[extropy-chat] META: viral spam

Alan Eliasen eliasen at mindspring.com
Tue Apr 6 20:46:20 UTC 2004


Robert J. Bradbury wrote:
> It seems possible that someone could figure out how to
> actually "join" the list.  As we are using a standard
> list management package it is probably only a matter of
> time before the hackers figure out a way to automate this
> process (which is going to make things really difficult).
> So the message could come from a newly subscribed member
> that we haven't kicked off for sending SPAM.

   Can't members simply be put on "probation" and have their posts moderated
until they've proven that they're real humans?  This is a common feature in
most mailing list software.

> The other possibility is that an already subscribed member
> has a machine that has been corrupted by a virus and has
> the ExI list address in their mailbox.  I suspect that is
> probably what happened here.  The machine got corrupted
> and then attempted to email the virus to the list.

   The way most e-mail viruses spread is to pick random addresses from an
address book (or more commonly these days, from HTML files, text files, and
other files you may have on your system) and send messages both to and from
these random addresses, thus attempting to obscure their origin.

   Many viruses fake a mail failure, especially to try to get you to open an
attachment to see "what was this mail that supposedly bounced?"  This is what
the Netsky.P virus, as noted by BillK, does.  From the text of the message,
that's what this was.  (And yes, I just checked all my systems to be very sure
they don't have it.)

> Everyone should consider that there is some minimal size
> required for any kind of sophisticated virus.  The ones
> going around now are running from 30-45K bytes.  People on
> the ExI list *rarely* write messages that are 30-45K in size
> (2-5K is more typical).  If a message has any substantial
> size it is probably not a good idea to even look at it
> unless you *really* believe you can trust the sender.

   It's not necessary to spread unfounded panic.  Unless you have a criminally
insecure mail client, you *can't* be infected with a virus by displaying an
e-mail on the screen.  Outlook is the only client I know that's ever allowed a
hole that bad.  No other e-mail client will allow infection just from
*viewing* the text of any e-mail (opening an attachment, yes, but that's
something you should always do with extreme care with any e-mail client, and
only after scrutinizing the attachment type.)

   I've written secure, spam-filtering e-mail clients myself, and I know you'd
actually have to go out of your way to intentionally make an e-mail client as
insecure as Outlook is.  It's actually surprising the lengths they went to to
make their client infectable.  If anyone's still using it, and you value your
data and time and reputation, and that of your friends and contacts, change now.

> If I'm interpreting things correctly the source of the message
> with the problem appears below.

   The only way that we'll know where Rafal's mail came from will be if he
forwards the original message with *all* headers, and even then it can be
difficult to trace.  He can send it to me directly, to avoid further waste of
everyone's time.

   I dislike having my name on the e-mail list of someone who doesn't protect
that information, and allows their system to forge my identity, send viruses
that purport to be from me, and make me look bad, so I want to get this fixed.

-- 
  Alan Eliasen                 | "You cannot reason a person out of a
  eliasen at mindspring.com       |  position he did not reason himself
  http://futureboy.homeip.net/ |  into in the first place."
                               |     --Jonathan Swift



More information about the extropy-chat mailing list