Brain on Fire » Blog feed Tim McCormack says words

Why not to click on links in unexpected email

Automated disclaimer: This post was written more than 15 years ago and I may not have looked at it since.

Older posts may not align with who I am today and how I would think or write, and may have been written in reaction to a cultural context that no longer applies. Some of my high school or college posts are just embarrassing. However, I have left them public because I believe in keeping old web pages aliveā€”and it's interesting to see how I've changed.

This is a quick explanation you can send to folks who are a little too trusting of what ends up in their inbox.

  1. Notify a spammer that your email address is real and that you can be tricked, increasing the amount of spam and scams you receive.
  2. Land you on a virus-laden page, infecting your computer.

But the email is from a site I trust!

Really? How can you be sure? It's easy to fake an address or a link.

  1. Just because the "sender" address is "abuse@paypal.com" doesn't mean the email is from paypal.com. It is trivial, for example, to send an email that appears to be from bill.gates@microsoft.com.
  2. Those links don't necessarily go where you think they go. A well-crafted spammer can have a link display one thing and go somewhere else.

But the link goes to a domain I trust!

Even a link to a safe domain is not always safe.

  1. Many sites have "redirect scripts": http://www.google.com/url?sa=D&q=http://www.example.net/ redirects to example.net.
  2. Change your settings on that website (CSRF). For example, clicking here will change your Google language preferences to Pig Latin.
  3. XSS (Cross-site scripting) is a nasty little technique wherein a well-designed link to a poorly-designed site can do all sorts of things in your name on that site.
  4. Look-alike domain names are common. Depending on your font, you may not be able to see the difference between paypal.com and paypaI.com.

So, what is safe, anyway?

Just don't click on links in unexpected emails, or open ANY attachments without running them through a virus scanner first.

  • Go to the site like you would normally (not using any information form the email). For example, if you get what appears to be a notice from PayPal that something has happened to your account, type paypal.com into the browser's address bar and log into your account. If they have anything to tell you, they'll tell you there.

It's as simple as that to be safe.

Responses: 6 so far Feed icon

  1. #472 | Wednesday, August 2nd, 2006 at 01:27 (EDT)

    TrvlnMn says:

    tongue in cheek

    "But hey.. I like looking at por.. err.. adult material. It's a risk I'm willing to take."

    :)

  2. #474 | Wednesday, August 2nd, 2006 at 12:53 (EDT)

    Sally Carson says:

    Hey, thanks for this write-up. I'm glad that you used PayPal as an example, because that's a really common piece of spam that I get -- an email insisting that my PayPal account has been compromised and I need to click on this-here link to go to the PayPal site and change my password.

  3. #475 | Wednesday, August 2nd, 2006 at 12:57 (EDT)

    Tim McCormack says:

    @TrvLnMan: Yes, so in your case you can go ahead and type FreeLlamaPix.com directly into the address bar, instead of clicking the handy link.

    :-)

  4. #476 | Wednesday, August 2nd, 2006 at 13:01 (EDT)

    Tim McCormack says:

    @Sally: Yeah, I've decided to start writing these nutshell explanations, starting with my Javascript namespacing mini-article. They're fun (and hopefully helpful).

  5. #480 | Thursday, August 3rd, 2006 at 00:53 (EDT)

    Neosamurai85 says:

    "Yeah, I've decided to start writing these nutshell explanations, starting with my Javascript namespacing mini-article. They're fun (and hopefully helpful)."

    RE: Yeah, it's fun to help people with things you know about. One of my favorite past times is helping uninformed parents (the internet has mostly done away with this) not rent japanese porn for their eight-year-olds. Not to mention The Plague Dogs... which, though a good cartoon about animal testing... will mess you up at five... which is when I saw it... thus I rest my case.

    Ok some of that sounded wrong. You see I have a big catalog of anime and it lists thousands of films from kids stuff to adult... so I used to look things up for people. I ain't no guide to pettin' zoos! Zero llamas be a-spitting on my clock!

    Anyway. Yeah, I love using my super geek powers to help people find movies they'll like and keeping them away from movies they probably won't.

    Much like you like keeping peopel away from duh virus. Which was my point... I stop hogging your comments board now and e-mail my parents a link to this. Thanks!

    Peace.

  6. #481 | Thursday, August 3rd, 2006 at 00:58 (EDT)

    Tim McCormack says:

    Neosamurai85: Maybe you could write a nutshell guide on raising opossums.

Self-service commenting is not yet reimplemented after the Wordpress migration, sorry! For now, you can respond by email; please indicate whether you're OK with having your response posted publicly (and if so, under what name).