I have a lot of e-mail addresses and thus attract my fair share of unwanted and malicious e-mail. The latest malware spreading e-mail to land in my in-boxes has purported to be from the package delivery company UPS. Thursday, I received two of these, but there have been other similar messages recently.
As you can see in the picture below, it came with an attached ZIP file.
A malicious email that was not from the UPS package delivery company
ZIP files are commonly used as a container to transmit malicious software. The number in the name of the ZIP file is probably there to evade detection by antivirus software; the numbers were different in the two messages received Thursday.
The ZIP file contained a single EXE called UPSInvoice_997612.exe. I uploaded the file to VirusTotal.com, where 4 of the 36 antivirus applications detected it as malicious.
As I've noted before: never decide to trust an e-mail message based on the sender. It is very easy to forge the "From" address when sending e-mail.
And, hopefully by now it should go without saying, Windows users should never run an executable file sent by e-mail. Mac and Linux users (including the many new Netbook Linux users) can ignore this warning.
See a summary of all my Defensive Computing postings.
On the Internet people lie to you all the time. Back in April, I wrote that the most important aspect of Defensive Computing may very well be skepticism.
For the second time in the last few days, I received a phony e-mail message purporting to be from the package delivery company UPS. A skeptical person would have deleted the message, and good thing too, because odds are that anti-malware software on a Windows* computer would not have protected the trusting or inexperienced user that believed the scam.
The first thing to be skeptical of is the From address. Never trust the From address in an e-mail message; it is easily forged. Digging into the e-mail headers showed that the message, shown below, actually came from a computer at IP address 121.139.93.144.
Civilians (meaning someone not involved in law enforcement) cannot reliably trace an IP address to a city, let alone an exact address. However, tracing it to a country is, I believe, reliable: the message came from Korea.**
Subject: Problems with delivery
Unfortunately we were not able to deliver postal package you sent on September the 1st in time because the recipient's address is not correct. Please print out the invoice copy attached and collect the package at our office
Thank you for your attention!
Your United Postal Service
http://www.ups.com
The attached file, ups_invoice.zip contained a single file, ups_invoice.exe.
The interesting thing here is the constant struggle of anti-malware companies to keep up with the latest malicious software.
I sent the EXE file to Virus Total and they had already seen it. Of the 36 anti-malware products they scanned it with, only 14 (39 percent) correctly flagged ups_invoice.exe as something to avoid. Among the free anti-malware programs, Avira's AntiVir correctly flagged it as bad, but Avast and AVG did not. McAfee missed it, as did NOD32, Panda, PC Tools, Sunbelt and Trend Micro.
Yes, this message was amateurish and a number of things give it away as phony. However, the next one may not be so obvious and anti-malware software will always be imperfect. Thus, skepticism may be your best defense.
Update September 12, 2008: Two more of these came today. Neither even bothered hiding the EXE file inside a zip file. I sent one of them to VirusTotal and, again, they had seen it before, this time about 20 hours prior to my uploading it. Initially, 17 out of 37 anti-malware products (46%) detected it as suspicious. When I requested VirusTotal to scan it again, 17 out of 36 products (47%) detected it as malicious. Beats me what happened to that missing anti-malware product.
*As is the norm, Mac and Linux users would have been protected as the malicious software was Windows based.
**The message initially passed through an e-mail server run by servage.net, which was probably innocent in all this.
My clients often ask my opinion on whether an e-mail message is legitimate or not. The message below, asking for credit card information and claiming to come from Register.com, was a doozy, and a lot can be learned from analyzing it.
First, it addressed my client, who is a Register.com customer, by name and was sent to an e-mail address associated with a domain registered there. Both my client's name and e-mail address are publicly available. The message did not contain anything private such as an account number at Register.com.
We wanted to remind you that the credit card listed in your account is due to expire soon. Please take a moment to update your account information to prevent any lapse in your domain name registration or services.
Updating your credit card information is easy. Simply call 1.877.731.4442* today and our Web Consultants will be happy to help you.
We can assure you that your credit card information is safe with us. We're PCI compliant and maintain the highest security standards in the industry. Please call us today so that we can help you secure your services with Register.com.
As always, we thank you for your continued business.
Sincerely,
Sandy Ross
Director, Customer Service
* If calling outside the U.S. and Canada, please dial +1 902.749.5919
I left out the Register.com logo because I'm not sure of the copyright issues involved.
The logo looked legit, more on that later.
My gut reaction was that the message is a scam because:
- The domain name registration referred to in the message does not expire for two years
- The credit card on file does not expire for six months
- There is only a phone number
A company that registers domains for a living certainly can handle a simple thing like updating a credit card number on its Web site. I would expect a legitimate message to also include instructions for logging in to your account to update the credit card and a link, perhaps to this page, for doing so.
Voice phishing
Plus, this message fits a known pattern of scams that started appearing last year. In April 2006, Joris Evers of CNET News.com wrote:
"In a new twist on phishing, fraudsters are sending out e-mails that attempt to trick people into sharing personal information over the phone...the spammed message warns of a problem with a bank account and instructs the recipient to dial a phone number to resolve it...As a precaution, people should not dial phone numbers received in an e-mail message..."
The bad guys are hoping that a phone number won't raise the mental red flags that a link such as http://1.2.3.4 does. And, thanks to the latest versions of Internet Explorer and Firefox, even nontechnical computer users now have some measure of antiphishing protection.
This scheme goes by the names voice phishing, VoIP phishing and vishing. Voice over IP (VoIP) is included because the phone numbers use this technology rather than normal landlines. In part this is because VoIP is cheaper; it may also be harder to track down the real owner of a VoIP phone number.
In his Security Fix column at WashingtonPost.com, Brian Krebs wrote in March of this year about an instance of voice phishing and warned "Generally, it's a good idea not to even dial these bogus 1-800 numbers, as you're essentially giving the scammers your phone number..."
From who?
Many people make judgments about an e-mail message based on the from address. This is a big mistake. You can not trust the from address of an e-mail message. It is a trivial thing to forge. That's why I didn't bother to include it in the example.
I wrote about this before, but when even the aforementioned Brian Krebs gets this wrong, it needs to be stressed. A couple of days ago, an otherwise excellent posting of his about fake FTC e-mail messages, included this:
"If a message comes from someone you don't know, delete it. If it appears to have been sent from a friend or family member, reply to the message and ask for confirmation that the sender indeed meant for you to view that e-mail attachment."
You should treat all e-mail messages as if you don't know the true sender. Because, without evaluating the hidden headers, you don't. Repeat after me:
You can not trust the FROM address of an e-mail message.
You can not trust the FROM address of an e-mail message.
You can not trust the FROM address of an e-mail message.
Verifying the phone number
Checking the legitimacy of the phone numbers proved inconclusive.
At the home page of Register.com, clicking on Customer Support leads to the link for the Contact Us page, which lists eight different phone numbers. The e-mail message had two phone numbers, a toll-free 877 number and one in area code 902. Neither of these numbers appears on the Contact Us page.
A reasonable person would stop here and conclude the message is fake. But I continue.
A Web search on the toll-free number turned up some references to it in discussions about Register.com. On the other hand, the references were as far from official as can be; they were just made in passing by individuals griping about the company.
The search also turned up a link to this page at the Register.com Web site that does list the phone number.
So, it's legit? Maybe not. There is no date on this Web page, so it may be old. Register.com may have changed its phone number. And, if it is legit, why is it not on the main Contact Us page?
Techie stuff
These mixed signals led me to look under the covers, to examine the underlying header and source code of the e-mail message. Thunderbird, my preferred e-mail program, shows the source code with View -> Message Source.
The source code shows the true destination of the links in the message. Below is the source code for a link in the fine print at the bottom of the message.
To unsubscribe from Register.com marketing emails, please click
<a href="http://link.register.com/us/DWX065/8Z/ISNCO/QF7J4T/
YW5uZUBkZXByZXNzaW9uZmFsbG91dC5vcmc=/">
<font color="#000000">here</font></a>.
This link does go to Register.com. But that means nothing. It is not at all unusual for a scam e-mail message to include legitimate links. The only one that matters, however, is the one the victim is directed to click on. In this particular case, all the links are irrelevant to determining the legitimacy of the message.
E-mail messages don't travel directly from the sender to the recipient. The header provides a bread crumb trail of the path taken by the message. It also offers clues to the real origin. Below is an excerpt from the header of this message.
Received: from [127.0.0.1] ([local])
by bm1-11.ed10.com (envelope-from <DWX065-ISNCO-QF7J4T-H@register.bounce.ed10.net>)
...
Message-Id: <31795-740-DWX065-ISNCO-QF7J4T-H@e-dialog.com>
In one place it seems that the message was from e-dialog.com, in another it seems to have originated from a computer named register.bounce.ed10.net and passed through an e-mail server at bm1-11.ed10.com. Three different domains, and none of them Register.com.
Then too, there's that legitimate-looking logo mentioned earlier. The source code shows that it came from ed4.net. You can see it for yourself here.
Four different domains have their fingers in this message. Ugh.
Since the logo definitely came from ed4.net, I decided to focus on that. Its Web site belongs to e-Dialog. Public information about domain names is available from a system called WHOIS. A check of the WHOIS information for ed4.net at Network Solutions shows that the domain belongs to:
e-Dialog
131 Hartwell Ave.
Lexington, MA 02421
This lends some credibility because it's neither hidden nor a post office box. I didn't bother checking if there really is such a company at that address. The domain ed4.net was first registered in 2000, which also lends it some credibility. Often the domain names used in scams are newly registered.
The underlying IP address for a Web site can be determined with a simple Ping command. In Windows, open a command prompt window and type "Ping www.ed4.net". Ping showed that the Web site resides at a computer whose IP address is 64.28.75.199.
Then, I plug this into www.ip-adress.com, which shows the physical location of an IP address. The Ed4.net Web site is in Waltham, Mass., and is registered to e-Dialog. Very legit looking.
But who or what is e-Dialog? Its site says it does e-mail marketing and its list of clients includes Register.com.
Finally, I check the return e-mail address, which is at custhelp.com. Who is custhelp.com? Names like this are often used in fraudulent e-mail messages. If the message legitimately came from e-Dialog, then why don't they handle the replies?
Needless to say, I go to www.custhelp.com to see if it's on the level. But there is no Web site with that name. Instead, I get redirected to www.rightnow.com. So, who is RightNow? They do "Customer Experience Software & Management: IVR, CRM, Sales Lead & Incident Management".
I give up.
Beats me if this message is legit. If it is, however, Register.com is making a big mistake by not displaying either of the two phone numbers in the message on its Contact Us page. Could they be that clueless? Either way, I wouldn't call the phone number. No need to take the risk.
Update November 13, 2007: According to Register.com this message is legit. Quoting them: "This email you received is in fact legitament. This email is generated and sent to you when your credit card information on your account is near or has passed expiring."
My last posting, Defending against a phishing e-mail message, described a JavaScript trick bad guys use to make a link appear to go one place when it really goes somewhere else.
So you can test if your e-mail program (or Webmail system) falls for this type of forgery, I created a test e-mail message.
To receive my test e-mail message, send an e-mail to:
It does not matter what, if anything, is in the subject or the body of your message.
The test e-mail message contains a link that appears to go to CNET, but really goes to my personal Web site. When you move the mouse over the test link, you should see my personal Web site in the status bar. If however, you see the silly message below, then your e-mail program is vulnerable to manipulation with JavaScript.
Hope you pass the test.
I previously made the case that Windows users should use Thunderbird for email. When I got a fraudulent e-mail message on Saturday claiming to come from PayPal, Thunderbird offered two lines of defense.
The first was the big warning that the message might be a scam. Indeed it was.
The body of the message was a pretty standard phishing scam, with the usual typos and the true destination of the link hidden.
Dear valued PayPal member:
It has come to out attention that your PayPal account information needs to be updated as part of our continuing commitment to protect your account and to reduce the instance of fraud on our website. If you could please take 5-10 minutes out of your online experience and update your personal records you will not run into any future problems with the online services.
However, failure to update your records will result in account suspension. Please update your records on or before Nov 02, 2007.
Once you have updated your account records, your PayPal session will not be interrupted and will continue as normal.
To update your PayPal records click on the following link: https://www.paypal.com/cgi-bin/webscr?cmd=_login-run
Thunderbird's second line of defense was not falling prey to the common practice of using hidden JavaScript code to hide the real destination of a link embedded in the message. In the screen shot below you see that the blue link appears to go to a secure PayPal login page.
This, however, is not the real destination of the link. When the mouse hovers over this link, Thunderbird shows the true destination in the status bar (shown above), a page at mardur.net. Some other e-mail programs reinforce the scam by showing the phony destination in the status bar. They willingly obey hidden JavaScript code. In this case, the code was:
<a onmouseover="window.status='https://www.paypal.com/cgi-bin/webscr?cmd=_login-run';return true"
onmouseout="window.status=''" target="_blank"
href="http://www.mardur.net/clickable/paypal-secure/costumers/connexion/login/index.html">
https://www.paypal.com/cgi-bin/webscr?cmd=_login-run</a>
The formula, so to speak, for the above trickery is this:
<a onmouseover="window.status='phony-destination';return true"
onmouseout="window.status=''"
href="real-link-destination">phony-destination</a>
The phony link destination is displayed initially. When the mouse is moved over the link, the "onmouseover" code is executed to modify the status line and make it show the phony link destination. When the mouse moves off the link, the "onmouseout" code resets the status line to not show anything.
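As an added example (not code from the original post), the following Python script scans the HTML of a message for exactly this pattern: anchors whose onmouseover or onmouseout handler writes to window.status, and anchors whose visible text is a URL on a different host from the one the href really goes to. The sample HTML is constructed from the PayPal-themed anchor quoted above plus an ordinary link; the register.com contact URL in it is a placeholder.

```python
"""Detect the status-bar link trick described above: anchors whose mouse
handlers rewrite window.status, and anchors whose visible text names a host
that differs from the one the href really goes to."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

STATUS_ASSIGN = re.compile(r"window\.status\s*=\s*(['\"])(.*?)\1")
LOOKS_LIKE_URL = re.compile(r"^(?:https?://|www\.)\S+$", re.IGNORECASE)

# Constructed sample: the PayPal-themed anchor quoted in the post (with its
# quoting repaired) followed by an ordinary link whose text and href agree.
# The register.com contact URL is a placeholder.
SAMPLE_HTML = """
<p>To update your PayPal records click on the following link:
<a onmouseover="window.status='https://www.paypal.com/cgi-bin/webscr?cmd=_login-run';return true"
   onmouseout="window.status=''" target="_blank"
   href="http://www.mardur.net/clickable/paypal-secure/costumers/connexion/login/index.html">
https://www.paypal.com/cgi-bin/webscr?cmd=_login-run</a></p>
<p>Questions? <a href="https://www.register.com/contact"><font color="#000000">Contact Us</font></a>.</p>
"""


class LinkCollector(HTMLParser):
    """Collect every <a> with its attributes and the text the reader sees."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open = {"attrs": dict(attrs), "text": ""}

    def handle_data(self, data):
        if self._open is not None:
            self._open["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.links.append(self._open)
            self._open = None


def host_of(url):
    """Hostname of a URL, tolerating bare 'www.example.com/...' text."""
    if not url:
        return ""
    if "//" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def audit_links(html):
    """Return one record per anchor with the reasons it looks deceptive (if any)."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    report = []
    for link in parser.links:
        attrs = link["attrs"]
        text = " ".join(link["text"].split())
        href = attrs.get("href") or ""
        reasons = []
        # The trick itself: script in a mouse handler writing to the status bar.
        for event in ("onmouseover", "onmouseout"):
            match = STATUS_ASSIGN.search(attrs.get(event) or "")
            if match:
                reasons.append(f"{event} sets window.status to {match.group(2)!r}")
        # The tell that survives even with JavaScript disabled: link text that
        # is a URL on one host while the href goes to another.
        if LOOKS_LIKE_URL.match(text) and host_of(text) != host_of(href):
            reasons.append(f"text shows {host_of(text)} but href goes to {host_of(href)}")
        report.append({"href": href, "text": text, "reasons": reasons})
    return report


if __name__ == "__main__":
    for entry in audit_links(SAMPLE_HTML):
        print("SUSPICIOUS:" if entry["reasons"] else "ok:", entry["href"])
        for reason in entry["reasons"]:
            print("   -", reason)
```

The host comparison is the check worth keeping even today, since modern browsers and mail clients ignore window.status assignments but mismatched link text still fools readers.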
FROM WHERE?
Everyone using e-mail needs to be aware that the FROM address of an e-mail message is easily forged. Very, very easily. To see where it really came from requires looking at the normally hidden header of the message. In this case, the header showed that it originated from HostGator.com. Specifically, it showed:
Received:
from innovas by gator133.hostgator.com with local (Exim 4.68)
(envelope-from <innovas@gator133.hostgator.com>)
The header also shows the originating IP address. This particular message came from a computer with an IP address of 74.52.58.242. According to dnsstuff.com the machine is in Dallas, Texas, and owned by The Planet. In this case, not very helpful information.
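As an added example (not code from the original post), here is a Python script that does what the post does by hand for both the Register.com header excerpt and this PayPal one: walk the Received: chain, pull out the envelope-from, and compare the domain the message was handed in at against the domain claimed in the From: line. The sample headers are constructed around the hostgator hop quoted above; mx.recipient.example, bank.example and the 203.0.113.42 and 198.51.100.7 addresses are placeholders.

```python
"""Walk the Received: chain of an e-mail and compare the domain claimed in
From: with where the message was really handed in, as the post does by
hand for the Register.com and PayPal messages."""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

RECEIVED_FROM = re.compile(r"^from\s+(\S+)", re.IGNORECASE)
RECEIVED_BY = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)
ENVELOPE_FROM = re.compile(r"envelope-from\s+<?([^\s>]+)>?", re.IGNORECASE)
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample built around the hop quoted in the post
# ("from innovas by gator133.hostgator.com with local (Exim 4.68)").
# The recipient MX, the 203.0.113.42 address and bank.example are placeholders.
FORGED_MESSAGE = """\
Received: from gator133.hostgator.com ([203.0.113.42])
    by mx.recipient.example with ESMTP
    for <victim@recipient.example>; Sat, 27 Oct 2007 10:12:00 -0400
Received: from innovas by gator133.hostgator.com with local (Exim 4.68)
    (envelope-from <innovas@gator133.hostgator.com>)
From: "Bank Support" <support@bank.example>
Subject: Please update your records

Dear valued member ...
"""

# Constructed legitimate counterpart: handed in at the sender's own server.
LEGIT_MESSAGE = """\
Received: from mail.bank.example ([198.51.100.7])
    by mx.recipient.example with ESMTP
    for <victim@recipient.example>; Sat, 27 Oct 2007 10:12:00 -0400
Received: from webapp.bank.example (localhost [127.0.0.1])
    by mail.bank.example with ESMTP
    (envelope-from <bounces@bank.example>)
From: "Bank Support" <support@bank.example>
Subject: Your statement is ready

Your statement is ready ...
"""


def _first(pattern, text):
    match = pattern.search(text)
    return match.group(1) if match else None


def _domain(address):
    return address.rpartition("@")[2].lower()


def in_domain(host, domain):
    host = (host or "").lower()
    return bool(domain) and (host == domain or host.endswith("." + domain))


def parse_hops(raw):
    """Received: headers, newest first; hops[-1] is where the message originated."""
    msg = message_from_string(raw, policy=default)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(str(value).split())  # unfold continuation lines
        hops.append({
            "from": _first(RECEIVED_FROM, text),
            "by": _first(RECEIVED_BY, text),
            "ip": _first(IPV4, text),
            "envelope_from": _first(ENVELOPE_FROM, text),
        })
    return msg, hops


def analyze(raw, our_domain):
    """Compare From:, envelope-from and the origin hop; list the discrepancies."""
    msg, hops = parse_hops(raw)
    from_domain = _domain(parseaddr(str(msg.get("From", "")))[1])
    envelope = next((h["envelope_from"] for h in hops if h["envelope_from"]), None)
    origin = hops[-1] if hops else None
    # Only the hop(s) written by our own server can be trusted; every line
    # below them was supplied by whoever handed the message in.
    ours = [h for h in hops if in_domain(h["by"], our_domain)]
    findings = []
    if envelope and not in_domain(_domain(envelope), from_domain):
        findings.append(f"envelope-from {envelope} is not in the From: domain {from_domain}")
    if origin and not in_domain(origin["by"], from_domain):
        findings.append(f"handed in at {origin['by']}, not at a {from_domain} server")
    return {
        "from_domain": from_domain,
        "envelope_from": envelope,
        "entry_ip": ours[-1]["ip"] if ours else None,
        "origin_host": origin["by"] if origin else None,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, raw in (("forged", FORGED_MESSAGE), ("legit", LEGIT_MESSAGE)):
        result = analyze(raw, "recipient.example")
        print(label, result["entry_ip"], result["findings"] or "no discrepancies")
```

The entry_ip is the one address a recipient can actually rely on, because it was recorded by the recipient's own server; it is what the post looks up at dnsstuff.com.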
WHO GETS THE MONEY?
Unlike the FROM address and the link, the ultimate Web page destination is reliable. In this case the true destination was unusually obvious--a page at mardur.net. Who is mardur.net? There are two things about a domain that can be traced--the Web site and the domain name.
Based on the publicly available DNS servers for mardur.net, it's obvious the Web site is hosted at HostGator. Only HostGator knows who is paying for the account.
The public contact information for the domain mardur.net is
David Hayter (kgoodsoft@gmail.com)
+1.45443344
Fax: +1.565434534
South Street
Loave Sowna
Colombo, P 4543343
LK
I know of no way to verify this information. However, the domain was registered by NameCheap.com and they would know who paid for it. At times good Web sites get hijacked by the bad guys for these phishing scams, so we can't assume that David Hayter is a bad guy. It's a safe bet, however, that neither he nor mardur.net is PayPal.
Be careful out there.
Update. October 28, 2007: See my next posting Test your email program for more on this.
Thunderbird is the best e-mail program for Windows users, and the portable version is the best version of Thunderbird.
On August 31st I explained why I think Thunderbird is the best client-side e-mail program for defensively thinking Windows users (see There is only one e-mail program). Earlier the same day I discussed my personal e-mail backup scheme (Backing up e-mail). Here I'll tie both these previous postings together.
To begin with, a portable application is one that does not need to be installed. The entire application exists in a single folder. It does not store anything in the Windows registry or a Windows system folder.
Typically, portable applications go hand in hand with flash/thumb/pen/USB drives, but this is not a requirement. You can run portable applications off your C drive or any internal hard disk partition. In fact, doing so makes them run faster.
While portability is the prominent, public, sexy feature, to me, being able to back up an application is just as important, if not more so. You can back up a portable application simply by copying a folder. It is impossible to back up a normally installed Windows application because pieces of it are scattered all over the place. To get around this, you're forced to do disk image backups, which are a big hassle.
The flip side, uninstalling, is another advantage of portable applications. You get rid of a portable application simply by deleting a folder. No fuss. No muss. In contrast, it can be next to impossible to erase all traces of a normally installed Windows application. If nothing else, it's very common for junk to be left in the registry after uninstalling.
A portable Windows application can either be created that way originally or the portability can be retrofitted onto it. John T. Haller makes portable versions of normally unportable open-source applications at www.portableapps.com. Like the original, the portable version is free.
If you use more than one computer, the advantages of portable applications that can be transported on flash drives are obvious. However, even if you only use a single computer, being able to simply and easily back up an application is reason enough to opt for a portable application. The simple backup of a portable e-mail program is especially important.
Your e-mail program has three different types of data: your mail, your address book and your settings for things like the POP3 and SMTP servers. Backing up these different types of data with a normal Windows e-mail program, such as Outlook Express or Eudora, can be a real pain.
You can try to back up the files where the various types of data reside, but finding them all is error prone and the locations may change with new releases. Your e-mail program may have an Export function, but the ones I've seen have a different function for each type of data. None of these problems exist when backing up a portable e-mail program such as Thunderbird.
Copying a single folder copies your e-mail, address book, settings and more. More? Let's not forget it also copies the application itself and any changes you might have made to the user interface (Thunderbird is fairly customizable) and, in the case of Thunderbird, any extensions you might have installed. As an old commercial put it, I can't believe I copied the whole thing. :-)
Installing
You can download the portable version of Thunderbird from portableapps.com. According to the Web site, it runs under Windows 98, Me, 2000, XP and Vista as well as on Linux/UNIX with assistance from the Wine program loader.
The downloaded file is currently named Thunderbird_Portable_2.0.0.6_en-us.paf.exe. When you run it, an installation wizard starts. Agree to the license agreement, and select a folder. The wizard instructions about the folder are to "Choose the folder in which to install Mozilla Thunderbird, Portable Edition". The wording is unfortunate as you are not installing the application, just un-compressing it. The wizard extracts a bunch of files and ends.
The folder you pointed the wizard to now has a sub-folder called ThunderbirdPortable. To move or back up your copy of portable Thunderbird, this is the folder you move or back up. Everything you ever wanted to know about portable Thunderbird is in this little folder.
As evidence that nothing was installed, you'll notice there is no icon for portable Thunderbird on the Windows desktop, no entry for it in the Programs or All Programs list off the Start button and no entry for it in the Add or Remove Programs applet in the Control Panel.
That's the good news. The bad news is that you have to make your own shortcut for it. In the ThunderbirdPortable folder is a program called ThunderbirdPortable.exe. Create a shortcut to this EXE file and copy the shortcut anywhere you'd like (the Windows desktop is a good starting point). The first time you run portable Thunderbird, it behaves like any e-mail program the first time it's run: you have to set up a new account.
To reiterate an earlier point, portable applications run just fine from the C disk; they are not married to flash/thumb/USB drives. In fact, they run faster from an internal hard disk. Trust me.
I've run across only one down side to using portable Thunderbird as your main e-mail program--making it the default e-mail program in Windows. That is, making it the program that Windows invokes when you click on an e-mail link in a Web page. Since the program was not officially installed, Windows barely knows that it's there. This has still got me stumped.
Update: Portable Thunderbird is also available from download.com. September 4, 2007.
Update: Replying to reader comments/questions September 4, 2007
The portable version of Thunderbird updates itself the same way as the normally installed version. Of course, updating any application can cause problems and this is where portable applications shine - you can make a full backup of portable Thunderbird before updating it.
I updated version 1 of portable Thunderbird many times without incident. However, I waited a long time to move from version 1 to version 2 and by the time I ran that update, it failed. But, I had a full backup, so the failure didn't slow me down. Some day, I'll deal with this, no rush though.
This story does, however, illustrate the big problem with free software - the lack of technical support. I'm on my own to deal with this problem. A posting I made at the official forum was a waste of time despite including a screen shot of all the error messages.
As for the Lightning calendar add-on for Thunderbird, I haven't tried it. I prefer my email program to only do email. Just keeping that alive and well can be hard enough (see above), no need to complicate things.
The supported operating systems for Portable Thunderbird are listed in the posting. Windows Mobile was not one of them.
There is only one email program for Windows users. No, I haven't lost my mind, and yes, Windows users can choose from many client side email programs. But this is a Defensive Computing blog and speaking defensively, that is, with the hope of avoiding problems in the future, there is only one choice when it comes to email programs (webmail is another topic entirely - if you use webmail exclusively you can stop reading here).
Outlook
Outlook is out because it stores all your email in a single file. You don't need to be a techie/nerd to know how dangerous it is to have all your eggs in one basket. A single bad hard disk sector will suck up your time, money and/or email. And because the basket can get very large, backing it up is a pain. Not to mention it's expensive (OK, I did mention it).
Outlook Express
Outlook Express starts with two big advantages: it's free and pre-installed in Windows XP and earlier versions of Windows. And it stores each folder as a separate file, avoiding the big Outlook design flaw. I never liked it, in part because it uses Internet Explorer to display HTML formatted email and thus inherits the security problems of IE. But don't rule it out for this reason alone.
A few days ago, Leo Notenboom wrote that Outlook Express is dead. At his Ask-Leo website someone asked about un-installing and re-installing Outlook Express, a classic tactic for a problematic application. No can do. Quoting Leo: "With the introduction of Internet Explorer 7, Outlook Express has apparently been put out to pasture, at least if you're on Windows XP."
There never was a standalone download of Outlook Express; it was always married to IE5 and IE6. When you updated Internet Explorer, you also updated Outlook Express, like it or not. With the introduction of IE7, Outlook Express was thrown overboard; it's no longer included with the browser.
Thus, if you're currently using Outlook Express on Windows XP, or an earlier version of Windows, you'd better hope it doesn't start acting up. Leo describes a number of ways to try and fix a broken copy of Outlook Express, but none are mainstream operations (I suggest reading the article to see if the fixes are things you're comfortable doing). And his suggested fixes are all Windows things, not Outlook Express things. In my opinion, you're better off using an email program that is not an integral part of the operating system.
Windows Mail
Windows Mail is the replacement for Outlook Express in Vista (it only runs in Vista). According to Leo, there is no stand-alone download of Windows Mail, so it too can't be easily un-installed and re-installed and is, perhaps, too much a part of the operating system. Also, it's new and thus likely to be buggy.
Windows Live Mail
Leo Notenboom updated his posting September 1st to include Windows Live Mail, an email program that neither he nor I was aware of. It's a new version of Outlook Express that runs on both Vista and XP with Service Pack 2.
First off, I can't believe the name. Microsoft learned nothing from the confusion they caused non-techies by similarly naming two totally different email programs (Outlook and Outlook Express). My guess is that it will eventually be referred to as Live Mail, both because the "Windows" is superfluous and to help differentiate it from the Vista-only program (which they should have called Vista Mail).
Whatever its name, the software is in beta, so the jury is still out. Except, that is, when choosing defensively. Beta software is out of the question when it comes to applications that really matter to you.
Thunderbird
I recommend Thunderbird from Mozilla, the same organization behind Firefox. According to Leo Notenboom "Thunderbird is free, fairly similar to OE to use, and actually somewhat more powerful. It's free, downloadable, it's being updated, works on Windows XP and Vista as well as the Mac and Linux, and there are many add-ons available for it."
To this I'll add that Thunderbird, like Firefox, is very good about updating itself with bug fixes. Keeping your applications up to date is a great defense against malicious software. And since Thunderbird does not use Internet Explorer under the covers to display HTML formatted email, it's safer still.
The safety provided by Thunderbird comes at virtually no cost. Not only is the software free, but it's easy to use. I say that not based on my own use of the program but based on the reaction of many of my non-techie clients.
You can download Thunderbird from Mozilla or from download.com where the Editor's review gave it 5 stars (out of 5) and where 511 users (as of September 1, 2007) rated it 4.5 stars.
Eudora
Eudora is liked by many techies but it's in transition and thus I'd be wary of trusting it with my email. The official website says "The Paid mode commercial versions of Eudora are no longer available as of May 1st, 2007. The Sponsored mode versions of Eudora continue to be available for download. An open source version of Eudora® is being developed by Mozilla and will be free of charge."
To translate, "sponsored mode" refers to a free ad-supported version. While free is good, abandoned is not. The new open source version of Eudora is called Penelope and the first beta was released August 31, 2007. Any brand new software is likely to be buggy for a while. I'll pass.
Lotus Notes
Perhaps the most hated email program to ever walk the face of the earth.
Updated September 1, 2007: Added Lotus Notes, Windows Live Mail, link to download.com for Thunderbird and Penelope.
E-mail, for many of us, is very important and accumulates forever, making it a large mess when it comes to backing it up.
The importance of my e-mail snuck up on me. Once upon a time, I opened my old reliable e-mail program and was confronted with an error message. The net effect of the problem was that the last four days of incoming mail had disappeared from my in-box. This was, for me, a very big deal. In large part, my in-box is my "to do" list. As a consultant, my incoming e-mail is too important to ever allow a repeat of this problem.
Suffice it to say, this made me think about backing up my e-mail perhaps more than most people.
The need for reliable and redundant e-mail backups dictates the use of a client side e-mail program such as Outlook Express, Thunderbird or Eudora. Web based e-mail systems such as Gmail, Yahoo mail and Hotmail, have their advantages but backup is not one of them.
To begin with, I have an external hard disk attached to my computer and every morning I copy all of my e-mail from the internal hard disk to the external one. This is a destructive backup. That is, every morning the backup is totally re-created on the external hard disk. The advantage of this is that I never have to worry about running out of space on the external hard disk. The disadvantage is that I can't use it to recover e-mail from three days ago. Everything is a trade-off when it comes to backups.
Also, this backup doesn't manipulate the original files in any way; they aren't combined, compressed or re-formatted. Thus, I can easily copy e-mail from the external hard disk back to my computer and use it immediately. And simple means there is less that can go wrong. The downside is that the backup is the same size as the original, but external hard disks have a huge capacity and transferring files over a USB2 connection is more than fast enough for this purpose.
One of my prime rules for backups is never to copy a file while it's in use. That is, I never copy e-mail when my e-mail program is running and never copy Word documents when Word is running. The morning backup of my e-mail is scheduled by the Windows scheduler, and since it runs first thing after Windows starts up, my e-mail program is not running.
This, however, is just a starting point, as it still allows for the loss of an entire day's worth of e-mail. To cut my potential loss in half, I also back up my e-mail at midday. This backup is also scheduled using the Windows scheduler, but it's very different from the morning backup. Rather than backing up all my e-mail, here I only copy the most important folders (the in-box and a few others). Also, the backup is sent via FTP to an online file storage company.
This limits my worst case scenario to the loss of a half day's worth of e-mail. It also means that no matter what happens to my computer and the external hard disk, I always have the most important e-mail stored a thousand miles away. And since my e-mail is sensitive, online storage space is limited and uploads are slow, I compress, encrypt and password protect the e-mail before it leaves my computer and travels over the Internet to the file storage company.
The midday backup is different in other ways too. For one, all the e-mail is combined into a single file. In addition, I keep multiple copies of the midday backup. The backup program tags the daily file with the current day of the week. Thus every backup made on a Monday will result in the same file name. When the backup is sent offsite, the backup program is instructed to delete older versions of files with the same names. I end up with seven off-site copies of my most important folders and, again, don't have to worry about running out of space.
Finally, once a month I compress and encrypt all my e-mail and send it off-site to another file storage company.
No one approach is right for everyone. For example, I have chosen to limit my worst-case loss to a half day of e-mail, which may not work for you. And my approach requires constantly filing e-mail in folders, something not everyone wants to do.
After living with the above scheme for a while, I modified it a bit to prevent the most important folders from growing in size forever.
I manually archive the in-box, sent folder and a few other important folders by moving old messages to new folders tagged with the year. For example, all the messages in my in-box from 2005 are stored in a folder called inbox2005. Likewise there are folders called inbox2004, inbox2006 and inbox2007. A couple months ago I moved messages in my in-box from January through March of this year into the inbox2007 folder. Later this year, I'll again move old messages from this year into it.
With this approach, I can eventually delete the inbox2004 and inbox2005 folders from my computer. They remain on the external hard disk and are also stored off-site if need be. Without some type of archiving scheme, e-mail will grow forever. I find that manipulating a few folders this way a couple of times a year is well worth the effort.
Of course, you can't use this approach, or anything remotely similar, unless your e-mail program stores each folder as a separate file (or two). But who would use an e-mail program that stored all your mail in a single file? :-)
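The two-tier scheme above (a destructive morning mirror to a local disk, a midday archive of only the key folders that is compressed, encrypted and named by weekday so that seven generations rotate off-site, and a refusal to copy anything while the mail program is running) is shown here as an added example. This is not the author's own script: the paths, folder names, lock-file names and the FTP host are assumptions, and it is written for a client that stores each folder as a file or two (Thunderbird's Inbox and Inbox.msf, for instance).

```python
"""Two-tier e-mail backup in the spirit of the scheme described above.
Added example, not the author's own scripts: paths, folder names,
lock-file names and FTP host are assumptions.  Written for clients that
keep each folder as a file (or two), e.g. Thunderbird's Inbox + Inbox.msf."""
import datetime as dt
import ftplib
import hashlib
import hmac
import io
import os
import shutil
import zipfile
from pathlib import Path

MAIL_DIR = Path(r"C:\Mail\Profile")          # assumed client profile directory
MIRROR_DIR = Path(r"E:\MailMirror")          # assumed external USB disk
KEY_FOLDERS = ["Inbox", "Sent", "Clients"]   # assumed "most important" folders
LOCK_FILES = ("parent.lock", ".parentlock", "lock")   # Thunderbird-style locks


def client_is_running(mail_dir):
    """Never copy a folder file the client has open: most clients keep a
    lock file in the profile for exactly as long as they are running."""
    return any((mail_dir / name).exists() for name in LOCK_FILES)


def mirror_backup(src, dst):
    """Morning job: destructive mirror.  The previous copy is discarded and
    the whole profile copied again unchanged, so a restore is a plain copy."""
    if client_is_running(src):
        raise RuntimeError("mail client is running; refusing to copy open files")
    if dst.exists():
        shutil.rmtree(dst)
    shutil.copytree(src, dst)
    return sum(1 for p in dst.rglob("*") if p.is_file())


def _keys(passphrase, salt):
    key = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000, dklen=64)
    return key[:32], key[32:]                # encryption key, MAC key


def _xor_stream(enc_key, nonce, data):
    """HMAC-SHA256 in counter mode as keystream; the same call encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(enc_key, nonce + off.to_bytes(8, "big"), "sha256").digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


def encrypt(data, passphrase):
    """Password-based, stdlib-only, encrypt-then-MAC.  Illustrates the
    "compress, encrypt, password protect" step; in practice prefer a vetted
    tool (7-Zip with AES, gpg) over assembling this yourself."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _keys(passphrase, salt)
    body = _xor_stream(enc_key, nonce, data)
    tag = hmac.new(mac_key, salt + nonce + body, "sha256").digest()
    return salt + nonce + body + tag


def decrypt(blob, passphrase):
    """Checks the tag before touching the ciphertext; wrong passphrase -> ValueError."""
    salt, nonce, body, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _keys(passphrase, salt)
    expect = hmac.new(mac_key, salt + nonce + body, "sha256").digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("wrong passphrase or corrupted archive")
    return _xor_stream(enc_key, nonce, body)


def weekday_archive(src, folders, out_dir, passphrase, today=None):
    """Midday job: only the key folders, zipped into one file, encrypted and
    named by weekday, so each upload overwrites last week's file of the same
    name and the off-site store always holds seven generations."""
    if client_is_running(src):
        raise RuntimeError("mail client is running; refusing to copy open files")
    today = today or dt.date.today()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in folders:
            for f in (src / name, src / f"{name}.msf"):   # folder file + its index
                if f.is_file():
                    zf.write(f, arcname=f.name)
    out_dir.mkdir(parents=True, exist_ok=True)
    out = out_dir / f"mail-{today.strftime('%a')}.zip.enc"   # mail-Mon.zip.enc, ...
    out.write_bytes(encrypt(buf.getvalue(), passphrase))
    return out


def restore_archive(path, passphrase, dest):
    data = decrypt(path.read_bytes(), passphrase)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        zf.extractall(dest)
        return zf.namelist()


def upload(path, host, user, password):
    """FTP_TLS keeps the login out of the clear; the contents are already encrypted."""
    with ftplib.FTP_TLS(host) as ftp:
        ftp.login(user, password)
        ftp.prot_p()
        with path.open("rb") as fh:
            ftp.storbinary(f"STOR {path.name}", fh)   # same name overwrites last week's
```

Schedule mirror_backup(MAIL_DIR, MIRROR_DIR) as the morning task and weekday_archive(MAIL_DIR, KEY_FOLDERS, ...) followed by upload(...) as the midday task; both refuse to run if the client's lock file is present, which is the scripted form of the "never copy a file in use" rule. The monthly off-site copy is the same archive step run over every folder with a month tag in place of the weekday. Plain FTP sends the login in the clear even though the archive itself is encrypted, so the example uses FTP_TLS where the storage provider offers it.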
I get more than my share of unwanted e-mail messages of all types, but a new (to me at least) scam appeared in my in-box today. The subject was "New User Letter" and the message appears below with the ID numbers changed as a precaution.
We are glad you joined CoolPics.
User Number: 5134626785
Temp Login ID: user2450
Temorary Password: ga872
Be Secure. Change your Login ID and Password.
Follow this Link: http://76.220.224.169/
Enjoy,
New Member Technical Support
CoolPics
By the time I looked into it, the IP address seemed to have been taken out of service--it was unreachable both with a browser and the ping command.
One reason to look out for this sort of thing is that the Web page it sends you to might try to install malicious software on your computer. My recent blog trilogy on DropMyRights is one way to defend against this type of attack. See "DropMyRights" Part 1, Part 2 and Part 3.
My personal Web site has more "Examples of Bad E-mail Messages". The important lesson is to always be skeptical about e-mail messages, and not to judge them based on the From address. It is very easy to forge the From address in an e-mail message.
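The one technical tell in the "CoolPics" message above is that its link points at a bare IP address rather than a host name. The following added example (not code from the original post) pulls every http(s) link out of a message body and flags those whose host is an IP literal; it goes a little beyond the post by also catching the http://user@host trick, where a familiar-looking name sits in the userinfo part and the real host is the IP after the @, and decimal-only hosts. The sample message is constructed from the one quoted above plus two variants using the reserved example.com domain.

```python
"""Added example, not from the original post: flag links whose host is an
IP literal, the tell-tale in the "CoolPics" message above.  Also catches
http://user@host and decimal-only hosts, which the post does not discuss."""
import ipaddress
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def host_is_ip_literal(url):
    """True when the part that actually gets connected to is an address, not a name."""
    host = urlsplit(url).hostname or ""   # strips scheme, userinfo, port and [] brackets
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return host.isdigit()             # e.g. http://1289347241/ (decimal IPv4 form)


def suspicious_links(body):
    """All http(s) links in the text whose host is an IP literal, in order of appearance."""
    links = [u.rstrip(".,;)") for u in URL_RE.findall(body)]
    return [u for u in links if host_is_ip_literal(u)]


# Constructed sample: the quoted scam message plus two variants (not real mail).
SAMPLE = """We are glad you joined CoolPics.
Be Secure. Change your Login ID and Password.
Follow this Link: http://76.220.224.169/
Help: http://support.example.com/help
Also: http://www.example.com@76.220.224.169/login.
"""
```

Run suspicious_links(SAMPLE) and the two IP-literal links come back while the ordinary host name does not; a message whose only link is an IP literal deserves exactly the skepticism the post recommends.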