Two phishing¹ attempts made it through the work spam filter earlier this month, and they show the creativity of bad guys as they try to get access to your machine. The attempts at social engineering were interesting enough I thought I’d describe them here. We’re getting pretty close the line where we can’t tell a legitimate e-mail from ones with nasty side effects.

The Fake Bounced Message

Screenshot of a fake bounced e-mail message.

Received: from cyber.net.pk (124.72.91.188) by mail.lyrasis.org (10.10.10.2) with Microsoft SMTP Server id 8.1.436.0; Sun, 16 Oct 2011 06:48:44 -0400

The payload is in the ‘document.zip’ file. I downloaded it without opening it, and uploaded it to the Microsoft Malware Protection Center. It told me that it was a version of Mydoom — an old e-mail worm that installs a backdoor on your computer. Mydoom is listed on Wikipedia as dating from early 2004, so maybe this isn’t all new — but this is the first one I’ve seen leak through the e-mail firewall in quite some time.

Fake Scanner-to-Email Message

Screenshot of a fake e-mail message from a networked scanner.

In short — be careful out there everyone, and if you see something suspicious or unexpected, ask someone about it. (Oh, and keep your anti-virus and internet security software updated!)

Footnotes

1. I think these would be classified as spear phishing as defined by Webopedia: “A type of phishing attack that focuses on a single user or department within an organization, addressed from someone within the company in a position of trust and requesting information such as login IDs and passwords. Spear phishing scams will often appear to be from a company’s own human resources or technical support divisions and may ask employees to update their username and passwords. Once hackers get this data they can gain entry into secured networks. Another type of spear phishing attack will ask users to click on a link, which deploys spyware that can thieve data.”

Most e-mail messages I send are digitally signed using a process called “Pretty Good Privacy“, or PGP. In e-mail applications that don’t understand PGP, this digital signature will show up either as an attachment called “PGP.sig” or as a part of the message starting with “BEGIN PGP SIGNATURE” at the bottom of the e-mail. This file — containing gibberish to the human eye — is used by PGP-aware programs to verify that the message actually came from me. If you are using PGP, I could also sent you a message that only you could read (e.g. “encrypted”). This page gives some background on PGP and why I consider it important.

Background on PGP

My messages are signed with my private key, which is protected by a long and secure password. At any point now or in the future, you could take my message with the PGP.sig file, run it through a PGP program (such as the free GnuPG suite of tools) along with my published public key (see below) and verify that I am the person that sent the message. Normal e-mail doesn’t give you that kind of assurance; the scourge of spam and phishing¹ is a demonstration of the problem that you can’t trust that any average e-mail comes from your relatives or from your bank. By contrast, a verified digitally signed message can give you strong evidence that the message actually came from me.

The Web of Trust

I can also publish the fact that I verified the ownership of someone’s public key. In doing so, I’m telling the world that I have matched a human with a public key and that you can trust it, too. If you believe my verification of that person’s public key, then you too can trust messages signed and encrypted by that key as well. And even if you don’t trust me completely, you might see that three other people have verified the owner of the public key and the combination of the four of us would be enough to convince you of the ownership of that public key — even if you have never met the person. That is the web of trust, and it is popular in software development circles to trust the people submitting patches to code. (For example, the Debian keyring.)

This mechanism for creating trust between individuals is a bottom-up, grass-roots scheme. It relies on one-on-one interactions to extend trust to other individuals. Contrast this with a top-down scheme like SSL that encrypts connections in our web browser². SSL, as commonly implemented, requires a central Certificate Authority to issue a key that is trusted by our web browsers. Our browsers trace the authenticity of the server key to the Certificate Authority key to validate the identify of the web server.

By analogy, another top-down scheme are driver’s licenses. They are issued by a central authority (a state), and as long as you trust the process by which the state issues licenses, you can trust the identity of the person holding the license. A bottom-up analogy might be our human capability of recognizing faces. If I see someone in our office meeting with people that I know work for my organization, I have some confidence that person works for my organization as well.

