Prologue
Recently, I have published blog articles describing spam emails containing links to disreputable URLs. I have mentioned in these articles that one means of self defense against visiting obviously bad locations is to hover over a link and read the actual URL of that link - in your email client "Status bar." But, what if there is no Status bar showing in your email reader? How do you reveal it?
This brief technical article will show you how to show a hidden "Status Bar" on the most commonly email clients (in 2011). It also explains why having this bar visible is so important and a brief tutorial on making sense of the details that are displayed when one hovers over a link with their mouse pointer.
Displaying Email Client Status Bars
If you still have Windows XP (or, earlier; shudder the thought), you may have Microsoft's Outlook Express as your default POP3 email client. Others using XP, or Vista, have gotten the message about Outlook Express being deprecated (abandoned) by Microsoft and have moved up to Windows Live Mail (aka: WLM). People using Windows 7 are only offered Windows Live Mail 2011 (and newer, yet to come versions). All three versions have the means of turning the Status Bar on and off.
To show or hide the Status Bar in Outlook Express, Windows Mail (Vista only) and Windows Live Mail for XP and Vista, open the program, go to the menu bar item View, then click to place a check mark in Status Bar. It's that simple!
If you use Windows 7, your version of Windows Live Mail is probably version 2011 (or newer version, yet to come). Your interface is different than Outlook Express and the WLM for XP. To show the Status Bar, open the program, click on the "View" button in the row under the Title Bar, go to the right side and click the button labeled Status Bar. It appears (or disappears) instantly. Done!
If you are using Mozilla Thunderbird as your email client and for some reason the Status Bar is hidden, you can bring it back thusly: go to View > Toolbars > Status Bar and click to check it. The Status Bar will appear instantly.
Other email clients will have their own methods of turning the Status Bar on and off. I recommend leaving it on, all the time. Here's why...
The importance of having a visible Status Bar in your email reader (aka: client)
The main purpose of any Status Bar, whether on a web browser, ftp program, or email client, is to display information about the destination of hyperlinks (commonly called "links"), when you hover over them with your pointer. Secondary purposes include showing the progress of page loads, downloads, error messages, and in the case of email clients, the number of new or read messages and whether you are online or offline.
When you have a Status Bar visible in your desktop email client, anytime you hover over a link, no matter what the text in the email text says, the destination URL will be displayed in the Status Bar. The link might say "Login to your Account," or "I thought you might find this interesting." It might claim to go to a Facebook profile, whatever; it is just text placed between an opening html a href tag and a closing /a tag. The actual destination is only visible if you have a Status Bar, or, if you hover and right-click (option click, not execute click) then copy the link location and paste it into a safe document (or Wannabrowser input -> see * below)
So, if you receive an email from a friend, or contact, and all it contains in the message body is a link, or some odd text and a link, hover over that link and read the URL in the Status Bar. If the URL is a numeric IP address (for example, http://192.168.0.127/whatever), it is probably pointing to a hijacked PC somewhere, which may be hosting a malware exploit kit, or a spam page promoting counterfeit drugs or watches.
However, the use of numeric IP addresses in spam emails is very rare these days. It peaked during the reign of the Storm Botnet, in 2007. Nowadays, spammers can purchase throwaway domain names (from bargain or shady Domain Registrars) so cheaply that they sometimes buy them by the thousand. So, every few days, the domain name shown in spam links changes. But, some are more obvious than others.
Making sense of the domains shown in the Status bar
To me and most North Americans, the most common domain extensions (the 2 to 4 letter part after the period) are .com, .net, .org and .info. Therefore, if you hover over a link in a suspicious email message, and the domain part of the URL ends in .ru, it should set off your alarm bells! That means it is a Russian domain. Unless you are doing business with a legitimate Russian company, or person, I would treat all links going to .ru destinations as absolutely no-go's. Ditto for links pointing to .cn, .kr, .ua, .ro and several other potentially dangerous country code destinations.
<rant>
I write frequently about spam issues and fake pharmacies. Lately, there has been a scourge of Russian domain links leading to variations of the totally fake Canadian Pharmacy. Some are called My Canadian Pharmacy, some Canadian Family Pharmacy, etc. Whatever name they go by; they are all rogue websites, created and managed by Russian and Ukrainian cyber criminals. The drugs they sell are counterfeit and often dangerous to your health. There are zero US licensed off-shore pharmacies. ZERO! It is illegal for US residents to import any prescription drugs, or controlled Schedule 3 or 4 narcotics into the USA, from any other country, including Canada.
