This page is an attachment to mail179,
and deals with an incident referred to in view179.
The incident began when I received:
V I R U S A L E R T
Our viruschecker found the
W32/Nimda@MM
virus(es) in your email to the following recipient(s):
-> shanec@datapro.co.za
Please check your system for viruses, or ask your system administrator
to do so.
For your reference, here are the headers from your email:
------------------------- BEGIN HEADERS -----------------------------
Return-Path: <jerryp@jerrypournelle.com> Received: from NMKSCHULZ
([196.41.8.155]) by puma.datapro.co.za (8.9.3/8.8.7) with SMTP id GAA12842
for <shanec@datapro.co.za>; Thu, 22 Nov 2001 06:27:10 +0200 Date:
Thu, 22 Nov 2001 06:27:10 +0200 From: jerryp@jerrypournelle.com
Message-Id: <200111220427.GAA12842@puma.datapro.co.za> Subject:
Øò�desktopdesktop MIME-Version: 1.0 Content-Type: multipart/related;
type="multipart/alternative";
boundary="====_ABC1234567890DEF_====" X-Priority: 3
X-MSMail-Priority: Normal X-Unsent: 1 -------------------------- END
HEADERS ------------------------------
The real header, though, was this:
Return-Path: <postmaster@puma.datapro.co.za> Delivered-To:
jpournel-jerrypournelle:com-jerryp@jerrypournelle.com X-Envelope-To:
jerryp@jerrypournelle.com Received: (qmail 21943 invoked from network); 22
Nov 2001 04:29:29 -0000 Received: from phantom.datapro.co.za (HELO
puma.datapro.co.za) (root@196.41.0.2) by zortzi.pair.com with SMTP; 22 Nov
2001 04:29:29 -0000 Received: (from root@localhost) by puma.datapro.co.za
(8.9.3/8.8.7) id GAA12895; Thu, 22 Nov 2001 06:27:21 +0200 Date: Thu, 22
Nov 2001 06:27:21 +0200 From: postmaster@puma.datapro.co.za Message-Id:
<200111220427.GAA12895@puma.datapro.co.za> To: jerryp@jerrypournelle.com
Subject: VIRUS IN YOUR MAIL
NOTEL THIS IS FROM ZAIRE, so you can be sure there
is something wrong!! [OK, so it was from South Africa, see below.] The point
is that I never sent them any such message.
Shortly after, I got (WARNING: do not visit the
indicated web site until you have read all this):
A virus has been detected in your e-mail. The infected attachment has
been processed in terms of the Scan Information below, and the e-mail has
been delivered to the intended recipient(s). For more information on this
service, and for advice on how to remove this virus from your PC, please
visit: http://antivirus.mweb.co.za
--- Scan information follows ---
Result: Virus Detected Virus Name: W32.Nimda.A@mm (dr) File Attachment:
Unknown03B9.data Attachment Status: deleted
--- Original message information follows ---
From: <jerryp@jerrypournelle.com> To: technic@mweb.co.za Date:
Thu, 22 Nov 2001 06:30:54 +0200 Subject:
Øò�desktopdesktopdesktopdesktopsamplesampledesktopdesktop
Message-Id: <M2001112206305320421@nav1-cpt.mweb.co.za> Received:
(from NMKSCHULZ [196.41.8.155]) by nav1-cpt.mweb.co.za (NAVGW 2.5.1.14)
with SMTP id M2001112206305320421 for <technic@mweb.co.za>; Thu, 22
Nov 2001 06:30:53 +0200
But once again, the real header was:
Return-Path: <Norton_AntiVirus_Gateways@mweb.co.za> Delivered-To:
jpournel-jerrypournelle:com-jerryp@jerrypournelle.com X-Envelope-To: jerryp@jerrypournelle.com
Received: (qmail 22079 invoked from network); 22 Nov 2001 04:31:13 -0000
Received: from supermail.mweb.co.za (196.2.53.171) by zortzi.pair.com with
SMTP; 22 Nov 2001 04:31:13 -0000 Received: from [196.2.42.20] (helo=nav1-cpt.mweb.co.za)
by supermail.mweb.co.za with smtp (Exim 3.22 #1) id 166lQu-0005Nx-00 for
jerryp@jerrypournelle.com; Thu, 22 Nov 2001 06:25:52 +0200 From:
Norton_AntiVirus_Gateways@mweb.co.za To: jerryp@jerrypournelle.com Subject:
Virus detected Date: Thu, 22 Nov 2001 06:31:00 +0200 Message-Id:
<M2001112206310018837@nav1-cpt.mweb.co.za>
Note that I have never sent any messages to these
people that I know of. I did take the trouble to update my Norton
Anti-Virus and run it: as I thought, there are no viruses on my machine. I
suspect that if I went to that web site and did whatever that wants me to,
I would have a virus...