The web-of-trust gets stronger when more people verify each others public keys. So, needless to say, I’m always looking for people to sign my keys (verify my identity) and am willing to sign the keys of others. Side note: Going to ALA Midwinter in Boston? In addition to exchanging our own signatures, there are a number of people in Boston who are open to key signing exchanges as well. Perhaps a number of us could make an event out of running around the city together…

This Sounds Good. Why Isn’t It Used More?

I don’t know if it will get to a usable form, but I hope so. By using public key signatures on almost all of my messages and by posting this message, I’m hoping to generate awareness and understanding of public key cryptography in general and the PGP technique in particular. At least a little part of my corner of the universe will be aware of it, and given the bottom-up, grass-roots nature of the PGP web-of-trust, perhaps that is a good enough start. If you have questions about PGP and/or run into stumbling blocks try to use it, get in touch with me and I’ll help the best I am able.

My Keys

Peter Murray — Professional

Key ID: 2048D/877838CF

Fingerprint: B021 8300 6844 E459 A18E 83CF 4C7A 6A28 8778 38CF)

Created: 2-Jan-2010; Expires: 5-Feb-2015

Public key as known by keyserver pgp.mit.edu (ASCII-armored version)

Peter Murray — Personal

Key ID: 2048D/4637F6A1

Fingerprint: 5781 5786 7D66 D33B 0F54 D9DE 5820 0CEE 4637 F6A1)

Created: 2-Jan-2010; Expires: 5-Feb-2015

Public key as known by keyserver pgp.mit.edu (ASCII-armored version)

In another DLTJ post, I listed details on how these keys were created.

More Information

The text was modified to update a link from http://dltj.org/article/new-pgp-keys/ to http://dltj.org/article/new-pgp-key/ on December 31st, 2010.

Footnotes

1. “Phishing” is a term used to describe techniques used by scammers to try to convince you to give up passwords or other personal information.
2. SSL is an earlier form of the standard now called Transport Layer Security, or TLS.

It is the start of a new year¹, and it seems like a good time to update my public encryption key. My previous one — created in 2004 — is both a little weaker, cryptographically speaking, than the ones newly created (1024-bit versus 2048-bit) and also an uncomfortable mixing of my professional and personal lives. For my previous key, I attached all of my professional and personal user ids (e.g. e-mail addresses) to the same key. This time I decided to split my work-related user ids from my other ones. My reasoning for the split is that I might be compelled by my employer to turn over my private key to decrypt messages and files sent in the course of my work. If my personal user ids are also attached to that private key, my employer (and who ever else got ahold of that key), would be able to decrypt my personal messages and files as well. That is not necessarily a good thing. So my solution was to create two keys and cross-sign them. I’ve outlined the process below.

These keys are part of a computer standard and software algorithm called “Pretty Good Privacy“, or PGP. If you are interested in more of a background about PGP, see a companion post on why I digitally sign my e-mail.

The Two New Keys

Peter Murray — Professional

Key ID: 2048D/877838CF

Fingerprint: B021 8300 6844 E459 A18E 83CF 4C7A 6A28 8778 38CF)

Created: 2-Jan-2010; Expires: 5-Feb-2015

Public keys as known by keyserver pgp.mit.edu (ASCII-armored version)

Peter Murray — Personal

Key ID: 2048D/4637F6A1

Fingerprint: 5781 5786 7D66 D33B 0F54 D9DE 5820 0CEE 4637 F6A1)

Created: 2-Jan-2010; Expires: 5-Feb-2015

Public key as known by keyserver pgp.mit.edu (ASCII-armored version)

The key id is a short identifier for the PGP key, and it is broken up into two parts separated by a slash. The first part — “2048D” — says that this is a 2048-bit DSA signing key. The second part — “877838CF” — is the last eight hexadecimal digits of the key fingerprint. Taken together, these two pieces of the key id almost assuredly identify the key. It is a short form, though — the full identifier is the key fingerprint: 40 hexadecimal digits. Embedded in the key are creation and expiration dates. The expiration date can be changed later, and can be eliminated, too (e.g. set to not expire). There doesn’t seem to be much in the way of guidance on how long to set the expiration date, but five years out seems to be a good round number.

