Cecil Bankston wrote:
I am receiving spam or scam messages, consisting of only a shortened
link, from the e-mail address of a friend.  If the messages actually
originate in the friend's computer, should they always be found in the
friend's sent folder?  If the from address is being spoofed, is there an
easy way to distinguish that?

As noted separately, if your friend is in the habit of sending links, encourage him to include text that will positively identify himself. And if there's no identification, he should know that you will assume that they're spam (even if legitimate).

I suppose you could go the route of replying to the message, quoting verbatim (although munging the URL slightly, so that it can't be clicked on, if it's malicious), with a query of "is this from you?"

It's not impossible that your friend could be malware-infected, but when that kind of thing happens, malware normally uses its own infrastructure to send. Unless it's something like the LoveBug worm of years ago, where Outlook was automatically executing scripts (and replicating by scanning the victim's address book and sending to all those addresses), malware is very unlikely to actually touch the victim's mail client.

One of the things that I see a lot is where a message has a distribution list of about 10-12 addresses, in alphabetic order. Often, several of the addresses may be ones that I recognize, and may even have some in my address book. When that happens, it's likely that either the purported sender (or somebody that that person knows) has gotten malware-infected, and that the malware has harvested the victim's contact lists. From there, the sending mechanism segments the harvested list into batches of about 10 addresses each. Not using Bcc: addressing helps with delivery in several ways: recipients who work from servers where an address in an address book is whitelisted, recipients who recognize other addresses in the distribution list, and getting around servers that may stall or reject messages that have no distribution lists (i.e., all the addresses are Bcc:). For actual sending, use of botnets is common, where there are multiple victims. The mailing is sent to the first victim's contacts, but where the actual point of injection to the Internet begins with additional victims, whose computers are in botnets that include rogue mail servers.

It's generally pretty easy to identify a spoof -- all you have to do is to use CTRL-U to look at the message headers, and see Received: lines from domains that don't match the domain in the From: line. For the major freemail providers, Gmail, Yahoo and AOL all have DKIM signatures. Hotmail/Outlook/MSN isn't currently using DKIM, but a message that shows an Outlook.com return address will have Received: headers that show hotmail.com.

In this layout, you may see a message that purports to show your friend's email address in a From: line (say, at Yahoo), and where the distribution list may include several people or addresses you recognize. However, a check of the message headers shows no indication of Yahoo servers (especially Yahoo's DKIM signature), and that the message traveled through a server in Poland or South Korea.

If you're really into digging, it's not hard to find the IP address of where the message was injected, and if you know how to run a Whois check or a traceroute, you can identify the ISP where the message originated.


For the messages that are junk (or you suspect are junk), mark them as Junk, and let Seamonkey put them into the Junk folder.

For junk handling, it's important to understand that the filtering system is based on Bayesian logic (where, if something is designated as junk, other stuff that's sufficiently similar is also designated as junk -- and the same way for not junk). The Mozilla implementation of Bayesian is not nearly as elaborate as with SpamAssassin, but it's generally workable.

The other thing to know is that if a message has been designated as junk or not junk, that's based on the entire message, the combination of headers, body and attachments, not just the From: line. Thus, if you designate a forged message that has your friend's email address as junk, a legitimate message will be sufficiently different that it's unlikely to get tagged as junk.

From there, you do have to pay attention to the Junk folder. Bayesian filters get better if they have more examples of knowing what's junk and what's not. Therefore, if you find a legitimate message in the junk folder, make sure you tag it as not junk, rather than just moving it back to your inbox. That will help the filters learn how to differentiate between what you consider to be junk and what you consider to be legitimate.

Smith
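The header check described in the reply above (From: domain versus the Received: chain, presence of a DKIM signature, and the IP to feed into a Whois lookup), as an added example that is not part of the original post and is not SeaMonkey code. It only reads the d= tag of a DKIM-Signature header; it does not verify the signature cryptographically, and a forger can add such a header with any d= value, so for real verification trust your own server's Authentication-Results header or a DKIM library. Every domain, hostname and IP address in the two sample messages is constructed (freemail.example stands in for any freemail provider, example.net for your own mail server).

```python
"""Added example, not code from the original post or from SeaMonkey.
Walks a raw message's headers the way the reply describes: From: domain,
Received: hops, the peer IP our own MX recorded, and the DKIM d= tag.
The DKIM signature is NOT cryptographically checked here.
All domains, hosts and IPs below are constructed."""
import email
import re
from email.utils import parseaddr

# Constructed spoof: From: claims a freemail.example address, but the only hop
# before our MX is a dynamic ISP host and there is no DKIM signature at all.
SAMPLE_SPOOF = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.example.net with ESMTP id abc123; Mon, 1 Jan 2024 10:00:00 +0000
Received: from 203-0-113-77.dyn.isp.example ([203.0.113.77])
\tby mx.example.net with SMTP; Mon, 1 Jan 2024 09:59:58 +0000
From: Friend <friend@freemail.example>
To: me@example.net
Subject: (no subject)

http://short.example/x1y2z3
"""

# Constructed legitimate message: relayed by a freemail.example host and
# carrying a DKIM-Signature whose d= tag is freemail.example.
SAMPLE_LEGIT = """\
Received: from sonic301.freemail.example (sonic301.freemail.example [198.51.100.5])
\tby mx.example.net with ESMTPS; Mon, 1 Jan 2024 09:00:00 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freemail.example;
\ts=s2048; h=from:to:subject; bh=CONSTRUCTED; b=CONSTRUCTED
From: Friend <friend@freemail.example>
To: me@example.net
Subject: dinner on Friday

Hi, this is Bob. Are we still on for Friday?  http://short.example/abc
"""

RECEIVED_RE = re.compile(r"from\s+(?P<helo>\S+)(?P<rest>.*?)\bby\s+(?P<by>[^\s;]+)", re.S)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")   # IPv4 only, for brevity


def _headers(msg, name):
    # Collapse folded continuation lines into single-line header values.
    return [" ".join(v.split()) for v in (msg.get_all(name) or [])]


def from_domain(msg):
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()


def dkim_domain(msg):
    # d= (signing domain) tag of the first DKIM-Signature header, if any.
    for sig in _headers(msg, "DKIM-Signature"):
        m = re.search(r"(?:^|;)\s*d=([^;\s]+)", sig)
        if m:
            return m.group(1).lower()
    return None


def received_hops(msg):
    # Newest hop first, as the headers appear (each relay prepends its own line).
    hops = []
    for val in _headers(msg, "Received"):
        m = RECEIVED_RE.search(val)
        if not m:
            continue
        from_part = (m.group("helo") + m.group("rest")).lower()
        ip = IPV4_RE.search(from_part)
        hops.append({"from_part": from_part, "ip": ip.group(1) if ip else None,
                     "by": m.group("by").lower()})
    return hops


def _mentions(text, domain):
    return re.search(r"(?:^|[\s(\[.])" + re.escape(domain) + r"(?![\w-])", text) is not None


def assess(raw, our_domain):
    msg = email.message_from_string(raw)
    fdom, dkim, hops = from_domain(msg), dkim_domain(msg), received_hops(msg)

    # Only the Received: lines written by our own servers are trustworthy; the
    # earliest of them records the IP that connected to us, i.e. where the
    # message was injected from our point of view.  That is the IP to Whois.
    injection_ip = None
    for hop in reversed(hops):
        if hop["by"].endswith(our_domain):
            injection_ip = hop["ip"]
            break

    if dkim == fdom:
        verdict = "consistent"     # signing domain matches From: (signature not verified here)
    elif any(_mentions(h["from_part"], fdom) for h in hops):
        verdict = "unverified"     # a hop names the From: domain, but HELO names are sender-controlled
    else:
        verdict = "likely spoof"   # no relay from the From: domain and no DKIM signature for it

    return {"from_domain": fdom, "dkim_domain": dkim, "injection_ip": injection_ip,
            "hops": [h["from_part"] for h in hops], "verdict": verdict}


if __name__ == "__main__":
    for name, raw in (("spoof", SAMPLE_SPOOF), ("legit", SAMPLE_LEGIT)):
        print(name, assess(raw, "example.net"))
```

Paste the headers shown by CTRL-U into a file and pass its contents to assess() with your own mail domain; the "injection_ip" field is what you would run a Whois check on, and "hops" lists what each relay claimed about the previous one, earliest hop last.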

_______________________________________________
support-seamonkey mailing list
[email protected]
https://lists.mozilla.org/listinfo/support-seamonkey
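The junk-filter behaviour described in the reply above (the whole message is scored, not just the From: line, and marking a message Not Junk trains the filter while merely moving it does not), as an added example that is not part of the original post and is not SeaMonkey's own filter code. It is a minimal Graham-style naive Bayes filter; the constants (0.01/0.99 clamps, doubled good counts, the 15 most significant tokens) are the usual ones from Graham's "A Plan for Spam", and the training messages, addresses and links are all constructed.

```python
"""Added example, not code from the original post or from SeaMonkey.
Minimal Graham-style naive Bayes junk filter scoring the whole message
(From: and Subject: tokens plus body tokens).  Constructed training data."""
import math
import re
from collections import Counter

WORD_RE = re.compile(r"[a-z0-9]+(?:[.@-][a-z0-9]+)*")


def tokens(msg):
    # Header tokens carry the field name as a prefix, so "friday" in a subject
    # and "friday" in a body are learned separately.  Each distinct token
    # counts once per message.
    out = set()
    for field in ("from", "subject"):
        out.update(f"{field}:{t}" for t in WORD_RE.findall(msg[field].lower()))
    out.update(WORD_RE.findall(msg["body"].lower()))
    return out


class BayesFilter:
    def __init__(self):
        self.junk, self.good = Counter(), Counter()
        self.njunk = self.ngood = 0

    def train(self, msg, is_junk):
        # What "mark as Junk" / "mark as Not Junk" does.  Dragging a message
        # between folders without marking it calls nothing here.
        if is_junk:
            self.junk.update(tokens(msg)); self.njunk += 1
        else:
            self.good.update(tokens(msg)); self.ngood += 1

    def token_prob(self, tok):
        # P(junk | token).  Good counts are doubled to bias against false
        # positives; tokens never seen in training are ignored (None).
        g, b = 2 * self.good[tok], self.junk[tok]
        if g + b == 0:
            return None
        pg = min(1.0, g / max(self.ngood, 1))
        pb = min(1.0, b / max(self.njunk, 1))
        return min(0.99, max(0.01, pb / (pg + pb)))

    def score(self, msg):
        # Combine the 15 token probabilities furthest from neutral (0.5).
        probs = [p for p in map(self.token_prob, tokens(msg)) if p is not None]
        probs.sort(key=lambda p: abs(p - 0.5), reverse=True)
        probs = probs[:15]
        if not probs:
            return 0.5
        prod, inv = math.prod(probs), math.prod(1 - p for p in probs)
        return prod / (prod + inv)

    def is_junk(self, msg, threshold=0.9):
        return self.score(msg) > threshold


FRIEND = "friend@freemail.example"   # constructed address that the forger copies

# Constructed training set: three forged link-only messages marked Junk and
# three real messages marked Not Junk, two of them from the same friend.
TRAINING = [
    ({"from": FRIEND, "subject": "", "body": "http://short.example/x1y2z3"}, True),
    ({"from": FRIEND, "subject": "", "body": "http://short.example/q9w8e7"}, True),
    ({"from": "other@freemail.example", "subject": "hey", "body": "http://short.example/z1"}, True),
    ({"from": FRIEND, "subject": "dinner on friday",
      "body": "Hi, this is Bob. Still on for dinner Friday at 7? Let me know."}, False),
    ({"from": FRIEND, "subject": "photos from the hike",
      "body": "Bob here - photos from Saturday are at http://photos.example/album/17 . Great day."}, False),
    ({"from": "coworker@work.example", "subject": "re: meeting",
      "body": "Moved to 3pm, room 4. Thanks"}, False),
]

FORGED = {"from": FRIEND, "subject": "", "body": "http://short.example/p0o9i8"}
LEGIT = {"from": FRIEND, "subject": "lunch saturday?",
         "body": "It is Bob. Want to grab lunch Saturday? Same place as last time."}
# A real message from the friend that looks much like the forgeries: a bare
# short link with only his name, which is why the reply asks him to identify himself.
BORDERLINE = {"from": FRIEND, "subject": "", "body": "http://short.example/k1l2m3 bob"}


def trained_filter():
    f = BayesFilter()
    for msg, is_junk in TRAINING:
        f.train(msg, is_junk)
    return f


def demo():
    f = trained_filter()
    result = {"forged": f.score(FORGED), "legit": f.score(LEGIT),
              "from_token": f.token_prob("from:" + FRIEND),
              "borderline_before": f.score(BORDERLINE)}
    f.train(BORDERLINE, False)        # user marks it Not Junk instead of just moving it
    result["borderline_after"] = f.score(BORDERLINE)
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:18s} {v:.4f}")
```

With this training set the friend's address token sits near 0.5, so the forged message is caught by its link tokens while the friend's real message scores near zero; the bare-link message from the friend lands right at the threshold until it is marked Not Junk, after which its score drops sharply.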
