Dodgy e-mail attachments from Microsoft.com


BRL
20th May 2003, 05:33
Hi all. I have just received an e-mail from [email protected]. It contains an attachment called screen_doc and is a ZLO file. It is 51 KB. Norton anti-virus didn't get it but my ZoneAlarm has quarantined it saying...

" A shortcut to MS-DOS Programme is a program that could cause damage to your computer files, violate your privacy, or infect others with a dangerous virus. "

I assume it's a virus and if it is then how can Microsoft send this kind of thing? :confused: Anyone else had anything like this?

amanoffewwords
20th May 2003, 05:41
It wasn't sent by MS - just someone pretending to be them. See BBC news item (http://news.bbc.co.uk/1/hi/technology/3040247.stm) . I don't know much more than that - Symantec (aka Norton) does not seem to have anything on it.

jethro15
20th May 2003, 05:41
It's not actually from Microsoft, and it is a virus. More details here:

http://news.bbc.co.uk/1/hi/technology/3040247.stm

jethro15

BRL
20th May 2003, 06:16
Thanks chaps. Just what are these w****rs trying to prove.... :mad:

BEagle
20th May 2003, 14:48
I received one yesterday but without any attachment - just deleted it.

It really is time that ISPs were forced to do more about this sort of thing. Surely the offending source can be traced?

BOAC
20th May 2003, 15:36
"Surely the offending source can be traced?"

I wish, Beags! I am getting quite a few now with incomplete return addresses which make bouncing with 'Mailwasher' impossible and tracing difficult. The 'Earthlink' ISP is coughing up a few right now. It becomes very time consuming sending to each ISP each time. We need robust legislation NOW!

'FL' where are you?

Evo
20th May 2003, 17:15
The difficulty with legislation is that the spam/e-mail virus problem is global - the e-mail may be sent in China and come to you via a relay in Burkina Faso. You could say that it's the ISPs problem and they should block it, but should they really decide what e-mail you do or do not receive? What is their role? If they should scan it, should the post office censor your post? There's no quick-fix that I can see.

BOAC
20th May 2003, 17:41
Why cannot those emails that have 'incorrect' return addresses be hit? The 'earthlink' example I mentioned had a r/a 'xxx@earthlink' whereas the full address should be '[email protected]'.

Dop
20th May 2003, 17:50
Big Red 'L' - I think they're trying to prove what L33T H4X0R5 they are and how many B0X3N they can 0WNZ to fuel their pathetic little egos as none of them will ever do anything good or worthwhile in their entire lives.

BEagle - The problem is that the virus sends out more copies of itself, so the odds are the person who sent it to you doesn't actually know they're doing it, because they ran the attachment when they got the mail from some other, possibly equally innocent, person. Tracing it back would be incredibly complicated. The person who started it off probably used an anonymiser to cover his tracks (and it almost certainly was a him - some pale spotty geek who needs to get out more).

BT Openworld now do virus checking on all mail passing through, and this has caught a lot of viruses before they've ever got to me. They also do spam checking too, although a lot still gets through. If all ISPs did virus checking, in close support from anti-virus companies, and blocked any viruses passing through them, it would do a lot to curb the spread of these email viruses.

BRL
20th May 2003, 23:19
How did he get away with sending an e-mail with the address of [email protected] ? Is there a programme that does that kind of thing?

This new virus has been traced to Holland so says the report. If that's the case, why can't they trace the ISP and find out who it is?

Dop I agree. As these people are anonymous then who gives them the glory they crave doing things like this? It's like graffiti artists. No-one knows who they are and they change their tags a lot so who are they trying to impress :confused: Beats me to see what the point is at the end of the day really when no one can praise you for what you have done. :confused:

As for Btopenworld blocking them, mine came through the BTinternet address that I have.

fobotcso
20th May 2003, 23:28
And me too. Deleted before opening even though checking the Header confirmed that the sender's apparent address was [email protected]. Then I came here and found all you other folks in the same boat. So we are getting smarter about this - at least in this slice of the population.

But it came to my personal e-mail address that is not published here. But then I do get a lot of Spam there anyway. The spam coming to my fobotcso address is consistent; 6-10 a day of delete before reading stuff.

BTOpenworld's anti-spam only stops about half the stuff coming to my personal account. It lets through e-mails with the most bizarre titles and senders' names, often composed of random characters that have no meaning. Still, at least it's better than nothing.

{Edit} The e-mail system is in its infancy so we must hope for a fix one day but what? If we all had to pay one penny for every e-mail address we e-mailed to it wouldn't break the bank and it would turn off all the broadcast spammers who send 500-1000 at a time. I have no idea how you would implement this in China, however!

Background Noise
21st May 2003, 02:28
Have to say I can't recommend Mailwasher enough. It checks the messages on your server and shows you the content without downloading to your computer. You can then delete from your mailbox or bounce it back as if you don't exist. Either way, I found this same message, toyed briefly with the idea of downloading it in OE but then used MW to delete it - looks like I chose wisely (for a change).

See http://www.mailwasher.net

You can make a message look like it's come from someone else by changing your own email address under the Tools menu.

Mac the Knife
21st May 2003, 04:12
Grr.... Been toying with the idea of MailWasher for a while. Been running at a rate of 40:1 Spam to Genuine for the last couple of months - someone must have finally got me on one of those "Buy a million e-mail addresses!" lists. Been drivin' me crazy.

Thanks BN, you just pushed me into downloading and registering MW. Seems to work a treat too. Hopefully if I keep bouncing the deluge will lessen somewhat eventually. F%^&$heads!

Background Noise
21st May 2003, 05:45
Think Symantec (Norton) might know about this (?) A search of their site comes up with this (which refers to Palyh in the alternative names):

http://securityresponse.symantec.com/avcenter/venc/data/[email protected]

Dop
21st May 2003, 06:23
Big Red 'L' - Do you have the virus/spam checking turned on? It's not enabled by default, and really the virus checking at least should be. The spam checking end could be a lot better, and while you can check your spam folders through webmail, there isn't a 'whitelist' option to always allow through certain mails, like mailing lists you're on. But the virus checker does seem to work with known viruses - although any virus checker is only as good as the virus database it runs off, so new viruses would spread until a check is found.

The 'From' address on an email is largely immaterial. You can set it to anything, so I could easily send out mails that would appear to be from '[email protected]' - unless you looked at the header and traced the origin of the message, you wouldn't know.

What I think is one of the major problems with the internet as a whole is that when most of the fundamental protocols (TCP/IP, mail, news, etc) were originally developed, nobody gave any thought to security. It was just one big happy family and nobody would ever think to send fraudulent emails or viruses, ever... So very basic protocols have been fraught with security problems for years.

If Email had been designed from day one so that you could not send emails with forged addresses, a lot of this stuff would never happen.
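
The point Dop makes above (the From: line is whatever the sender types; only the header trail tells you where the message really entered the mail system) and BOAC's earlier observation about return addresses missing their '.net' can both be checked mechanically. The script below is an added example for this thread, not anything a poster wrote or a product in the thread does. It parses a message with Python's standard email module, checks that the Return-Path domain is at least well formed, and compares the From: domain with the host named in the oldest Received: header, which is the machine that handed the message in. Both sample messages, every hostname, IP address and mailbox in them are constructed for the example and belong to nobody.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, not a real capture: From: claims microsoft.com, but the
# Received: trail shows the message entered from an unrelated dial-up host.
# Return-Path deliberately lacks its top-level domain, like the 'xxx@earthlink'
# address mentioned in the thread. All hosts and addresses are made up.
SPOOFED_MESSAGE = """\
Return-Path: <xxx@earthlink>
Received: from mail.example-isp.net (mail.example-isp.net [192.0.2.10])
  by mx.recipient.example (Postfix) with ESMTP id 1A2B3C
  for <user@recipient.example>; Tue, 20 May 2003 05:30:00 +0100
Received: from dialup-23.example-dialup.net ([198.51.100.23])
  by mail.example-isp.net with SMTP; Tue, 20 May 2003 05:29:57 +0100
From: "Microsoft Support" <support@microsoft.com>
To: user@recipient.example
Subject: Your details
Content-Type: text/plain

See the attached screen_doc.
"""

# Constructed clean sample: the first hop and the From: domain belong together.
CLEAN_MESSAGE = """\
Return-Path: <alice@example-isp.net>
Received: from mail.example-isp.net (mail.example-isp.net [192.0.2.10])
  by mx.recipient.example (Postfix) with ESMTP id 4D5E6F
  for <user@recipient.example>; Tue, 20 May 2003 06:00:00 +0100
From: Alice <alice@example-isp.net>
To: user@recipient.example
Subject: Lunch

Friday?
"""

# A plausible mail domain: one or more labels, a dot, and an alphabetic TLD.
DOMAIN_RE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$")


def address_domain(header_value):
    """Domain part of an address header, lower-cased, or None if absent."""
    _, addr = parseaddr(header_value or "")
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def is_well_formed_domain(domain):
    return domain is not None and DOMAIN_RE.match(domain) is not None


def received_hosts(msg):
    """Host named after 'from' in each Received: header, newest hop first."""
    hosts = []
    for value in msg.get_all("Received", []):
        m = re.search(r"\bfrom\s+([A-Za-z0-9.-]+)", value)
        hosts.append(m.group(1).lower() if m else None)
    return hosts


def same_organisation(host, domain):
    return host == domain or host.endswith("." + domain)


def analyse(raw_message):
    """Return human-readable findings; an empty list means nothing stood out."""
    msg = message_from_string(raw_message)
    findings = []

    return_path = address_domain(msg["Return-Path"])
    if not is_well_formed_domain(return_path):
        findings.append("malformed return-path domain: %r" % (return_path,))

    from_domain = address_domain(msg["From"])
    hops = received_hosts(msg)
    # Each relay prepends its own Received: line, so the last one is the first
    # hop. Only the lines added by your own receiving server are trustworthy;
    # anything below them could be forged as easily as From: was, so a
    # mismatch is a reason to look harder, not proof on its own.
    origin = hops[-1] if hops else None
    if from_domain and origin and not same_organisation(origin, from_domain):
        findings.append("From: claims %s but first hop was %s" % (from_domain, origin))
    return findings


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(name, analyse(raw) or ["no findings"])
```

Legitimate mail often relays through a third party (a web-mail provider, a mailing list, a company's outsourced gateway), so the first-hop comparison will flag some genuine messages; treat it as a triage hint. It is the manual version of what SPF and DKIM later let the receiving server do automatically against a policy the sending domain publishes; neither was in mainstream use when this thread was written.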

Kotare
21st May 2003, 08:51
CAA New Zealand received a mass post of the virus today from [email protected] - caught at the door by the MIS boys - well done.

Andrew M
21st May 2003, 09:43
I also have BTOpenworld - and got this virus delivered to me twice :ugh:

One icon for those people who write these things ---> :8 , well actually 2 :mad:

I wrote a very nasty email as a reply - but it was returned to sender.... hmm :hmm:

BOAC
21st May 2003, 14:03
DOP - the point I was making about the incomplete return address was taken FROM the email header! It missed the '.net' from the end of the address, thereby stopping Mailwasher from bouncing it.

Full agreement on the comments above for MW - there you CAN set up approved and blocked senders.

Evo
21st May 2003, 15:27
If Email had been designed from day one so that you could not send emails with forged addresses, a lot of this stuff would never happen.


A little bit of history :)

E-mail as we know it (name @ destination) and the network-of-networks idea that became the internet date back to the early seventies. Simple Mail Transfer Protocol (SMTP) and the sendmail program (still very widely used) date back to 1981. ARPANET switched to TCP/IP, the protocol that the internet still uses, in 1982. Back then the idea of spam, e-mail nasties, DoS attacks and forged addresses were inconceivable - the infant internet was a tightly-knit collection of (mainly American) official networks. Why should they have thought of designing a secure forgery-resistant e-mail protocol? Or SYN-attack resistant IP? Every extra byte cost a lot of computing and network power. E-mail and the internet itself were designed to be as simple as they could get away with.

The problem is that there is a huge amount of inertia in the system - so much so that 20 years later we're still using essentially the same software and protocols, and they're no longer good enough. However, fundamental changes are very hard to make - suddenly networks become isolated from each other due to different protocols and we are temporarily back in the 70s. People have been trying to get IPv6 adopted for years, and that's a fairly trivial change designed mainly to open up a larger number of IP addresses - the current IPv4 system doesn't really have enough to go around. Developing and rolling out a globally-secure digitally-signed e-mail protocol is a much harder problem to solve.

Solutions? There isn't an easy one. Best bet may be to build a whole new system from the ground up and roll it out in some way. Backwards compatibility is probably the wrong idea, but it makes the migration of millions of non-technical users to "Internet v2.0" a huge problem. Make it backwards compatible and you leave the prospect of all the old holes. It's a problem for someone smarter than me :)

RomeoTangoFoxtrotMike
22nd May 2003, 04:15
20/20 hindsight is a wonderful thing. Evo explained the background very succinctly, but to expand a little... it's just a tad disingenuous to suggest that "they" should have thought of security at the time. It was difficult enough just getting all those different brands of computers and operating systems to talk to each other in the first place, let alone devising ways to stop them... :rolleyes: This is a little difficult to imagine if you've been brought up in a world that only knows of Pee Cees running Micro$oft... ;)


Solutions? There isn't an easy one. Best bet may be to build a whole new system from the ground up and roll it out in some way. Backwards compatibility is probably the wrong idea, but it makes the migration of millions of non-technical users to "Internet v2.0" a huge problem. Make it backwards compatible and you leave the prospect of all the old holes. It's a problem for someone smarter than me


Call me cynical, but I wouldn't be at all surprised to discover that Bill hasn't secretly been embedding the "Micro$oft Secure Mail Application" inside Windoze products for years. One day, he'll announce that he has the "answer" to spam, switches it on, and everybody (who uses Micro$oft) is "protected." Oh, forgot to mention that if you don't use Micro$oft, you won't be able to read any email from the MSMA using any non-M$ mail client. And you have to trust M$ to be the final arbiter of what constitutes spam then... Of course, I'm probably being excessively cynical... :rolleyes:

Evo
22nd May 2003, 15:10
Cynical? Haven't you just described "trusted computing" (http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html)? Now that's worrying... :(

RomeoTangoFoxtrotMike
22nd May 2003, 20:31
Ahh, good old Ross. Always good value, ever since he debunked the cashpoint card/PIN security myth... :)

Yes, I suppose what I said was. A bit more blatantly than TCPA/Palladium, though :(

And yes, Palladium is very worrying... :ooh:

timmcat
23rd May 2003, 18:22
I copped for the little blighter earlier this week. Suspected it, NAV (on auto update but with incoming mail scan disabled) caught it when I moved it to the desktop 'just to see what happened'.

Like others have said, if Norton can catch it, why can't reputable ISPs do the same?

Tim

RomeoTangoFoxtrotMike
23rd May 2003, 20:57
Like others have said, if Norton can catch it, why can't reputable ISPs do the same?

You're comparing apples with oranges... ;)

If the question is really "why can't reputable ISPs all run Norton [or equivalent]?" then that's a separate issue, to which there are two parts:

1. Performance. Virus/anti-spam filtering consumes huge amounts of compute power. It is very expensive to build a resilient infrastructure that has adequate performance to do this. And many ISPs will reason that it's more effective to have hundreds of their customers all complaining to the sender, rather than one ISP saying we've stopped a hundred copies of this virus/spam. Plus it's cheaper ;)

2. Privacy vs. efficacy. When I recently surveyed my user population (who are a very diverse bunch), by far the two most common responses I got were:

I. Do anything you like as long as you stop the spam. I don't even care if you block legitimate email.

II. How dare you intercept my mail. It is utterly unacceptable that there is even the faintest possibility that legitimate email may get blocked.

Of course, I got almost equal numbers supporting each position and I suspect that this would apply to most ISPs :rolleyes:

Since it is not possible to satisfy both at the same time, many service providers take the easy option of not intercepting. Although it is the easy way out, it's not entirely obvious that it's the wrong thing to do. The issue of false positives (that is incorrectly identifying legitimate email as a spam or virus) is a significant one.

It's not at all obvious which is the right thing to do here. Perhaps it would be illuminating to run a poll on I and II to see what Pruners think... ?

Ausatco
24th May 2003, 13:12
RTFM,

My ISP filters spam with Spam Assassin, but as others have indicated, a lot gets through presumably to ensure that valid mail is not filtered. I can see filtering holes that could be plugged if the user could edit user-level filters.

eg,

- mail from myself - many spams have a "From" entry that consists of all or part of my username. I'd dump them if I could.

- mail with username or part of it in the subject line - that is rarely, if ever, valid mail.

- mail addressed to domains long passed away, but which were forwarded to a new domain at the time of old domain death. You need an option to dump "mail not to me". OK, you'd need a "friends list" as well to allow legitimate mail not personally addressed (eg from a mail-list) to pass.

These are just a few examples of many variables that I can think of, and while suitable for me, might cause problems for others.

So how about a "filter construction kit" as found in Mailwasher and the like, but to be applied at ISP level. Write your own personalised set of filter expressions applicable only to your account and upload it, or do it on an on-line form. Perhaps make the language a bit more understandable than Mailwasher's :O, or like Mailwasher, have available downloadable filter files where the basic hard work has already been done by enthusiasts (or commercial entities who'd sell it - I'd pay!) and all you have to do is tweak it to suit your own username, etc.

It seems basic to me - there must be some reason why it hasn't been done.

AA

fobotcso
25th May 2003, 04:33
AA, your first exclusion condition wouldn't do for me at the moment because, for synchronisation, I always Cc to myself every e-mail I send. I could change that by putting myself in the Primary addressee field.

So, we could then create a Rule in OE to block any messages with our own address as Cc. But No, any of our normal contacts could put us in as Cc Addressees.

But I like your second idea and am now working on a Rule to block any messages with my own address in the subject title. For safety, I won't delete them, just make them "do not download from Server".

I'm now getting 20-30 junk mails getting through with another 20-30 blocked by BTOpenworld Spam Filter.

[edited to eliminate gibberish]

Cheers, fob
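
Ausatco's "filter construction kit" and fobotcso's reservations about it (his Cc-to-self sync copies would trip the from-myself rule; and he prefers to hold suspect mail rather than delete it) translate directly into a small per-user rule set. The following is an added example written for this thread; it is not Mailwasher's filter language, not anything an ISP in the thread offers, and not code either poster wrote. It implements the three rules Ausatco listed plus the dead-domain case as separate, individually switchable predicates over a parsed message, and keeps the decision (download, hold, delete) separate from the matching so a cautious user can hold rather than delete. The account address, old domain, friends list and all four sample messages are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Assumed account details, made up for this example.
ME = "aa@newdomain.example"
OLD_ADDRESSES = {"aa@olddomain.example"}        # dead domains still forwarded here
FRIENDS = {"list-bounces@pilots-list.example"}  # senders that never address me directly


def addresses_in(msg, *headers):
    """Lower-cased set of every address found in the named headers."""
    values = []
    for header in headers:
        values.extend(msg.get_all(header, []))
    return {addr.lower() for _, addr in getaddresses(values) if addr}


# Rule 1: the From: address is my own. Trips on spam that borrows the victim's
# address, but also on genuine copies I Cc to myself, hence it is switchable.
def from_self(msg):
    return ME in addresses_in(msg, "From")


# Rule 2: my username appears as a whole word in the Subject: line.
def username_in_subject(msg):
    local_part = re.escape(ME.split("@", 1)[0])
    return re.search(r"\b%s\b" % local_part, msg["Subject"] or "", re.I) is not None


# Rule 3: nothing in To:/Cc: is my current address, and the sender is not on
# the friends list (mailing lists etc. legitimately address the list, not me).
def not_addressed_to_me(msg):
    if ME in addresses_in(msg, "To", "Cc"):
        return False
    return not (addresses_in(msg, "From") & FRIENDS)


# Rule 4: mail sent to an address at a domain that no longer exists.
def addressed_to_dead_domain(msg):
    return bool(addresses_in(msg, "To", "Cc") & OLD_ADDRESSES)


RULES = {
    "from_self": from_self,
    "username_in_subject": username_in_subject,
    "not_addressed_to_me": not_addressed_to_me,
    "addressed_to_dead_domain": addressed_to_dead_domain,
}


def classify(raw_message, enabled=tuple(RULES)):
    """Names of the enabled rules that match, in rule order."""
    msg = message_from_string(raw_message)
    return [name for name in enabled if RULES[name](msg)]


def decide(matches, delete=False):
    """Safe default is to hold (leave on the server, don't download)."""
    if not matches:
        return "download"
    return "delete" if delete else "hold"


# Constructed sample messages (not real mail).
SPAM_FROM_SELF = "From: aa@newdomain.example\nTo: aa@newdomain.example\nSubject: aa, your account needs attention\n\n"
SPAM_OLD_DOMAIN = "From: deals@bulkmail.example\nTo: aa@olddomain.example\nSubject: Special offer\n\n"
LIST_MAIL = "From: list-bounces@pilots-list.example\nTo: pilots@pilots-list.example\nSubject: [pilots] Weather this weekend\n\n"
SYNC_COPY = "From: aa@newdomain.example\nTo: bob@example.net\nCc: aa@newdomain.example\nSubject: Re: Saturday\n\n"

if __name__ == "__main__":
    cautious = ("username_in_subject", "not_addressed_to_me", "addressed_to_dead_domain")
    for name, raw in (("spam from self", SPAM_FROM_SELF), ("spam to old domain", SPAM_OLD_DOMAIN),
                      ("list mail", LIST_MAIL), ("my sync copy", SYNC_COPY)):
        print(name, classify(raw), classify(raw, enabled=cautious))
```

With the full rule set the sync copy is caught by from_self; with that rule switched off (the `cautious` set) it is downloaded normally while the two spam samples are still held. Whole-word matching in rule 2 matters for short usernames: without it "aa" would match inside "aardvark".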

Keef
27th May 2003, 09:01
I've found a good solution. I have all my incoming mail routed via Spamcop. That sent me a message yesterday about a virus with a forged "from" address of [email protected] that it had shredded. Several times, in fact.

The Spamcop filter can be "personalised" in a variety of ways, including personal blacklists and whitelists. I have all e-mail from China, Hong Kong, Taiwan, Korea, Brazil and Argentina treated as Spam, as well as verizon.net and some other ISPs of that ilk.

I get very little spam indeed with that setup. Every couple of days I check the "filters" to see if there's anything genuine in there, then "spamcop" the rest.

Sadly, I blacklisted hotmail.com - which meant an e-mail from AerBabe sat in the filters for a day or so :-( She's "whitelisted" now...

shocka
30th May 2003, 21:17
Got one today from "microsoft.com" .........re movie,

and as I'd been to the Microsoft website recently to download I thought it might be in connection with that, but my anti virus warned of a worm virus instead !!

No attachment.

BEagle
31st May 2003, 17:08
With the odd billion dollars at his disposal, I hope that Bill Gates has been told about this abuse of the 'microsoft.com' name and is quietly tracking down the perpetrator.......

In the UK, there are rewards which can be paid to you for turning in the identities of people using pirated software. How about rewards being payable to legitimate ISP operators who track down these spammers, Bill?