Key Creation / Cross-signing Process

Generating the New Key

$ gpg –gen-key
gpg (GnuPG) 2.0.13; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 2
DSA keys may be between 1024 and 3072 bits long.
What keysize do you want? (2048) 2048
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 62m
Key expires at Thu Feb  5 13:42:53 2015 EST
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: Peter E. Murray
Email address: peter@OhioLINK.edu
Comment: Professional — supercedes 0x27cf2072
You selected this USER-ID:
    ”Peter E. Murray (Professional — supercedes 0x27cf2072) <peter@OhioLINK.edu>”

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: WARNING: some OpenPGP programs can’t handle a DSA key with this digest size
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key 877838CF marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   2  signed:  10  trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: depth: 1  valid:  10  signed:   2  trust: 0-, 1q, 0n, 4m, 5f, 0u
gpg: depth: 2  valid:   1  signed:   0  trust: 0-, 1q, 0n, 0m, 0f, 0u
gpg: next trustdb check due at 2011-03-13
pub   2048D/877838CF 2010-01-02 [expires: 2015-02-05]
      Key fingerprint = B021 8300 6844 E459 A18E  83CF 4C7A 6A28 8778 38CF
uid                  Peter E. Murray (Professional — supercedes 0x27cf2072) <peter@OhioLINK.edu>
sub   2048g/96854A46 2010-01-02 [expires: 2015-02-05]

Add Other Elements to the New Key

$ gpg –edit-key 877838cf
gpg (GnuPG) 2.0.13; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  2048D/877838CF  created: 2010-01-02  expires: 2015-02-05  usage: SC  
                     trust: ultimate      validity: ultimate
sub  2048g/96854A46  created: 2010-01-02  expires: 2015-02-05  usage: E   
[ultimate] (1). Peter E. Murray (Professional — supercedes 0x27cf2072) <peter@OhioLINK.edu>

Command> adduid
Real name: Peter E. Murray
Email address: peter.murray@wright.edu
Comment:
You selected this USER-ID:
    ”Peter E. Murray <peter.murray@wright.edu>”

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o

pub  2048D/877838CF  created: 2010-01-02  expires: 2015-02-05  usage: SC  
                     trust: ultimate      validity: ultimate
sub  2048g/96854A46  created: 2010-01-02  expires: 2015-02-05  usage: E   
[ultimate] (1)  Peter E. Murray (Professional — supercedes 0x27cf2072) <peter@OhioLINK.edu>
[ unknown] (2). Peter E. Murray <peter.murray@wright.edu>

Command> addphoto

Pick an image to use for your photo ID.  The image must be a JPEG file.
Remember that the image is stored within your public key.  If you use a
very large picture, your key will become very large as well!
Keeping the image close to 240×288 is a good size to use.

Enter JPEG filename for photo ID: ~/pmurray.jpg
Is this photo correct (y/N/q)? y

pub  2048D/877838CF  created: 2010-01-02  expires: 2015-02-05  usage: SC  
                     trust: ultimate      validity: ultimate
sub  2048g/96854A46  created: 2010-01-02  expires: 2015-02-05  usage: E   
[ultimate] (1)  Peter E. Murray (Professional — supercedes 0x27cf2072) <peter@OhioLINK.edu>
[ unknown] (2). Peter E. Murray <peter.murray@wright.edu>
[ unknown] (3)  [jpeg image of size 4916]

Command> 1

pub  2048D/877838CF  created: 2010-01-02  expires: 2015-02-05  usage: SC  
                     trust: ultimate      validity: ultimate
sub  2048g/96854A46  created: 2010-01-02  expires: 2015-02-05  usage: E   
[ultimate] (1)* Peter E. Murray (Professional — supercedes 0x27cf2072) <peter@OhioLINK.edu>
[ unknown] (2). Peter E. Murray <peter.murray@wright.edu>
[ unknown] (3)  [jpeg image of size 4916]

