A suspicious e-mail ?

Discussion in 'other security issues & news' started by Yinda, May 20, 2003.

Thread Status:
Not open for further replies.
  1. Yinda

    Yinda Registered Member

    Joined:
    Nov 17, 2002
    Posts:
    78
    Hi,
    I received a suspicious e-mail in Outlook Express. I did not open it but used Properties | Details | source of message to have a look. There is the following :

    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    boundary="----=_NextPart_1E3_887D_0AE625B8.0700644B"
    X-Priority: 1
    X-MSMail-Priority: High
    X-Mailer: Microsoft Outlook Express 5.50.4133.2400
    X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400

    This is a multi-part message in MIME format.

    ------=_NextPart_1E3_887D_0AE625B8.0700644B
    Content-Type: text/plain;
    charset="us-ascii"
    Content-Transfer-Encoding: quoted-printable

    ------=_NextPart_1E3_887D_0AE625B8.0700644B
    Content-Type: text/html;
    charset="us-ascii"
    Content-Transfer-Encoding: base64

    PCFET0NUWVBFIEhUTUwgUFVCTElDICItLy9XM0MvL0RURCBIVE1MIDQuMCBU...

    Question : why is "text/plain" or "text/html" unreadable ? If this were an image/stationery, I would expect to find something like "Content-Type: image/jpeg". How would OE handle this mail ?

    Thanks,

    Yinda
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    The text block is merely uuencoded, as you pointed out, very much like an image or other attachment would be. Encoding text blocks is often done with spam in the hopes that spam filters won't be able to block delivery of the message. I receive a lot of spam that is structured this same way. When you read the message in OE, it can decode it just fine back into the original text. However, I never read these as I know they are spam (or worse).

    So basically, it's a perfectly valid form of message transmission, but, in practice it is now being used to help deliver spam more effectively.
     
  3. Yinda

    Yinda Registered Member

    Joined:
    Nov 17, 2002
    Posts:
    78
    Thanks LWM.
    I don't read such mails either (the Preview pane in OE is disabled).
    Regards,
    Yinda
     
  4. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    I have the preview open, but when I see lots of new emails, I might use the "search" function and put it on today's date or a day back; that way I can safely scroll through the mess and delete or open or look in the source without actually opening the email.

    Good that you tell about the uuencode ... I thought of that line it was an encryption key :)
     
  5. Yinda

    Yinda Registered Member

    Joined:
    Nov 17, 2002
    Posts:
    78
    I'd like to understand your idea because the preview pane is useful.

    I understand that, in the search window, we can scroll through the list without opening anything. But how can we "open or look in the source without actually opening the email" ?
     
  6. Tinribs

    Tinribs Registered Member

    Joined:
    Mar 14, 2002
    Posts:
    734
    Location:
    England
    Is not the preview pane as good as opening an email? In all email clients I've ever used, the first thing to do is disable the preview pane.
     
  7. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    In essence: yes. Any kind of code can be activated, HTML etc. coming with possible exploits.

    regards.

    paul
     
  8. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Yinda, in the search you see the message sender/subject.
    Right-click it, get the properties, details, where you see the source. As this is the same you would see in notepad, the possible code in it can't run.
    It's the same when we look for instance with WormGuard in a blocked file in the safe mode, the file is not opened actually, you're just scrolling through its source code.
     
  9. Yinda

    Yinda Registered Member

    Joined:
    Nov 17, 2002
    Posts:
    78
    I see, Jooske. I'll keep the preview pane disabled in order to prevent opening a mail through inadvertence.
    Thanks.
    Yinda
     
  10. Yinda

    Yinda Registered Member

    Joined:
    Nov 17, 2002
    Posts:
    78
    Hi,

    I am reactivating this post for one more question.

    I have an occasional correspondent who is used to sending me uuencoded messages. I don't know why, because they are not spam. Please can you confirm that, as long as the Content-Type is "text/plain", such messages can't be harmful ?

    Thanks.

    Yinda
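
Added example, not part of the original thread: a Python sketch of the check discussed above, reading a message's raw source and decoding each MIME part to plain text without rendering it, then listing text parts that were sent base64-encoded like the text/html part in the first post. The sample message, `SAMPLE_HTML`, and the function names `inspect_parts` and `encoded_text_parts` are constructed for illustration.

```python
import base64
from email import message_from_string
from email.policy import default

# Constructed sample (not the message from the thread): same layout as the
# quoted source, with a harmless HTML body that is base64-encoded here.
SAMPLE_HTML = '<html><body><a href="http://example.invalid/">Click</a></body></html>'
SAMPLE = (
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/alternative; boundary="BOUNDARY"\n'
    "\n"
    "This is a multi-part message in MIME format.\n"
    "\n"
    "--BOUNDARY\n"
    'Content-Type: text/plain; charset="us-ascii"\n'
    "Content-Transfer-Encoding: quoted-printable\n"
    "\n"
    "\n"
    "--BOUNDARY\n"
    'Content-Type: text/html; charset="us-ascii"\n'
    "Content-Transfer-Encoding: base64\n"
    "\n"
    + base64.b64encode(SAMPLE_HTML.encode("ascii")).decode("ascii")
    + "\n--BOUNDARY--\n"
)


def inspect_parts(raw):
    """Return (content_type, transfer_encoding, decoded_text) per leaf part."""
    report = []
    for part in message_from_string(raw, policy=default).walk():
        if part.is_multipart():
            continue
        cte = str(part.get("Content-Transfer-Encoding", "7bit")).strip().lower()
        # Decode the transfer encoding only; nothing is rendered or executed.
        payload = part.get_payload(decode=True) or b""
        try:
            text = payload.decode(part.get_content_charset() or "us-ascii", "replace")
        except LookupError:  # unknown charset label in the header
            text = payload.decode("latin-1")
        report.append((part.get_content_type(), cte, text))
    return report


def encoded_text_parts(report):
    """Text parts sent as base64: valid MIME, but worth reading before opening."""
    return [(ctype, text) for ctype, cte, text in report
            if ctype.startswith("text/") and cte == "base64"]
```

Running `encoded_text_parts(inspect_parts(SAMPLE))` returns the decoded HTML as a string, so links and markup can be read as text in a terminal or editor.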
     