Tag: viruses

Posted on
by

By way of Justin Mason and the SpamAssassin mailing list comes this post about writing add-ons for Outlook.

Seth Goodman writes of Outlook’s contact list:

This feature was apparently added for the convenience of virus writers, who it appears were one of the key groups that set the design requirements for this product

Ronald F. Guilmette replies:

So if I want source code for a software tool that can extract addresses from a personal Outlook address book, I guess that I should just go out and hire a virus writer! Hummm. I would have no problem with that. At least this would give them some honest work for a change… keeping them off the streets and out of trouble for a short while.

So now, where does one post a ‘HELP WANTED’ ad for a virus writer?

Posted on
by

A new virus has been running around today, hiding in files like price08.zip, new_price.zip, etc. We got a call from a customer asking what this [Defanged] notice was all about, at which point I looked at the logs and found a lot more instances. By the time our virus definitions were updated to recognize it (currently ClamAV identifies it as Trojan.JS.RunMe. Edit: McAfee and F-Secure identify it as a new Bagle variant – either W32/Bagle.aq@MM or Bagle.al), about 45 copies had made it through virus scanning but were caught by MIMEDefang, which found the attachment suspicious anyway.

The moral of this part of the story: relying on virus signatures isn’t enough. By the time Norton, McAfee, F-Secure, ClamAV, etc. has identified a signature and your scanner has grabbed the updated files, it’s too late. Some copies have gotten through.

The next part is kind of interesting: This virus is clearly harvesting addresses from the web or from browser caches, because we’re seeing hits to our spamtraps. The really weird part: half of those hits claim to be from our other spamtraps!

But it is kind of odd for a new outbreak to hit the day I read this article: Security expert Q&A: The virus writers are winning.

Posted on
by

More “You sent a virus!” garbage going around. It’s gotten to the point where I don’t even look at most delivery failure notices, which means I could easily miss errors about mail I really did send.

I got ticked off enough this time that I wrote back to the return address on the warning, matching the tone and structure of their message as closely as possible:

An invalid virus notice was found in an Email message you sent. Your Email scanner recognized a virus as W32/MyDoom-O but did not take into account the fact that this virus always uses a fake sender address.

Please update your virus scanner or contact your IT support personnel as soon as possible as you are sending bogus virus warnings to third parties whose systems are not infected with the virus. This runs the risk of causing unnecessary concern among the less tech-savvy (and extra calls to tech support about the nonexistant virus they fear they have). I would recommend reading up on the phrase “crying wolf” as well.

Posted on
by

I regularly get bogus bounces from clueless virus scanners that don’t realize the sending address is fake 99% of the time, but this takes the cake:

Sometime last night I received three copies of the same notice from some system in Brazil. They had written their virus warning in Microsoft Word, saved it as HTML without cleaning up all the extra junk, and made it the only part of the message… in Base64 encoding!

If you’re going to send any kind of diagnostic notice by email, you want it to be as simple and widely readable as possible. That means plain text (not HTML or Base64, and certainly not both!) It also means if you do want to use HTML, at least clean it up and include a plain-text alternative. For all you know it’s going to be read by some admin logging into a GUIless server through SSH over a modem connection on a hotel phone line!

Posted on
by

Here are several humor articles that have been posted to the SpamAssassin discussion list over the past week:

The TechWeb Spin: All spam is true! (Fredric Paul, Internet Week, June 29, 2004): Yes, you read it here: it’s all true! The author explains about all the money he’s gotten from deposed Nigerian dictators, the software discounts, the combined advantages of certain pharmaceuticals and dating services, and more! [Edit: Sadly the article was deleted before the Internet Archive got to it.]

It’s true, I read it on the Net! (author unknown): I remember seeing this way back when, under the title “The Ultimate Chain Letter.” It’s kind of like the parody of the Good Times Virus (remember that one?) in that it combines everything. All the urban legends about stolen kidneys, rats at KFC, needles in pay phones, and satanic business leaders. All the email hoaxes about Bill Gates giving you money and dying kids asking for email. All the typical chain letter threats about not breaking the chain.

Spam is out of this world (Adam Turner, Syndey Morning Herald, April 1, 2004): An April Fools’ piece about the Mars Spirit rover being crippled by spam traffic: “The rover’s limited onboard artificial intelligence was foolish enough to apply for an shonky online marketing diploma. Soon after offers of cheap WD40 and antenna enlargements began clogging the link between Mars and NASA’s Deep Space Network.” It goes on to explain that Beagle was taken down by a Martian Nigerian scam.

Welcome to Spam University: a parody of a school site with ridiculously low entry requirements (At least four years of elementary school, No more than three felony convictions), course descriptions (Harvesting Addresses, Covering Your Tracks, Spamming Ethics – Canceled), alumni testimonials and more!