As Alex observes, the ultimate mail filter is an
aware human being. Be alert. I then began to get mail on the subject:
Dr. Pournelle,
In today's mail (Thur., 11/22) you wrote:
<snip> >postmaster@puma.datapro.co.za
Message-Id: ><200111220427.GAA12895@puma.datapro.co.za> To:
jerryp@jerrypournelle.com >Subject: VIRUS IN YOUR MAIL > >NOTEL
THIS IS FROM ZAIRE, so you can be sure there is something wrong!!
Actually, the ".za" top-level domain name
is the country code for South Africa, not Zaire. Here's the output from a
WHOIS lookup of "za" over at Network Solutions' website:
Centralnic Ltd (ZA21-DOM) ZA.COM South Africa
(Republic of) top-level domain (ZA-DOM) ZA
As I'm a DNS admin for a living, I had to nitpick
this one time ;)
Best regards,
David Huff david @ dhuff.org
Thanks! OK. so is it South Africa, rather than Zaire.
The explanation for all this is here:
Jerry,
I had a look at the site. http://www.mweb.co.za -
which is a South African registration, not Zambian incidentally.
It appears on the surface to be a fairly
run-of-the-mill web-based virus scanning service, and their page on what
to do about Nimda infection is very sensible.
My guess is that someone who was sending you mail
subscribes to the mweb service and tried to send you an infected email. I
believe Nimda is one of the viruses that hijacks the victim's address book
and auto-distributes itself that way, so it's possible that someone who
has you in their address book got infected. I agree that the message they
sent you is rather silly.
>>As Alex observes, the ultimate mail filter
is an aware human being.
Couldn't agree more. Most people get viruses because
they're careless, though Nimda is one where just having unpatched software
can get you infected.
The following text is copied from the Mweb website.
Probably not a scam imho. :->
All the best.
Craig Arnold
**************************** ****Start of copied
text**** ****************************
How to protect yourself: · Be aware of suspicious
e-mail attachments, delete them immediately. · Protect your computer by
installing the latest software updates (see below).
Home users:
To prevent infection from email, update Internet
Explorer with one of the following: · The patch provided in Microsoft
Security Bulletin MS01-020 · Internet Explorer 5.01 Service Pack 2. ·
Internet Explorer 5.5 Service Pack 2. · Internet Explorer 6 · Also visit
Microsoft's Windows Update service regularly.
System Administrators:
STEP 1 Prevent the Code Red Worm II from infecting
your system and use our tool to repair systems that have been infected.
Please note: Code Red Worm II leaves a 'back door' that Nimda exploits.
STEP 2 Block the 'Web Server Folder Traversal' vulnerability by applying
or installing any of the following:
· Applying the patch provided in Microsoft Security
Bulletin MS00-057 · Applying the patch provided in Microsoft Security
Bulletin MS00-078 · Applying the patch provided in Microsoft Security
Bulletin MS00-086 · Applying the patch provided in Microsoft Security
Bulletin MS00-026 · Applying the patch provided in Microsoft Security
Bulletin MS01-044 · Installing Windows 2000 Service Pack 2 · Installing
the Windows NT 4.0 Security Roll-up Package · Running the IIS Lockdown
Tool in its default mode · Installing the URLScan tool with its default
ruleset.