Command> primary

pub  2048D/877838CF  created: 2010-01-02  expires: 2015-02-05  usage: SC  
                     trust: ultimate      validity: ultimate
sub  2048g/96854A46  created: 2010-01-02  expires: 2015-02-05  usage: E   
[ultimate] (1)* Peter E. Murray (Professional — supercedes 0x27cf2072) <peter@OhioLINK.edu>
[ unknown] (2)  Peter E. Murray <peter.murray@wright.edu>
[ unknown] (3)  [jpeg image of size 4916]

Command> save

Generate a Revocation Certificate

$ gpg –output 0x877838cf-revoke.asc –gen-revoke 0x877838cf

sec  2048D/877838CF 2010-01-02 Peter E. Murray (Professional — supercedes 0x27cf2072) <peter@OhioLINK.edu>

Create a revocation certificate for this key? (y/N) yes
Please select the reason for the revocation:
  0 = No reason specified
  1 = Key has been compromised
  2 = Key is superseded
  3 = Key is no longer used
  Q = Cancel
(Probably you want to select 1 here)
Your decision? 1
Enter an optional description; end it with an empty line:
> Revocation cert created at the time of key generation.
>
Reason for revocation: Key has been compromised
Revocation cert created at the time of key generation.
Is this okay? (y/N) y

You need a passphrase to unlock the secret key for
user: “Peter E. Murray (Professional — supercedes 0x27cf2072) <peter@OhioLINK.edu>”
2048-bit DSA key, ID 877838CF, created 2010-01-02

ASCII armored output forced.
Revocation certificate created.

Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
It is smart to print this certificate and store it away, just in case
your media become unreadable.  But have some caution:  The print system of
your machine might store the data and make it available to others!

Cross-signing Keys

The command is “tnrsign”, which stands for a trusted, no-revokable signature. The “trusted” part is a little technical, but it basically means that the signed key can trust the signatures of the signing key. In a practical sense, it means that in my local web-of-trust database, I will continue to trust the keys of people I’ve signed with my old key. (The GnuPG-Users list has a more in-depth discussion of the meaning of trusted signatures.) The “non-revokable” part means, of course, that this signature — this “validation” if you will — cannot be reversed at a later time. In this context, that makes since because I control both ends — the signed key and the signing key.

$ gpg –local-user 0x27cf2072 –edit-key 877838cf tnrsign
gpg (GnuPG) 2.0.13; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   3  signed:  10  trust: 0-, 0q, 0n, 0m, 0f, 3u
gpg: depth: 1  valid:  10  signed:   2  trust: 0-, 1q, 0n, 4m, 5f, 0u
gpg: depth: 2  valid:   1  signed:   0  trust: 0-, 1q, 0n, 0m, 0f, 0u
gpg: next trustdb check due at 2011-03-13
pub  2048D/877838CF  created: 2010-01-02  expires: 2015-02-05  usage: SC  
                     trust: ultimate      validity: ultimate
sub  2048g/96854A46  created: 2010-01-02  expires: 2015-02-05  usage: E   
[ultimate] (1). Peter E. Murray (Professional — supercedes 0x27cf2072) <peter@OhioLINK.edu>
[ultimate] (2)  Peter E. Murray <peter.murray@wright.edu>
[ultimate] (3)  [jpeg image of size 4916]

Really sign all user IDs? (y/N) yes

pub  2048D/877838CF  created: 2010-01-02  expires: 2015-02-05  usage: SC  
                     trust: ultimate      validity: ultimate
Primary key fingerprint: B021 8300 6844 E459 A18E  83CF 4C7A 6A28 8778 38CF

     Peter E. Murray (Professional — supercedes 0x27cf2072) <peter@OhioLINK.edu>
     Peter E. Murray <peter.murray@wright.edu>
     [jpeg image of size 4916]

This key is due to expire on 2015-02-05.
Please decide how far you trust this user to correctly verify other users’ keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I trust marginally
  2 = I trust fully

Your selection? 2

Please enter the depth of this trust signature.
A depth greater than 1 allows the key you are signing to make
trust signatures on your behalf.

Your selection? 2

Please enter a domain to restrict this signature, or enter for none.

Your selection?

