It's best not to click on spam links. But if you must, there are a few steps above and beyond a sandbox that can add some more protection.
If you truly wanted to check a link contained in a spam email, would accessing your online email account, Gmail, Hotmail, Yahoo, whatever, via a sandboxed browser fully protect you?
In this excerpt from Answercast #40, I look at the protection that a sandbox can give to your machine if you click on a questionable link, but still recommend that you don't.
Fully protect you? I can't really go along with that.
Absolutely, it goes a long way toward protecting you. It does a very good job of protecting your system from malicious downloads or drive-by downloads. But without knowing the specific sandbox, it's still accessing something that's running on your machine, and it's very possible that malicious software, running within that sandbox, could still cause problems.
Perhaps it won't cause problems on your machine, but on your network. Or it might do something else that is going to have some negative side effects.
Like I said, it's good – in fact, it's probably very good – but there is no way that I could say, "fully protected," or give you any kind of a hint that you're really totally safe by doing that.
My biggest recommendation, of course, is don't. Don't try and satisfy your curiosity.
If it's been marked as spam, if it's clearly spam, then just don't.
Do something else. Get on with your life.
If you absolutely must, here is the approach I take (because yes, occasionally in what I do, I do need to investigate things like this):
I fire up a virtual machine that I have specifically configured for this. It's actually running Ubuntu Linux, so I've removed the ability for Windows-based malware to do anything to this virtual machine.
I'll fire up a copy of Firefox (probably with no scripts turned on, so none of the scripting is going to happen automatically), then (and only then) will I actually try and do something with that link.
If that turns out to be malicious, or if for some reason I feel that I can no longer trust that virtual machine that I had everything installed in, I'll delete it. It's like reformatting your machine all over again, but that's the safest way to protect yourself from malware of this sort.
So, in short:
I'd really rather you didn't try.
If you must, a sandbox is good, but it's not perfect.
The only way to really get closer to perfect (and even this isn't perfect) is to use something that is not connected to your own local network and is a completely throwaway machine.
In most cases (because they're easy to clone, easy to copy), it should be something like a virtual machine-based technology.