STEP 3 Prevent spread through file shares by locking
down permissions on all computers.
How it works
Infection via e-mail: One of the ways Nimda arrives
is by e-mail with random text in the subject line, no body text, and an
attached file called readme.exe. The worm then spreads via e-mail by
sending a copy of itself within a mail that exploits the security
vulnerability discussed in Microsoft Security Bulletin MS01-020. As the
bulletin describes, the vulnerability lies in Internet Explorer, but is
exploited via email. Simply opening the email itself would be sufficient
to infect the machine it would not be necessary to open an attachment.
Anti-virus vendors are currently developing updated
scanning tools that will detect and disarm mails sent by the virus. But
even in the absence of these tools, patches and updated versions of IE
have been available for some time to eliminate the vulnerability.
Customers who have installed any of the updates listed above should be at
no risk from Nimda.
For more details, read the following Microsft
security article: click here
Infection via Internet websites: The other way Nimda
spreads is via Internet scan. From an infected IIS Web server, Nimda scans
other Web servers looking for other systems vulnerable to the Unicode Web
Traversal.
Once Nimda gains access to a Web server, it may
display a Web page prompting users to download an infected file, allowing
it to spread via e-mail to Windows PCs. Microsoft has already announced
patches for most of the vulnerabilities that Nimda exploits.
If a Windows PC user opens the attached e-mail file,
the worm will use Mailing API (MAPI) functions to read the user's e-mail
address book and send out copies of itself to all of the addresses.
The following helpful tips, supplied by ZDNet,
should help you steer clear of nasty bugs and viruses. Removal Antivirus
software companies are still analyzing this worm and are in the process of
updating their signature files to include Nimda. For more information on
removing Nimda from your system, see Central Command, McAfee, Sophos,
Symantec, and Trend Micro.
Prevention is better than cure!
1. Windows PC users: If you haven't already
installed it, download the Outlook 98 Security Patch or the Outlook 2000
Security Patch. Please note that these patches do not include Outlook
Express. Click here for more information regarding security
vulnerabilities and patches. 2. Don't open attachments! One of the best
ways to prevent virus infections is not to open attachments, especially
when viruses such as this one are actively circulating. Even if the e-mail
message is from a known source, be careful. A few viruses take mailing
lists from an infected computer and send out new messages with its
destructive payload attached. Always scan any attached files for viruses,
and unless the attachment is a file or an image you are expecting, delete
it.
3. Stay informed. Did you know that there are virus
and security alerts almost every day? Keep up-to-date on breaking viruses
and solutions by personalising M- Web Computing's Virus alerts. Click here
to automatically add this module
4. Get protection. If you don't already have
virus-protection software on your machine, you should. If you're a home or
individual user, it's as easy as downloading a top-rated anti-virus
software. If you're on a network, check with your network administrator
first.
5. Scan your system regularly. If you're loading
antivirus software for the first time, let it scan your entire system.
It's better to start with your PC clean and free of virus problems. Many
antivirus programs can be set to scan on periodically or each time the
computer is rebooted. Some will scan in the background while you are
connected to the Internet. Make it a regular habit to scan for viruses.
6. Update your antivirus software. Now that you have
virus protection software installed, make sure it's up-to-date. Some
antivirus protection programs have a feature that will automatically link
to the Internet and add virus detection code whenever the software vendor
discovers a new threat.
************************** ****End of copied
text**** **************************
Which makes it curiouser and curiouser. Perhaps this is
a legitimate company with odd marketing practices.
Jerry,
ZA is South Africa, not Zaire.
