Thunderbird Freezes When Deleting or Moving Email

I recently updated to the latest Thunderbird (v11.0) and was disappointed to discover that suddenly whenever I was deleting an email or moving it into a different folder, the entire application would freeze for 1-2 seconds while it processed that command.

I am fastidious about email and spend probably more time than I should ensuring everything is filed into appropriate folders (or deleted if I’m never going to look at it again). When you’re getting hundreds of emails a day, deleting and moving needs to be an operation that consumes near zero time, otherwise you’re suddenly spending way more time “doing email” than you should be. As a result, these freezes were massively irritating and caused no end of problems.

I reinstalled Thunderbird, which seemed to fix it temporarily – but before I knew it, it was happening again. I tried rebuilding and compacting folders – all for naught. I tried searching the Thunderbird Bugzilla looking for similar reports, but I couldn’t see anyone else having the problem.

I put up with this for a while trying various things, but eventually gave up and fired up the incredibly handy FileMon utility from the SysInternals guys to see if anything obvious was happening on the disk side of things that would account for this freeze.

Immediate pay dirt; this chunk of output in FileMon shows the main part of what happened when I tried to move an email into a subfolder of the Inbox:

You can see there the operation started at 4:11:37pm and then the next activity was at 4:11:39pm – two seconds was roughly how long I was seeing Thunderbird freeze for.

Next step was looking at what MsMpEng.exe was – Microsoft Security Essentials. Turns out MSE was installed on my PC as part of a general system policy update at around the same time I upgraded to Thunderbird v11.0.

I tried changing the settings to see if that was indeed the cause – in MSE you just look for the Settings tab, select Real-time protection, and uncheck the ‘Turn on real-time protection’ box. Immediately Thunderbird started behaving normally with no more freezes.

Fortunately there’s an ‘Excluded processes’ option in Microsoft Security Essentials so you can add Thunderbird.exe to the list of processes to skip. This completely fixed the problem for me and now I’m back to moving and deleting emails fast as ever.

I Cannot Unsubscribe from the Ford Australia Email Newsletter!

I subscribed to the Ford Australia newsletter a while back as part of some competition; at the time I was also looking for a new car so I didn’t mind the occasional email about car-related things.

I decided to unsubscribe a few months ago, but I still kept getting the newsletters. At first I thought I only imagined unsubscribing, so I did it again – but to no avail. I went back and checked my email history, and sure enough I have confirmation that I have been unsubscribed, but I clearly keep getting emails:

Like most corporate newsletters, it irritatingly doesn’t give me any direct contact options – the reply address is do_not_reply@ford.com.au (which I tested and of course bounces). I clicked through to the Ford website and have filled out the contact form, so I shall wait and see if a human gets back to me to help me resolve this problem.

Having worked extensively on newsletter unsubscribing processes and systems on various BigPond properties for the last few years, I’m fairly tolerant of errors like this – as I know it is one of those things that sounds like it should be really easy, but it turns out to be surprisingly difficult to capture all cases. As long as there’s a reliable contact/support process though, it should never be a really big deal – as long as you can always get through to a human who can understand your problem and resolve it.

Update: The Ford guys got back to me within 24 hours to let me know they’d unsubscribed me manually. I will see if I get any more :)

Thunderbird v3.x ‘Add to Address Book’ Adds to Wrong Address Book

I’ve spent a bunch of time in the last few weeks trying to create a unified contact list encompassing Thunderbird, Gmail and my Android phone. I had a minor irritation in Thunderbird when clicking ‘Add to Address Book’ (or starring a contact in the message view) would create the new contact in the ‘Collected Addresses’ address book, instead of where I wanted (the ‘Personal Address Book’).

Turns out where new contacts are added is dependent on an options setting – Options, Composition tab, Addressing sub-tab – you’ll see the below:

Change the ‘automatically add outgoing e-mail addresses to my…’ field to be whichever address book you want new contacts to be saved in. Note that this takes preference regardless of whether or not the checkbox for that option is selected.

Targeted for Spamination

This morning at around 11am, I noticed an unusually high number of emails in my Gmail spam folder. I had a quick look and saw there was a lot of ‘Mail delivery failed: returning message to sender’ emails – not unusual, but in this case there were literally hundreds of them. As I was watching, the number increased. A bit over five hours later, I have over 21,000 bounces – so around 3,600 bounces per hour.

Turns out someone got a hold of my Gmail email address, and decided to make it (and my name) the ‘from’ field for a new spam campaign for their latest scam – http://tinyurl.com/moneyonline2010 (deliberately not linked). The email is as follows:

Good Morning,
Thought id share a link that helped me and my bank balance out!
Finally an easy way to make $1000 every day , without further hype check out the link below
http://tinyurl.com/moneyonline2010
To your success online
David

If you have received that email, please note that I am not sending it to you – someone is forging the ‘From’ header so it simply looks like it is coming from me.

Believe it or not, this is how the email system works – anyone can send an email claiming to be from anyone else, from any email address. Most email clients should let you do this – you can send as anyone, but obviously if someone hits ‘reply’ and sends something back, it will go to the person you’re pretending to be (if you used their actual email address, anyway).

Almost all of the bounces appear to be from a mail server that is rate limiting the send, as they all have the text: “Domain bristolz.co.uk has exceeded the max emails per hour (500) allowed. Message discarded.” So that’s at least some good news, in that it means ‘only’ 500 spams are making it out into the world with my name on it.

My first thought was that maybe my Gmail had been hacked and someone was actually sending these emails through my account, so I had a quick scan through to confirm this was not the case. I thought it was unlikely anyway as I assume Gmail have filters and limits in place to prevent people sending that many emails per hour.

– none of these messages were present in my sent mail, or IMAP sent mail
– ‘Last account activity’ indicated no-one other than me had logged into my account

I have contacted abuse@sky.com, which appears to be the ISP that owns the originating IP address (I will be amazed if I hear back), and I’ve also contacted tinyurl.com (as their terms specifically prohibit using their service for spam). In the meantime, sorry – but it ain’t me and it ain’t my fault!

MBF Newsletter Mail Merge Mistake

Either someone is doing an excellent job phishing for MBF member details, or they screwed up sending out their most recent email newsletter.

The newsletter’s subject is “Your chance to win 10K worth of prizes” and it contains the following text:

Hi William,

At MBF we want to help you get the most from your health insurance.

Register to receive our updates via email today and we can help to keep you healthy and happy.

To register click here, login to myMBF and make sure you complete your contact details and update your communications preferences to email. If you’re already registered, make sure you check your details in case anything has changed since you last visited.

Two things immediately jump out at me here:

  1. My name isn’t William. Something has gone wrong with their mail merge and it’s put someone else’s name on my email. Embarrassing, but not fatal.
  2. I have all my MBF communications set to ‘post’ – all email options (that I can find) are switched off.

To complicate things further, the links are all of the form: http://p1.eservicesesp.com/cts/click?q=randomcharactershere – no doubt this is a mailing service that they’re using to track newsletter click throughs, but to a casual observer, it looks like it might be a phishing attempt.

The net result of this email is that it looks like a phishing attempt. But it’s almost certainly just a screw-up on behalf of MBF and/or the marketing agency they’ve employed to handle their bulk emails.

To make things even more painful, there’s no easy way to report the problem to MBF listed in the email (a simple “if you believe you have received this message in error, click here” link would have done the trick), or on their website. Even logged in, you don’t get an option to provide feedback over the web or via email – you have to use the phone or write them something called “a letter”.

Sending newsletters to lots of people is hard. But it’s not that hard. We’ve done it at Mammoth every week for almost eight years, sending millions of emails to hundreds of thousands of subscribers, so if you need some advice on how to do it right, maybe you should ask us :)

Alltern8.com is hiring Writers & Bloggers – Spam?

I’ve been getting the following email to a few email addresses:

Hi Everyone,
Alltern8 (www.alltern8.com) is gathering together a group of dedicated experts in MMO Games, LARP & Ren Faires, Tabletop and Collectible Card Games, Tabletop Wargames, PC & Console Games, Comics/Graphic Novels, Cosplay/Memorabilia, and Indie Music & Film to hire a brand new blogging and writing network! This is your chance to make your voice heard about the games you love to play and the events you love to attend.

… and so on in that manner. The subject is ‘Alltern8.com is hiring Writers & Bloggers’.

On the surface it seems like a legitimate email that I might have (inadvertently) signed up for. But I’ve never been to their site before, or heard of it. I have almost every single website sign-up email I’ve ever been sent – since 1999 – and I don’t have one from their site.

I look in the footer of the email where the unsubscribe options are, and I see this:

Alltern8.com only emails to addresses collected via it’s own site or one of it’s associated partner sites, we take SPAM seriously so please unsubscribe by replying with the subject UNSUBSCRIBE and you will no longer receive mails from us. This is the quickest way to stop getting mail via our site.

So maybe it was an associated partner site I signed up to. Possible.

But then – something happened! I got the exact same email to a QGL mailing list, which has long been targeted by actual real spammers.

Now the most likely scenario has changed. I think they’re spammers. I’ve replied to their email (for reference, always a foolish thing to do, because it can simply just highlight the fact that your email address is still active and ripe to be spammed).

It’s an interesting issue. If I was less anally retentive about emails I get and where they come from, I would have just accepted this as something I signed up for and moved on. So much spam I get these days just has a similar footer, a we’re-so-innocent routine that is rapidly becoming tiresome – “oh, you must have signed up for something with us at SOME point, how ELSE would we have gotten your email.”

I’ll be making sure that we accurately track sign-up information so when users want to know why they got a newsletter, we can say “well, you can see right here that on the 15th of May 2009, you created an account and left the ‘subscribe to newsletter’ checkbox ticked!”

edit: Shortly after posting this, someone from alltern8.com replied – check the comments for their thoughts.

ANZ on the Security of Email

A while back, ANZ offered me the opportunity to receive some of my statements as ‘e-statements’. While I fully approve of the move away from paper, I must confess I was slightly disappointed to find out that they’d be emailing me notices about these e-statements – one of the big reasons I think Australia (or at least, ANZ) has done well in the fight against phishing is because they’ve simply not ever sent any emails out, ever. Contrast this to a US bank (Wells Fargo) – within days of signing up I’d received a huge variety of emails, making it easy to see why so many US citizens get scammed so easily.

I typically ignore these emails but as part of my ever-growing interest in how email works and how people use it, I checked out my most recent one, and was interested to see the following disclaimer in the email footer:

ANZ does not guarantee the integrity of this communication, or that it is free from errors, viruses or interference. As email is transmitted via the Internet, which is an unsecure environment, ANZ cannot ensure that an email is not interfered with during transmission.

Clearly they’ve never heard of public-key cryptography! Of course, even if they had, and the email was encrypted and/or digitally signed, that last sentence would probably still exist from a sheer cover-their-ass perspective.

Still, I’m looking forward to the day when my bank (and other sites) let me enter in my public key as part of my account settings so all correspondence from them can be encrypted. I’m continually surprised that so few sites do this. I’m keen to integrate something like this into AusGamers – not that we really need it, but just because I think it would be cool to do.

It should be noted though that their emails include /no/ links at all and are sent in plain text.

Chase Bank’s Email Security

For a few months I’ve been getting emails from Chase, which appears to be a financial establishment of some kind. These emails are addressed to a ‘Barbra Harrison’, who is not me. These are coming to my Gmail address – a fairly common occurrence, as many people mistakenly think they own my Gmail address.

People not knowing their email address – or simply mistyping it by accident – is a ridiculously common occurrence. In fact, I was working on how to mitigate it on AusGamers just before writing this. It seems a little scary though that people would screw up their actual email address in anything related to their bank or financial institutions.

But what’s worse is the emails don’t provide me with a clear way to notify the bank that they’re coming to the wrong place. I’ve tried replying to them a few times (despite the notice saying they won’t read them – sometimes they do). I’ve tried navigating their website, but it’s a maze and the only way I can seem to do it easily is to either log in with the account details of Barbra (which I might be able to retrieve as I am in control of the email address she submitted for her online account!), or call them.

I was a little amused when I got this email from them today:

[Image: chase-email-security]

I decided to spend a bit more time reading the email to see what my options are. I can unsubscribe from mailouts – which I don’t want to do, because my email address might still be attached to Barbra’s account, which is not great for anyone. I can report it as fraud, which I don’t want to do because it’s not really appropriate.

The FAQs have one useful question: “I don’t have an account with Chase, but I’m getting e-mail about my Chase account. How does that happen?” The answer to that, however, assumes that I’m the victim of a phishing attempt. I’m confident that is not the case here.

They have an email address for other inquiries – emailquestion at chase.com. I always feel like mailing addresses like this is a total waste of time, but I’ll give it a go – for Barbra.

Update: emailquestion@chase.com bounces:

The original message was received at Tue, 4 Aug 2009 20:44:45 -0400 (EDT)
from sg3.svr.us.jpmchase.net [155.180.248.7]

----- The following addresses had permanent fatal errors -----
<t000900@gti0s025.svr.bankone.net>
(reason: 550 5.2.0 /var/mail/t000900: irregular file)

They sure make it hard.

PayPal Changes Their Email Address

I recently got an email from PayPal (an actual one, not a phishing attempt) telling me that they’re changing their email address (subject: “Important Address Change Information from PayPal”).

I noticed this part:

How do I know if an email is really from PayPal?
PayPal emails only come from a ‘paypal.com.au’ or ‘paypal.com’ address. We will always address you by your first name AND last name.

It’s important to note that the first part of this answer is utterly useless from a security point of view. Anyone that knows anything about the Internet will tell you that it is completely trivial to send an email so it looks like it is coming from any email address. Email has no built-in security to stop this from happening.

It’s a little annoying that PayPal focus on that by putting it first, because it’s much, much less of a useful security measure than the second thing they propose – using your first AND your last name. Most email spam/phishing attempts simply attempt to guess your name by deriving it from your email address – for example, if your email address is david@example.com, then they’ll start their email with “Dear David”.

However, there’s (almost) no way to derive your last name in bulk mailing attempts like this – unless you already have that information, like PayPal would if you had an account with them. (I say ‘almost’ because there are fringe cases where spammers could guess your first and last name – for example, if your email address is formatted like david.harrison@example.com).

If you’re reading emails and wondering whether or not they’re from who they purport to be, bear in mind that looking at the actual email address is never a good way to do it. You’ll need to look for other clues.

Unless, of course, they’re using PGP or some other mechanism to digitally sign their emails. It boggles my mind that financial institutions aren’t offering this as a matter of course, even if only a handful of people would actually use it.
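One of the "other clues" available today is the verdict a receiving mail server records after checking SPF, DKIM (a domain-level digital signature) and DMARC. The Python sketch below is an added example, not something from the original post: it reads those verdicts from the Authentication-Results header, and only from the header stamped by your own receiving server. The server name mx.example.net and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages, not real mail. Both show the same From address.
GENUINE = """\
Authentication-Results: mx.example.net;
 dkim=pass header.d=paypal.com; spf=pass smtp.mailfrom=paypal.com;
 dmarc=pass header.from=paypal.com
From: PayPal <service@paypal.com>
Subject: Important Address Change Information from PayPal

Hello David Harrison,
"""

FORGED = """\
Authentication-Results: mx.example.net;
 dkim=none; spf=fail smtp.mailfrom=bulk.example.org;
 dmarc=fail header.from=paypal.com
Authentication-Results: forged.example.org; dmarc=pass header.from=paypal.com
From: PayPal <service@paypal.com>
Subject: Important Address Change Information from PayPal

Dear David,
"""

def from_domain(msg):
    """Domain of the address shown in the From header, lower-cased."""
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

def trusted_verdicts(msg, authserv_id):
    """method -> result, read only from headers stamped by our own server."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        server, _, results = value.partition(";")
        ident = server.split()
        if not ident or ident[0].lower() != authserv_id:
            continue  # the sender can write this header too; ignore foreign ones
        for method, result in re.findall(
                r"\b(spf|dkim|dmarc)\s*=\s*(\w+)", results, re.I):
            verdicts.setdefault(method.lower(), result.lower())
    return verdicts

def check_sender(raw, authserv_id="mx.example.net"):
    """Return (verified, from_domain, verdicts) for one raw message."""
    msg = message_from_string(raw)
    verdicts = trusted_verdicts(msg, authserv_id)
    return verdicts.get("dmarc") == "pass", from_domain(msg), verdicts

if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("forged", FORGED)):
        print(label, check_sender(raw))
```

The check is only as good as the receiving server: it must remove any inbound Authentication-Results header that already carries its own identifier, as RFC 8601 requires.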

Strip Attachments from Outlook Express Emails

I have been using Outlook Express for almost 10 years now. I have gigabytes of emails stored in it dating back that far.

Lots of the emails are from game publishers or various press sources and often include really ridiculously huge attachments. I often don’t need these attachments at all, so I’d like to be able to delete the attachments but keep the email just as a record.

Outlook Express, presumably through some sort of misguided security reason, doesn’t let you open an old email and just delete the attachment. What you can do is drag the email out to your desktop, where it will create a .eml file – basically a plain text version of the email with the attachments encoded. You can then just strip out the attachments manually (a relatively simple process) by opening them in a text editor and removing the relevant sections.

I got bored of doing this so wrote a quick PHP script to do it, using the PEAR mimeDecode package. It’s really rough and simple but basically consists of two parts:

1) a PHP script which parses the email, spits out the attachments, and spits out a re-written version of the email just in plain text.
2) a batch file which calls the PHP script, so you can just drag a .eml file onto the batch file and have it execute.

The PHP script is available here.

The batch file just looks like this – change it to suit your system:
c:\php\php.exe c:\utils\mailextract.php "%~1"
pause
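
The same two-part job (save the attachments, write back a plain-text copy of the email) is sketched below in Python's standard email package. This is an added example, not the PHP script from this post; the function names and the sample message are constructed for illustration. It also handles one thing worth getting right in any such script: the attachment filename is chosen by the sender, so it is reduced to a bare name before anything is written to disk.

```python
import os
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

def safe_name(name, index):
    """Reduce a sender-supplied filename to a harmless, unique local one."""
    base = re.split(r"[\\/]", name or "")[-1]            # drop any directory part
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base).lstrip(".")
    return f"{index:02d}_{base or 'attachment.bin'}"

def strip_attachments(raw, out_dir):
    """Save attachments to out_dir; return (plain-text .eml bytes, saved names)."""
    msg = message_from_bytes(raw, policy=policy.default)
    saved = []
    for index, part in enumerate(msg.iter_attachments(), start=1):
        name = safe_name(part.get_filename(), index)
        with open(os.path.join(out_dir, name), "wb") as fh:
            fh.write(part.get_payload(decode=True) or b"")
        saved.append(name)

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    if saved:
        text = text.rstrip() + "\n\n[Attachments removed: " + ", ".join(saved) + "]\n"

    slim = EmailMessage()                                 # re-written, text only
    for header in ("From", "To", "Cc", "Subject", "Date", "Message-ID"):
        if msg[header] is not None:
            slim[header] = str(msg[header])
    slim.set_content(text)
    return slim.as_bytes(), saved

# Constructed sample message, not real mail; the filename tries to leave out_dir.
SAMPLE = (
    b"From: Press Team <press@example.com>\r\n"
    b"To: me@example.com\r\n"
    b"Subject: Screenshots\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="XX"\r\n'
    b"\r\n"
    b"--XX\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"\r\n"
    b"New screenshots attached.\r\n"
    b"--XX\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b'Content-Disposition: attachment; filename="../../press kit.bin"\r\n'
    b"\r\n"
    b"aGVsbG8=\r\n"
    b"--XX--\r\n"
)
```
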