investigating a potentially malicious url
how to safely look at what's being served at the other end of some suspicious URL (normally something you received in email spam, but it could be on a billboard or a CD-ROM or anywhere really)
Say you get an email with a link in it. Most people are content to delete it without clicking on the link. But you want to know whether or not there's malicious content at the other end. By malicious content, I mean anything from relatively harmless (but annoying) spyware to much more dangerous virus payloads (sometimes with insidious trojan capabilities).
Well, the smartest thing to do is simply not to open the link on the machine you care about. Running linux (or a mac) helps, because mass-mailed drive-by payloads overwhelmingly target windows and there have been far fewer ways of hitching a ride into your machine via a webbrowser on those platforms (so far), but browser exploits exist for every platform, so treat that as a margin of safety rather than a guarantee. Sometimes if I am convinced there's probably malicious content on the far end, I'll not use my firefox browser on linux, but instead follow the below protocol.
So you really need a shell account somewhere on a linux box, ideally one that isn't your own workstation, so that anything you fetch lands on a machine you don't mind cleaning up. Probably there are utilities on windows that can do some of what I advise below, but really everyone should become familiar with GNU/linux, because it's just better (and if you prefer bsd and/or a mac, by all means use that instead of linux).
But if I did have something I didn't trust, I'd look at the base part of the url first: the hostname between the scheme and the first slash, with any user@ prefix and :port dropped. From a shell, execute:
$ host <base-url>
$ whois <base-url>
Where your suspicious link is something like http://example.com/goofy-stuff/click-me.php
the <base-url> would be example.com
This usually works for phishing type attacks too, where the link might be something like http://192.0.34.166/goofier-stuff/ooh-ooh/click-here.asp
In this case you use the numeric value in the command like so:
$ host 192.0.34.166
166.34.0.192.in-addr.arpa domain name pointer www.example.com.
If reverse DNS works on that IP, you'll get a name back -- use that name in the next command:
$ whois www.example.com
This gets a NO MATCH FOUND result (buried in lots of other verbiage) because the registry whois database lists registered domain names, not individual hostnames, so we drop the www. and do:
$ whois example.com
Whois Server Version 2.0
Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.
Domain Name: EXAMPLE.COM
Registrar: RESERVED-INTERNET ASSIGNED NUMBERS AUTHORITY
Whois Server: whois.iana.org
Referral URL: http://res-dom.iana.org
Name Server: A.IANA-SERVERS.NET
Name Server: B.IANA-SERVERS.NET
Status: clientDeleteProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 26-mar-2004
Creation Date: 14-aug-1995
Expiration Date: 13-aug-2011
>>> Last update of whois database: Mon, 05 Feb 2007 05:21:40 UTC <<<
NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar. Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.
TERMS OF USE: You are not authorized to access or query our Whois
database through the use of electronic processes that are high-volume and
automated except as reasonably necessary to register domain names or
modify existing registrations; the Data in VeriSign Global Registry
Services' ("VeriSign") Whois database is provided by VeriSign for information purposes only, and to assist persons in obtaining information
about or related to a domain name registration record. VeriSign does not
guarantee its accuracy. By submitting a Whois query, you agree to abide
by the following terms of use: You agree that you may use this Data only
for lawful purposes and that under no circumstances will you use this Data
to: (1) allow, enable, or otherwise support the transmission of mass
unsolicited, commercial advertising or solicitations via e-mail, telephone,
or facsimile; or (2) enable high volume, automated, electronic processes
that apply to VeriSign (or its computer systems). The compilation,
repackaging, dissemination or other use of this Data is expressly
prohibited without the prior written consent of VeriSign. You agree not to
use electronic processes that are automated and high-volume to access or
query the Whois database except as reasonably necessary to register
domain names or modify existing registrations. VeriSign reserves the right
to restrict your access to the Whois database in its sole discretion to ensure
operational stability. VeriSign may restrict or terminate your access to the
Whois database for failure to abide by these terms of use. VeriSign
reserves the right to modify these terms at any time.
The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.
IANA Whois Service
Domain: example.com
Name: IANA_RESERVED
Registrant:
Name: Internet Assigned Numbers Authority (IANA)
Organization: Internet Assigned Numbers Authority (IANA)
Address1: 4676 Admiralty Way, Suite 330
Address2:
Address3:
City: Marina del Rey
State/Province: CA
Country: US
Postal Code: 90292
Phone: 310-823-9358
Fax: 310-823-8649
Email: res-dom@iana.org
Registration Date: 11/01/2001
Last Updated Date: 11/01/2001
Administrative Contact:
Name: Internet Assigned Numbers Authority (IANA)
Organization: Internet Assigned Numbers Authority (IANA)
Address1: 4676 Admiralty Way, Suite 330
Address2:
Address3:
City: Marina del Rey
State/Province: CA
Country: US
Postal Code: 90292
Phone: 310-823-9358
Fax: 310-823-8649
Email: res-dom@iana.org
Registration Date: 11/01/2001
Last Updated Date: 11/01/2001
Technical Contact:
Name: Internet Assigned Numbers Authority (IANA)
Organization: Internet Assigned Numbers Authority (IANA)
Address1: 4676 Admiralty Way, Suite 330
Address2:
Address3:
City: Marina del Rey
State/Province: CA
Country: US
Postal Code: 90292
Phone: 310-823-9358
Fax: 310-823-8649
Email: res-dom@iana.org
Registration Date: 11/01/2001
Last Updated Date: 11/01/2001
Nameserver Information:
Nameserver: a.iana-servers.net.
IP Address: 192.0.34.43
Nameserver: b.iana-servers.net.
IP Address: 193.0.0.236
Nameserver: c.iana-servers.net.
IP Address: 139.91.1.10
This shows us that example.com is actually owned and managed by the IANA (the folks who "run" the internet) as a working example domain name. If instead our suspicious domain didn't return useful information using whois on the name (or if you're just looking for more info), it may also be useful to try whois on the IP itself:
$ whois 192.0.34.166
Internet Assigned Numbers Authority RESERVED-192 (NET-192-0-0-0-1)
192.0.0.0 - 192.0.127.255
ICANN
c/o Internet Assigned Numbers Authority ICANN (NET-192-0-32-0-1)
192.0.32.0 - 192.0.47.255
ICANN
c/o Internet Assigned Numbers Authority ICANN (NET-192-0-34-0-1)
192.0.34.0 - 192.0.36.255
# ARIN WHOIS database, last updated 2007-02-04 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
Doing it this way often shows the "upstream" of the remote server: the information is more general because the address block belongs to a hosting or bandwidth provider that provides connectivity to the entity actually serving content from that address.
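Here is the whole lookup procedure above as one script, added here as an example (it is not code from the original page). url_host, is_ipv4, ptr_name and whois_name are plain string handling and run offline; triage is the part that actually calls host and whois, so it assumes both are installed. The www.-stripping matches what the page does; for a host like mail.example.co.uk you would need the public suffix list to find the registrable name, which this does not attempt. The filename triage.sh in the usage note is my own choice.

```sh
#!/bin/sh
# Added example: the host / whois lookups as a script. Only triage touches
# the network; the other functions are pure and can be exercised offline.

# url_host URL -> the host part only: no scheme, userinfo, port, path or
# query, lowercased. Everything before an @ is userinfo, which phishing
# links use to show a trusted-looking name in front of the real host.
url_host() {
    h=$1
    h=${h#*://}                        # drop scheme (if any)
    h=${h%%/*}; h=${h%%\?*}; h=${h%%#*} # drop path, query, fragment
    h=${h##*@}                         # drop user:pass@
    case $h in
        "["*"]"*) h=${h#"["}; h=${h%%"]"*} ;;   # IPv6 literal
        *)        h=${h%%:*} ;;                 # drop :port
    esac
    printf '%s\n' "$h" | tr 'A-Z' 'a-z'
}

# is_ipv4 STRING -> true for a dotted quad (the numeric-URL phishing case)
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# ptr_name TEXT -> the name after "domain name pointer" in host(1) output,
# trailing dot removed; empty when the reverse lookup gave nothing.
ptr_name() {
    printf '%s\n' "$1" |
        awk '/domain name pointer/ { n = $NF; sub(/\.$/, "", n); print n; exit }'
}

# whois_name HOST -> the name to hand to whois: drop a leading www., as the
# registry whois knows domains, not hostnames.
whois_name() {
    printf '%s\n' "${1#www.}"
}

# triage URL -> run the lookups in the order the page describes
triage() {
    target=$(url_host "$1")
    echo "host part: $target"
    if is_ipv4 "$target"; then
        out=$(host "$target" 2>&1); echo "$out"
        name=$(ptr_name "$out")
        if [ -n "$name" ]; then
            echo "--- whois $(whois_name "$name")"; whois "$(whois_name "$name")"
        fi
        echo "--- whois on the address itself"; whois "$target"
    else
        host "$target"
        echo "--- whois $(whois_name "$target")"; whois "$(whois_name "$target")"
    fi
}

if [ $# -ge 1 ]; then triage "$1"; fi
```

Save it as triage.sh and run sh triage.sh 'http://192.0.34.166/goofier-stuff/ooh-ooh/click-here.asp' to get the same sequence of lookups shown above in one go.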
All of this so far is looking at DNS and registration records -- you've done nothing to actually talk to the web server that may or may not be operating at the other end (which matters if you're trying not to let the sender of a spam know that you've read it). One caveat: the host lookup is itself a DNS query, and if the spammer runs the authoritative nameserver for the domain, or put a hostname unique to your copy of the mail in the link, even that lookup can tell them the message was looked at. A passive DNS service, where you have access to one, answers the same question without touching their infrastructure.
At this point, if you don't mind potentially alerting the site owner that a specific spam got through, you can use links (or lynx) to view what's on the server by visiting the full URL that was in the email; since these text browsers don't run JavaScript, nothing on the page gets executed while you look at it. By saving local versions of the files fetched from the server with these command-line web browsers, it should be possible to scan the files with antivirus scanners and check text files for exploits. To investigate cross-site scripting or potential redirects, it also helps to use a tool that can record the entire HTTP transaction as the site is browsed. Sorry I don't have a specific recommendation other than it'd be a good programming challenge to try to write your own in the language of your choice :-]
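For the recording-the-transaction part, here is an added example (mine, not the page's) that does the fetch with curl rather than a text browser: one redirect hop at a time, never rendering anything, with the full request/response trace, the headers and the body of every hop written to disk for scanning. It assumes curl is installed (the %{redirect_url} write-out needs 7.18.2 or later), and the User-Agent string, hop limit, capture directory name and the list of "suspicious" patterns are illustrative choices of mine, not anything from the page.

```sh
#!/bin/sh
# Added example: fetch a suspicious URL hop by hop with curl, keeping every
# HTTP transaction on disk so it can be inspected offline. The UA string,
# MAX_HOPS and the indicator regex are assumptions, tune them as you like.

UA='Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/115.0'
MAX_HOPS=5

# is_web_url URL -> true only for http(s), so a redirect can't drag us to
# file:// or some other scheme curl knows about.
is_web_url() {
    case $1 in http://*|https://*) return 0 ;; *) return 1 ;; esac
}

# header_value FILE NAME -> value of response header NAME in a saved header
# dump (case-insensitive; last occurrence wins; empty if absent).
header_value() {
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    tr -d '\r' < "$1" | awk -v want="$want" '
        index($0, ":") > 1 {
            name = tolower(substr($0, 1, index($0, ":") - 1))
            if (name == want) {
                val = substr($0, index($0, ":") + 1)
                sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
                found = val
            }
        }
        END { print found }'
}

# suspicious_lines FILE -> number of lines matching crude script / redirect
# indicators; a starting point for reading the saved text by hand, no more.
suspicious_lines() {
    grep -Eic '<(iframe|script|object|embed)|http-equiv=.?refresh|eval\(|unescape\(|fromCharCode|document\.write\(' "$1" || true
}

# fetch_chain URL DIR -> fetch URL without following redirects, then follow
# each 3xx by hand, saving hopN.trace / hopN.headers / hopN.body under DIR
# plus a transcript of what happened at each hop.
fetch_chain() {
    url=$1; dir=$2; hop=0
    mkdir -p "$dir"
    while [ -n "$url" ] && [ "$hop" -lt "$MAX_HOPS" ]; do
        if ! is_web_url "$url"; then
            echo "hop $hop: refusing non-web URL $url" >> "$dir/transcript.txt"; return 1
        fi
        echo "$(date -u '+%Y-%m-%dT%H:%M:%SZ') hop $hop: $url" >> "$dir/transcript.txt"
        if ! result=$(curl -sS --max-time 30 --proto '=http,https' -A "$UA" \
                --trace-ascii "$dir/hop$hop.trace" -D "$dir/hop$hop.headers" \
                -o "$dir/hop$hop.body" -w '%{http_code} %{redirect_url}' \
                --url "$url"); then
            echo "  curl failed ($result)" >> "$dir/transcript.txt"; return 1
        fi
        code=${result%% *}; next=${result#* }   # e.g. "302 http://..."
        echo "  status $code, type: $(header_value "$dir/hop$hop.headers" content-type), bytes: $(wc -c < "$dir/hop$hop.body" | tr -d ' ')" >> "$dir/transcript.txt"
        case $code in 3??) url=$next ;; *) url= ;; esac
        hop=$((hop + 1))
    done
}

# inspect_dir DIR -> file(1) type and indicator count per saved body, then an
# antivirus pass over the whole capture if clamscan is installed
inspect_dir() {
    for body in "$1"/hop*.body; do
        [ -f "$body" ] || continue
        printf '%s: %s; suspicious lines: %s\n' "$body" "$(file -b "$body")" "$(suspicious_lines "$body")"
    done
    if command -v clamscan >/dev/null 2>&1; then clamscan --no-summary -r "$1"; fi
}

if [ $# -ge 1 ]; then
    fetch_chain "$1" "${2:-./capture}"
    cat "${2:-./capture}/transcript.txt"
    inspect_dir "${2:-./capture}"
fi
```

The point of following redirects by hand instead of with -L is that each hop leaves its own trace, headers and body behind, so a chain of bouncers ending at a download is fully visible afterwards, and the scheme check stops a redirect from pointing curl at anything other than a web server. Note that, unlike the text-browser approach, an HTML meta refresh is not followed; it shows up in the indicator count and you decide whether to fetch its target.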