Edmund A. Hajim School of Engineering and Applied Sciences


Viruses, SPAM, and Mail Forgeries

The Computing and Networking Group has been handling a lot of complaints lately that are all similar to

"I just got mail from a remote place that says my mail to a user there was infected with a virus. I never sent mail to that person - is my computer infected, or did someone break into my account?"

Alternatively, they may complain that they've received mail identified as returned (bounced back) as undeliverable (no virus warning) - and again, they claim they never sent mail to that person/place.

There are two common causes of these problems: spammers forging email addresses, and virus/worms - not even at this location - forging mail to spread the infection.

Typically, with these two latest (Jan 25-26, 2004) very nasty worms/viruses, an infected machine will be scanned for email addresses. Those addresses are used both as a 'To:' address - to spread the virus further, and as a 'From:' address (i.e., the From address is forged) in an attempt to hide the real origin of the message. Thus someone who knows you probably has your address in one of their address books on an infected computer somewhere. The message - unless your machine was infected - did not originate on your machine, although the message was forged to make it look like that. Since the particular message was undeliverable (the mail server at the destination rejected it because it had a virus) the remote server tried to send it back to the sender - and it gets that from the 'From' address - which was forged to look like it came from you. For every one that bounces back like this one, there are probably thousands that are delivered. (nope - we have no way of stopping this from happening; none - or very little - of the activity is taking place here).
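As an added illustration (not part of the original notice), the following Python applies the check described above to a returned message: it compares the domain claimed in the 'From' header with the reverse DNS that the receiving server recorded for the first hop. All hostnames, addresses and message IDs are constructed; a real bounce carries the original as a message/rfc822 attachment, and only its headers are shown here.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (hosts, addresses and IDs are invented): the original
# message a remote server returned to the forged From address. In a real
# bounce it arrives as a message/rfc822 attachment; its headers are shown here.
RETURNED_MESSAGE = """\
Received: from example.edu (dhcp-77.some-isp.example [198.51.100.77])
\tby mx.remote-site.example (Postfix) with SMTP id 4F2A1
\tfor <someone@remote-site.example>; Mon, 26 Jan 2004 10:02:09 -0500
From: "Jane Doe" <jdoe@example.edu>
To: someone@remote-site.example
Subject: hi

(infected attachment removed)
"""

# "from <HELO name> (<reverse DNS> [<IP>])" as written by the receiving server.
RECEIVED_FROM = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([\d.]+)\]\)", re.I)


def received_chain(raw):
    """Received hops oldest-first, each as (helo_name, reverse_dns, ip)."""
    msg = message_from_string(raw)
    hops = []
    # Servers prepend Received headers, so the last one listed is the first hop.
    for value in reversed(msg.get_all("Received") or []):
        m = RECEIVED_FROM.search(value)
        if m:
            hops.append(m.groups())
    return hops


def from_domain(raw):
    """Domain of the From header, i.e. what the message claims as its origin."""
    _, addr = parseaddr(message_from_string(raw)["From"])
    return addr.rpartition("@")[2].lower()


def first_hop_in_domain(raw, our_domain):
    """True if the oldest hop's reverse DNS (recorded by the receiving server,
    not claimed by the sender) lies inside our_domain. The HELO name is what
    the sending machine asserted about itself, so it is deliberately ignored."""
    hops = received_chain(raw)
    if not hops:
        return False
    rdns = hops[0][1].lower()
    return rdns == our_domain or rdns.endswith("." + our_domain)
```

For the sample, the 'From' claims example.edu while the first hop's reverse DNS is at some-isp.example, which is the signature of a forged sender rather than a message that left a machine here.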

In addition, many spammers "harvest" email addresses - from web sites you visit where you fill out forms, from spyware inserted on your machine when you visit unethical web sites, from sites that exchange "cookies" with your host when you are web browsing and a variety of other means (e.g., they run an automated scan through web servers, inhale all the text they find, and then extract mail addresses). Once they have a huge database of addresses, they use the same forgery techniques to send mail to/from the address they harvested, hiding their origin. And again, you never know about it unless the mail they forged with your address as the 'From' address bounces - and it can only bounce back to you (the forged address) because that is all that is available in the original message. Think of some of the vile spam you receive; now think about people receiving those messages (apparently) from you...

As I said in my message earlier this week (01/26/2004) about the new viruses that are attacking the UR, never have your mail program automatically open attachments, and never open attachments unless you know who they are from and now - since mail is being forged so often - open only if you were expecting an attachment from that person (and write to them to confirm that they did indeed send an attachment). And always - always - have the best AV you can get. Remember too that virus fixes and definitions appear only after the viruses have been discovered - so there may be several hours between the release of a virus and the availability of an update to Trend (or Norton/Symantec/F-Prot...) that will protect you from that virus.

You may want to also look at our web page on SPAM protection to minimize the amount of SPAM you receive (and to maybe even make your address less harvestable).

Last modified: Thursday, 15-Jun-2006 13:39:15 EDT