Are you sure that you want to sign this key with your
key “Peter E. Murray <peter@pandc.org>” (27CF2072)

The signature will be marked as non-revocable.

Really sign? (y/N) y

You need a passphrase to unlock the secret key for
user: “Peter E. Murray <peter@pandc.org>”
1024-bit DSA key, ID 27CF2072, created 2004-09-15

Command> save

This command is repeated for the other five combinations of old-new and new-new keys.

Create ASCII-Armored Exports of the New Public Keys

$ gpg –armor –output 877838cf.asc –export 877838cf

Footnotes

1. Some have even said it is the start of a new decade, but of course that isn’t true. We won’t start a new decade until 2011, just like we didn’t actually start a new millennium until 2001.

Dealing with SPAM e-mail is a real hassle. Dealing with SPAM e-mail as a mailing list owner is an even bigger hassle. Here are some tips for dealing with SPAM e-mail on mailing lists using the Mailman software package.

The Symptoms

Hold Nonmember setting in Mailing list administration, Privacy Options, Sender filters

This will hold all of the messages sent by non-members — all of those spamy e-mail addresses — to a queue on the Mailman server. You’ll receive a notification that a message is being held for you:

As list administrator, your authorization is requested for the following mailing list posting:
 
  List:    mailingListName@mailingListHost
  From:    spam-email-address
  Subject: :)
  Reason:  Post by non-member to a members-only list
 
At your convenience, visit:
 
  http://mailingListHost/mailman/admindb/mailingListName
 
to approve or deny the request.


You’ll also get a message once a day telling you that these messages are being held and insisting that you do something about it.

The mailingListName@mailingListHost mailing list has 3 request(s) waiting for your consideration at:
 
  http://mailingListHost/mailman/admindb/mailingListName
 
Please attend to this at your earliest convenience.  This notice of pending requests, if any, will be sent out daily.


A Solution

Discard Messages setting in Mailing list options, General options

I use “4″ in that field: two days to cover weekends plus a two day grace period. For a message that is errantly caught in the queue (because it was too large, was sent by a subscriber who’s email address changed, or other reason), I now have four days to release it. If I do nothing, the message disappears from the hold queue after that time, and I get this final e-mail message:

From:    mailingListName-bounces@mailingListHost
Subject: mailingListName moderator request check result
Date:    July 16, 2008 8:00:08 AM EDT
To:      mailingListName-owner@mailingListHost
 
Notice: 1 old request(s) automatically expired.


Customize these instructions

Note that this JavaScript probably doesn’t work in feed readers, but you can make it work by viewing this post on the DLTJ site.

The text was modified to update a link from http://dltj.org/article/mailman-spam-howtomailman-spam-howto/ to http://dltj.org/article/mailman-spam-howto/ on December 30th, 2010.

I’ve been a fan of Getting Things Done as a technique for managing projects, but it was only recently that I settled on OmniFocus as the “trusted system” collecting all of my next actions. One of the things I like about OmniFocus — as a rich, Mac-only application — is its ability to hold links to messages from Mail.app as notes for each action. This occurs, for instance, when you use the “Clippings” function of OmniFocus to create a new action based on the message that you are currently viewing in Mail.app. (There are other ways to do it, such as the method described by Adam Sneller.)

One of the things I find myself doing is creating actions in a “Waiting” context based on e-mail messages I’ve just sent. Initially, I’d just create the action via the OmniFocus Quick Entry window. But I found myself needing to refer back to the message I sent when the person I’m waiting on doesn’t come through. So I started clicking and dragging the message from the Sent mailbox to the action. But to do that I’d have to click into the Sent mailbox and have the Mail.app and the OmniFocus windows set up just right. Or I’d have to follow a select-sent-mailbox, select-message, OmniFocus-quick-entry-with-clipping, select-Inbox, select-next-message workflow. And that took time and effort. So I’ve created an AppleScript ditty that does the work of creating a hyperlink on the clipboard of the last sent message. The results can then be pasted into any RTF-aware application, including OmniFocus.