I checked mweb.co.za and it is a legitimate ISP in
Randburg, South Africa.
They *may* have received a virus-infected file from you…anything
is possible.
I went to their site and they are selling a Norton
program, so it seems legit to me.
Send a note to their technical support and ask what this
is all about.
++++++++++++++++++++++++++++++++++++++++++++++++++
http://www.mweb.co.za/win/specialoffers/virusalert/default.asp
(4) Visit the M-Web Virus Centre For more information
about viruses and how to get them off your PC, visit the M-Web Virus Centre.
(5) Terms and conditions of the M-Web Anti-Virus Service
M-Web utilises virus scanning technology on its e-mail platform. This is done by
way of a licensing agreement with the Symantec Corporation to use their Norton
AntiVirus Software. Although M-Web, in conjunction with the Symantec
Corporation, shall endeavour to detect all viruses and/or repair all affected
email attachments in your mailbox, M-Web and the Symantec Corporation accept no
liability whatsoever for any loss, whether direct, indirect or consequential
arising from any damage of whatsoever nature caused directly or indirectly by
any failure of the anti-virus service to detect any virus and/or repair affected
e-mail attachments.
Well, it may be spam rather than scam, but I certainly
don't intend to do business with them. Having an outfit in South Africa do my
virus scanning is carrying .NET a bit far even if they are legitimate.
Incidentally, if you go to their web site they have some very odd information in
their Q&A section.
Here is a much longer analysis:
HTML'ed, so you oughta read it that way. Ha! Best viewed with
Lynx!
Jerry said:
@>- Note that I have never sent any messages to these people
that I
@>- of. I did take the trouble to update my Norton Anti-Virus and
run it:
@>- as I thought, there are no viruses on my machine. I suspect
that if I
@>- went to that web site and did whatever that wants me to, I
would have
@>- a virus...
@>- As Alex observes, the ultimate mail filter is an aware human
being.
@>- Be alert.
I use Eudora Light 3.0.6 - it sends mail on Win 9x and Win 3.x
off the same server directory, which is all I need for Windows -
and Netscape 3.04 with Java and Javascript off when I can get away
with that. It renders fastest and none of that Active-X crap. I
will install lots of MS software for people who need that...except
for Outlook/Express. I flat refuse to take a perfectly good machine
that I've spent hours working on and install a virus magnet on it,
just so someone can be like everybody else. No. Screw that.
Anyways, the site you were complaining about coughed up this
(for Netscape 2.2):
(1) Why the need for Virus Scanning?
The spread of malicious viruses poses a major threat to any
Internet user. M-Web’s new Anti-Virus Service automatically detects
and eliminates fast-spreading, email-borne viruses before they
reach your mailbox, and have a chance to infect your PC.
(2) How our service will actually work
Our service makes use of Norton AntiVirus software, recognised
worldwide as one of the leading products of this type. This
software resides on the M-Web mail servers and requires no
installations or configuration on your PC. Better still, this new
service is absolutely FREE and represents yet another valuable
addition to our existing range of e-mail services e.g. Speechmail,
Airmail and Screen Names.
In future, any e-mail that you send or receive will be scanned
for known viruses. If any are detected either they will be
repaired, or the infected attachment will be deleted. Then the
e-mail will continue to its intended destination. In all instances
the sender will be notified if a virus has been detected and
processed. In the case where the infected attachment has to be
deleted, the recipient will receive notification of this.
(3) FAQs
Q: I have a Macintosh, will this service apply to me as well?
A: Yes, it applies to all Operating Systems, and e-mail programs.
[Yes, but Mac users DON'T NEED IT! BAHAHAHA.]
BLANK
[Indeed!]
Q: Can I choose not to make use of this service?
A: No, M-Web has installed this service on all of its mail servers
and
it will apply to all e-mail sent through these servers.
[Blink. Ah. Ok, so it's worded so it looks like I HAVE to use their
mail service. Right. I remember this one.]
