L.D.,

> I will repeat what I said on the Arachne list, and I would appreciate it
> if some of you might pass the word. I have not sent anyone any viruses.
>
> If people would look up what is written about at least one of the newest
> Dozerwarez viruses, not only can the piece of snit software harvest
> e-dresses from address books and saved html pages, it also has upgraded
> so that the From: can be forged and one of those harvested e-dresses
> blamed for the e-mail.

First, let me say that I was not one of the people who accused you of sending anyone virii, nor did I receive any that appeared to be from you.

Second, if you are referring to one of the 'Gibe' incarnations, you are correct, the virus does forge several parts of the header, most of the first 2 lines (except for the enclosed DNS), and also the last three lines, including the now famous '(HELO pfuckie)' signature entry.

> I use Arachne and only Arachne for processing e-mail.
>
> Attachments to Arachne do NOT happen secretly, nor is mail sent
> secretly.

I do not know how Arachne functions, but it does not matter much, relative to this particular virus, because it is hardcoded to work specifically with Outlook/OE programs, and wouldn't know what to do with another mail client, unless the designers had hijacked Microsoft's source code, and used it unaltered. Of course, that would not stop it from dropping other parts of its payload in the infected computer, where those parts were applicable to the OS the computer was running, just from using the mail client to spread itself.

> I cannot even *receive* e-mail with viruses attached; my ISP has Amavis
> in place, and when an infected e-mail is sent to me it is sent to the
> bit bucket and I simply get a notice that e-mail containing such and
> such a virus was sent to me by so and so.
>
> If I attempt to include or attach a virus to outgoing e-mail, it is
> *stopped* by my ISP.

This presumes that your ISP's (and - or your) virus definitions are up-to-date. The Gibe virus was either self-mutating, or there were at least three (that I know of) variations circulating within the past several days, none of which had the same heuristic recognition pattern, which means that updated virus definitions were being out-dated by new strains of the virus within a matter of hours. This was fairly easy to spot, since the body of the letter had not changed, except for the reference to the attachment, which had also been renamed.

> It even stopped my initial reply to Steven's
> message because I had quoted the small amount of UUE encoded message he
> had attached.

That small amount of UUD encoded might have been the virus, or the part of the virus that your ISP's AV software bases recognition on.

> Anyone who believes they got infected e-mail from me is invited to tell
> *me* and not the world in general ... and, if possible, they should
> forward full headers at least, or the message in zipped format password
> protected so it can get past the Amavis virus firewall.

I agree with you that a person should be notified privately, but it is also reasonable for a virus recipient who recognises the apparent sender as being a member of a particular list, to warn the list, in case other members have received similar emails, which they have not yet opened, hopefully with an attention getting tag in the header, so that it will be read first.

As far as forwarding full headers and all that stuff, I do not mess with any of that, especially at the 'getting out the warning' stage. I have a stock message I send people who inadvertently send me virii (since I run a virus list, a lot of my friends and associates deliberately send me virii as well) telling them their machine is infected, what virus it is infected with, and directing them to the Trend Micro free virus-check page, in case they do not have a current subscription to their own AV service.

Being incorrectly accused of having disseminated a virus might be a blow to one's ego... but it is only a temporary blow, since in very short order the facts come out, as in the case of a virus having the capability to forge headers.

-wittig
http://www.robertwittig.com/

to master others is nothing.
to master yourself is something.
