We are receiving a lot of questions regarding the recent flurry of weird emails. We understand the concerns, so I'd like to address them. Please read the following carefully and hopefully you will find all the answers. It's VERY long, but I tried to address all the issues in detail. If you're really curious about what's going on, find a few minutes and read this :o) I have simplified some things to keep it as short as possible.
There are basically three kinds of those emails.
1. Spam. Unsolicited emails. Anything from legitimate (still unwanted) commercial advertising to not-so-legitimate offers. Mostly harmless, but annoying and often offensive. Just keep deleting, do not reply! Asking to be removed from their mailing lists will most likely get you more spam instead! Keep in mind that spammers buy bulk address lists without really knowing whether the addresses are valid or not. By responding in any way you confirm that your address is valid, and they'll send you even more spam. Only legitimate vendors will honor removal requests (Apple, CompUSA, banks, etc.). Someone who's trying to sell you... er... you-know-what-I-mean will not bother and will actually spam you some more.
2. Scams and Phishing. Dangerous! They want your personal information: birth dates, social security and credit card numbers. Or they sell you something that doesn't exist, take your dollars and disappear. These vary from obvious things like laundering money for a former African dictator to eBay and bank scams (phishing). Be extremely cautious! Don't reply. If you follow a link, verify its validity; if not sure, ask us. The rule of thumb is not to follow any links from an email, period, unless you know 100% what it is. Even if you have the slightest doubt, don't follow the link. If the email looks like it came from eBay or a bank and asks you to go verify your personal info, it's most likely a scam. Always go to auctions, banks, etc. by manually typing the address into a web browser or by using your own bookmarks. Links in emails can be easily spoofed: the text you see does not have to match the address the link actually goes to, and web addresses can be forged or made confusing enough to fool most people. These institutions never send you emails like that. Read more about phishing here. Phishing has grown into a multimillion dollar "business". There are ways to keep from becoming a phishing victim: not clicking on links in emails, changing your passwords periodically, using the latest web browsers that feature anti-phishing protection (IE7 and Firefox 2, for example), and signing up for a credit report monitoring service.
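Here is what "links in emails can be spoofed" looks like to a program. This is an added example, not something from the original FAQ or from any vendor: a small Python script that pulls every link out of an HTML email body (the sample body below is constructed) and flags the cases where the text you see names one site but the href goes to another, where the real address is a bare IP, or where a fake site name is stuffed before an @ sign so the real host hides at the end.

```python
"""Flag anchor tags whose visible text points at a different host than the
real href, plus two other link-disguising tricks.  Added example, not part of
the original FAQ; the sample HTML below is constructed."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample of a phishing-style email body.  Only the last link is honest.
SAMPLE_HTML = """
<p>Dear customer, please <a href="http://www.ebay.com.account-check.example/login">
http://www.ebay.com/signin</a> to verify your account.</p>
<p><a href="http://203.0.113.7/bank/">https://www.mybank.example/</a></p>
<p><a href="http://www.paypal.com@evil.example/">www.paypal.com</a></p>
<p>Newsletter: <a href="http://news.vendor.example/unsub">http://news.vendor.example/unsub</a></p>
"""

# Something in the visible text that looks like a host name or URL.
HOSTLIKE = re.compile(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude: keep the last two labels ('www.ebay.com' -> 'ebay.com').
    Good enough to compare what the text claims with where the link goes."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def suspicious_links(html):
    """Return (href, visible_text, reason) for each link a user should not trust."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        url = urlsplit(href)
        if url.scheme not in ("http", "https"):
            continue                      # mailto: etc. are out of scope here
        host = url.hostname or ""
        reasons = []
        if url.username is not None:      # http://www.paypal.com@evil.example/
            reasons.append("userinfo before @ hides the real host %s" % host)
        try:
            ipaddress.ip_address(host)
            reasons.append("bare IP address instead of a hostname")
        except ValueError:
            pass
        match = HOSTLIKE.search(text)
        if match and registered_domain(match.group(1)) != registered_domain(host):
            reasons.append("visible text names %s but link goes to %s"
                           % (registered_domain(match.group(1)), host))
        if reasons:
            findings.append((href, text, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for href, text, why in suspicious_links(SAMPLE_HTML):
        print("%-45s shown as %-30s -> %s" % (href, text, why))
```

The domain comparison is deliberately crude (it treats the last two labels as the site); a real mail filter would use a public-suffix list, but the point of the check is the same: what the link says and where it goes are two different things, and only the second one matters.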
3. Virus and worm generated emails. These are the "failed delivery" error messages and weird emails coming from strangers or even people you know. They are generated by malicious programs and may contain viruses and worms. Read on to find out more. These can be very dangerous too: they can cause data loss or be a tool for phishing.
FAQs:
What's the difference between a worm and a virus? They're pretty much the same as far as the threats are concerned, but the main difference lies in the way they replicate. A virus attaches itself to a file or a program, so a virus remains dormant most of the time. When you run the infected program or open the infected file, the virus runs too, infecting more files and programs and possibly doing other things as well, such as erasing your hard drive or sending a copy of itself to everyone in your address book. Viruses, therefore, enter your system with file downloads, file transfers and email. A worm, on the other hand, is always active. It runs in the background, often disguised as a system service, and tries to replicate itself via network resources: by email, by file sharing, through security holes in Windows, or even through infected web pages. It scans the network for points of entry to other Windows computers and will jump between systems by itself, without any user interaction. Personal software firewalls can stop worms (ZoneAlarm, Comodo). The built-in Windows Firewall blocks unsolicited incoming connections, which does keep the network-scanning kind of worm from getting in, but it does not filter outgoing traffic, so it will not stop an already infected PC from spreading the worm or pumping out mail; the third-party products do both.
What is a Trojan Horse? Most trojan horses are not viruses or worms per se, but they can be very destructive. Many are simply spyware, but like worms and viruses they can be damaging or used by phishers. You can download a trojan from a website by clicking on a link or via file sharing programs, or it may be installed by a worm. It does exactly what the Trojan Horse did: it enters your territory under the cover of a harmless program and, once inside, starts performing its not-so-harmless actions. These are often used by hackers and spammers to compromise a PC and use it as a node (zombie) to serve porn or send out spam. They also look for personal information and send it to some site in a foreign country (phishing). Many trojans are not detected by antivirus software. The best way to stop trojans is to use a software firewall such as ZoneAlarm (free version available), Comodo or Norton Internet Security (commercial product), or to run Ad-Aware or Spybot (both have free versions). Just be aware that ZA, Comodo and NIS will, by default, affect your ability to connect to other computers. You will need to do some reading to learn how to "train" and configure these programs. Normal network firewalls often don't stop trojans, since they enter your system through legitimate channels: web sites, email, FTP, file sharing, P2P.
So now back to the weird emails, spam and attachment issues...
QUESTION:
It looks like I'm sending email messages! I'm receiving returned emails that apparently I have sent to someone. Is my Mac infected with a virus?
ANSWER:
No. If you have a Mac, your computer is not sending these emails. As of now (and hopefully it'll stay this way) these worms and viruses infect only Windows PCs, and usually poorly maintained ones. Please, just keep deleting them. If you have a PC it may be infected, so it's worth checking, but not necessarily. The FROM address is easy to spoof. Just because you have received an error message saying that a message FROM YOU failed to be delivered doesn't mean you actually sent it.
This is basically how it works: suppose there is a person, say Bob, who has your and my email addresses in his address book. Bob's PC gets infected because he failed to run Windows updates and/or had old, outdated or no antivirus software... The worm looks into Bob's address book on his PC and starts picking people at random. It also starts picking chunks of Bob's emails and attachments at random and sending them to the people it picked, using another address from his address book as the spoofed FROM address. So it will eventually pick my and your email addresses, and I will receive a weird email that looks like it came from YOU. Now, many addresses in Bob's address book may no longer be valid. So the worm sends an email "from you" to an invalid email address. YOU will get the "Undeliverable mail" message, not Bob, because Bob's email address is nowhere in that message.
Because of the above, please do not reply to these people, because most likely they did not send these messages and will be confused if you ask them to stop sending emails to you. Some of the emails may be very private or even offensive and disturbing, but do resist hitting that Reply button, because you will only add to the email mess and confusion. They may even appear to come from some mailing list... Please do not respond :)
Because worms and viruses are often quite sophisticated (more than commercial software, sadly...) they can hide their origins pretty well. Even if we can track where they came from, it'll just lead us to some anonymous DSL or dialup IP address on some Verizon, Comcast, AT&T or other network.
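The point that the FROM address proves nothing can be checked rather than taken on faith: a bounce normally returns the headers of the message that failed, and the Received: lines in those headers show which servers actually handled it. If none of them is our mail server, we never sent it. The following Python is an added example, not the FAQ author's tooling; the server name saturn.example.edu and the sample bounce are constructed (the FAQ only calls the mail server Saturn).

```python
"""Decide whether a 'your message could not be delivered' bounce refers to a
message that really passed through our mail server.  Added example, not the
FAQ author's code; the host name and the sample bounce are constructed."""
import email
from email import policy

# Assumption: our outgoing mail server is saturn.example.edu.
OUR_SERVERS = {"saturn.example.edu"}

# Constructed bounce.  The returned headers claim the mail is From alice, but
# the lowest Received line shows a dial-up PC handing it straight to the
# recipient's mail exchanger.  Nothing ever passed through Saturn.
SAMPLE_BOUNCE = """\
From: Mail Delivery System <MAILER-DAEMON@mx.someisp.example>
To: alice@example.edu
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

The following address failed: oldfriend@someisp.example (user unknown)

--b1
Content-Type: text/rfc822-headers

Received: from mx.someisp.example (localhost [127.0.0.1])
    by mx.someisp.example with ESMTP id 1234; Mon, 13 Nov 2006 10:02:11 -0500
Received: from bobs-pc (dsl-198-51-100-23.pool.example.net [198.51.100.23])
    by mx.someisp.example with SMTP id 1233; Mon, 13 Nov 2006 10:02:09 -0500
From: alice@example.edu
To: oldfriend@someisp.example
Subject: Re: your document

--b1--
"""


def returned_headers(bounce_text):
    """Pull the original message's headers out of a bounce, whether the
    bouncing server returned the whole message (message/rfc822) or only the
    headers (text/rfc822-headers).  Returns None if neither is present."""
    bounce = email.message_from_string(bounce_text, policy=policy.default)
    for part in bounce.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            return part.get_payload(0)            # the embedded message object
        if ctype == "text/rfc822-headers":
            return email.message_from_string(part.get_content(),
                                             policy=policy.default)
    return None


def first_hop(received_lines):
    """Received headers are prepended by each server, so the bottom-most one
    is the hop closest to whoever really sent the message."""
    return received_lines[-1] if received_lines else ""


def did_we_send_it(bounce_text):
    """True only if some Received line shows the message passing through one
    of our servers.  A matching From: address proves nothing on its own."""
    headers = returned_headers(bounce_text)
    if headers is None:
        return False
    received = headers.get_all("Received") or []
    return any(srv in line for line in received for srv in OUR_SERVERS)


if __name__ == "__main__":
    hdrs = returned_headers(SAMPLE_BOUNCE)
    print("claimed sender :", hdrs["From"])
    print("first hop      :", first_hop(hdrs.get_all("Received")))
    print("went via Saturn:", did_we_send_it(SAMPLE_BOUNCE))
```

A bounce that returns no headers at all (some servers send only a one-line notice) can't be checked this way; treat it like the rest of the flood and delete it.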
QUESTION:
Why did you remove the mail attachment that my (insert here: mother, sister, brother, girlfriend, buddy, colleague, teacher, school, government, bank, etc.) sent to me?!
ANSWER:
The attachment was a virus, so it was stripped. It might have been a legitimate file too, but in a dangerous format, such as a Windows executable, archive or script. Besides, it's possible that person did not actually send it to you. His or her computer may have got infected and be sending copies of the worm/virus to all the people in their address book. In that case it may be wise to let them know so they can have someone look at their computer. However, it's also possible that your and their names were simply picked at random from someone else's address book, as in the example above.
Here is a list of Windows file name extensions, that dot-three-letter suffix of the file name, that are considered unsafe and are (or should be) removed:
No one should have a legitimate reason to send you one of those. They're executables, scripts, software installers, standalone internet links and system files. If you do receive any of these, do not open them! If you double-click on one of these in Windows it will perform some kind of task: install software (Trojan horse!), run a program, take you to some website, etc.
Often the worm/virus tries to hide the real extension from the user to make the attachment look harmless. This exploits the fact that by default many Windows versions hide the filename extension from the user. For instance, a file called Birthday.jpg will appear as Birthday in Windows. So, if I have a malicious program with the .scr extension (a Windows screen saver, which is just an executable under another name), I will name the file Birthday.jpg.scr. The .scr will be hidden, so the user will see Birthday.jpg and assume it's a harmless picture! If this comes from a person you know, it will make you open the file!!! It's called social engineering: lowering your defenses by making things look safe and familiar ;o) Luckily, Macs will usually show Windows filename extensions, so you can see the real name. Besides, these files will not run on a Mac! But there is a danger of you forwarding them to other people!
QUESTION:
But the attachment was a .ZIP file? That's safe, right? Why was it removed?
ANSWER:
Wrong. The mail gateway runs a Sophos virus scan on incoming emails. It can scan inside compressed attachments and detect viruses, so very likely the compressed .ZIP file contained a virus. However, there is a possibility that if the malicious attachment was sent from a computer on campus it may not be detected! Therefore, be extremely careful when opening attachments! Use common sense. Ask yourself whether that person would really send a file like that; it may be unlikely. If the sender is a stranger, a person you haven't heard from in a long time or someone who generally doesn't send you emails, then most likely it is a virus. Likewise, a file name like My Document.zip sounds suspicious; most people tend to name their files descriptively. Don't fall for the trick that the file came with an official email from a government institution in your country or another institution you're familiar with, from some important person you've had dealings with, from the Dean's Office, from IT Support or from Microsoft. Again, common sense is often your only defense. IT people and computer vendors such as Microsoft never send attachments to people unless requested! Also, scanning of zip files may occasionally lead to the removal of valid attachments, but it's rare.
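The two attachment questions above come down to the same check: what is the real (last) extension of the file, and what is inside the ZIP? The following Python is an added example, not the gateway's or Sophos's code. It classifies attachment names the way the discussion above describes (last extension wins, so Birthday.jpg.scr is dangerous no matter what Windows shows) and then applies the same test to every member of a ZIP. The list of unsafe extensions is my own approximation, since the FAQ's list is not reproduced here, and the sample archive is constructed.

```python
"""Classify attachment file names by their REAL extension and look inside a
ZIP for the same dangerous types.  Added example, not the FAQ author's or the
mail gateway's code; the extension set and sample archive are constructed."""
import io
import os
import zipfile

# Assumption: my own approximation of "executables, scripts, software
# installers, standalone internet links and system files".  Note .scr (screen
# saver) is an executable, and .lnk/.url are the "standalone internet links".
DANGEROUS = {
    ".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".vbe", ".js", ".jse",
    ".wsf", ".wsh", ".hta", ".msi", ".msp", ".lnk", ".url", ".reg", ".cpl", ".dll",
}
ARCHIVES = {".zip"}


def split_name(filename):
    """Return (stem, [extensions]) with every extension lowercased, so that
    'Birthday.jpg.scr' -> ('Birthday', ['.jpg', '.scr'])."""
    base = os.path.basename(filename.replace("\\", "/"))
    parts = base.split(".")
    exts = ["." + p.strip().lower() for p in parts[1:]] if len(parts) > 1 else []
    return parts[0], exts


def classify(filename):
    """Return ('dangerous' | 'archive' | 'ok', notes).  Only the last extension
    decides; earlier ones are just bait for the double-extension trick."""
    name = filename.rstrip(" .")        # Windows ignores trailing dots and spaces
    _, exts = split_name(name)
    real = exts[-1] if exts else ""
    notes = []
    if len(exts) > 1:
        notes.append("double extension: looks like %s, really %s" % (exts[-2], real))
    if real in DANGEROUS:
        return "dangerous", notes
    if real in ARCHIVES:
        return "archive", notes
    return "ok", notes


def dangerous_members(zip_bytes):
    """Names of ZIP members whose real extension is dangerous.  This is the
    minimum a scanner that 'can scan inside compressed attachments' must do
    before it even gets to signature matching."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        return [n for n in archive.namelist() if classify(n)[0] == "dangerous"]


def build_sample_zip():
    """Constructed sample: an archive named like a document that hides an
    executable behind a .doc bait extension."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("My Document.doc.exe", b"MZ not really a program")
        archive.writestr("readme.txt", b"open the document")
    return buf.getvalue()


if __name__ == "__main__":
    for name in ["Birthday.jpg", "Birthday.jpg.scr", "My Document.zip", "notes.PDF"]:
        print("%-20s %s %s" % (name, *classify(name)))
    print("inside My Document.zip:", dangerous_members(build_sample_zip()))
```

The classifier deliberately does not trust what the name looks like: padding a name with spaces ("photo.jpg        .exe") or adding a trailing dot changes nothing, because Windows strips those before deciding what program to run.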
QUESTION:
The email has a note inserted saying that it is possibly spam, but it's not! And if it is spam, why wasn't it just deleted? I don't want it anyway!
ANSWER:
We run software called SpamAssassin on Saturn that scans incoming emails and analyses the content. Email coming into Saturn is scored based on its content. Unfortunately, the spammers change the content (and the way the email is written and formatted) to get around content-based scoring as soon as their emails get filtered out, so it's a never-ending catch-up race. The program looks at wording, layout, formatting, mail headers, etc. and assigns points for different things: the word "viagra" is found, the email uses large red letters, the subject says "Urgent!" etc. If the message's total score goes over a certain threshold it is flagged as possible spam! You can tell your email client to dump such email into the trash, and I can show you how if you'd like. Basically, if you use Entourage or Outlook you can create a new rule: if any header contains "SpamAssassin says this is SPAM" then "insert action here", preferably move to trash. Don't just delete the email, because it may after all be a legitimate message; read on. In Eudora, I believe it's called a filter. Read more about SpamAssassin here.
However, this is just a guess and there can be false positives. After all, someone may send you a seminar notice that has large red letters and uses words that might belong in a spam message. We can't just delete these emails, because legitimate emails could be lost! The scoring can't be made any stricter either, for the same reason: valid emails would be flagged as spam.
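As an added example (not the FAQ author's or SpamAssassin's code), this is the client-side rule described above written out in Python: read the X-Spam-Flag and X-Spam-Status headers SpamAssassin adds, parse the score, and move flagged mail to a junk folder where false positives can still be found rather than deleting it. Mail that carries no SpamAssassin headers at all is left in the Inbox, since it was never scanned. The header samples are constructed in the format SpamAssassin's default configuration produces.

```python
"""Route mail on SpamAssassin's headers: flagged mail goes to a junk folder,
never straight to deletion.  Added example, not the FAQ author's or
SpamAssassin's code; the sample messages are constructed."""
import email
import re

# Constructed messages with the headers SpamAssassin adds by default.
SAMPLES = [
    # obvious spam, far over the threshold
    "X-Spam-Flag: YES\n"
    "X-Spam-Status: Yes, score=12.3 required=5.0 tests=DRUGS_ERECTILE,HTML_FONT_BIG\n"
    "Subject: Urgent!\n\nbuy now",
    # flagged, but barely: the seminar notice with large red letters
    "X-Spam-Flag: YES\n"
    "X-Spam-Status: Yes, score=5.4 required=5.0 tests=HTML_FONT_BIG,SUBJ_ALL_CAPS\n"
    "Subject: SEMINAR TODAY\n\nroom 101, 4pm",
    # scanned and judged clean
    "X-Spam-Status: No, score=0.8 required=5.0 tests=NONE\n"
    "Subject: lunch?\n\nnoon?",
    # never scanned (no SpamAssassin headers at all)
    "Subject: internal memo\n\nbody",
]

SCORE_RE = re.compile(r"\bscore=(-?\d+(?:\.\d+)?)")


def spam_score(msg):
    """SpamAssassin score from X-Spam-Status, or None if the message was not scanned."""
    status = msg.get("X-Spam-Status")
    if not status:
        return None
    match = SCORE_RE.search(status)
    return float(match.group(1)) if match else None


def route(msg, junk_threshold=5.0, hard_threshold=10.0):
    """Pick a folder.  'Junk' is where you look for false positives; 'Junk/High'
    collects the ones nobody will miss.  Nothing is ever deleted here."""
    score = spam_score(msg)
    flagged = msg.get("X-Spam-Flag", "").strip().upper() == "YES"
    if score is None and not flagged:
        return "Inbox"                       # unscanned mail stays put
    if score is not None and score >= hard_threshold:
        return "Junk/High"
    if flagged or (score is not None and score >= junk_threshold):
        return "Junk"
    return "Inbox"


def scores(raw_messages):
    return [spam_score(email.message_from_string(raw)) for raw in raw_messages]


def sort_mailbox(raw_messages):
    return [route(email.message_from_string(raw)) for raw in raw_messages]


if __name__ == "__main__":
    for raw, folder in zip(SAMPLES, sort_mailbox(SAMPLES)):
        subject = email.message_from_string(raw)["Subject"]
        print("%-16s -> %s" % (subject, folder))
```

The split into two junk folders is the practical answer to "why not just delete it": the high-scoring pile can be emptied without looking, while the borderline pile is where the seminar notice ends up and is still recoverable.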
QUESTION:
Can anything be done to stop this flood of junk from coming?!?!
ANSWER:
No. Most spam detection tools are not perfect, and spammers are flexible and quick to adapt and change their ways to get around spam detection techniques. Strict spam filtering will lead to the loss of legitimate email messages, and we can't afford that. This is basically because when email was invented many years ago it didn't occur to anyone that it might be misused to such a degree, so no safeguards were built into the mail standards.
However, by using the SpamAssassin flag you can create a filter in your email client as described above.