with the question “Is this legit?”

Without exception I type a couple choice keywords into Google, find a site that debunks hoaxes and give her a URL to a page describing that particular hoax. After the millionth such e-mail I finally got tired and decided it was time to address Mom’s friend directly. This time she had passed along the following to my Mom:

Subject: HOW TO PROTECT YOUR ADDRESS BOOK

I learned a computer trick today that’s really ingenious in its simplicity. Just received it from a friend.

As you may know, when/if a worm virus gets into your computer it heads straight for your e-mail address book, and sends itself to everyone in there, thus infecting all your friends and associates. This trick won’t keep the virus from getting into your computer, but it will stop it from using your address book to spread further, and it will alert you to the fact that the worm has gotten into your system.

Here’s what you do: first, open your address book and click on “new contact”, just as you would do if you were adding a new friend to your list of e-mail addresses.

In the window where you would type your friend’s first name, type in AAAAAAA… Also use address AAAAAAA@a.aaa

Now, here’s what you’ve done and why it works: The name AAAAAAA will be placed at the top of your address book as entry #1. This will be where the worm will start in an effort to send itself to all your friends. But, when it tries to send itself to AAAAAAA, it will be undeliverable because of the phony e-mail address you entered.

If the first attempt fails (which it will because of the phony address), the worm goes no further and your friends will not be infected.

Here’s the second great advantage of this method: If an e-mail cannot be delivered, you will be notified of this in your In Box almost immediately. Hence, if you ever get an e-mail telling you that an e-mail addressed to AAAAAAA could not be delivered, you know right away that you have the worm virus in your system. You can then take steps to get rid of it! Pretty slick, huh?

If everybody you know does this then you need not ever worry about opening mail from friends. Pass this on to all your friends.

Instead of writing a simple note saying “No, in fact that’s pretty stupid and not likely to work,” I decided to actually write a set of rules that the lay-person should be able to read, understand and follow, which would probably do more good than all the Anti Virus software companies combined if only people of the world would take the time to read them. The following is the response that I’d send to Mom, her friend, and all the e-mail addresses I was able to pull out of the dozen headers from that e-mail:

From: Murray Todd Williams
Date: Mon Jul 28, 2003 8:31:57 AM America/Los_Angeles
To: (Mom’s e-mail address)
Cc: (Mom’s friend’s e-mail address)
Subject: E-MAIL SAFETY RULES (was Address Book Protection)

Wrong. There is no e-mail program that waits to make sure each individual delivery works before sending the next one. Having an undeliverable AAAAA entry may possibly give you a warning that something was sent out when it shouldn’t have been, although even this is not always the case. Sometimes people will “spoof” a spam header, making it look as though it came from your account. Every now and then I get a “bounced back” e-mail that I’d never sent in the first place. The e-mail didn’t actually come from my computer, but some spammer had forged the header so that it appeared to have come from some legitimate person.

In conclusion, the best you can hope for from the AAAAA trick is maybe to get an advance warning that your system has been infected. More likely the infected e-mail your system is sending out will somehow spoof your return address so that the warnings won’t even get to you. But here’s the deadliest item in that e-mail you forwarded:

If everybody you know does this then you need not ever worry about opening mail from friends. Pass this on to all your friends.

The best thing you can do is to educate yourself about some things regarding e-mail protocol. Since I’ve been spending so much time fronting questions about this stuff, I’m going to sit down and write down some standard e-mail practices. I put to you that these practices work because in the 25 years that I’ve worked with computers, I have never once had a computer infected with a virus!

BEST PRACTICES FOR LIVING WITH E-MAIL:

  1. Never click on an attachment you don’t know. If your son sends you an e-mail saying “here’s a picture of your new grandson in the Christmas outfit you sent. Isn’t he cute!!” guess what? YOU KNOW WHAT THE ATTACHMENT IS!! You have been told that it is a picture and what the picture is. You know the e-mail came from your son, and that he knew he sent it. In this case, go ahead and click this attached picture and enjoy it. If on the other hand you get some random looking e-mail that says something vague like “This is regarding our conversation last Tuesday.” DELETE IT! At best you can hold onto it without viewing it until you’ve confirmed that it is legitimate. If you don’t know who the person is who sent it, NEVER click on the attachment. THIS RULE WILL SAVE YOU FROM 95% OF POTENTIAL PROBLEMS.
  2. Get in the practice of writing meaningful Subject lines. Okay, this one works if everybody starts following the practice. Engage your brain that extra little bit to actually write a meaningful subject line for any and every e-mail message you ever send out. If you are forwarding or replying to something, consider replacing the “RE: blah blah” or “FWD: blah blah” with something with meaning. It can be your opportunity to be witty or informative, but it makes it that much easier for people to identify suspicious e-mails if they know you never sent something with the vague subject “Really Cute Thing” or “About last week’s phone call” or “This is Amazing”. Can you see how these are subjects crafted to lure victims into opening them?
  3. Avoid things that just look cute. There used to be lots of nasty programs that were designed to open a window and display some cute and funny and quaint little cartoon. It would always be in the form of some innocent looking attachment that you could easily drag into your e-mail and send to someone else. The cuter or funnier the animation the more likely it was to be sent out. While entertaining you, these programs would do nasty and violent things to your computer. The worst sort of thing to send other people are files that make some entertaining little video. Every few weeks someone sends me an e-mail with an attachment. It is not explained further than “Oh my God I laughed my ass off when I saw this!” I NEVER EVER EVER open these. If you simply MUST send something along, at least learn what the legitimate and safe file types are, like JPG and GIF for photos or MOV or SWF for movie animations. These run through programs that are designed to be secure. BAT and EXE and PIF are extensions of programs that are almost always deadly.
  4. If something says “pass this on to everyone you know” then DON’T! After 25 years I finally got a legitimate “warning” e-mail (about a product recall) for the first time. EVERY OTHER TIME any e-mail that seems to be some sort of important warning was ALWAYS a hoax. Let me repeat this. If any e-mail tells you to pass it along to everyone you know, it is certain to be a hoax. Want to find out how? Go to your favorite search engine (like http://www.google.com) and type in “hoax” and then some keywords about the particular story like “kidney harvest victim” or “rain anti-lock brake” or “microsoft forward test money” or “AOL e-mail virus subject”. Most likely you will be sent to one of a dozen web sites that exist to expose all the hoaxes floating around there.
  5. Let’s recap this last one. E-mails that seem to be designed to warn and protect you about something (like the one Pat Venable just sent my mom about this “Address Book” fix) are always hoaxes. Warnings about nasty viruses, about people drugging unsuspecting people in bars, about dangerous practices, etc. are always hoaxes. Ask yourself this: if any reputable agency wanted to warn people about something, would they go through trustworthy channels like the TV news or newspapers or would they suddenly say “let’s write an e-mail to everyone we know and have them forward it to their friends!”? BZZZZZTT. You lose. The only way such an e-mail might be legitimate is if it sports a link to a web page or a trustworthy entity like the CDC or other government agency AND that link goes to a web site that stands to provide you updated information about the crisis. Such was the case with the one and only real e-mail I’d gotten in 25 years. It had a web link to a real product recall effort. The hoax e-mails never provide such links. Still, it’s just best to assume that any e-mail that says “pass this on to all your friends” is ALWAYS a hoax.
  6. Political petition e-mails never work. The e-mail that seems to harp on some sympathetic cause that tells you to forward it to everyone you know simply doesn’t work. The petition has no way of getting collected, organized and processed. Even if it did, there’s no way to validate e-mail addresses so politically they are meaningless. At best they are great ways for people to harvest your e-mail address for further spamming which brings me to…
  7. If you must pass something on to a large mailing list, use the BCC: field. Notice on Pat’s e-mail (sorry to make an example of you, Pat) that there are two dozen e-mail addresses here. Hell, you know because most of you don’t know me and I just sent you an unsolicited e-mail. (He he he!) In some cases I get e-mails with hundreds of e-mail addresses. I’m sure some of your friends wouldn’t be thrilled to know hundreds or thousands of strangers now have a copy of their e-mail addresses. On the other hand, spammers are likely to love you because they can harvest new victims. AHA! There is a fix to this, but it takes a little figuring out. Every e-mail program has three different “send” fields: “To”, “CC”, and “BCC”. Most don’t show the “BCC” field unless you explicitly tell it to. If you just HAVE to send an e-mail to all your friends, if you put all those e-mail addresses in the “BCC” field, they will get the e-mail, but none of the recipients will see the list of all the people the message had been sent to. Thus, you get to send out mass e-mails but you protect your friends’ privacy. Go do the research it takes to figure out how to use the BCC field for addressing any bulk e-mail.
  8. Get a Mac. Sorry, I couldn’t help myself. Horrible product plug. Still, the fact of the matter is almost all viruses and worms attack Microsoft Windows, so using a Macintosh keeps me safe and secure.
  9. Buy an Antivirus package. Norton Antivirus or McAfee are the two big products. Yes, they cost money (on a subscription basis: some money every few months for updated immunization), but they may protect you if the above 6 points are just too confusing for you to remember. Actually, if you bought the Mac, you don’t really need to do this one…

Okay, that’s enough to keep you safe in your computing adventures. I firmly believe these points are not too complicated to remember. And despite the warning that you should “NEVER FORWARD SOMETHING TO EVERYONE YOU KNOW WHEN IT TELLS YOU TO” maybe, just maybe this e-mail is an exception. Anyway, safe computing everyone!
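Rule 3's extension advice as a mail-filter-style check, added here as an example and not part of the original e-mail: it classifies attachment names using the extensions the rule names (BAT, EXE, PIF versus JPG, GIF, MOV, SWF) and, going one step beyond the rule's text, flags a program hiding behind a media-looking name. The message, addresses and file names are constructed.

```python
from email.message import EmailMessage
from pathlib import PurePosixPath

# Extensions rule 3 calls "almost always deadly" (programs).
PROGRAM_EXTS = {".bat", ".exe", ".pif"}
# Extensions rule 3 lists for photos and movie animations.
MEDIA_EXTS = {".jpg", ".gif", ".mov", ".swf"}


def classify(filename):
    """Classify one attachment name as 'program', 'disguised-program',
    'media' or 'unknown', looking only at its extensions."""
    # Windows ignores trailing dots and spaces, so "x.pif." still runs as .pif.
    name = (filename or "").strip().rstrip(". ").lower()
    suffixes = PurePosixPath(name).suffixes
    if not suffixes:
        return "unknown"
    if suffixes[-1] in PROGRAM_EXTS:
        # A media-looking suffix in front of the real one is a disguise.
        hidden = any(s in MEDIA_EXTS for s in suffixes[:-1])
        return "disguised-program" if hidden else "program"
    return "media" if suffixes[-1] in MEDIA_EXTS else "unknown"


def scan(msg):
    """Return (filename, verdict) for every attachment of an EmailMessage."""
    return [(part.get_filename(), classify(part.get_filename()))
            for part in msg.iter_attachments()]


def build_sample():
    """Constructed message: addresses, subject and file names are made up."""
    msg = EmailMessage()
    msg["From"] = "friend@example.com"
    msg["To"] = "mom@example.com"
    msg["Subject"] = "This is Amazing"
    msg.set_content("I laughed so hard when I saw this!")
    for name in ("grandson.jpg", "Cartoon.JPG.exe", "greeting.pif.", "notes.txt"):
        msg.add_attachment(b"constructed placeholder bytes", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg


if __name__ == "__main__":
    for filename, verdict in scan(build_sample()):
        print(f"{verdict:18} {filename}")
```

The check looks only at names, so it is a first filter: "media" means the name matches the rule's list, not that the file's contents were inspected.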