Ask HN: Are all mail clients inherently vulnerable? - evo_9

I've noticed an increase in Virus/Worms getting onto my machine (macbook air, osx 10.8.5).

I've noticed they are always via an unread email through my gmail account.

I wonder, would I be safer always accessing Gmail via the web versus my email client (in this case Apple Mail and PostBox)?

I always thought I actually had to click on/read an email to have it 'execute' and get onto my system? Has something changed recently?

Is there any way to harden the mail client so it's not allowing these files to even reach my system? Perhaps that's an IMAP setting on GMail I can configure/alter?

Thanks!
======
27182818284
>I've noticed an increase in Virus/Worms getting onto my machine (macbook air,
osx 10.8.5).

Whoa whoa whoa whoa. I'd like to know more. Your claim is basically that there
is a 0-day attack on OS X machines being exploited in the wild and it requires
even less than opening an email?

That's a _very_ significant claim. My best guess is maybe you're being
exploited by the numerous Java flaws, but even that sounds like a stretch.

>Is there anyway to harden the mail client so it's not allowing these files to
even reach my system? Perhaps that's an IMAP setting on GMail I can
configure/alter?

Google's security engineers are 10 to 1000x the average person. If there is a
useful default setting they know about, it is probably already enabled. Heck,
earlier today I hit a URL dealing with Namecoin and Google freaked out that it
was a known phishing website and prevented me from visiting.

~~~
evo_9
Look I'm not claiming anything, I'm simply stating the facts that I have
before me.

I scan with various virus/worm tools and I see _ONLY_ gmail infected files.
They are not emails I've ever looked at, touched, clicked on, opened -
anything. They happen to be on my machine under the spam/junk folder.

That's it. That's the mystery. I don't understand how they are infecting my
machine. Maybe these items are being picked up by the tools (sophos, clamxav
and bitdefender) as on the machine but not causing harm - I don't know.

All I know is I've had peculiar behavior, behavior that in the past when I was
on, let's say, a Windows XP work-machine usually meant I had something funky on
my machine.

So that's where I'm at.

I've added 'Hands Off' and I'm going to closely track what is going on.

Until then I'm not sure what to do about my Gmail account(s). As far as I've
seen from a couple of friends that happen to work at Google (one is a VP...),
yeah I think they are (mostly) still humans and prone to mistakes from time to
time. Hubris comes to mind. Fun word if you are unfamiliar.

~~~
Terretta
> _I scan with various virus/worm tools and I see ONLY gmail infected files.
> They are not emails I've ever looked at, touched, clicked on, opened -
> anything. They happen to be on my machine under the spam/junk folder._

OH! This does not mean what you think it means. This means that Gmail is
correctly classifying evil emails into your spam folder. You are, for your own
reasons, downloading the SPAM folder to your computer instead of leaving it on
Google's server. This brings the email text and attachments into the email
app's storage folder on your HDD.

Your anti-virus software is scanning local files for virus or malware
signatures. The attachments on these emails have these signatures. This has
nothing to do with you opening them, running them, or being infected by them.
Your email client dutifully downloads the SPAM folder, stores it locally, and
your AV tool is spotting the bad sequences of bytes.

That's sort of like having a collection of viral agents in glass vials. You've
collected them, but you're not infected.

Opening the email and running the attachment, that'd be a problem. Or, if the
attachment can get itself to run in the context of just viewing the mail, and
you view it, that'd be a problem.

So, (1) Don't download the SPAM folder, waste of time and storage; if you
don't download it, Sophos etc won't see/detect the bytes. (2) Don't browse the
spam folder if you don't want to be infected by things in spam emails. (3) If
you do download the spam folder because, say, you have a lot of false
positives you need to rescue out of it, then check for them frequently and
delete the rest or set it to auto-empty.

I'd go with just not downloading it.
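The mechanism Terretta describes (a synced Spam folder puts attachment bytes on disk, and a scanner matches them without anything running) can be checked locally. This is an added example, not code from the thread: it walks a folder-per-directory mail store, parses each message with the standard `email` package, and reports which attachments came from a spam/junk folder. Attachments are only hashed, never written out or opened. The "[Gmail].Spam" folder name and directory layout are assumptions modelled on desktop IMAP clients, and the sample messages are constructed inline.

```python
import hashlib
import os
import tempfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

JUNK_MARKERS = ("spam", "junk")  # folder names treated as a synced spam mailbox


def is_junk_folder(folder: str) -> bool:
    """True if an IMAP folder name looks like Gmail's Spam or a Junk mailbox."""
    return any(m in folder.lower() for m in JUNK_MARKERS)


def inventory_attachments(root: str) -> list:
    """One record per attachment found on disk; bytes are hashed, never executed."""
    records = []
    for dirpath, _, files in os.walk(root):
        if dirpath == root:
            continue  # top level holds folders, not messages
        folder = os.path.relpath(dirpath, root)
        for name in files:
            with open(os.path.join(dirpath, name), "rb") as fh:
                msg = BytesParser(policy=policy.default).parse(fh)
            for part in msg.iter_attachments():
                payload = part.get_payload(decode=True) or b""
                records.append({
                    "folder": folder,
                    "from_junk": is_junk_folder(folder),
                    "filename": part.get_filename(),
                    "sha256": hashlib.sha256(payload).hexdigest(),
                })
    return records


def build_sample_store() -> str:
    """Constructed store: a clean INBOX message and an unopened Spam message.
    Folder names and attachment bytes are made up for the example."""
    root = tempfile.mkdtemp()
    samples = {"INBOX": (b"quarterly notes", "notes.txt"),
               "[Gmail].Spam": (b"constructed-sample-bytes-not-malware", "invoice.zip")}
    for folder, (data, fname) in samples.items():
        msg = EmailMessage()
        msg["From"], msg["To"], msg["Subject"] = "a@example.com", "me@gmail.com", fname
        msg.set_content("see attachment")
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=fname)
        os.makedirs(os.path.join(root, folder))
        with open(os.path.join(root, folder, "1.eml"), "wb") as fh:
            fh.write(msg.as_bytes())
    return root
```

Run against a real client's store, the per-folder breakdown shows whether every scanner hit sits under the spam mailbox, which is what the quarantine paths in this thread suggest.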

~~~
evo_9
Gotcha, thanks that's the conclusion I came to (aka, the spam folder is being
pulled but nothing from it is being 'run'). That whole thing (gmail spam
folder/etc) turned out to be red-herring.

The mystery was what caused the odd behavior I started having in Safari that
triggered all this. Long/short I watched a, let's say 'non-standard' sports
feed a buddy sent me of a blacked-out Red Wings game. I remember the browser
firing a window fullscreen for a second that vanished and thought 'oh that's not
good...'. I was of course drinking while watching the game and forgot about the
whole incident until really thinking about what might have caused it...

Anyway, thanks for the help... on a side note does anyone have an opinion on
which (if any) of the various AV tools out there are worth running? Sophos seems pretty
good but I'm not a fan of something constantly running in the background a la
Norton/McAfee.

~~~
Terretta
Well, pirated live video events are a well known malware vector, along with
certain kinds of online gambling and adult video. Often they don't even bother
with a zero day, they just ask you to install a "video codec" which is really
the payload. They know you want it ...

Running that illegal live stream is a far cry from your initial hypothesis of
unopened Gmail messages. By definition the people offering it to you are
perfectly happy with doing harm.

------
Terretta
An _increase_? You already had a _baseline_ of viruses and worms getting onto
your Macbook?

WTH are you doing with your machine?

~~~
evo_9
I had none up until 2 weeks ago; the only major change/software installed was
a new VPN client.

Before that I've never had a virus and I've been using a Mac since, oh,
1988ish...

So that's what the hell I've been doing.

~~~
stevekemp
And what proof do you have that you have a virus now?

(Sorry but suggesting that having unread mail accessed via gmail has infected
your computer seems pretty extraordinary, and does require a fair bit of proof
to be taken seriously.)

~~~
evo_9
NP, I understand. See my reply above; if that's not sufficient let me know and
I can provide more information though I have successfully removed everything
using a combination of the tools I listed in that reply. Thanks.

------
wglb
This part is interesting: _I've noticed they are always via an unread email
through my gmail account._

How were you able to determine that?

~~~
evo_9
I believe it was Sophos that showed the original path, or retained the
original directory path in the quarantine listing; aka, the listing had my
gmail email address in the path on all infected items.

~~~
wglb
Ah.

So the email was downloaded to the hard disk, but not read or opened. The
virus scanner looked through the folder and found the problem.

If you use the web client, then it seems like you won't have the email on your
machine until you open it for reading.