Today, via web mail, I was checking my personal (non-APL) email. I saw one of the messages was from Hallmark Postcards, saying I had a postcard from someone. Now, I already knew that it was spam, just from that information. What I should have done was just check the box next to it and click on “Report Spam.” Instead I opened the message. No problem. I saw the URL for the card, so I “hovered” my mouse over it. It was “postcard.exe.” Into the spam folder with you, sucker!
A few minutes later I got a call from someone in the IT department here at APL. One of our security devices indicated I tried to download that file. It blocked the download and reported it. Now, the Windows executable would have done nothing on my Mac, and recall I did not click on it to download it. What had happened?
I looked through the add-ons and extensions I had in Firefox. Sure enough, amidst the security-related add-ons, I also had added Interclue, “Your Personal Link Preview Multitool.” It promises, “Before you click the link: Hover your mouse pointer over the link, and a Linkclue icon will appear. Rest your mouse on the icon, and up pops an enhanced summary of the linked page.”
Hmmm. I don’t think it actually tried (or tries) to download anything. I think that our security software saw this in the stream and triggered an alarm. (On the other hand, what does it mean to “preview” an executable? I’m not sure, and I didn’t need Interclue enough to want to keep it.) I uninstalled it and restarted Firefox.
Update
I heard from my co-worker in the IT department. He writes:
What our network systems saw is the following exchange between your host and the remote server:
Request from your host:
GET /postcard.exe HTTP/1.1
Host: nn.nn.nn.nn
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Reply to the request:
HTTP/1.1 302 Moved Temporarily
Date: Mon, 21 Sep 2009 14:05:36 GMT
Connection: close
Via: HTTP/1.1 localhost.localdomain (Websense-Content_Gateway/7.1.2 [c s f ])
Location: http://nn.nn.nn.nn/cgi-bin/blockpage.cgi?ws-session=3741857785
Content-Length: 0
This, of course, shows your host asking for postcard.exe and our Websense device referring your host to a block page thereby preventing the download. Your Firefox plug-in wants to provide a preview of the web page. To provide a preview, it apparently downloads the web page (or at least part of it). Otherwise, how would it know what the page looks like so it could provide a preview? It looks like a rather dangerous plug-in, one designed for a more friendly Internet.
I agree. Avoid this Firefox extension.
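A triage sketch for an exchange like the one quoted above, added here as an example (it is not from the post or from the IT department): it parses the request and reply heads and decides whether the gateway stopped the executable before any file bytes came back. The extension list, the verdict labels and the function names are assumptions; the sample headers are copied from the post with wrapped lines rejoined.

```python
from urllib.parse import urlsplit, parse_qs

EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com")  # assumption: illustrative list

# Exchange copied from the post (wrapped header lines rejoined, some headers omitted).
REQUEST = """GET /postcard.exe HTTP/1.1
Host: nn.nn.nn.nn
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
"""
RESPONSE = """HTTP/1.1 302 Moved Temporarily
Via: HTTP/1.1 localhost.localdomain (Websense-Content_Gateway/7.1.2 [c s f ])
Location: http://nn.nn.nn.nn/cgi-bin/blockpage.cgi?ws-session=3741857785
Content-Length: 0
"""

def parse_head(raw):
    """Return (start_line, headers) with header names lower-cased."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0].strip(), headers

def triage(raw_request, raw_response):
    """Classify one request/response pair seen at the web gateway."""
    req_line, req = parse_head(raw_request)
    resp_line, resp = parse_head(raw_response)
    _method, target, _version = req_line.split(" ", 2)
    status = int(resp_line.split(" ", 2)[1])
    location = urlsplit(resp.get("location", ""))
    wanted_exe = urlsplit(target).path.lower().endswith(EXECUTABLE_EXTS)
    via_gateway = "Websense-Content_Gateway" in resp.get("via", "")
    to_block_page = status in (301, 302, 303, 307) and location.path.endswith("/blockpage.cgi")
    body_bytes = int(resp.get("content-length", "0"))
    if wanted_exe and via_gateway and to_block_page and body_bytes == 0:
        verdict = "blocked"      # request left the host, but no file bytes came back
    elif wanted_exe and status == 200:
        verdict = "delivered"    # executable reached the client: escalate
    else:
        verdict = "review"
    return {
        "verdict": verdict,
        "client": req.get("user-agent", ""),  # shows the fetch came from the browser process
        "block_session": parse_qs(location.query).get("ws-session", [None])[0],
    }

print(triage(REQUEST, RESPONSE))
```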