Q: Is this service an invasion of my privacy i.e. are you
reading my e-mail?
A: Absolutely not, this service automatically scans the content of
the e-mail to look for viruses. There is no human intervention in
the process and no-one can see the content of your e-mail.
[End quote.]
Oh, no, of course not. Nobody. Nope. Never.
Anyways, I've seen this one before and somebody else had a
similar service...what you got wasn't an illegal scam, really. It
was SPAM. Akin to all that other stuff we all get. Well, the stuff
I get, anyways. They just sorta forgot the 'If you don't sign up
with us now, this could be YOU!' bit that indicates it isn't real.
It's run of de mill schtuff.
Now the interesting bit is here, since it applies to why
Earthlink clamped down on mass mailings:
Return-Path:
Appended by the originating SMTP server, so that bounces can be
sent back somewhere. Required by RFC2822.
Delivered-To:
jpournel-jerrypournelle:com-jerryp@jerrypournelle.com
That looks like they trolling through the j's at
jerrypournelle.com - which address they presumably got from a web
page email scavenger bot. That is, your page has your email address
on it, and of course, somebody snagged it from there.
X-Envelope-To: jerryp@jerrypournelle.com
This line is the one telling a filter to rip off the old header,
append it to the actual mail, and then generate the new mail. Which
is why the 'bogus' header was added.
Received: (qmail 22079 invoked from network); 22 Nov 2001
04:31:13 -0000
Somebody sent this remotely. Another words, somebody used
Microsoft Outlook to send spam mail VIA BCC: to a set of addressess
that had been pull via web bot. Common. In fact, once MS let
Outlook/Express out the door, spam went through the ceiling. That
was the point that admins started using Cleanfeed on Usenet and
suchlike.
Received: from [196.2.42.20] (helo=nav1-cpt.mweb.co.za) by
supermail.mweb.co.za with smtp (Exim 3.22 #1) id 166lQu-0005Nx-00
for jerryp@jerrypournelle.com; Thu, 22 Nov 2001 06:25:52
+0200
Supermail is the primary spam server, so it goes from the local
machine to the Unix box (Exim seems to be a unix-only program - it
is also the server program earthlink uses), and then is relayed on
to...
Received: from supermail.mweb.co.za (196.2.53.171) by
zortzi.pair.com with SMTP; 22 Nov 2001 04:31:13 -0000
This, FYI, is the SMTP wrapper (envelope) that the pair.com mail
server slapped onto the mail when it recieved it. SMTP servers
don't care about the internal contents of the mail or the contents
of the headers that the clients add in. All they care about is
getting data set X from point A to point B.
And now we come to the fairly truthful header the client attached.
From: Norton_AntiVirus_Gateways@mweb.co.za
To: jerryp@jerrypournelle.com
Subject: Virus detected
Date: Thu, 22 Nov 2001 06:31:00 +0200
Message-Id:
None of those lines are actually dealt with by the servers, unless
the client fails to add From: or To: or Message-id: lines, in which
case the server creates them. All other headers that aren't those
and aren't SMTP wrapper lines, are written by the clients,
including BCC: and CC: both of which do not actually exist as far
as SMTP servers are concerned. If you put a TO: to one address and
a CC: to another, when the client talks to the server, it just says
To:
To:
...and so on. (What happened to earthlink was that is that it
would do DNS lookups for the domains on those mail address, and
those lookups would fail, and it would reject the address. And then
the client would then not skip to the next address but instead just
bail. The Mindspring servers, OTOH, are using Sendmail instead of
Exim and Sendmail doesn't do the lookups. All of this lookup crap
become neccessary when every drooling idiot with a new PC decides
to mail everybody in the world with ...marketing... for his new
book of fart jokes, as started to happen rather a lot in '96-'97.)
