Avast WEBforum

Consumer Products => Avast Mac Security => Topic started by: email.dave2 on November 08, 2018, 03:49:36 AM

Title: strategy for dealing with repeated malware barrages by email?
Post by: email.dave2 on November 08, 2018, 03:49:36 AM
Thank you Avast for allowing me to scan & delete several types of malware following a ransomware attack that blocked login to my Mac.

As I now finish reassembling my sweet setup on the Mac, I'm coming under email barrages (a few dozen at a time) trying to re-deliver some of the same type of java trojans. Fortunately, Avast mail shield has been blocking the attacks so far, although Mail quits and needs to be restarted.

These emails spoof one of my contacts, but the actual sender address is of course different from my contact's address. The email is sent to "undisclosed-recipients".

Is there some obvious strategy for getting out from under this? Maybe some way to screen this stuff out up in the cloud before it gets to my Mac?

thanks,
Dave 
Title: Re: strategy for dealing with repeated malware barrages by email?
Post by: email.dave2 on November 08, 2018, 02:33:54 PM
Stepping back, here's a fundamental (ok, newbie) question:

If I receive an email containing a Java trojan, do I have to open the email to infect my Mac (vs simply have the email land in my inbox)? 

If the malware-containing email is inert until I open it, then simply treating it as spam and having it be automatically deleted should be sufficient, right?

On the other hand, is there malware that is infectious upon receipt—before it is opened—that would need to be blocked in the cloud before it hits one's computer?
Title: Re: strategy for dealing with repeated malware barrages by email?
Post by: ondrej.kolacek on November 08, 2018, 05:45:46 PM
Hello,

if the malware does not target the mail client itself (e.g. somehow exploits the mail/http parser in the client), it is safe to receive the infected email. I have no clue if there is malware in the wild that targets Apple Mail, hopefully not; I know Outlook used to be targeted a lot. I usually recommend users here to use a web client if possible; otherwise you will probably have to risk it and turn mail shield off for a moment. The main risk is that you will not be able to find all the mails that are infected. But there is still fileshield which checks executed and opened files, so the risk is not so bad. Please note that usually removing the threat from the mail does not lead to these redownloads, however it is being reported here quite a lot due to how annoying this is :(

Kind regards,
Ondrej Kolacek
Title: Re: strategy for dealing with repeated malware barrages by email?
Post by: email.dave2 on November 11, 2018, 03:34:25 AM
Ondrej,

Thanks for your reply, although I didn't understand all of it. I got another lesson today when I installed Outlook to check it out. A bit later, Avast intercepted what looked like another malware attack, just like the previous one!  Actually, I guess the fresh Outlook client simply populated itself from my iCloud Mail, pulling down the previous toxic email from the cloud one more time.

Finally I begin to understand (I think). Avast intercepts email at the user client level (Mail or Outlook or whatever) and deletes the message. The message still exists up in the cloud though, which allowed me to find it in a browser view of iCloud Mail, i.e., the web client, and, hmmm, yes, also on my phone which I suppose had previously pulled down a copy into the iOS Mail client.

So, after Web Shield intercepts a bad email in the user's email client, it seems like a good practice for the user to go to a web client and delete the toxic message from the cloud as well (and on one's phone too) correct?—to make sure the user doesn't step in it again.  Maybe that's what you were trying to tell me.

Last questions, and I'll go away:

Just double checking what you had written: Were you recommending using a webmail browser instead of a desktop client generally, or just for the task of finding the toxic email? And, is it less dangerous to open and inspect the toxic email on a web client? And on my iPhone? (because the Java malware is probably operative only on a desktop OS?) I wouldn't click on any attachment, but if it were not dangerous, I'd consider inspecting the text of the message and the header.

Thanks again for Avast.
Title: Re: strategy for dealing with repeated malware barrages by email?
Post by: ondrej.kolacek on November 12, 2018, 10:27:06 AM
Hello,

you have a correct impression of what is going on. Avast indeed intercepts the download of the email and cuts the infected part from it. It does not touch the mail server at all. Typically cutting the infection from the mail is not problematic; the client considers the mail as retrieved, you can see it in the mailbox, just the attachment that has been infected is not accessible. But from time to time it happens that the client considers the mail as somehow damaged, and retrieves it again, with the same result, etc.

To be honest, it is very hard to say what the proper way to delete such mails from the mail server is. You can either disable mail shield, wait until the infected mail is downloaded, and then delete it. Or you can use the web UI. In the latter case you will know for sure you have deleted the correct mail (as the popups stop), this is why I have recommended this. This does not mean that it is better to use the web UI in general.

Kind regards,
Ondrej Kolacek
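An added example, not from this thread and not Avast's own code, illustrating two points raised above: what a client-side mail shield does to a message (it cuts the infected MIME part out and leaves the rest intact, which is why the client still shows the mail with the attachment gone, while the copy on the server is untouched), and the header check Dave described in the first post (a From display name borrowed from a contact while the real mailbox and the Return-Path differ, sent to "undisclosed-recipients"). The message, the contact list and the list of blocked extensions are all constructed for the demo.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed sample message (not a real mail from the thread): the From
# header borrows a contact's display name, but the mailbox and the
# Return-Path belong to someone else, and the recipients are hidden.
RAW_MESSAGE = b"""Return-Path: <bounce@example-bulk.invalid>
From: "Alice Contact" <someone-else@example-bulk.invalid>
To: undisclosed-recipients:;
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please see the attached document.
--b1
Content-Type: application/java-archive; name="invoice.jar"
Content-Disposition: attachment; filename="invoice.jar"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

# Constructed address book: display name -> the address you actually know.
KNOWN_CONTACTS = {"Alice Contact": "alice@example.com"}

# Attachment extensions this demo treats as hazardous (a Java archive, as in
# the thread, plus a few other executable types).
BLOCKED_EXTENSIONS = (".jar", ".class", ".exe", ".scr", ".js")


def parse_message(raw: bytes) -> EmailMessage:
    """Parse raw RFC 5322 bytes with the modern email policy."""
    return email.message_from_bytes(raw, policy=policy.default)


def header_findings(msg: EmailMessage) -> list[str]:
    """Compare the visible From header against the envelope and address book."""
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    known = KNOWN_CONTACTS.get(name)
    if known and known.lower() != addr.lower():
        findings.append(f"display name '{name}' belongs to {known}, not {addr}")
    _, rp_addr = parseaddr(str(msg.get("Return-Path", "")))
    if rp_addr and rp_addr.lower() != addr.lower():
        findings.append(f"Return-Path {rp_addr} differs from From {addr}")
    if "undisclosed-recipients" in str(msg.get("To", "")).lower():
        findings.append("sent to undisclosed-recipients")
    return findings


def strip_attachments(msg: EmailMessage) -> tuple[EmailMessage, list[str]]:
    """Return a copy in which hazardous attachments are replaced by a text
    placeholder; the original object (the server's copy, so to speak) is
    left untouched, just like the shield leaves the mail server alone."""
    clean = parse_message(msg.as_bytes())  # work on an independent copy
    removed = []
    for part in clean.walk():
        fname = part.get_filename()
        if fname and fname.lower().endswith(BLOCKED_EXTENSIONS):
            removed.append(fname)
            # set_content() drops the old Content-* headers and payload and
            # turns the part into a plain-text placeholder.
            part.set_content(f"[attachment {fname} removed by mail shield]")
    return clean, removed


def summarize(raw: bytes) -> dict:
    """Inspect headers, sanitize attachments, and report what is left."""
    msg = parse_message(raw)
    clean, removed = strip_attachments(msg)
    body = clean.get_body(preferencelist=("plain",)).get_content().strip()
    return {
        "findings": header_findings(msg),
        "removed": removed,
        "body": body,
        "remaining_attachments": [p.get_filename() for p in clean.walk()
                                  if p.get_filename()],
    }


if __name__ == "__main__":
    for key, value in summarize(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```

The sanitized copy still parses and still shows the text body, which matches the behaviour Ondrej describes: the client sees a complete message, only the infected attachment is gone. Because `strip_attachments` never modifies the original, the unsanitized message is still there to be downloaded again, which is exactly why deleting it through the web UI is the reliable fix.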

Title: Re: strategy for dealing with repeated malware barrages by email?
Post by: email.dave2 on November 12, 2018, 09:16:19 PM
Thanks again for the comments, clarification and confirmation. Much appreciated.

Just FYI: Here's one non-idiotic situation in which a user can once again pull down the toxic email from the server, and which I think justifies cleaning out the toxic email in a webmail browser as you suggest:

When a user someday moves her/his home folder to an external drive (or sets up a new Mac), and then repopulates the freshly installed mail client, the user will get the Avast warning that it intercepted the old toxic emails again.

Because I just did that (and would probably do it again sometime in the future when I've forgotten about this), I'm going to fire up iCloud and just delete the toxic emails.

--- done ! ----
Title: Re: strategy for dealing with repeated malware barrages by email?
Post by: bob3160 on November 12, 2018, 09:31:09 PM
I personally haven't used the email offered via my ISP for years.
Nothing but headaches and lots of SPAM in addition to many unsafe emails not being auto directed to the spam folder.
I've been perfectly happy with gmail. Haven't seen spam emails unless I manually take a look at the spam folder.
Title: Re: strategy for dealing with repeated malware barrages by email?
Post by: .: Mac :. on November 13, 2018, 02:03:58 AM
Dave,

If it's iCloud Mail, that is IMAP by default, so you would be syncing the mail from the server back down on every device you add the account to. As stated, webmail is your friend here. Also this shows Apple has very poor or no malware scanning in iCloud Mail  :o

Cheers,
Mac