The reason I mentioned all of these details about the fake pharmacies, is because they often make bogus claims that they are licensed in the USA. I see such subject lines as "non-USA Licensed Pharmacy." Bullshit! Ain't no such animal! Totally false claim. The web pages one sees, if they are foolish enough to click on links in spam email messages, often contain logos for various alleged accreditations, all of which use stolen graphics, with links leading right back to the same fake website you are already on. Please don't fall for these scams!
</rant>
It is easy to guess that links to foreign domains are likely to fake pharmacies, or counterfeit watch sellers, or worse, to exploit attack sites. But, it is not so obvious in the case of links to .com domains. To get the lowdown on these destinations, without going to them, hover over the link and right-click. Note: If your mouse buttons are purposely reversed, for left handed use, then you would have to left click to get the same result as a right-handed person. Assuming you are right-handed, mouse-wise, right clicking gives you options, rather than executing an action (visiting a link's destination). The option you want is to "Copy the link location."
Tracking suspicious link destinations and gathering intelligence about them
* With the suspicious link URL copied, go to www.wannabrowser.com and paste that link into the "Location" field, replacing the http:// that is already in it. Then for reasons I won't explain, type a dash (-) into the "Referrer" field. Place check marks in the two options: "Show HTTP Response Headers" and "Follow Redirects," then click on the "Load URL" button. (If possible, make a donation for the free service while you are there). The HTML Output of the destination will be displayed in a large text area below and the actual domain name and web page, and IP address of that website will appear on the right side of the input fields, under Request Response Summary. This is very important information which can be used in what are called "Whois" look-ups.
First, look at the source code in the HTML Output field. If the second line begins with: Server: nginx/, you are looking at a free Russian http web server named Nginx that is that favorite of most botnet operators. There are some, but not in my experience, many legitimate websites operating on the Nginx server. 99.99999% of Nginx websites are rogues. 100% of Nginx web server sites that delivered via unsolicited email message links are rogue.
If you continue reading the details of the source code you will probably come to a line that is between Title tags. That is the title of the website that would normally appear in the Title Bar of your browser, if you have actual clicked through to that (phoney) website. The title tag usually reveals all you need to know about the nature of that business. The detective work involves going over to the upper right side, to "Request Response Summary" and copying the name of the final destination domain, then go to www.domaintools.com and paste it into the Whois Lookup input field and click the "Search for Domain" button. The resulting page will tell you much about the domain, including the name of the Registrant and the names of the "Name Servers." In the case of many of the rogue pharmacies, the name servers end in .cn (China) or .ru (Russia). You can use this information to file a complaint with the domain's Registrar and their hosting service. I have frequently used this information to get spam domains suspended.
Using the Status Bar to alert you to Phishing scam links
In addition to links for fake pharmacies and exploit websites, you also have to be wary of Phishing scams. If you receive an email that appears to come from PayPal, or your bank, etc, and it doesn't address you by your proper name, as they normally do, carefully hover over all buttons and links and read the domain part of the URL carefully. While Phishers often register look-alike domains to fool scam recipients, a wary person will spot a fake destination instantly. The actual domain follows the http:// and ends to the left of the first single forward slash (/). The URL may contain www, or it may not. There could be a sub-domain name in front of the actual master domain. This might be the Octopus Juice put there to blind you to the actual destination.
In view of the extent to which scammers are able to register domains with names similar to authentic domains, you should make it a point to save legitimate email fro all financial institutions with which you deal and use them as a reference. If an email claims to be from PayPal, and you are a PayPal member, hover over the links and write down the first part that contains the actual domain (ignore everything after the first single forward slash). Then, go through your saved important email and find a legitimate email from PayPal and hover over the links in it. Compare the domain and sub-domain used and you will see if they are similar, identical, or totally diverse.
Epilogue
All of this identification work is accomplished by means of the Status Bar at the bottom of your email client. Don't operate without it showing. Don't left click to go to a linked website until you identify the location from the Status display and confirm that it is an authentic destination, and not a Phishing scam or link to a rogue pharmacy. Don't click on numeric domain links at all, unless you personally requested them for a specific reason and they were sent by the person or company you requested them from.
These tips should help you make sense of URLs that are actually inside links. following my tips will keep you from making what could be a serious error of judgement which could lead to your computer getting hacked, or you credit/debit card being used to purchase illicit goods. Should you do such a foolish thing, know that criminals now possess your credit/debit card details, your email address and your actual mailing address (probably your actual residence).
Stay safe and practice Safe Hex!
back to top ^