The script is based heavily on Speedy creation of rich text links to Mail messages by Brett Terpstra. In particular, he had the missing link about creating RTF hyperlinks on the clipboard using a bash shell script. The meat of the AppleScript is:

tell application "Mail"
 
	-- Ask the user which account to use
	set _accts to get accounts
	set _enabledAccounts to {}
	repeat with eachAccount in _accts
		-- Only offer the enabled accounts for the user to choose
		if enabled of eachAccount then
			set the end of _enabledAccounts to name of eachAccount as string
		end if
	end repeat
	set _selectedAccount to (choose from list _enabledAccounts with title "Select Account" with prompt "Select the account from which to copy a link of the last sent message..." default items (item 1 of _enabledAccounts))
 
	-- Quit script if the user selected "cancel"
	if _selectedAccount is false then
		return
	end if
	set _selectedAccountName to _selectedAccount as string
 
	-- Get the "last" message of the Sent mailbox of the selected account
	set _msg to first message of mailbox "Sent" of account _selectedAccountName
 
	-- Get various properties of the message
	set _date to _msg's date sent
 
	try
		set _recipient to name of first recipient of _msg
		set _test to _recipient
	on error
		-- if the Recipient's name property was blank, use the e-mail address instead
		set _recipient to address of first recipient of _msg
	end try
 
	set _sub to _msg's subject
	if _sub starts with "Re:" then
		-- Remove the "Re:" prefix from messages
		set _sub to text 5 through (length of _sub) of _sub
	end if
 
	set _msgid to _msg's message id
 
	-- Create the URL to the message
	set _msglnk to "message://%3C" & my urlencode(_msgid) & "%3E"
 
	-- Create the anchor text for the link
	set _anchorText to "Message sent " & _date & " to " & _recipient & " regarding '" & _sub & "'"
 
	-- Execute the external script to generate the RTF hyperlink on the clipboard
	do shell script "/bin/bash -c \"" & _script & " \\\"" & _anchorText & "\\\" \\\"" & _msglnk & "\\\"\""
end tell

It first prompts the user for which account to use based on the list of active accounts. Then it gets the last message in the Sent mailbox of that account, gets various metadata properties, and sends the results to the bash shell script. The shell script comes from Brett; it creates the RTF snippet and pipes it into ‘pbcopy‘ to put it on the clipboard:

#!/bin/bash
# Places a rich text link on the clipboard
# usage: rtflink.sh "Title of link" "URL to link to"
#
# This will paste *nothing* into applications that don't recognize rich text
 
echo "{\rtf1\ansi\ansicpg1252\cocoartf949\cocoasubrtf270
{\fonttbl\f0\fswiss\fcharset0 Helvetica;}
{\colortbl;\red255\green255\blue255;}
\margl1440\margr1440\vieww9000\viewh8400\viewkind0
\pard\tx720\tx1440\tx2160\tx2880\tx3600\tx4320\tx5040\tx5760\tx6480\tx7200\tx7920\tx8640\ql\qnatural\pardirnatural
{\field{\*\fldinst{HYPERLINK \"$2\"}}{\fldrslt 
\f0\fs24 \cf0 $1}}}" | pbcopy -Prefer rtf

The end result is a hyperlink with an anchor that looks something like:

    Message sent Thursday, May 15, 2008 8:36:33 AM to Jane Partner regarding 'Can you pick up milk?'

…waiting on the clipboard to be pasted into an action note. With that bound to a keyboard trigger via QuickSilver, copying a link to a message is now a simple matter of keystrokes.

If you are interested, you can download the “Copy last sent message as RTF link” AppleScript bundle and try it yourself. Let me know what you think.

Update 20080516T1219 : I had to modify the part of the code that gets the recipient name or (for recipients without name parts) the e-mail address. The downloaded version has been updated.

Update 20110405T1946 : The script has been improved! See this thread on the Omni Group forums for the update. Thanks to whpalmer4 for the modifications.

The text was modified to remove a link to http://docs.blacktree.com/quicksilver/triggers on January 28th, 2011.

