Frequently Asked Questions
Understanding Email Basics
If you are already a client, please log in to your account as additional (and expanded) FAQ entries are available to you.
-
Should I leave messages on the server?
By default, email client software programs will delete all messages from your
mail server right after downloading them. This means that when you click “Get New Messages” or “Check Mail”
(or whatever you do to see if you have any new messages) your email client connects to the server where your mailbox account resides and copies
all of the messages from the server to your computer. When it finishes, it removes the messages from the server so that the only copies of the
messages are the ones downloaded to your computer (or phone or PDA if that’s what you used to check mail).
This is perfectly acceptable for those who only use one device to send and receive email. These days, though, many of us are likely to check
email at home, the office, the coffee shop and also on phones and PDAs.
If the email clients on these devices are downloading and deleting email from the server, then the one that gets there first gets the mail and the
other devices never see these new messages. Worse yet, since there’s often no telling which device is going to download messages at any
given time, you may never know which device has which emails.
Fortunately, most software programs have options to allow you to leave messages on the server even after downloading a copy. Used correctly,
the ability to leave messages on the mail server can be a powerful tool for managing and organizing your email communications.
So how do you prevent all of these clients from competing with each other for the email in one mailbox?
Coordinating mail access from multiple devices
To solve the problem, you just need to prevent your email clients from immediately deleting downloaded messages. (For now we’re just
going to stop deleting altogether; we’ll revisit the timing of deletes and archiving later.)
With web-based clients, like the one you’re probably using at the coffee shop, this is easy: Just don’t delete anything.
Webmail interfaces do not download and delete messages; they just display what is currently on the mail server.
For everything else we have to find the email account configuration options.
To some extent we’re going to leave finding the configuration options as an exercise for the reader but we’ll provide a few hints:
- In Windows programs look for “Options” or “Account Settings” under the “Tools” menu.
- In Mac OS either look for “Preferences” under the main program menu or the “Edit” menu. You might also have to
look for the “Tools” menu as more Mac programs are adopting this convention.
- Phone apps will vary but most should have a menu within the email client application that allows you to change settings.
- For all of the above, the option to leave mail on the server is going to be per email account so we’re looking for account
specific settings (so it’s more likely to be under “Account Settings” than “Options”.)
The specific setting you’re looking for is probably going to be a check-box labeled “Leave messages on server”.
If this is checked it will activate additional options, such as:
- For at most “n” days (where “n” allows you to enter a number)
- Until I delete them
These examples are from Mozilla Thunderbird which is what we all use here at OnlyMyEmail. The phrasing may vary slightly from client to
client but whatever the options are they’ll have the same meaning as the above.
All you need to do now is check the box next to “Leave messages on server” and
click “Okay”, “Apply”, “Save Changes” or whatever needs to be done to apply the new setting.
Once this is done for every program that checks the email address in question,
then all of your devices will have access to all of your inbound messages.
A note about checking email automatically
Somewhere near the settings described above there will also be settings that instruct your email client whether and when to check
email automatically. These will be something similar to:
- Check for new messages at startup
- Automatically check for new messages every “n” minutes (where “n” allows you to enter a number)
If you have messages showing up in an email client without the client being told to check for new mail then one or both of these are checked.
Developing an archiving strategy
Now that we’ve solved the problem of making sure all of your devices can access all of your mail we can address the issue of when
to actually delete any of them. To make effective decisions about this, consider the following:
- How much email you receive and how much you really need to keep.
- How much server space is allowed for your email address.
- How frequently (and urgently) you expect to need to access saved messages.
- Whether you need to access messages when you’re offline.
Once you have considered these factors, then you can begin to make choices about where you want to store your email. Recall that of
the three options we listed above we have only used one: “Leave messages on server”.
We have yet to choose whether we want to use either, both or neither of the remaining two options:
- Delete them after a specific number of days, and whether
- They should be removed when you delete them from a client.
Whether you delete messages at all primarily depends on whether you want to be able to access messages from any computer with Internet
access and a browser (this is assuming there’s a web-based client available to access them).
For this to be possible the messages have to stay on the server. However, if you receive a lot of email or the server allows you limited
storage then you will have to be very careful about which messages you keep to avoid running out of space on the server.
If you expect to want to read messages while offline then you will want to make sure you keep them on the client(s) you expect to be
using offline. For example, if you have your laptop with you but are unable to access the internet, you can still refer to messages you
have already downloaded in order to make business decisions or plan responses. In this case you would not be deleting the local copies of
the messages so you would not want to use the “delete messages when I delete them from the client” option.
The “leave messages on the server for at least n days” option will usually only be used on one computer. For example,
the “archiving” computer mentioned in the previous paragraph. The email client on this computer could be set to delete the messages
after enough time has passed to allow all other clients to have a go at retrieving the messages. Depending on how often the other devices are
checking mail, this could be as little as one day but we usually leave it set to a week or ten days (maybe even longer if we’re about to
go on vacation for a couple weeks).
In conclusion
By controlling how and when email is deleted by the many devices you use to check your email you can make sure that you get all your email
whenever you want it.
Too bad there’s not a setting to give us more time to read it all.
-
What’s An Email Client
Sooner or later, anyone using email is going to run across the term “email client”. The context of this encounter is usually a
tech support conversation in which the support rep asks “Which email client are you using?” If you don’t know how to answer
this question don’t worry, you’re not alone.
An email client is any software program that you use to manage your email. In many ways it is like a desk where you would process paper
mail. In fact, some of the terms used to describe parts of this software, such as “Inbox”, are derived from this analogy.
At a minimum an email client should have the following functionality:
- The ability to connect to one or more mail servers to
send and retrieve messages.
- Interfaces to display and manage sent and received messages.
- An interface to compose and format new messages.
In addition most email clients will include:
- Some form of address book/contact management interface.
- The ability to create and manage folders for email categorization.
- Interfaces to manage preferences for the other interfaces.
There are many different email clients available, some for the desktop (i.e. installed on your computer) and some web-based (i.e. accessed
over the Internet). Among the major desktop clients are Microsoft Outlook and Outlook Express, Apple Mail, Mozilla Thunderbird and Eudora (to
name just a few).
Web-based clients are provided by major email services like Gmail, Yahoo! and Hotmail, most Internet Service Providers (ISPs) and also by
email service providers like OnlyMyEmail.
Desktop vs. Web-based Email Clients
Desktop and web-based email clients generally offer most of the same functionality but there are distinct advantages and disadvantages to
both, and, depending on the circumstances, it may make sense to use both types of client with the same email account.
Desktop Clients:
- Must be installed. (Although most computers will come with at least one email client pre-installed.)
- Should be installed on a computer to which you have easy access.
- Require you to know certain details about the servers they will use to send and receive email for each email account they will be used for.
(This information is entered and saved when a new email account is added to the client and once it is saved you will not have to supply it again.)
- Can be used to manage multiple email accounts.
- Store downloaded email on your hard drive.
Web-based Clients:
- Are accessible from any computer with an Internet connection and a browser as long as you know the username and password for the address
and the web address of the client software (e.g. webmail.onlymyemail.com).
- Can usually only be used to manage one email account.
- Leave email on the hosting server.
Certain aspects of both types of clients can be regarded as either an advantage or a disadvantage depending on how you use the account.
Accessing Web-mail from any computer with Internet access and a browser can be very helpful, especially to people who travel a lot. But,
if proper care is not exercised in using the account on public computers, it can be a security risk.
The ability to manage multiple accounts using software, and without having to log in and out of different client sites, can be very useful.
On the other hand, managing multiple accounts requires you to understand more about how the email client works in order to be able to configure
and use several accounts simultaneously.
Leaving mail on the hosting server allows you to access your email “archive” from anywhere. However, depending on how much mail
you receive and how long you store it, you can exceed the server’s allowed storage quota and find your account unavailable.
-
A Quick Look At How Email Works
Understanding the basics of how email works can make life a lot easier for any email user, especially those who are interested in using email
effectively. In this post we’ll cover the basics that every user should know.
The Email Client
Email is composed and read in an email client. This is the part of
the process you will be most familiar with. If you want to read mail you click “Check Mail”, “New Mail” or something similar
and new messages show up in your “Inbox”. To send mail you click “Compose” or “Write” and the client gives you
a compose window where you write your message. When you’re done you click “Send” and the message gets sent.
The “Client” part of the term email client refers to the fact that this software requires the help of a Server
to do its job. The client takes care of making the mail useful to you but the servers are the ones that actually move the mail around. Think of
the client as your desk (or wherever you store and compose paper based mail) and the servers as the postal service.
So what happens when I click the “Send” button?
First, your client must locate a Simple Mail Transfer Protocol (SMTP)
server to send mail through. This will generally be provided by an Internet Service Provider (ISP) or the host for the domain that the email
address belongs to. The client knows how to find this server because the server’s name or IP address was entered in the client’s
configuration for the sending address.
Passing the message to the SMTP server is roughly equivalent to walking a letter down to the corner post box and dropping it in. As far as you
are concerned it’s sent. Similarly, after passing the message to the sending SMTP server, your email client will say something like
“Message sent successfully” because at that point its job is done.
One major difference between mailing a letter and sending an email message is that an email message can have multiple recipients. If you
want to send many copies of a letter using “snail mail” you have to make a lot of copies and address a lot of envelopes. With email
you just use one “envelope” with a lot of addresses.
What do the servers do?
After the SMTP server accepts the message from your client it works its way through all of the recipients (everyone with a “To:” or
a “Cc:” or a “Bcc:”) and tries to deliver the message to each one. This is where the Domain Name System (DNS), and specifically
Mail Exchanger (MX) records, come in. The sending SMTP server has to consult the DNS MX records
for each recipient’s domain to find out where to send the message. This is similar to your local post office sorting your letters for delivery
to each recipient’s local post office.
Hopefully after locating and attempting to deliver to the mail servers for all of the domains in the recipient list the sending
server’s job will be over. But, if it is unable to deliver to any of the recipients you will get a message from it (usually as
“mailer-daemon”) letting you know it couldn’t deliver for one or more recipients.
If this happens you need to make sure you spelled the address right and/or call the recipient and find out if they’re still using the address.
Once you figure out what went wrong you have to start all over for that recipient. (Luckily you can probably find the message in your
“Sent” folder and re-send it instead of rewriting the whole thing.)
Setting aside possible delivery failures, once your message is delivered to the recipient’s server the receiving server has to figure out
how to route it internally. Depending on the size of the domain’s operation the message may have to be routed through several internal servers
(think large email providers like Yahoo or Hotmail) before it gets to the recipient’s “mailbox”, or, it may go straight to a
“mailbox” on the machine that received it. Either way, it eventually ends up in a “mailbox” file (or directory) and there
it stays until it is picked up by the recipient’s Email Client.
In “snail mail” terms, this is like when a letter gets to your local post office and they deliver it to your mailbox.
Which brings us to . . .
What happens when I click “Get Mail”?
With “snail mail” the postal service delivers letters to your mailbox. If you want to read the letters you have to get them out of
your mailbox and open them. With email, if you want to read your messages, you have to use an email client to pick them up off the server.
When you click “Get Messages” or “Check Mail” or whatever your client labels this operation, the client connects to the
mailbox and downloads your messages. This is usually accomplished using Post Office Protocol (POP or POP3). It can also be done using
Internet Message Access Protocol (IMAP) but this is less common.
As with the SMTP connection used for sending, the email client knows how to find the POP, POP3 or IMAP server because you (or whoever set
up your client) gave it this information when the address was configured. By default, most email clients will download new messages to your computer
and delete them from the server. (If you want to, you can configure your client to leave messages on the server so that other clients, possibly a
home computer or a Blackberry, can have a chance to retrieve them.)
Once the messages are downloaded they show up as “new” or “unread” messages in your “Inbox” and you can
interact with them (i.e. Read, Reply, Forward, Delete, etc.). If you choose to reply or forward the cycle described here is repeated, otherwise
the process is finished.
-
Can Anyone Send Emails Claiming To Be From Me?
The short answer is yes. Anyone can forge the sender (From) field of an email and have it claim to be coming from pretty much any address they want.
At first glance you might think “That’s horrible, why do we allow that to happen?” The truth is that it’s rather common,
and you might even do this yourself, though for entirely innocent reasons.
Here’s an example. Let’s say you’re an OnlyMyEmail
personal account subscriber, you are set up to use our SMTP server to send your outgoing mail, but you don’t want to send mail from
john.doe@onlymyemail.com; you want to send it from another address, say jdoe@example.com. So you set up an identity within your
email client software for jdoe@example.com.
That’s a perfectly acceptable solution, but now you are sending mail using a server from one domain (OnlyMyEmail.com) but using an
address that belongs to another domain (example.com).
It is a common situation, and one reason why ISPs and email providers cannot “lock down” their servers to only send mail
from valid addresses at their domain; the backlash from users would be too great. And let’s face it, there’s nothing wrong with the above usage.
There are exceptions of course. For instance: within our Webmail interface we don’t allow users to claim a sending address other than their
actual OnlyMyEmail.com address, but such restrictions are not very common.
The problem, however, is that spammers use sender forging (spoofing) as a tactic to defeat spam filters that are set to allow emails from people
in your address book or those you’ve added to your “White List.”
There’s nothing you can do to prevent this. All you can do is be careful about globally “allowing” sender addresses in whatever
spam filter you use. Remember that each time you add an address as an exception within your filter, you poke another hole that might let spam slip
through.
This also explains, in case you’ve ever wondered, why so many spammers spoof your own email address when they send messages to you. They do
this because they figure that if there’s one address in your own address book or that you’ve specifically “allowed” it’s
likely to be your own!
-
Forwards: The Other Unwanted Email Category
One of the most annoying types of unwanted email is the mass forward. You know, the kind where one of your “friends” sends a
heart-warming story about a dog or a list of interesting “facts” about bananas to everyone in their email address book. (More often
than not that friend also sends everyone’s address to everyone else too but that’s another story.)
The reason this stuff is so annoying is that you can’t just block the person sending it because, most likely, they are a friend and
might actually send you something you’re interested in at some point. On the other hand you really don’t care about an amber alert
notice that was proven false five years ago. So, if you can’t block them, what can you do?
This is one of those things where you’re either part of the problem or part of the solution.
If you’re one of the people who reads these things and thinks “OMG I have to send this to everyone I know!” without
verifying them first, you are part of the problem. Please stop.
If you read them over quickly and delete them, you are helping, but you could do more. Still, as busy as we all are sometimes this is all we
can do. If the chain ends with you that means a lot less people are having their time wasted so you’re performing a huge public service.
If you have the time and you really want to make a difference there is a third option. You can reply back up the chain with corrections (and
possibly gentle chastisement for the sender). Since most of the people who send this kind of stuff are unaware of the Bcc option in their
email clients, they frequently expose the entire list of addresses they forwarded to. Thus, by using “Reply To All”, you can respond and reach all
of their victims.
You should suppress your first response which will probably be to flame them with something like “STFU and stop wasting my time with
this BS!” This might feel good for a minute but it doesn’t improve your relationship with the sender and just wastes
everybody else’s time.
Here’s what you can do:
- Politely ask the person sending the message to stop. Maybe they don’t realize how annoying these things are. They probably think
they’re helping you.
- For things like amber alerts and pictures of giant cats you can go to snopes.com and debunk them. More often than not, if you search on
the subject of the message, you’ll find an article that explains the origins of the
myth. You can then send a link to this article to everybody in the reply list and disabuse them of the false information.
- For political messages you can use factcheck.org.
They do a pretty good job of tempering extremism on both ends of the political spectrum without injecting an agenda of their own.
- For jokes, you might want to respond “Ha ha” and refer back to the first item in this list.
- Finally, you could include a link to this article in all of your responses. This will do two things: first, it will help to educate all of
the recipients about this issue; second, it will get us more traffic and we’ll really appreciate it:)
If we all work together we can rid the Internet of the scourge of unwanted forwards. Please do your part.
This has been a public service announcement provided by OnlyMyEmail.
-
Phishing Flow Chart
Phishing is a type of email attack where the sender pretends to be a bank or some other institution in order to trick you into providing
sensitive data such as your username and password. Usually phishing attacks link to a page which looks exactly like the target
institution’s login page. The login form may also be included directly in the message.
You can use this phishing flow chart (originally posted by Login Helper)
to help identify and avoid falling for phishing emails.
-
How To Stop Downloading Duplicate Emails
If your email software suddenly starts downloading duplicate copies of the same emails, there are five common causes to consider.
1. Your email software has more than one “Account” or “Profile” or “Personality” configured to download
messages from the same email POP account. As a result, your software downloads one copy for each Account/Profile/Personality.
- Symptom: All email from all senders is downloaded two or more times, but only up to a certain number of copies, which remains the
same, i.e. two copies of every email or three copies of each.
- Solution: Manually review each Account/Profile/Personality within your email software to make sure that the same POP account isn’t
listed more than once.
2. The sender actually is mailing multiple copies, possibly due to a software problem on their system or server.
- Symptom: You receive two or more copies of messages from some senders, but not others. The “Message ID” for each email
(contained in the Internet Delivery Headers) is unique, even though the message itself is the same. Additionally, the “time stamp”
on each message may be slightly different, but this is not always the case.
- Solution: Contact either the sender or their ISP/Host and make them aware of the problem, providing as much information as possible,
such as: Dates, Time, Subject Lines and the Message IDs.
3. Your email software may have corrupted files (most common with Outlook & Outlook Express) which prevents it from successfully
downloading and deleting messages from the mail server.
- Symptom: In this situation your software program loses track of the emails that it has already downloaded. The result is that every time
you connect duplicate copies are retrieved of just certain emails, or of all emails older than some specific date, while newer emails are
downloaded just once. In either case the original date and message ID contained in the email’s Internet Delivery Headers will be
identical for each copy.
- Solution: Log into the Web-mail interface (if one is available for your mail server) and manually move or delete any messages that are
being downloaded repeatedly. If the condition re-occurs frequently you may need to uninstall and then re-install your email software application.
4. Messages are matching more than one “Rule” or “Filter” within your software program.
- Symptom: Specific emails are always duplicated (but most emails are not), and these messages usually have something in common, such as:
coming from the same sender or list-server; containing similar “Subject” lines, or having identical “phrases” within
the email body.
- Solution: With some email programs this can result in your software making an additional copy of the message when the second rule/filter
matches. Carefully review any such rules within your software and look for any instances where more than one might match the same message.
When such an instance is found, remove or modify one of the rules.
5. Your email provider’s server is regenerating the “Message ID” or is moving your mail from one server to another server.
- Symptom: Duplicates of all emails on the server are downloaded repetitively. This may occur every time your email software connects or might
be based on a specific time interval, once per hour or once per 90 minutes or some other predictable interval. While the date/time stamp
doesn’t change from copy to copy, the “Message ID” for each duplicate is different than the last.
- Solution: While rare, if this condition exists, then you’ll have to contact your email provider as it means their servers are changing
the “Message ID” for emails left on their server. This change causes your email client to believe each message is a new email that
needs to be downloaded, and only your mail host will be able to diagnose and correct this condition.
While it can take some time, and patience, to diagnose and correct the problem, one of these five causes and solutions will turn out to be
the cure in almost every case.
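The Message-ID and date comparisons used in the symptoms above can be automated. The following Python sketch is an added example, not OnlyMyEmail's code: it groups downloaded messages that share a sender, subject and body, then reports which symptom each group of copies shows. The sample messages, addresses and verdict labels are constructed for illustration.

```python
import hashlib
from collections import defaultdict
from email import message_from_string
from email.utils import parsedate_to_datetime

# Verdict labels (names chosen for this example); cause numbers refer to the list above.
SAME_MESSAGE = "same-message"          # identical Message-ID: the symptom given for cause 3
NEW_ID_SAME_DATE = "new-id-same-date"  # new Message-ID, same Date: the symptom given for cause 5
NEW_ID_NEW_DATE = "new-id-new-date"    # new Message-ID and new Date: fits cause 2


def _body_digest(msg):
    """Hash the whitespace-normalized text of every non-container part."""
    parts = [p for p in msg.walk() if not p.is_multipart()]
    text = " ".join(" ".join(str(p.get_payload()).split()) for p in parts)
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def _sent_at(msg):
    """Parse the Date header so equal instants compare equal; else keep the raw value."""
    try:
        return parsedate_to_datetime(msg["Date"])
    except (TypeError, ValueError):
        return msg.get("Date")


def classify_duplicates(raw_messages):
    """Return {(sender, subject): {"copies": n, "verdict": label}} for duplicated mail."""
    groups = defaultdict(list)
    for raw in raw_messages:
        msg = message_from_string(raw)
        key = (msg.get("From", "").strip().lower(),
               msg.get("Subject", "").strip(),
               _body_digest(msg))
        groups[key].append(msg)

    report = {}
    for (sender, subject, _digest), copies in groups.items():
        if len(copies) < 2:
            continue  # downloaded once, nothing to explain
        ids = {m.get("Message-ID", "").strip() for m in copies}
        dates = {_sent_at(m) for m in copies}
        if len(ids) == 1:
            verdict = SAME_MESSAGE
        elif len(dates) == 1:
            verdict = NEW_ID_SAME_DATE
        else:
            verdict = NEW_ID_NEW_DATE
        report[(sender, subject)] = {"copies": len(copies), "verdict": verdict}
    return report


def _sample(message_id, date, sender, subject, body):
    """Build one constructed RFC 5322 message as a string."""
    return (f"Message-ID: {message_id}\nDate: {date}\nFrom: {sender}\n"
            f"Subject: {subject}\n\n{body}\n")


# Constructed sample mailbox (not real mail): three duplicated messages and one single.
SAMPLE_MAILBOX = [
    _sample("<a1@mail.example.com>", "Mon, 02 Mar 2009 10:15:00 -0500",
            "billing@example.com", "Invoice 1001", "Your invoice is attached."),
    _sample("<a1@mail.example.com>", "Mon, 02 Mar 2009 10:15:00 -0500",
            "billing@example.com", "Invoice 1001", "Your invoice is attached."),
    _sample("<b1@lists.example.org>", "Tue, 03 Mar 2009 08:00:00 +0000",
            "reports@example.org", "Weekly report", "Numbers for the week."),
    _sample("<b2@lists.example.org>", "Tue, 03 Mar 2009 08:00:00 +0000",
            "reports@example.org", "Weekly report", "Numbers for the week."),
    _sample("<c1@example.net>", "Wed, 04 Mar 2009 14:30:00 +0000",
            "pat@example.net", "Meeting notes", "Notes from today."),
    _sample("<c2@example.net>", "Wed, 04 Mar 2009 14:30:03 +0000",
            "pat@example.net", "Meeting notes", "Notes from today."),
    _sample("<d1@example.net>", "Thu, 05 Mar 2009 09:00:00 +0000",
            "pat@example.net", "Hello", "Just one copy."),
]

if __name__ == "__main__":
    for (sender, subject), info in classify_duplicates(SAMPLE_MAILBOX).items():
        print(f"{subject!r} from {sender}: {info['copies']} copies, {info['verdict']}")
```

A new-id-same-date verdict points to cause 5 only when it affects every message on each check; for mail from a single sender it can also be cause 2 with matching time stamps.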
-
Email Account Phishing
Not all phishing attempts are out to gain access to your bank account. Some are after a lower profile target that can ultimately be worse: Your
email account.
Many people have several email accounts so the damage incurred from handing over access to one of them can range from mildly irritating
to totally devastating. If you maintain “throwaway” accounts that primarily serve as spam traps and/or places to send login info
for unimportant sites, having one of them breached is not a big deal.
On the other hand, allowing access to an account that processes email for your bank, credit card companies and other important relationships
can have dire consequences.
From the Phisher’s point of view, the minimum benefit of gaining access to your email account is having another resource to use for
sending spam. If they’re lucky, they may also tap into a rich stream of personal data that can be used to enhance future fraud attempts
and possibly give them direct access to important financial accounts.
Here’s an example of how one might go about persuading you to let them into your email account:
Subject: Dear WebMail Subscriber
From: “Webmail Account Alert” <admin@messaging.org>
To: undisclosed-recipients:;
Dear WebMail Subscriber,
We would like to inform you that we are currently carrying out scheduled
maintenance and upgrade of our webmail service and as a result our email
client has been changed and your original password
will be reset. We are sorry for any inconvenience caused.
To complete your webmail account, you must reply to this email immediately
and enter your password here ( )Failure to do this will
immediately render your email address deactivated from our database.
Thank you for using our webmail !
Sincerely,
Webmail Support
Right off the bat you should notice how generic this is. There is no branding whatsoever. No legitimate company would pass up a chance
to show their logo and mention product names in a message like this. (For those of you who think WebMail is a brand or product name,
it’s not, it’s a generic term for any web based email client.)
Another clue is found in the “From:” address:
“Webmail Account Alert” <admin@messaging.org>
As a rule of thumb, any message claiming to be about your email account that doesn’t come from the domain your account is on is
suspect. So unless your account is at “messaging.org” you shouldn’t trust this message. There are plenty of exceptions to
this, such as the email coming from the company hosting your domain, but in this instance it’s better to start from a position of skepticism.
Finally, they’re asking for your password, and no legitimate email would make this request. As a rule of thumb, never ever give your
email account password to anyone you wouldn’t trust with your life. Even then it’s risky.
There are two scenarios where you will be asked for your email password in an email message:
- You receive a phishing attempt like the one above
- A friend or co-worker asks for it, for whatever reason
In the first scenario, you don’t know them so don’t give them your password.
In the second, you might know the sender, but you can’t really be sure it’s not a Phishing attempt that is
spoofing their address or that their email account hasn’t been compromised too.
Sooner or later you’ll be tempted to ignore this advice because somebody locked themselves out of the system at work or your
spouse needs to do some emergency banking. Hopefully, you’ll remember this article and figure out something safer (a phone call might
be better if you’re in a business that doesn’t have a lot of industrial espionage). If not, don’t say we didn’t warn you.
-
What Happens If I Click That Link?
An important email safety practice is to avoid clicking on links that aren’t safe. This begs the question “How do I know
if a link is safe to click?” The truth is you can never be sure, but there are ways of mitigating the risk.
A link’s presentation has two major components:
- The visible text (or image)
- The URL that the link references
These two pieces of information are not required to be related so you can have a link that says “Log in to my bank” but
actually takes you to “badwebsite.com”. The trick is to know what the link actually refers to, not what it wants you
to think it refers to.
Why should I care about HTML?
To view an email containing links you have to open it with something that reads HyperText Markup Language
(HTML). Plain text messages cannot contain hyperlinks so the trick only works if you’re reading your messages as HTML. (One way to avoid
clicking on links is to switch your email client to Text Only mode. We’ll cover this in another post.)
Most modern email clients (and all browsers) display HTML by default. “By default” means the program picked an option that it
thought you would like without asking you. The down-side of having HTML on by default is that scammers can use it to create tricky links.
The up-side is that you can use it to catch them.
How do I see what a link refers to?
Another feature that email clients and browsers enable by default is the Status
Bar. This is the display area at the bottom of the browser window where you see the “Transferring data from
whatever.com…” or “Waiting for http://www.whatever.com…” when you visit a web page. A lot of the time it just
says “Done”. Or it may be blank.
If you look at the bottom of your browser window right now you should see something like this:
Note: If you don’t see a Status Bar like the one above, it may be slightly different, depending on
which browser you are using, or you may have to enable it. Try clicking View on the File menu. You should see an entry for Status Bar either
directly under View or under View >> Toolbars. If there is no check mark next to Status Bar, click it and the Status Bar will be
enabled.
But if you hover your mouse here you should see something like this:
By the way, “hover” means point your mouse but don’t click. If you clicked you got “Error 404 – Not
Found”. Welcome back:)
Notice that the Status bar now shows “http://blog.onlymyemail.com/link-to-nowhere”; the URL that the link refers to. Using this
information you can look before you leap when confronted with suspicious links.
Yes, it’s that simple. Hover over the link and look at the Status Bar.
To click or not to click . . .
Any time you’re even remotely suspicious of a link you should check to see where it goes. For example you often see things like this displayed:
http://www.mybank.com/login.html
But if you hover over the link you’ll see something like this:
http://www.badsite.com/givemeyourpassword.html
Kind of a link “bait and switch”. Of course the URL won’t always be so obvious about being a bad site. Some spammers will
assume you know how to check the link and get trickier.
What if you see this:
Click to log in
And it links to this:
http://www.facebook.cn/login.php
in an email from Facebook?
You might just go ahead and click this one, not noticing that it goes to facebook.cn (.cn is the top level domain for China. In this
case you’d be safe if you clicked it because there actually is a legitimate facebook.cn. What? Of course there’s Facebook in China.)
The point is the URL was slightly varied from what you expected. Enough to get a computer to go to the “wrong” site, but not enough
for a human to notice without looking for it.
This is often done with sub-domains:
http://www.visa.notsupposedtobehere.com
For it to really be VISA, the “visa” has to be right next to the “.com”, otherwise it’s probably not VISA.
(We use probably here because huge corporations don’t always understand this stuff.)
The bottom line is, don’t just look at link URLs, look at them carefully. And remember, even if you know the URL
that a link references, there’s no guarantee you’ll end up there because the server or file that the link refers to can redirect
requests for that URL to anywhere on the Internet.
That being said, knowing what the link actually connects to is valuable information if you know what to do with it.
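The hover check described above can also be done mechanically. The following is an added example, not code from this FAQ: it pulls every link out of an HTML message body and compares the host shown in the visible text with the host the link really references. The sample message and the names `LinkCollector` and `audit_links` are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message body (not from the original page).
SAMPLE_HTML = """
<p>Dear customer, please visit
<a href="http://www.badsite.com/givemeyourpassword.html">
http://www.mybank.com/login.html</a> today.</p>
<p><a href="http://www.facebook.cn/login.php"><b>Click</b> to log in</a></p>
<p>Our site: <a href="http://www.mybank.com/">www.mybank.com</a></p>
"""

# Visible text that itself looks like a URL or a host name.
URL_LIKE = re.compile(
    r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[:/?#]|$)", re.I)


class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a href=...> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # text inside the link, nested tags included
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())
            self.links.append((text, self._href))
            self._href = None


def audit_links(html):
    """Return one dict per link: visible text, real target host, verdict."""
    parser = LinkCollector()
    parser.feed(html)
    report = []
    for text, href in parser.links:
        target = (urlsplit(href).hostname or "").lower()
        shown = URL_LIKE.match(text)
        if shown is None:
            verdict = "text-only"    # text names no host; only the target tells you anything
        elif shown.group(1).lower() == target:
            verdict = "match"
        else:
            verdict = "mismatch"     # text shows one host, the link goes to another
        report.append({"text": text, "target": target, "verdict": verdict})
    return report


if __name__ == "__main__":
    for row in audit_links(SAMPLE_HTML):
        print(f'{row["verdict"]:9}  {row["target"]:18}  {row["text"]}')
```

A "match" only means the text and the link agree; as noted above, the server behind the link can still redirect the request elsewhere.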
-
What’s In A (Pretty) Name?
The answer to this question is: Not much really.
In email parlance, the “pretty name” is kind of a plain text hitchhiker that can (but is not required to) accompany an email address
for display purposes. It allows email clients
to display meaningful text for address fields (From, To, Cc, Bcc) instead of just an address.
So, instead of seeing something like this:
somecrypticaddress@somedomain.com
Your email client will show you something like this:
Name of Somebody I Know
A correctly formatted email address with a pretty name will look like this:
“A Pretty Name”<address@optionalsubdomain.domain.tld>
However, you will rarely, if ever, see an address displayed this way. Most email clients will just display the pretty name if one is available.
(BTW, this explains why you see addresses for some of the people in your address book and names for others.)
If the pretty name is set on the sender’s end, your email client will see something like the example above but some email clients, in an
effort to be extra friendly, will also match addresses to address book entries and substitute the name field from the address book. Therefore, there
is always a chance that you see a “pretty name” even if the sender didn’t supply one.
Setting your own “pretty name” is done on a per client basis. This means that if you’re using Outlook at work, Thunderbird at
home and some kind of web-mail client on the road you’ll have to set the name you want displayed to recipients in all three places.
The field to enter this info is usually right before the one for the actual address in the account configuration and will likely be called
“Display Name”, “Your Name” or even just “Name”. You can have hours of fun with your email clueless friends by
setting your pretty name to “IRS Audit Division” and sending them official looking email.
And speaking of tricking people with pretty names, the pretty name can be just about anything and is not required to bear any relationship
whatsoever to the address it accompanies. Accordingly, spammers like to use the “pretty name” option in order to fool people into
opening their messages.
For example you might see a pretty name like this:
Name of Bank Security Dept.
With an actual address like this:
anyname@gmail.com
If all you see is the pretty name, which is common to many email software clients, then you might be taken in by this and end up sending your
account information to some random gmail, yahoo or msn address. And, in case you weren’t absolutely sure, your bank will not be sending
sensitive correspondence from some huge supplier of free email addresses like gmail.com.
There are a lot of email clients available so we can’t go into the details of how to get to the real address from the pretty name on all
of them. However, in all of the ones we’ve tried while writing this it was as simple as either hovering the mouse over the pretty name or
clicking on it. Taking a few minutes to find out how this works in your email client or clients can save you tons of grief later on.
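To make the pretty name versus real address distinction concrete, here is an added example (not code from this FAQ) that reads the From: header of a message, separates what a client would show from the address behind it, and flags a name that claims an organisation the address does not belong to. The sample messages, the `EXPECTED` keyword list and the function names are assumptions made for illustration.

```python
import re
from email import message_from_string, policy

# Free-mail providers of the kind the text mentions (example domains).
FREE_MAIL = {"gmail.com", "yahoo.com", "msn.com"}
# Hypothetical mapping: word in a pretty name -> domain that sender really uses.
EXPECTED = {"bank": "mybank.com", "irs": "irs.gov"}

# Constructed sample messages (not real mail).
SAMPLES = [
    'From: "Name of Bank Security Dept." <anyname@gmail.com>\nSubject: Verify\n\nHi',
    'From: My Bank Accounts <accounts@mail.mybank.com>\nSubject: Statement\n\nHi',
    'From: =?utf-8?q?IRS_Audit_Division?= <friend@yahoo.com>\nSubject: Audit\n\nHi',
    'From: somecrypticaddress@somedomain.com\nSubject: Lunch\n\nHi',
]


def in_domain(domain, expected):
    """True if domain is expected itself or a sub-domain of it."""
    return domain == expected or domain.endswith("." + expected)


def inspect_from(raw_message):
    """Return one finding per From: address: shown text, real address, flags."""
    msg = message_from_string(raw_message, policy=policy.default)
    header = msg["From"]
    findings = []
    for addr in (header.addresses if header is not None else ()):
        domain = addr.domain.lower()
        # display_name is already unquoted and decoded by the parser.
        words = set(re.findall(r"[a-z0-9]+", addr.display_name.lower()))
        flags = []
        for word, expected in EXPECTED.items():
            if word in words and not in_domain(domain, expected):
                flags.append(f"name says '{word}' but address is not at {expected}")
                if domain in FREE_MAIL:
                    flags.append(f"sent from free-mail provider {domain}")
        findings.append({
            # What a client that hides the address would display.
            "shown": addr.display_name or addr.addr_spec,
            "address": addr.addr_spec,
            "flags": flags,
        })
    return findings


if __name__ == "__main__":
    for raw in SAMPLES:
        for f in inspect_from(raw):
            print(f'{f["shown"]!r} -> {f["address"]}  {f["flags"] or "ok"}')
```

An empty flag list only means the name and the address are consistent with each other; it says nothing about whether the address itself was faked.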
-
How To Stop Unwanted Emails From Reaching Your Inbox
There are really only two ways to keep spam out of your in-box:
- Prevention — This is at best only partially effective and requires a fresh and un-spammed email address. However, if you do start with
a new address prevention can seem downright miraculous.
- Filtering — Also not perfect but a good spam filtering service should remove more than 99% of the messages you don’t want. The thing
to watch out for in filtering is false
positives. (False positives are messages that should have been delivered but were blocked instead.) Blocking spam is easy, the hard part is
not blocking the good messages.
(Actually, there is a third way but we’re assuming you don’t want to give up email altogether.)
These approaches are not mutually exclusive. In fact the most effective spam filtering comes from a combination of both. This means that,
even if you have a good spam filtering service, it still helps if you take preventative measures. Relying on your filtering service to take
care of everything is like asking your doctor to keep you healthy when you have a lousy diet and fail to exercise.
Don’t Encourage Them
First and foremost, spam exists because it works. If a spammer sends out millions of emails enough people will respond to make it worthwhile.
Don’t be one of them.
In many cases just opening spam alerts the spammer to the fact that somebody saw the message. This alone will put your address on high
value, verified address lists and one of the ways spammers
make money is by selling these lists to each other. So every time you open a spam message that’s tracked this way you can expect a lot of
spammers to get your address.
And don’t even think about buying something from a spammer. The only way spammers will go away is if they are universally ignored.
If you’re actually looking for any of the many interesting services offered by spammers, find them yourself and cut out the middleman.
To buy in response to receiving a spam email not only rewards the initial spammer, but more importantly, it makes your address even more highly
valuable for sale to other spammers. Look at it this way: from a spammer’s perspective, no list of addresses is worth as much as those that
are not only verified as active but also those belonging to users that have proven they will buy in response to spam email.
Prevent Spam
The only effective way to avoid spam email (without help) is to prevent it. If your address is already receiving large quantities of spam
it’s too late for this approach. However, if you are starting with a new email address, the following tips will help:
- Never reply to spam emails. Replying lets them know the address is active which only makes your address more valuable. As hard as it is to
avoid hitting the reply button and cussing them out it’s much better to just hit the delete button.
- Be very careful with “unsubscribe” links. As a rule of thumb, only unsubscribe if the sender has a reputation to protect. In
other words if it’s Walgreens pharmacy it’s probably safe, if it’s Wally’s Green Pharmacy don’t do it unless
you know Wally.
- Don’t share your address on social networking sites, online forums, chat sites and so on. If an email address is required
use a throw-away address.
- When publishing your address on your own web site (or any other web site for that matter)
use obfuscation to hide it from address harvesters.
- Keep your anti-virus software up to date. This not only protects your email address, it also protects everyone in your address book (and,
conversely, protects you from everyone that has you in their address book).
Spam Filtering Techniques
Unless you own and maintain your own mail server (and more than likely even if you do) spam filtering is best left up to professionals.
However, if you want to give it a go on your own here are a few things you can try:
- Email rules – Most email clients support email rules that allow you to automatically delete certain messages. This is basically just a
game of whack-a-mole though, so don’t try it unless you have nothing else to do.
- Whitelists can be practical if you correspond with a limited group of people and don’t expect to hear from new contacts. In this case
you can use the email rules mentioned above to only accept email from a specific group of addresses. (This, unfortunately, doesn’t prevent
spoofing.)
If you just want a cheap and easy way to get rid of spam we’ll be glad to help you and you’ll be glad you asked.
-
How To Avoid Identity Theft By Recognizing Bogus Email
Phishing is a form of Internet fraud that involves tricking the victim into divulging sensitive personal data such as login information
(user-names and passwords), bank account numbers, credit card numbers and security codes, and so on.
A typical phishing message will almost always include a link to a bogus web site which attempts to imitate the real web site that the victim
expects to see. These web sites range in quality from unbelievably lame copies to exact replicas and everything in between. What they all have in
common is a form that allows the victim to submit private information.
Occasionally, and mostly with Phishing attacks that are trying to gain access to your email account, the email message itself will claim to be
an official form that you are supposed to fill out and return by email.
The object of the game is to get the victim (you) to go to the web site and enter the data the phisher wants to collect. If you take the bait
the phisher wins. If you recognize the message as a scam and delete it, you win.
What Types of Accounts Are Phished?
Phishing is not just used to acquire explicitly financial information. We’ve seen phishing attempts for all of the following (just to
name a few):
- Banks and Credit Card Companies
- The IRS and other Government Agencies
- Gmail, Yahoo! and other Email Hosts
- Online Games (especially Gambling)
- PayPal, Google Cart, Authorize.Net and similar Merchant Services
- Internet Domain Registrars like GoDaddy and Network Solutions
- Amazon, eBay, Facebook, Twitter, Craigslist, Vonage and Wikipedia
- WordPress and other Blogging Tools
- Professional Organizations
The list of targets is endless so don’t trust an email just because it’s not from your bank. Be suspicious of anything that wants
you to provide information that you would normally keep secret.
The Usual Advice
Before we go any further we have to make sure you’re familiar with the usual advice for phishing avoidance.
- Don’t click links or call phone numbers in Internet messages (email, chat, etc.) to get to login forms. Visit the web site directly and
find the login page from there or use a phone number from a statement or other official document to call the company in question.
- Don’t email sensitive information. Email is not a secure form of communication. Only provide information through secure web forms (you
should see both https:// in the address bar of your browser as well as the lock icon or whatever your browser uses to indicate a secure connection)
or use a telephone (preferably a wired land line if you have such a thing.)
- Don’t give out sensitive information that the company should already have. Nobody is going to ask you to confirm your username and
password or to provide your full name. If they’re already doing business with you they already know these things.
- Never fill out forms in email messages. This goes for both HTML forms and hand typed forms (e.g. Name:…..). See all of the above.
If all you get from this article is the items above you’ll be fairly safe. But if you’re interested in getting really savvy
about phishing, keep reading.
Spotting Identity Thieves
The trick to staying off the phishing hook is being cautious and knowing how to recognize bogus email when you see it. Most of the time this
is pretty easy.
Note: The items below are mostly positive indicators meaning that their absence does not prove the email’s authenticity. Very sophisticated
phishing attacks will exhibit none of these telltales.
Check the From:
Any good phishing artist will spoof the From: address so it looks like it comes from accounts@mybank.com instead of
phisherman2195926917@yahoo.com. (More on this below.) However, not all phishing practitioners are artists. A lot of them are really bad
at what they do. Consequently, spotting random, not-at-all-official-looking addresses in the message’s From: field can tip you off
right away, especially since most email clients display this information before actually opening the message.
Urgency
Phishers try to force you to act by creating false urgency. They will often claim that your account will be closed if you don’t respond
within some very short time frame. This works because real institutions do this too.
Threats
Threats go hand in hand with urgency. Urgency only works if failing to respond quickly results in some dire consequences. Thus the claim that
your account will be closed or your property will be seized if you don’t respond yesterday.
Bad Grammar
Real businesses generally use decent grammar and spelling in their official emails. If the message is poorly written with numerous spelling,
usage, capitalization and other errors it’s almost certainly fraud.
Poor Quality HTML
This mainly applies to larger institutions like Amazon or PayPal. Big companies pay a lot of money to make all of their communications look
good. If you get an email that tries to say it’s from CitiBank and the layout looks like crap it’s not because they’re having
a bad hair day.
Weird Salutations
Most phishing attempts originate in “developing” countries and the authors are often not familiar with the languages or current
business practices in more prosperous countries. Therefore you’re likely to see something like “Esteemed Customer” or
“Honored Sir” instead of the usual “Dear Customer”.
Phone Numbers With Country Codes
Not all phishing messages tempt you with links, sometimes they ask you to call them. Or they may do both. In any case, phone numbers with
country codes are particularly suspicious. A country code alone is unusual enough to worry about but finding one that resolves to Nigeria or
Russia in an email from craigslist is a dead giveaway.
Taking It Up A Notch
The following items require a bit more effort and skill with a computer but if you learn to use them they can be immensely helpful in spotting
more sophisticated phishing attempts.
Link Stealth Techniques
To get you to go to a bogus web site, the phisher has to provide you with a link that will take you there. Most of the time these links are
connected to text like “Sign-In”, “Update your account” or something similar. The trick is to know
how to find out where links really go. This is something that is very difficult to hide so it requires extra trickiness on
the part of phishers.
To find out where a link goes, all you have to do is hover your mouse over the link and look at the status bar at the bottom of your
browser. (If your status bar isn’t showing, look for it under the View menu.) This is a problem for phishers so they use a couple of tricks
to fake you out if you know how to see where links go.
- Sneaky domain names – The important part of a domain name is the part on the right so a domain like bankofamerica.com.phishing.org
might persuade you to think it’s bankofamerica.com.
The link above goes to phishing.org but the first thing you see is bankofamerica.com. They do this one a lot.
- Sneaky file names – The right side of a URL is the file name of the page so you might also see
myphishingdomain.com/bankofamerica.com/login. The domain is still myphishingdomain.com no matter what they call their files.
- Hiding in plain sight – Many legitimate organizations will include fully qualified links like
http://www.legit.biz/index.html in an attempt to be less phishable. This is great if they’re not linked. Unfortunately, cutting
and pasting a link to the browser’s address bar is a lot to expect of everyone using the Internet so they’ll often include a link.
This allows phishers to use the tricks above but with the expectation that you’ll trust the link because the text looks like a legitimate
link. Super sneaky.
Hovering over links to see where they go is an excellent tool for avoiding fake websites with one caveat: Sometimes banks and other institutions
will use third party processing services or register separate domains for their financial services divisions. This can lead to situations where you
suspect an “innocent” email. If your bank is doing this they’re asking to be phished. Look up their phone number and call them;
never trust their emails.
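The "part on the right" rule for domain names and file names can be written down as a check. This added example (not code from this FAQ) takes a URL and the domain you expect and reports whether the expected name is really at the right-hand end of the host, merely somewhere in the host, or only in the file path. The function name, the verdict strings and the `example.com` cases are assumptions; the other sample URLs are the ones used in the text.

```python
from urllib.parse import urlsplit


def classify_link(url, expected_domain):
    """Say where `url` really goes relative to the domain you expect.

    Returns one of:
      "expected"      host is expected_domain or a sub-domain of it
      "name-in-host"  the expected name is in the host, but not at the right end
      "name-in-path"  the expected name appears only after the host (file name)
      "unrelated"     the expected name does not appear at all
    """
    expected = expected_domain.lower().strip(".")
    if "://" not in url:
        url = "http://" + url        # accept bare "host/path" as written in emails
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")

    host_labels = host.split(".")
    expected_labels = expected.split(".")
    # Compare whole labels from the right: "visa" must sit right next to ".com".
    # A plain string endswith() would wrongly accept "notexample.com".
    if host_labels[-len(expected_labels):] == expected_labels:
        return "expected"
    if expected in host or expected_labels[0] in host_labels:
        return "name-in-host"
    if expected in (parts.path + "?" + parts.query).lower():
        return "name-in-path"
    return "unrelated"


# URLs quoted in the text, plus two constructed example.com cases.
SAMPLES = [
    ("http://www.visa.notsupposedtobehere.com", "visa.com"),
    ("bankofamerica.com.phishing.org", "bankofamerica.com"),
    ("myphishingdomain.com/bankofamerica.com/login", "bankofamerica.com"),
    ("https://www.bankofamerica.com/login", "bankofamerica.com"),
    ("http://notexample.com/", "example.com"),
    ("http://EXAMPLE.com.:8080/x", "example.com"),
]

if __name__ == "__main__":
    for url, expected in SAMPLES:
        print(f"{classify_link(url, expected):13} {expected:18} {url}")
```

Because the check compares against a domain you supply, an institution that sends links through a third-party processor or a separate division domain will come back as something other than "expected", which is the caveat described above.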
Spoofing
Another interesting feature of the way the Internet currently works is that it’s really easy to fake email addresses.
Therefore, checking the From: address in an official looking email is seldom helpful (unless you’re dealing with a lame phishing
attempt as noted above). To detect spoofing you have to look at the message headers. (We’ll write a more detailed post about message
headers soon.) Spoofing is a certain indictment of an email’s authenticity but it takes effort and knowledge to prove it. We think
it’s fun but then we’re in the spam filtering business.
SSL
Secure Sockets Layer (SSL) is how browsers and servers exchange information privately. Using SSL requires a secure certificate and not
all phishers have access to SSL servers. Consequently, something
to look for if you actually visit websites linked from emails (generally not a good idea) is a secure connection. If you don’t see
https:// in your browser’s address bar you can eliminate the site immediately.
However, just having https:// in the URL is not enough and phishing sites will take advantage of this by allowing SSL calls on their
servers without backing the connection with a valid SSL certificate. Your browser will detect this and point it out. (How browsers indicate an
encrypted connection varies so you should make it a point to learn how to tell if you have a secure connection.)
It is possible that the phisher DOES have a secure server. Don’t assume that a site is safe because your browser says it’s secure.
Check the URL and apply all of the other tips above as well.
Conclusion
This post lists several ways to identify bogus emails. Armed with this knowledge you will be able, with certainty, to avoid falling into most of
the identity theft traps that land in your email. There will still be a few that you will be unsure about and for these remember the two cardinal
rules of phishing avoidance:
- Never contact an institution asking for private information using the links, addresses, phone numbers or anything else provided in the email
itself. Always look up their contact info yourself.
- Don’t provide sensitive information using email at all and only provide it using secure web forms if you have followed rule
one and contacted them to verify the authenticity of the email.