
Scam or Junk or Virus ??

John Nicholas
For the last week, several times a day I have been receiving emails on one of my several email addresses which might appear to come from a mobile phone provider. The sender's address includes T-Mobile, or Vodafone, or Orange, or whatever.

Mail identifies this potentially as spam. My email address which receives these is NOT that which I use for my genuine mobile provider. The message appears to have an attachment.

I consign these straight to trash. How should I do this given that we are warned not to "open" suspect messages. Surely clicking on the message in order to send to trash causes it to open? What I usually do is to click on another message I intend to trash and then shift click onto the suspect message or even another beyond it in the list of read messages and then trash a group of several. Is there a better methodology ?

A typical message header comes as .....>[undisclosed email] <....and a paperclip is in evidence.


Has any other member been troubled by these? Am I right or wrong to suspect these current particular messages?

Re: Scam or Junk or Virus ??

Euan Williams
Hi John, the short answer is that if you keep your Mac properly updated and use good password protection, you are unlikely to have a problem. Putting these emails into Trash (don't forget to actually empty the email trash) won't be an issue as malware would be in the attachment (your paper clip). The huge majority of these are PC-directed.

Other signs: the email send address is non-standard for your ISP or a 'phone company -- as you noted.

OSX is very well protected against Malware but you do need to make sure you keep your software up to date. Problem software outside Apple's control includes Flash and Adobe Acrobat Reader. Adobe offer automated reminders of security backups for these, but if you haven't asked for them you may not get any. Visit Adobe.com/Downloads for updates and learn what the Adobe updates look like (there are fakes out there).

Keep a sensible (but not neurotic) eye on the Mac web pages, e.g. MacWorld online (there are many other good sites).

In the past Apple have waged remote and automatic war on Trojans that could affect your Mac, for example:
"Flashback A"

Users are more in danger from Social Engineering and Phishing attacks which try to seduce us into giving out passwords and personal information.
Recent examples seen here:
"Your boarding pass for flight xxxx Dallas-Fort Worth to ... is enclosed"
"We have recalculated your tax rebate"
"Your package can be claimed using this identifier"
"We have been alerted to a problem on your computer and we can fix it"

Oh yes, spoiler alert! Please don't shout...
You may choose to use anti-virus software to keep an eye on your emails. Opinions differ about this and some AV software is, ummm, "not so helpful". I use the (free) Sophos AV which works efficiently in the background and is easy to use. This helps me to not pass on malware to my PC contacts who might be affected.

Re: Scam or Junk or Virus ??

Drew McFarlane
Hi John,

I am the secretary of a sea angling club. The club's e-mail address is freely available to one and all as it appears in numerous magazines etc.

Every day I receive numerous e-mails from all over the world asking for my bank details to enable the sender to top up my account with millions of pounds; they all end up in my junk folder thanks to my computer settings.

After placing the pointer on the e-mail I right click and select the Delete option. This allows me to delete the e-mail without opening it.

It is also possible to delete the e-mails directly from the Junk folder using the same procedure.

Re: Scam or Junk or Virus ??

Mick Burrell
John, check with your email provider. Most offer spam filtering which would stop this sort of email even getting to your Mac.

Re: Scam or Junk or Virus ??

John Nicholas
Thanks to you all for advice so far re general practice. It was the ISP filter that alerted me to the spam, but I do not want to upgrade the filter so that only known contact emails get through and everything else is held back. In my view that is too harsh.

Anyway Sophos AV is now causing me grief. I have scanned 4 times now and get stuck at 43% or 50% before it freezes. On the way 4 trojans (I suppose using my Mac as a potential stepping stone to any contact who might be a Windows PC user?) were found and cleaned up. The next "threat" has been found so the scan pauses, appearing to be awaiting my action. But a Cleanup then fails, so I do what "Sophos help" says to do re manual cleanup/custom scan, but after a few seconds of whirr whirr whirr that fails as well.

So I abort the scan and start from the beginning. All goes fine if rather slowly until the circa 50% mark and the offending threat is reached again. How do I get out of this loop so as to complete the bulk of the "scan" and then try to deal with the one single (?) remaining offending threat at the end? Just deleting the threat from the list in the Quarantine Manager doesn't seem to achieve a continuation of the remainder of the scan; it just hovers for hours at the point at which it stopped.

My luddite wife is annoyed at the time "that stupid computer" is diverting my attention from her important household duties she has lined up for me !

Re: Scam or Junk or Virus ??

Euan Williams
Hi John. I'm not looking at your screen (nor do I live at Sophos) but in general terms:

I would uninstall Sophos AV using the uninstaller they supply.

Then I would restart my Mac, download a fresh copy of S-AV from their site (not from some intermediary) -- checking its suitability for your version of OSX -- and install it, making sure it has downloaded the latest virus definitions: an 'S' in the shield in your top menu bar confirms this, an 'X' means it hasn't done so yet.

As of tonight this is v. 9.0.8
Threat detection Engine v. 3.50.1

Deleting threats from the Quarantine folder which have not been "sanitised" is never a good idea.

If you can see which email is suspected of carrying malware (Sophos should show you this) you can delete that email (making sure that you also delete it from the email trash). Note that the offending email may be old and hidden away in some backup folder. Look for a .emix file with an envelope icon.

If you need archaeological excavation, (for example you may know the date and general text of the threat) a typical path in Mavericks might be (IMAP may well be different, I don't use it, sorry):

Users > John > Library (option-click on the 'Go' menu) > Mail > V2 > POP [email address] > INBOX.mbox > folder with impenetrably long reference number > Data > lots of nested numbered folders > Messages > ####.emix

Attachments are stored in the same way, and the suffixes will tell you what kind they are -- without opening them. Match the email to the attachment and destroy both.

And, yes, Apple HATES you to fiddle with these if you don't know what you are doing, so back up the whole Mail folder first. However it is OK to find the little offender and delete it, just leave the rest well alone.

If in doubt or divorce looms contact me via any committee member. Meantime good wishes to your wife!

Re: Scam or Junk or Virus ??

Alan Cox
What a palaver. The solution is obvious - start using a quill with ink to write on parchment.

Re: Scam or Junk or Virus ??

Mick Burrell
John, is this the only option you have:

"but I do not want to upgrade the filter so that only known contact emails get through and everything else is held back"

There's usually a scale, possibly with five steps.

You could consider using MailBox manager (available on the app store).

Re: Scam or Junk or Virus ??

John Nicholas
Thank you Euan for your follow up. I found some of what you said difficult to interpret or, with my low level of skill, to put into practice.

However, as you advised, I did uninstall Sophos AV and then download and install a new copy. This scanned completely, finding no further "threat"s. Phew. There were however "11 issues". Where do I find listed (in simple form) what these were? Clearly I need to read the Sophos pdf notes I also downloaded.

Re: Scam or Junk or Virus ??

Euan Williams
Hi John. The Sophos .pdf notes don't cover the "issues" word, but you can find a discussion here:
"Issues Found"
Look for the explanation by "Diz" 08-30-2013 01:54 PM.

[NB. if you ever use Terminal (powerful magic, Hogwarts education advised, possibly best avoided for "the rest of us" along with Quills and Parchment just to be on the safe side) you need to be very careful about typos, and read up on what the commands mean. It sometimes helps to copy and paste commands to avoid gremlins.]

Once you have done a full 'scan everything' scan you can leave the Sophos App to simply scan incoming emails and files -- provided you have left the preferences to the factory settings (or have reset them to those).

Full scans take ages (and sometimes stall). If you look at the SAV shield in the top menu bar, click on 'Open Preferences' and sign in you will see the tab "Logging" which is one way to access the SAV log in Console. There are millions (if not gazillions) of threat signatures listed there -- virtually none of which will affect your Mac but could be passed on to your contacts.

A Sophos update and a found threat cleared up looks like this:
com.sophos.autoupdate: Updating catalogue information at 09:57:03 13 June 2013
com.sophos.autoupdate: Catalogue updated at 09:57:03 13 June 2013
com.sophos.autoupdate: Download started at 09:57:03 13 June 2013
com.sophos.autoupdate: Download completed at 09:57:10 13 June 2013
com.sophos.autoupdate: Software is up-to-date at 09:57:16 13 June 2013
com.sophos.autoupdate: Info: Checked primary server at 09:57 on 13 June 2013
com.sophos.autoupdate: Sophos Anti-Virus is up to date
com.sophos.autoupdate:

com.sophos.intercheck: 2013-06-13 11:40:56 +0100 Threat: 'Mal/DrodZp-A' detected in /Users/####/Library/Mail/V2/POP-########@mail.#######.com/INBOX.mbox/########-6395-484C-A4E0-############/Data/4/6/Attachments/64858/2/Recalculation details.zip
com.sophos.intercheck: Access to the file denied

com.sophos.intercheck:
com.sophos.autoupdate: Updating catalogue information at 11:42:19 13 June 2013

[### = alterations to daze and confuse].

So it's probably time to make a cuppa and relax, knowing you have done the necessary; not forgetting to pick some flowers for your wife, and sleep the sleep of the righteous!
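
Added example, not part of the original post and not Sophos's own tooling: a short Python parser for log lines in the format quoted above, which pulls out each detection and splits a Mail attachment path into the mailbox, the message folder and the message number so the matching email can be found. The sample lines are constructed (user, host and UUID are placeholders), and the link between the folder under Attachments and the message number is an assumption about the Mail store layout.

```python
import re
from pathlib import PurePosixPath

PREFIX = "com.sophos.intercheck:"
THREAT_RE = re.compile(
    r"^com\.sophos\.intercheck: "
    r"(?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4}) "
    r"Threat: '(?P<threat>[^']+)' detected in (?P<path>/.+)$"
)

# Constructed sample in the format quoted above; user, host and UUID are placeholders.
SAMPLE_LOG = [
    "com.sophos.intercheck: 2013-06-13 11:40:56 +0100 Threat: 'Mal/DrodZp-A' "
    "detected in /Users/example/Library/Mail/V2/POP-user@mail.example.com/"
    "INBOX.mbox/EXAMPLE-UUID/Data/4/6/Attachments/64858/2/Recalculation details.zip",
    "com.sophos.intercheck: Access to the file denied",
    "com.sophos.intercheck:",
    "com.sophos.autoupdate: Updating catalogue information at 11:42:19 13 June 2013",
    "com.sophos.intercheck: 2013-06-13 12:05:00 +0100 Threat: 'Mal/DrodZp-A' "
    "detected in /Users/example/Downloads/constructed sample.zip",
]

def locate_in_mail(path):
    """Split a Mail attachment path into mailbox, message folder and message number."""
    # Assumption: the folder directly under Attachments/ names the owning message.
    info = {"mailbox": None, "message_id": None, "messages_dir": None}
    parts = PurePosixPath(path).parts
    i = parts.index("Attachments") if "Attachments" in parts else -1
    if "Mail" not in parts or i < 0 or i + 1 >= len(parts):
        return info  # detection outside the Mail store: nothing to match up
    info["message_id"] = parts[i + 1]
    info["messages_dir"] = str(PurePosixPath(*parts[:i], "Messages"))
    info["mailbox"] = next((p for p in parts if p.endswith(".mbox")), None)
    return info

def parse_detections(lines):
    """Return one dict per 'Threat:' line, with the follow-up line as its outcome."""
    found = []
    for raw in lines:
        line = raw.strip()
        m = THREAT_RE.match(line)
        if m:  # paths may contain spaces, so the path runs to the end of the line
            found.append({**m.groupdict(), "outcome": None, **locate_in_mail(m["path"])})
        elif line.startswith(PREFIX) and found and found[-1]["outcome"] is None:
            found[-1]["outcome"] = line[len(PREFIX):].strip() or None
    return found

if __name__ == "__main__":
    print(*parse_detections(SAMPLE_LOG), sep="\n")
```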

Re: Scam or Junk or Virus ??

John Nicholas
Hi Euan

Thanks for your further input.

Moments before I came back to the Wamug forum for a further read, I had just seen and read the very same post you mention by Diz. "Nothing to worry about / you're safe" are reassuring words to read within that helpful post.

Wife smiling again.
 