This message might look a little technical, but bear with me; I think
you'll find it pays off if you get to the end. Make sure you've got
your favourite drink nearby...
On Mon, 2004-03-15 at 02:41, one subscriber wrote:
> I sent the e-mail address of the mail I got that was trying to put a
> virus in my works to hotmail.com. Unfortunately I only sent the
> e-mail address and not the whole message.
The above is but one quote of many seen on this (and other) lists that
attempt to deal with email viruses. The approach taken is more than most
would bother with, and I must commend the author for trying, but I have
some bad news.
It is a complete waste of time, because the address the message appears
to come from is very likely made up. Most email viruses these days do
the following, in a more or less sophisticated manner:
 * Search the infected machine for email addresses
 * Generate a new sender address that looks plausible; regularly it is
   built from the addresses gathered above
 * Send a copy of the virus to each address found, using one of the
   generated addresses as the sender
The only way you can detect where the virus comes from is from the
headers of the email. I'll include a full header in this message and
show you where it shows up. Also note that I've replaced anything that
refers directly to me or my email address with "<obfuscated>", because I
really get enough spam as it is and I don't really need spam hunters to
go through the archive and find more ways of getting spam to me...
Now, a typical email header looks a little like the tangled mess below.
It is made visible if you choose "Show Headers" in your email programme,
in whatever way it supports that...
Below I'll explain how to read this mess. (For this explanation, I've
added an empty line between each header line, otherwise it would look
quite overwhelming.)
Received: from localhost ([127.0.0.1]) by <obfuscated> with
    esmtp (Exim 3.36 #1 (Debian)) id 1AmR99-0007XM-00 for
    <obfuscated>; Fri, 30 Jan 2004 15:54:51 +1030

Received: from hedgehog.highway1.com.au [203.7.224.11] by
    localhost with POP3 (fetchmail-6.2.4) for <obfuscated>
    (single-drop); Fri, 30 Jan 2004 15:54:51 +1030 (CST)

Received: from perth.highway1.com.au (ns.highway1.com.au
    [203.7.224.10]) by hedgehog.highway1.com.au (8.12.10/8.12.10)
    with ESMTP id i0U5NSWT018710 for <obfuscated>; Fri, 30 Jan 2004
    13:23:28 +0800 (WST)

Received: from mail4.highway1.com.au (mail4.highway1.com.au
    [203.7.224.12]) by perth.highway1.com.au (8.12.10/8.12.10) with
    ESMTP id i0U5NSar020463 for <obfuscated>; Fri, 30 Jan 2004
    13:23:28 +0800 (WST)

Received: from khe.siemens.de
    (ppp-225-20-29.friaco.access.uk.tiscali.com [80.225.20.29]) by
    mail4.highway1.com.au (8.12.10/8.12.10) with ESMTP id
    i0U5MlAt009055 for <obfuscated>; Fri, 30 Jan 2004 13:23:03 +0800
    (WST)

Message-Id: <[EMAIL PROTECTED]>

From: <obfuscated>

To: <obfuscated>

Subject: Mail Delivery System

Date: Fri, 30 Jan 2004 05:22:10 +0000

MIME-Version: 1.0

Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_0000_0CEED3F8.CB587976"

X-Priority: 3

X-MSMail-Priority: Normal
Let me explain what is happening.
Before we begin, note that each line in the email header starts with a
field name and a colon. The field names in this header are: "Received:",
"Message-Id:", "From:", "To:", "Subject:", "Date:", "MIME-Version:",
"Content-Type:", "X-Priority:" and "X-MSMail-Priority:".
The lines we care about are the ones marked "Received:".
You should know that every time an email message is handed from one mail
server to the next, the receiving server adds another "Received:" line
(or header, as it's normally called) to the top of the message.
This means that a freshly written email message has no "Received:"
header, and the one that gets to you has at least one, but more likely
several.
When an email is sent, it is handed to a mail server on the Internet,
which adds the first "Received:" header. That is the one closest to the
message body (in this example, the one that starts with "Received: from
khe.siemens.de"):
Received: from khe.siemens.de
    (ppp-225-20-29.friaco.access.uk.tiscali.com [80.225.20.29]) by
    mail4.highway1.com.au (8.12.10/8.12.10) with ESMTP id
    i0U5MlAt009055 for <obfuscated>; Fri, 30 Jan 2004 13:23:03 +0800
    (WST)
When one computer connects to another on the net, both have an address
(an IP address), and some of them have a name too. The header above is
the "smoking gun", if you like.
The header states (in more or less English) the following information:
At this time, I received an email from a computer that claimed
it was called Simon, but was actually called Peter. The message
was intended for Onno.
Where:
Simon is the Siemens computer.
Peter is the Tiscali computer.
Onno is the <obfuscated> final recipient of the email.
So using the actual information with the same formatting we get:
On Fri, 30 Jan 2004 at 13:23:03 +0800 (WST) the computer
mail4.highway1.com.au received an email from a computer claiming
to be "khe.siemens.de", but was actually
"ppp-225-20-29.friaco.access.uk.tiscali.com" which has an IP
address of "80.225.20.29". The identifier for this message was:
"i0U5MlAt009055" and the message was sent to "<obfuscated>"
So, if you're still reading, the catch is this: the name after "from" is
whatever the sending computer chose to announce when it connected, while
the name and address in parentheses are what mail4.highway1.com.au
worked out for itself from the connection. The "Siemens" computer is
really a Tiscali dial-up machine, and the Siemens name most likely came
from the address book on that Tiscali machine.
On the face of it, we could send an email to [EMAIL PROTECTED] and be
done with it.
The problem is that while this message was a virus, others that look
exactly the same are not. So you cannot raise a virus warning based on
such a mismatch alone.
You might well ask: "In what circumstance can we see the same header
behaviour where this is perfectly fine?"
My computer sends and receives email. It is connected to the Internet
via Optus Satellite. My domain is hosted with Highway1. All email I
receive comes to the Highway1 computers, but all email I send leaves via
Optus.
If I were to send an email to you directly (not via the list) you'd
notice that the last received header (the first one added) shows the
same behaviour - one computer claiming to be one thing, but actually
being another. (In my case you'd see: latte.internal.itmaze.com.au
actually being OptusSatelliteServices.22bjc76f09.optus.net.au or
61.88.171.38.)
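To make the procedure above concrete, here is an added example of mine (not code from Onno's message): a small Python parser that pulls the "Received:" headers out of a raw message, walks them from the bottom up, and reports the first one added. The message it parses is a constructed copy of the header quoted above, with the obfuscated recipient, sender and Message-Id replaced by made-up example.net and example.org values; those values, and the helper names, are my assumptions. It also flags every hop where the announced name differs from what the receiving server saw, which shows why that mismatch alone is no virus indicator: four of the five hops in this perfectly legitimate delivery path trigger it.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample, modelled on the header quoted in the message above.
# The recipient, sender and Message-Id that the original blanks out are
# replaced with made-up example.net / example.org values (an assumption).
SAMPLE = """\
Received: from localhost ([127.0.0.1]) by mx.example.net with
    esmtp (Exim 3.36 #1 (Debian)) id 1AmR99-0007XM-00 for
    <victim@example.net>; Fri, 30 Jan 2004 15:54:51 +1030
Received: from hedgehog.highway1.com.au [203.7.224.11] by
    localhost with POP3 (fetchmail-6.2.4) for <victim@example.net>
    (single-drop); Fri, 30 Jan 2004 15:54:51 +1030 (CST)
Received: from perth.highway1.com.au (ns.highway1.com.au
    [203.7.224.10]) by hedgehog.highway1.com.au (8.12.10/8.12.10)
    with ESMTP id i0U5NSWT018710 for <victim@example.net>; Fri, 30 Jan 2004
    13:23:28 +0800 (WST)
Received: from mail4.highway1.com.au (mail4.highway1.com.au
    [203.7.224.12]) by perth.highway1.com.au (8.12.10/8.12.10) with
    ESMTP id i0U5NSar020463 for <victim@example.net>; Fri, 30 Jan 2004
    13:23:28 +0800 (WST)
Received: from khe.siemens.de
    (ppp-225-20-29.friaco.access.uk.tiscali.com [80.225.20.29]) by
    mail4.highway1.com.au (8.12.10/8.12.10) with ESMTP id
    i0U5MlAt009055 for <victim@example.net>; Fri, 30 Jan 2004 13:23:03 +0800
    (WST)
Message-Id: <made-up-id@example.org>
From: someone@example.org
To: victim@example.net
Subject: Mail Delivery System
Date: Fri, 30 Jan 2004 05:22:10 +0000

(body omitted)
"""

# Shapes seen above: "from X (rdns [ip]) by Y", "from X ([ip]) by Y", "from X [ip] by Y".
RECEIVED_RE = re.compile(
    r"^from\s+(?P<helo>\S+)"                                      # name the sender announced
    r"(?:\s+\((?:(?P<rdns>[\w.\-]+)\s+)?\[(?P<ip1>[^\]]+)\]\))?"  # "(rdns [ip])" or "([ip])"
    r"(?:\s+\[(?P<ip2>[^\]]+)\])?"                                # bare "[ip]" (fetchmail style)
    r"\s+by\s+(?P<by>\S+)"                                        # server that wrote the header
)


def received_headers(raw):
    """All Received: headers, top (most recently added) first, unfolded to one line each."""
    msg = message_from_string(raw)
    return [re.sub(r"\s+", " ", v).strip() for v in msg.get_all("Received", [])]


def parse_received(value):
    """Extract the useful fields from one Received: header; None if the shape is unknown."""
    m = RECEIVED_RE.match(value)
    if not m:
        return None
    ident = re.search(r"\bid\s+([^\s;]+)", value)
    rcpt = re.search(r"\bfor\s+<?([^\s<>;]+)>?", value)
    date = None
    if ";" in value:  # the timestamp follows the last semicolon
        try:
            date = parsedate_to_datetime(value.rsplit(";", 1)[1].strip())
        except (TypeError, ValueError):
            date = None
    return {"helo": m.group("helo"), "rdns": m.group("rdns"),
            "ip": m.group("ip1") or m.group("ip2"), "by": m.group("by"),
            "id": ident.group(1) if ident else None,
            "for": rcpt.group(1) if rcpt else None, "date": date}


def hops(raw):
    """The path in travel order: the bottom header was added first, the top one last."""
    return [p for p in (parse_received(v) for v in reversed(received_headers(raw))) if p]


def origin(raw):
    """The first Received: header added, i.e. the record of the machine that handed the mail in."""
    path = hops(raw)
    return path[0] if path else None


def helo_mismatch(rec):
    """True when the announced (HELO/EHLO) name differs from what the receiving server
    observed: its reverse DNS name, or the bare IP when the address has no name."""
    return rec["helo"] != (rec["rdns"] or rec["ip"])


def describe(rec):
    """The header in the plain-English form used in the message above."""
    when = rec["date"].strftime("%a, %d %b %Y %H:%M:%S %z") if rec["date"] else "an unknown time"
    text = (f"On {when} the computer {rec['by']} received an email from a computer "
            f"claiming to be \"{rec['helo']}\"")
    if helo_mismatch(rec):
        text += f", but was actually \"{rec['rdns'] or rec['ip']}\""
    if rec["rdns"] and rec["ip"]:
        text += f" (IP address {rec['ip']})"
    if rec["id"]:
        text += f". Message identifier: {rec['id']}"
    if rec["for"]:
        text += f". Sent to: {rec['for']}"
    return text + "."


if __name__ == "__main__":
    print("Origin (the smoking gun):\n  " + describe(origin(SAMPLE)))
    print("\nFull path, first hop first:")
    for rec in hops(SAMPLE):
        flag = "announced name differs" if helo_mismatch(rec) else "consistent"
        print(f"  {rec['helo']:<28} -> {rec['by']:<24} [{flag}]")
```

Run it with python3 and it prints the origin in the same plain-English form used above, then the path hop by hop. Only the bottom "Received:" header identifies the machine that handed the mail in, and only as far as the server that wrote it is one you trust: a sender can put any number of fake "Received:" lines into the message before it leaves, so start reading from the first header written by a server you know and treat anything below it as the sender's claim.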
So, now that you know how to read the headers of an email, what can you
do with them?
If the message you receive is a virus, you can send a polite message to
the ISP informing them that it is possible that they have an infected
machine on their network and could they please do something about it.
(Make sure you give them all the headers, not just a message saying:
"You've got an infected machine.")
Note that the above message may attract spam because some ISPs actively
gather email addresses and yours just got added to their list.
Another thing you can do with this is see if you can figure out how the
message got to you. For example, I have a friend who works with a
company called "Ampac". I know that he is the only person I know with
that relationship, so if a virus arrives claiming to be from Ampac,
odds-on it's from my friend and not from Ampac.
So, now you're armed with a little more information, you can understand
why this email thing is so complicated, why we still have spam and why
there are email viruses.
I'm sorry I don't have any more information to impart...
Onno Benschop
Connected via Optus B3 at S41°18'23" - E146°49'07" (Holwell, Tas)
--
()/)/)() ..ASCII for Onno..
|>>? ..EBCDIC for Onno..
--- -. -. --- ..Morse for Onno..
Proudly supported by Skipper Trucks, Highway1, Concept AV, Sony Central, Dalcon
ITmaze - ABN: 56 178 057 063 - ph: 04 1219 8888 - onno at itmaze dot com dot au