
Re: virus warnig



Judith Davidsen wrote:

> Me, too.
>
> Judith Davidsen
>
> I'm interested, please elaborate.
>
> Fred
>
>   ----- Original Message -----
>   From: J. R. Fox
>   To: xywrite@xxxxxxxxxxxxxxxxxx
>   Sent: Tuesday, October 22, 2002 3:15 PM
>   Subject: Re: virus warnig
>
>   .... So, if you're at all curious about a particular
> suspect
>   email, you can find out, even without the help of a
> virus scanner.

Fred, Judith, and any other interested parties:

O.K., here's what I do. The following two methods are specific to the
email program I use, which as of this writing continues to be the mail
client built into Netscape Communicator. (Sometime in the not too
distant future, I hope to transition to using MR2 ICE, but I have a
rather large mail cleanup & reorganization project first, even before
I attempt to convert the contents of existing folders, address book,
etc.) For sure, the 2nd. method is applicable to other mail programs;
not sure about the first.

It is important first to note the structure of mail in Netscape.
There are always file pairs: a uniblock mail file, in which you can
discern the beginning and end of individual messages, and a
corresponding index file that parses said mail file. On just this one
mail account, my Inbox file has (mostly through neglectful processing)
grown to about 19 meg. in size. That's after trying to steadily
delete everything that was clearly deletable, as it came in ! Much
other mail that I wished to retain has been farmed out to specific
folders and sub-folders. For example, the XyList Folder has under it
sub-folders for Display Issues, Conversion Issues, U2 Reference,
Printing, and about 8 other categories. Each discrete category will
have its own 2-file pair. (I don't really know, but this may be a
common structure for many mail programs.) We can forget about
the index files for purposes of this discussion: so far as I'm aware,
embedded code, attachments, or any other "payload" can only exist
within the actual NS mail files.

Method 1 (very low risk): I highlight the message of interest and
SAVE it AS Plain Text, almost always to a RAM Disk. The latter point
is just a convenience, since I have one loaded by default in OS/2 (RAM
Disks apparently became illegal in WIN, from NT onwards). That leaves
nothing real to clean up afterwards . . . but you could use a floppy
disk whose contents you didn't care about, just as easily. Now, *in
the 4.x series NS mail client*, on any platform, this does NOT open
the file. It flenses out anything that is not plain ASCII text,
saving only the short message header and any ASCII text that may exist
in the message. I forget what happens to Javascript -- it is either
dropped entirely or comes out as plain text. You probably want your
Javascript setting turned OFF though when doing this, just as a
reasonable precaution. There will be a plain text notation at the
end, indicating the existence of any attachment, something on the
order of "Base 64 Encoding. DUBIOUS_FILE.EXE." These results you can
read.

I can tell you this works for NS Communicator for OS/2 and for Win-32,
presumably also under Linux, but the last version I have used is 4.79
for WIN. I doubt they changed this in the later codebases, but I
don't know for sure. I'm also using Mozilla, the successor to
Communicator, which is based on NS 5.x, but I don't use the Mail
client there. As to the latest NS 6.0 (7.0 ?), no idea. You should
make *no assumptions* re other mail programs for Windows. Internet
Explorer won't even let you turn off Javascript (and harmful
Javascript code is reported to exist). WIN programs have a nasty
habit of opening files you never explicitly asked them to open. So,
_in other cases_, I certainly *can't* guarantee you that SAVE AS Plain
Text won't open it !

There are a couple of drawbacks to Method #1. NS can crash when
attempting to save certain complex emails as plain text. Not harmful,
just annoying. I've seen this happen with other programs, too. If
they can't convert it to plain text, they just terminate. Also, you
don't get to see all the revealing info you were looking for, this
way.

Method #2 (risk should be non-existent): I peek at the master Mail
file, or Search it, with a real file viewer. Do NOT, under any
circumstances, use Windows Explorer !! (That would likely open
Pandora's Box.) I use the Viewer built into ZTree, which can view
anything in Ascii or Hex, plus other options. You could probably use
XyWrite, but ZTree's Viewer won't choke on very large files, or give
you anything equivalent to that "X" at upper right of the CM, when you
do. I can jump instantly to the end of a mail file, or search for a
keyword I believe to be unique to that message, or nearly so. The
Viewer shows _everything_, revealing without really "opening." I can
see suspicious blocks of code, Javascript, the alleged file-type
(where I saw the indication of the last one being an X-Wave Audio
file), as well as full header info that gets discarded by Method #1.
[Do unknown persons send you unrequested audio files? Very unlikely,
so delete it.] Were I far more savvy in things TCP/IP, I could
possibly find some useful clues as to the message's point of origin,
from the routing info in the long header. In the case of a recurrent
message, this could facilitate filing a complaint with the relevant
ISP.

I'm sure there are a number of straight file viewers for WIN that
would do the same thing in much the same way. Any good _real_ File
Manager program should have one. One that comes to mind is
POWERDESK. But I really loved the old XTree, and love the ZTree
successor even more. It is available for both OS/2 and Win-32. Linux
folks will have to look for something else.

Again, many of the more suspect junk emails that come through are
quite routine and guessable. But, now and then, one of them will
pique my curiosity, and these methods have worked well for me in
identifying them.


Jordan
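As an added example that is not part of Jordan's message or anything from the XyWrite list, here is a script that does Method #2's inspection offline: it reads a constructed mbox-format mail file (the same one-file-per-folder layout Netscape 4.x uses), pulls each message's Received trail, attachment names, declared types and transfer encodings from the raw headers, and flags executable extensions, base64 attachments and HTML parts carrying a script tag, without rendering or running any part. The sample data, EXEC_EXT and the function names are my assumptions.

```python
import os, re
from email import policy
from email.parser import BytesParser
# Constructed mbox-format mail file (the per-folder "uniblock" file Netscape 4.x keeps).
SAMPLE_MBOX = b"""From alice@example.test Tue Oct 22 15:15:00 2002
From: alice@example.test
Subject: Plain note

Just text, nothing attached.

From nobody@example.invalid Tue Oct 22 15:20:00 2002
Received: from [203.0.113.5] by mx.example.test
Received: from mx.example.test by mail.example.test
From: nobody@example.invalid
Subject: Re: your file
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/html

<html><script>/* constructed, inert */</script></html>
--XX
Content-Type: audio/x-wav; name="DUBIOUS_FILE.EXE"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="DUBIOUS_FILE.EXE"

Q29uc3RydWN0ZWQ=
--XX--
"""
EXEC_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".vbs"}  # assumed watch-list

def split_mbox(data):
    """Split a raw mbox on its 'From ' envelope lines (dropped); returns message bytes."""
    return [m for m in re.split(rb"(?m)^From .*\n", data) if m.strip()]

def inspect_message(raw):
    """Report what a message claims about itself; no part is rendered or executed."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    rep = {"subject": str(msg["Subject"]), "received": msg.get_all("Received", []), "flags": []}
    for part in msg.walk():
        if part.is_multipart(): continue
        ctype, fname = part.get_content_type(), part.get_filename()
        cte = (part.get("Content-Transfer-Encoding") or "7bit").lower()
        if fname and cte == "base64":  # the "Base 64 Encoding. FILE" notation, read from headers
            rep["flags"].append(f"base64 attachment {fname} declared as {ctype}")
        if os.path.splitext(fname or "")[1].lower() in EXEC_EXT:
            rep["flags"].append(f"executable extension: {fname}")
        if ctype == "text/html" and b"<script" in part.get_payload(decode=True).lower():
            rep["flags"].append("HTML part contains <script>")
    return rep
```

The Received list comes out in header order, so the last entry is the hop closest to the sender, which is the part of the long header the message above says could support a complaint to the originating ISP.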