
Spoofed mail headers.

Rat

So I'm starting to receive those viruses that not only pick an address from the infected party's address book to send to, but also another to use as the spoofed sender address. They're not a worry, as I don't get viruses and never will. :p

I'm wondering though. I don't know who has me on their address book, and I have no easy way of finding out. I could, of course, just send out mail to everyone I know from whom I have received genuine mail in the past, telling them all to sort out their machines and stop sending all the crap to me.

But how easy is it to spoof mail headers? I don't really know about this sort of thing. I'm not running my own mail server, so I can't look at the logs of that, but I'm not sure if it would help if I could? Is there really nothing I can do to ascertain who's (accidentally and unwittingly, indeed half-wittedly) sending it all to me?

Cheers,
Rat.
 
I have, in the last three or four weeks, had virus-laden emails returned by ISPs or bounced from lists that don't accept attachments. The sender was supposed to be me. Which is impossible as I use Linux and, in any case, the headers revealed that the virus emails were sent from a Windows system.

I'd like to know how it's done too. Did somebody who got the virus (a version of Netsky) have me in their address book? Or was my address picked up from some web site? Or just randomly generated?

Also interested in the etiquette for asking people who might have you in their address book (and there is no knowing just who has if you are a member of a mailing list for instance, or contribute to a site that gives your email address without the @) to check to see if they have a virus....

Very keen to hear from somebody who knows about these things.
 
Spoof email headers? Utterly trivial. Email servers just pass things like the 'from' field through. If your mail server says it originally came from 'aol.com', and it's just "relaying" it, the recipient typically just takes its word for it.
 
Just remember that most of these worms and viruses send mail based on these rules:

1) Pick random person from address book. This is the FROM field.
2) Pick random person from address book. This is the TO field.

So when you receive a virus-laden mail from jim@isp.net, it is not necessarily from him.

There are some really bad ones out right now. I got one the other day that said "TERRAKT IN AUSTRALIA," which I guess was supposed to mean terrorism, but whatever. The link in the email goes to a site that has some Windows-exploiting script. Did a scan of the originating IP, and of course it's some crap zombied machine from I think Comcast. Comcast sucks. And abuse@comcast.net goes nowhere. RRGH!
 
Too often new variants of worms slip by my university's mail server and infect a few computers before the virus filter is updated.

A few weeks ago, I received a few viral emails with forged sender addresses from our research group.

The virus itself had been stripped out by the university mail server, but I suspected that one of our group's Windows machines had already been infected since it would be improbable otherwise that all the forged From addresses would be from our group.

I looked at the full headers and got the actual originating IP address and discovered that the viral emails were coming from my advisor's computer. I ran a virus scan on it and disinfected it. It had a variant of the Bagle worm.
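The header check described in the post above, as an added example that is not code from any poster in this thread: it walks the Received: chain of a constructed message (sample hostnames and IPs are invented) and returns the client IP recorded by the last relay the reader actually controls, ignoring lines below that point because the sending machine can write whatever it likes there.

```python
import email
import re

# Constructed sample message (not a real capture). The From: is forged to look
# like a colleague, and the bottom Received: line was written by the sending
# machine itself, so only the line our own server added (the top one) is trusted.
SAMPLE = (
    "Received: from advisor-pc (unknown [198.51.100.77])\n"
    "\tby mail.example-uni.edu (Postfix) with SMTP id 5D2A1\n"
    "\tfor <student@example-uni.edu>; Mon, 22 Mar 2004 10:14:58 +0000\n"
    "Received: from mail.example.com ([203.0.113.5]) by advisor-pc\n"
    "\twith SMTP; Mon, 22 Mar 2004 10:14:50 +0000\n"
    "From: colleague@example-uni.edu\n"
    "To: student@example-uni.edu\n"
    "Subject: Document\n"
    "\n"
    "see attached\n"
)

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HOP_RE = re.compile(r"^from\s+(\S+).*?\bby\s+(\S+)", re.IGNORECASE)


def claimed_sender(raw_message):
    """The From: header: whatever the sender chose to put there."""
    return email.message_from_string(raw_message)["From"]


def received_hops(raw_message):
    """Parse every Received: header, newest (topmost) first, into
    (host the connecting client claimed, relay that wrote the line, client IP)."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        line = " ".join(value.split())  # join folded continuation lines
        m = HOP_RE.match(line)
        ip = IP_RE.search(line)
        hops.append((m.group(1) if m else None,
                     m.group(2) if m else None,
                     ip.group(1) if ip else None))
    return hops


def originating_ip(raw_message, trusted_relays):
    """Walk from our own server downward and return the client IP recorded by
    the last relay we trust; lines below it came from the sender and may be forged."""
    last_ip = None
    for _claimed_host, by_host, ip in received_hops(raw_message):
        if by_host is None or by_host.lower() not in trusted_relays:
            break  # first line not written by a relay we control: stop here
        last_ip = ip
    return last_ip


if __name__ == "__main__":
    print("From: header claims", claimed_sender(SAMPLE))
    print("actually handed to our server by", originating_ip(SAMPLE, {"mail.example-uni.edu"}))
```

With only your own server in the trusted set you learn the IP that connected to it, which for Rat (no server of his own) means only the relay his ISP received from, not the infected PC.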
 
Two things:

1) Get an anti-virus program (update it often or automatically). I use Norton Anti-virus.

2) Get a spam filtering program. I use Spampal (www.spampal.org).

All email with viruses are cleaned by Norton and sent right to my SPAM folder by Spampal.

I also have a couple of rules set up to take care of fake bouncebacks and any attachments which may contain viruses.

In fact, I'm averaging 20-40 spams (or virus emails) a day with just one getting through the filters in the past 2 weeks.

Now if I could just overcome that feeling of receiving 15 new emails and having all of them be spam!
 
Nothing to be done about this.

Lots of viruses also look in the internet cache on the infected machine for email addresses. What this means is that you can receive viruses from people who have never sent you any legitimate email; they have merely surfed a site where your email address was exposed.

In short: Nothing to do other than to protect yourself in your end.
 
mroek said:
Lots of viruses also look in the internet cache on the infected machine for email addresses. What this means is that you can receive viruses from people who have never sent you any legitimate email; they have merely surfed a site where your email address was exposed.

Huh. I did not know that! How clever.
 
LFTKBS said:
Huh. I did not know that! How clever.

That's why you NEVER EVER post your real email address on the internet.

I won't even use it for business transactions. I use one for chat rooms, bulletin boards, etc. and one for ordering things online.

My REAL email address is for friends and family only.
 
But how easy is it to spoof mail headers?

--

As has been said, it's the easiest thing in the world. I could send an e-mail right now and make it look like it came from anyone or anywhere I please.

If you're concerned about security, now is the time to get in the habit of digitally signing your e-mails and now is the time to get your friends used to seeing the same, so they can tell for sure what's you and what's not. It's best to have security in place long before a problem occurs. Last time I was in the market for that kind of security, PGP was the new hotness. I'd assume it still is...
 