Thoughts Media.com
  #1 (permalink)  
Old 03-08-2007, 02:20 AM
Contributing Editor
Jon Westfall's Avatar
Join Date: Aug 2006
Posts: 2,714
The Top 25 Most Common Mistakes in Email Security

http://www.itsecurity.com/features/...istakes-022807/

"Someone recently pointed me to this article which describes the 25 Common Email Security mistakes people make.... It's an interesting read and one section really did make me smile! About making people aware that when they receive email from unknown sources...
  • You have not won the Irish Lotto, the Yahoo Lottery, or any other big cash prize.
  • There is no actual Nigerian King or Prince trying to send you $10 million.
  • Your Bank Account Details do not need to be reconfirmed immediately.
  • You do not have an unclaimed inheritance.
  • You never actually sent that "Returned Mail".
  • The News Headline email is not just someone informing you about the daily news.
  • You have not won an Ipod Nano."



Jason Langridge points out a very useful article that I enjoyed reading through. If there is one rule I could make others obey it would surely be "Never trust the From: line"! Clients at the hosting company I consult for continually have issues with that one simple rule, most often complaining to us that "Someone has hacked my account" when they get returned mail or get spam from themselves. Oh how I wish people would spend some time and learn how to talk to an SMTP server - then they'd see just how easy it is to change the "From" line!
__________________
Jon Westfall
Contributing Editor, MS MVP, MCSE, ABD, and More.

  #2 (permalink)  
Old 03-08-2007, 04:11 AM
Editor Emeritus
Brad Adrian's Avatar
Join Date: Sep 2006
Posts: 3,020

I'm probably the only person here who doesn't know this, but how do spammers and phishers provide a link that takes you to their spoof site, but which appears to have a legitimate domain name?
  #3 (permalink)  
Old 03-08-2007, 04:42 AM
Sage
Join Date: Mar 2005
Posts: 810
Send a message via Yahoo to Patrick Y.

Call me crazy, but I actually enjoy those spam sometimes. They're actually comical to read. Lol!
__________________
Got my first Pocket PC when I was 12! Acer n10> Dell x50v with WM5 Beta> Dell Axim x51v3 year warranty
  #4 (permalink)  
Old 03-08-2007, 04:46 AM
Intellectual
Join Date: Mar 2002
Posts: 120
Send a message via Yahoo to kaiden.1

Funny :lol: And the absolute truth!!!!!! I think that we have all received those e-mails.
  #5 (permalink)  
Old 03-08-2007, 06:27 AM
News Editor
Darius Wey's Avatar
Join Date: Aug 2006
Posts: 12,547

Quote:
Originally Posted by Patrick Y.
Call me crazy, but I actually enjoy those spam sometimes. They're actually comical to read. Lol!
Well, okay, I receive hundreds a day. You're welcome to take a good portion of it for bedtime reading.
__________________
Want the latest news, views, rants and raves? Visit our portal. Wish to contact me? Send me a private message or e-mail.
  #6 (permalink)  
Old 03-08-2007, 06:31 AM
News Editor
Darius Wey's Avatar
Join Date: Aug 2006
Posts: 12,547

Quote:
Originally Posted by Brad Adrian
I'm probably the only person here who doesn't know this, but how do spammers and phishers provide a link that takes you to their spoof site, but which appears to have a legitimate domain name?
Plain old HTML. They simply wrap the seemingly legitimate address in a fake one, like so:

http://www.pocketpcthoughts.com/
__________________
Want the latest news, views, rants and raves? Visit our portal. Wish to contact me? Send me a private message or e-mail.
  #7 (permalink)  
Old 03-08-2007, 05:51 PM
Contributing Editor
Jon Westfall's Avatar
Join Date: Aug 2006
Posts: 2,714

Quote:
Originally Posted by Darius Wey
Quote:
Originally Posted by Brad Adrian
I'm probably the only person here who doesn't know this, but how do spammers and phishers provide a link that takes you to their spoof site, but which appears to have a legitimate domain name?
Plain old HTML. They simply wrap the seemingly legitimate address in a fake one, like so:

http://www.pocketpcthoughts.com/
Another old trick is the @ symbol or user credentials in the URL string. An old method of allowing a person to specify access credentials inline with the URL was http://username:password@domain.com (This allowed you to jump past pesky login pop-ups). However, this can be used with sites that don't require authentication in the following ways:

http://www.microsoft.com:bunchofjunkhere@REALDOMAIN.COM

or

http://www.microsoft.com@REALDOMAIN.COM/

Those both don't take you remotely near microsoft.com, but look like they will.
__________________
Jon Westfall
Contributing Editor, MS MVP, MCSE, ABD, and More.
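
Added example, not part of the thread and not any poster's code: a mail-filter style check for the two link tricks described in posts #6 and #7, visible link text that names one host while the `href` goes to another, and a look-alike name placed before an `@` in the URL. The function names and the `realdomain.example` / `spoof.example` hosts are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

def real_host(url):
    """Host the client actually connects to: whatever follows the last '@'."""
    return (urlsplit(url).hostname or "").lower()

class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def audit(html):
    """Return (href, reason) findings for links that hide their destination."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        dest = real_host(href)
        if "@" in urlsplit(href).netloc:
            findings.append((href, "userinfo before '@'; real host is " + dest))
        # Link text that looks like a URL must name the same host as the href.
        if text.lower().startswith(("http://", "https://", "www.")):
            shown = real_host(text if "://" in text else "http://" + text)
            if shown != dest:
                findings.append((href, "text shows %s, href goes to %s" % (shown, dest)))
    return findings

# Constructed sample body; realdomain.example and spoof.example are placeholders.
SAMPLE = (
    '<a href="http://www.pocketpcthoughts.com/">http://www.pocketpcthoughts.com/</a>'
    '<a href="http://spoof.example/">http://www.pocketpcthoughts.com/</a>'
    '<a href="http://www.microsoft.com:bunchofjunkhere@realdomain.example/">Update</a>'
    '<a href="http://www.microsoft.com@realdomain.example/">http://www.microsoft.com/</a>'
)
```

Calling `audit(SAMPLE)` leaves the first link alone and reports the other three; the last link is reported twice because it uses both tricks at once.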

  #8 (permalink)  
Old 03-08-2007, 07:53 PM
Thinker
Steve Jordan's Avatar
Join Date: Jun 2003
Posts: 438

All good tips. I noticed that the article assumes the user is using Outlook for e-mail (based on the commands and backup tools he references), but says nothing about Outlook's status as most-hackable e-mail program. I would have expected a mention of other e-mail apps that are a bit more secure.
__________________
www.SteveJordanBooks.com The e-book is the 21st Century.