[And to explain your Hour 25 friend's problem - when you use
BCC: in Outlook Express, it adds <;;undisclosed.recipients> to the
TO: header. Exim is parsing those headers, and rejecting badly
formed addresses. Such as the Microsoft Product improperly adds on.
No other client does that. Microsoft should have used an X- header
instead, which would match the spec. Note that parsing the actual
TO: line in the client header is allowed under the spec (RFC2821).
So if he changed his mailer, he'd be fine.]
On to the appended 'bogus header':
Return-Path:
This is either a mail sent from them (as you) to them, to make it
appear it came from you. Or, the original mail generated was sent
bogusly to the filter and then the filter generated the correct To:
and From: lines. Hard to say.
Received: from NMKSCHULZ ([196.41.8.155]) by
puma.datapro.co.za (8.9.3/8.8.7) with SMTP id GAA12842 for
; Thu, 22 Nov 2001 06:27:10 +0200
Fake return-path or not this is where the mail REALLY came from:
196.41.8.155, which tracert's to somewhere in .za. They're peered
off of alter.net. No surprise there. Datapro is probably the
hosting service handling mweb.co.za, which is here:
http://www.datapro.co.za/. Complain to them, since they will be the
upstream provider for the mweb. That'll put a bee in their bonnet.
All this below is just client noise:
Date: Thu, 22 Nov 2001 06:27:10 +0200
From: jerryp@jerrypournelle.com
Message-Id: <200111220427.GAA12842@puma.datapro.co.za>
Subject: Øò�desktopdesktop
MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative";
boundary="====_ABC1234567890DEF_===="
X-Priority: 3
X-MSMail-Priority: Normal
Hi there!
X-Unsent: 1
Uh-huh.
Anyways. So the way I figure they try to work this gig, is they
send out this spam that freaks people out about viruses, then they
are supposed to go to that page, and sign up with the service,
since those people kindly helped them detect this dangerous virus.
So, do they then virus you? NOOOOO. No money in THAT.
No, what they do is they get you to hook up your pop3 account to
their mail server, then they filter it. Handy, right? In return for
this service (which could be had by setting up your own email
scanning), they 'occasionally' send you 'helpful emails about
useful products and services' and/or attach advertisements to the
filtered email.
Another words, once they have a live address, they spam the s***
out of you. Of course, you never realize that they harvested your
address,
(a premium address because it is guaranteed LIVE), since none of
the spam originates on their servers. They just scan your mail,
ever so helpfully.
If they're competent. If they're competent, you'll never get a
virus, on account they want to keep you live and on the hook. If
they're incompetent, of course, you'll get virused anyways, as a
free added bonus.
Call now. Operators are standing by!
Anywho, this IS a scam, albeit a legal one, but I doubt any
viruses were harmed or even came anywhere near anybody during the
production of this ASCII pork product.
As an added bonus, hopefully ya'll can decode headers reel gud
now.
ash
['Tra-la-la-la-la-la.La.']
"Try to say sumpin' funny, Joe."
_________________________________________________________________
limitinfinitesetsweusedtohavelegitimatepresidentsimadeyoureadthis
sigisnowstalkingyouifyoudontlikethesepostsyoucanblowmerepeatseter
Riven against the Black Sun Six ...that which we are, we are.
And from Joel Rosenberg:
Email scam:
FWIW, I browsed to the web page -- running under
Linux, I'm perhaps insufficiently worried about getting viruses via web
browsing -- and a quick (and entirely amateur) examination of the source
code suggests that ash has it right: it's just an obnoxious marketing
technique/scam, rather than something more.
I'm beginning to love the Scoring feature in gnus,
which I now use to read my mail, most of the time. (It handles html very
primitively, and doesn't do much of anything interesting with it, which is
my preference.) When I see an obvious spam message, I just hit L, then set
up a substring filter to lower the score of messages with similar titles,
or from similar countries. (Nothing from Taiwan, frex.)
In any event, that is enough for this venture...