Spam and worms
 

I've now gotten two emails from other newsgroup participants about
messages containing a worm or virus with my email address in the "From"
line. One was well-meaning, the other accusatory.

When a worm or virus infects a computer, it commonly sends itself to
addresses in the victim's address book. It forges other addresses from
the address book into the "From" and "Reply-to" lines. One thing you can
*always* count on is that a spam, worm, or virus email *never* comes
from the location in the "From" or "Reply-to" lines of the header. If
you've gotten one which has my address in one or both those lines, it
means simply that both our addresses are in the victim's address book.

Senders of spam also *always* forge return addresses, and sometimes use
a genuine address they've gathered at random, or occasionally use one
purposefully as a means to harass someone. Some time ago, a major
spammer decided to use mine for a while, and I got about 100 bounce
messages per day for a couple of months as a result.

If you want to help stop the spread of the worm, go to
http://www.spamcop.net/anonsignup.shtml. Click the link labeled "Learn
more about what to report and what not to report to SpamCop" and read
the section about viruses. Then sign up to use their automated spam
tool. It's able to parse through a forged header and detect the true
origin of an email message. Follow the directions for "Viruses" at
http://www.spamcop.net/fom-serve/cache/125.html. This will notify the
ISP that one of their customers' machines is infected, and enable them
to identify which machine it is.

Because my email address appears in a lot of address books, I see
infections from time to time in the form of bounce messages resulting
from the worm being sent to invalid addresses. There was a particularly
bad one a while back on some German ham's machine which got me a lot of
bounce mail. This one is apparently in the machine of someone who reads
this newsgroup or at least has occasion to email some of the participants.

Roy Lewallen, W7EL

Spam and worms
 

On Sun, 26 Mar 2006 12:10:08 -0800, Roy Lewallen
wrote:

This one is apparently in the machine of someone who reads
this newsgroup or at least has occasion to email some of the participants.

One of the horde of admirers that Cecil claims fills his in-basket
with congratulations over his admirable work?

And Cecil would have us believe they're such a timid group, too
intimidated to participate, but gleeful at his jests, quick turn of an
equation, and general good clubsmanship.

They must be from MENSA (but still using email? haven't they got it
down to telemailnesis yet? or is it telepostapathy? Sorry, my iq
just isn't up for the game....)

73's
Richard Clark, KB7QHC

Spam and worms
 

Roy Lewallen ) writes:

... If
you've gotten one which has my address in one or both those lines, it
means simply that both our addresses are in the victim's address book.


You have my sympathies, Roy. I know just what you mean. For six years I
was heavily involved with the IARU Intruder Watch and, like you, my
address was in a lot of people's address books, with the expected result
whenever any of those computers became infected. One particularly
embarrassing infection sent an infected message every few days to the U.S.
FCC, and of course I would get the FCC's automatic reply saying that an
"unacceptable attachment" had been deleted from "my" message to them.
This went on for about six months and I was never sure whether it was just
due to some idiot who never ran a virus scanner or was actually malicious.
I suspect the latter. They say education would solve a lot of these
problems but I have often wished there was some silver bullet that could
be sent to the offending computers HI.

Good luck and 73,
.... Martin VE3OAT

ex-IARU Region 2 Monitoring System Coordinator