The first thing I do is check any links that the email asks me to click. For example, the image below is from a recent email claiming to be a critical update for MS Outlook and Outlook Express. In this example, I right-click the link and then choose Copy link address.

I use Google Apps for my domain's email; however, the process should be similar no matter what service you use. Next, I open a Notepad window and paste the address there for inspection. Typically, there will be something other than the correct address for the originator of the email. In this example, the link reads
http://update.microsoft.com.iXXXXXX.com
NOTE: I have X'd out most of the portion of the address that is not the originator, as well as the rest of the link, as it is irrelevant to this example.
Had this been a valid email for an update from Microsoft, rest assured that update.microsoft.com would have been the domain without the extra .iXXXXXX.com after it.
The other thing I do is check the email's header information. I will explain how to do this in Google Apps/Gmail. While in the message, click the down arrow next to Reply in the upper right of the message and select Show original. This will open a new window that will show the text in the example below (plus more that I've omitted from this example). If you are using Outlook 2003, see this article on how to view the header information.
The information you would be most concerned with is the Return-Path field (highlighted in the image). As you can see in the example, the Return-Path is definitely NOT from Microsoft. This is a sure sign that the message is not from who it claims.
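Both checks described above (the link's real host and the Return-Path) can be scripted. The following is an added example, not part of the original post: the message is constructed, `example.net` stands in for the redacted sender domain, and the function names are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample message; example.net replaces the redacted domain.
RAW = """\
Return-Path: <bounce@mailer.example.net>
From: "Microsoft Update" <update@microsoft.com>
Subject: Critical update for Outlook
Content-Type: text/plain

Install the update: http://update.microsoft.com.example.net/dl?id=1
"""

def host_belongs_to(host, trusted):
    """True only if host is the trusted domain or a subdomain of it.

    The domain that matters is at the END of the hostname, so a
    substring match on "microsoft.com" is not sufficient.
    """
    host = host.lower().rstrip(".")
    return host == trusted or host.endswith("." + trusted)

def inspect(raw, trusted):
    """Return (kind, host) pairs for every host not under `trusted`."""
    msg = message_from_string(raw)
    findings = []
    # Return-Path: the envelope sender recorded at delivery time.
    _, address = parseaddr(msg.get("Return-Path", ""))
    rp_host = address.rpartition("@")[2]
    if not host_belongs_to(rp_host, trusted):
        findings.append(("return-path", rp_host))
    # Every http(s) link in the plain-text body.
    for url in re.findall(r"https?://[^\s\"'<>]+", msg.get_payload()):
        host = urlsplit(url).hostname or ""
        if not host_belongs_to(host, trusted):
            findings.append(("link", host))
    return findings

if __name__ == "__main__":
    for kind, host in inspect(RAW, "microsoft.com"):
        print(f"{kind}: '{host}' is not under microsoft.com")
```

Legitimate mail sent through a third-party mailing service can also carry a Return-Path on a different domain, so a script like this is best used to flag messages for the manual inspection described here.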
One final item that made me suspicious about our example email was that it referenced Outlook Express. Microsoft currently does not offer OE for download and I believe that it is out of its life cycle.
For the record, I did NOT click on this link and I would recommend you follow suit. Maybe I will set up a test PC and do it just to see the consequences.
Thanks for reading this. I welcome any comments (pro and con) as well as suggestions for articles.
Thank you for the tip! I would have never thought of checking the return-path.