I’ve been collecting disclaimers that appear on the bottom of e-mail messages in a draft post on DLTJ for about a year now — every time I’d get a new one with a different twist, I’d save it anticipating the day would come that there would be enough humor here to share with the rest of you. That day has come. There wasn’t one that disclaimer that finally pushed the publication of this post over the edge; just the accumulation of examples. Identifying information has been removed, but the humor was left intact. If you recognize your institution/company in these examples, please laugh along with me. If you are the lawyer or pseudo-lawyer that drafted these, please do us all a favor and find something else to work on. Like drafting disclaimers for toothpicks and such.

An Institution By Any Other Name is Just a Number

YOU MUST READ THIS NOTICE [And you must do so while suppressing any giggling about it.]
This email has been sent by institution (institution's random numeric identifier). This email (and any attachment) is confidential and is intended for the use of the addressee(s) only. If you are not the intended recipient of this email you must not copy, distribute, take any action in reliance on it or disclose it to anyone. Any confidentiality is not waived or lost by reason of mistaken delivery to you. The views expressed in this email are not necessarily those of institution. It is very important that before opening any attachments to this email you check them for viruses and defects. institution does not accept liability for any corruption or viruses or any consequence which arise as a result of this email transmission. Email communications with institution may be subject to automated email filtering, which could result in the delay or deletion of a legitimate email before it is read by its intended recipient at institution. Please tell us if you have concerns about this automatic filtering. The Commonwealth Register of Institutions and Courses for Overseas Students (CRICOS) Provider Number is another numeric identifier (institution branch), yet another random numeric identifier (institution branch), and a final numeric identifier (institution branch) for institution.

I don’t have concerns about the automatic filtering, just the automatic insertion of needless disclaimers. Which brings us to…

Disclaimers as a Form of Spam?

CONFIDENTIALITY NOTICE AND DISCLAIMER

Information in this transmission is intended only for the person(s) to whom it is addressed and may contain privileged and/or confidential information. If you are not the intended recipient, any disclosure, copying or dissemination of the information is unauthorised and you should delete/destroy all copies and notify the sender. No liability is accepted for any unauthorised use of the information contained in this transmission.

This disclaimer has been automatically added.

So the disclaimer was automatically added. Thank goodness for that, because I can’t imagine having to copy and paste needless disclaimers into every e-mail that I sent. But does the fact that it was automatically sent to me make it a form of spam? Hmmm — maybe there is a market for software that automatically removes disclaimers from e-mail messages.

Speaking of Spam

The information in this email is confidential, and intended solely for the Addressee. If you have erroneously received this message, please delete it immediately and notify the sender. Any copying or further distribution beyond the original addressee is not intended, and may be unlawful.

This one arrived in a spam message sent to me. I decided to risk breaking the law by posting this portion of the message in a public forum.

Have Your Agents Talk To My Agents

DISCLAIMER: This e-mail is confidential and should not be used by anyone who is not the original intended recipient. If you have received this e-mail in error please inform the sender and delete it from your mailbox or any other storage mechanism. Neither company nor any of its agents accept liability for any statements made which are clearly the sender's own and not expressly made on behalf of company or one of its agents. Please note that neither company nor any of its agents accept any responsibility for viruses that may be contained in this e-mail or its attachments and it is your responsibility to scan the e-mail and attachments (if any). No contracts may be concluded on behalf of company or its agents by means of e-mail communication. Company in England and Wales with registered number company's random number Registered Office company's address.

I wish I had agents who would act on my behalf that would read through this gobblety-gook so I wouldn’t have to read through the message and decide if I may or may not be entering into some sort of contract by reading the message.

You are hereby informally notified that I could care less about your disclaimer

This communication is for use by the intended recipient and contains information that may be Privileged, confidential or copyrighted under applicable law. If you are not the intended recipient, you are hereby formally notified that any use, copying or distribution of this e-mail, in whole or in part, is strictly prohibited. Please notify the sender by return e-mail and delete this e-mail from your system. Unless explicitly and conspicuously designated as "E-Contract Intended", this e-mail does not constitute a contract offer, a contract amendment, or an acceptance of a contract offer. This e-mail does not constitute a consent to the use of sender's contact information for direct marketing purposes or for transfers of data to third parties.

Can I imply the inverse of the sentence that begins, “If you are not the intended recipient…”? That is to say, if I am the intended recipient, that I can use, copy and distribute the e-mail in any way that I see fit?

Caveats: Humorless

Classification: UNCLASSIFIED
Caveats: NONE

Damn — and I was hoping to find out the secret plans for invading Canada. By the way, is it conceivable that there could ever be a russia.army.mil and china.army.mil along side us.army.mil?

From the My-Disclaimer-Is-Three-Times-Longer-Than-My-Message Category…

DISCLAIMER and CONFIDENTIALITY CAUTION:

This e-mail and any attached files are confidential, proprietary, and may also be legally privileged information, and are intended solely for the use of the individual or entity to whom they are addressed. If you are not the intended recipient of this e-mail, please send it back to the person who sent it to you and delete the e-mail and any attached files and destroy any copies of it; you may call us immediately at company's phone number or email us at company e-mail address.

Company and/or any of its sister companies owns no responsibility for the views presented in the e-mail and any attached files unless the sender mentions so, with due authority of company.

Unauthorized reading, reproduction, publication, use, dissemination, forwarding, printing or copying of this e-mail and its attachments is prohibited.

We have checked this message for any known viruses; however we decline any liability, in case of any damage caused by a non-detected virus.

For more details about our company, visit company website.

This one came in a message posted to a mailing list that contained exactly five lines of real content — line 1: greeting, line 2: blank, line 3: a quick question, line 4: blank, line 5: author’s name. Talk about a bad signal to noise ratio!

No Bogosity¹ Here!

READ CAREFULLY. By reading this email, you agree, on behalf of your employer, to release me from all obligations and waivers arising from any and all NON-NEGOTIATED agreements, licenses, terms-of-service, shrinkwrap, clickwrap, browsewrap, confidentiality, non-disclosure, non-compete and acceptable use policies ("BOGUS AGREEMENTS") that I have entered into with your employer, its partners, licensors, agents and assigns, in perpetuity, without prejudice to my ongoing rights and privileges. You further represent that you have the authority to release me from any BOGUS AGREEMENTS on behalf of your employer.

It is good to know that there are companies out there that are trying to stamp out needless b*llsh*t². But let me see if I got this straight — by reading your message, I agree to release you from Bogus Agreements because I am able to do so. But what if I don’t have that authority? Should I not read your message? Perhaps you should have told me that before I read it…

There are No Guarantees on the Internet

Disclaimer: This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the company. The integrity and security of this message cannot be guaranteed on the Internet.

There are, of course, ways to guarantee the integrity and security of messages on the internet. PGP-signed e-mail is one such way.

Let the Lawyers Have the Last Say

******************* Disclaimer *******************

This e-mail, together with any attachments, is intended for the named recipient(s) only. This e-mail may contain information which is confidential, of a private nature or which is subject to legal professional privilege or copyright. Accordingly, any form of disclosure, modification, distribution and/or publication of this email message is prohibited unless expressly authorised by the sender acting with the authority of or on behalf of the institution.

If you have received this email by mistake, please inform the sender as soon as possible and delete the message and any copies of this message from your computer system network.

The confidentiality, privacy or legal professional privilege attached to this email is not waived or destroyed by that mistake.

The institution uses virus scanning software. However, it is your responsibility to ensure that this email does not contain and is not infected by a computer virus.

Unless expressly attributed, the views expressed in this email do not necessarily represent the views of the institution.

******************** Disclaimer *******************

So just to be sure, should I run the entire message past my legal counsel just to be sure they do not want to assert some sort of legal professional privilege on the correspondence?

Your Turn

The text was modified to update a link from http://en.wikipedia.org/wiki/Quantum_bogodynamics to http://en.wikipedia.org/wiki/Wikipedia:Articles_for_deletion/Quantum_bogodynamics_%282nd_nomination%29 on January 19th, 2011.

Footnotes

1. Definition: http://en.wikipedia.org/wiki/Quantum_bogodynamics
2. See http://www.slate.com/id/2114268/ if you need it spelled out for you.