[SC-Help] Re: How can I tell if this is spam?
nobody at devnull.spamcop.net
Mon Aug 2 16:01:40 EDT 2004
"Anon_" wrote in message
> "Wolf" wrote in message
> > Don Wannit wrote:
> > > Not to worry! More comments below quoted article (followups set):
> > >
> > > W.B. Wolf wrote:
> > >
> > >> I received the following today.
> > >> 1) How can I tell if this is spam or a legitimate notice from my
> > >> It got by SC, which makes me wonder. . . .
> > >> 2) If it's legitimate, does this really mean there's a virus on my
> > >>
> > > [snip]
> > >> Please follow our instruction in the attached text file in order to
> > >> keep your computer safe.
> Just my gut feeling - any time an e-mail says to do something 'about an
> attachment (execute, follow instructions therein, etc.) I am extremely
> suspicious. Usually it is a spam or more likely a virus.
> I just contact the sender and ask if it IS from them and is it OK to do
> (Example, got a letter from my son with an attachment - contacted him and
> said he did NOT send it [and he did have a virus].)
> A SpamCop user and forum reader,
> Not Admin
Sounds like a plan, if it happens to be someone you know.
My experience, however, has generally been that the "From:"
is a viral forgery: an addy scavenged from the address book
on the virmsourcing machine, or scavenged from websites
like Google where people may "leave behind" their addy.
I despise malicious code and make it my business to
report it to the ISP responsible for the IP of the virmsourcing
hardware. Before asking anyone I know, "Did you send this?",
I would at least verify that the ISP identified in the forged
"From:" header matches the ISP of the IP found in the
forged "Received:" header. It is accepted that the only thing
about the virm which cannot be forged is the sourcing IP.
If you aren't ready to parse the headers yourself, you may
submit the virm headers, plus a line with <body> to
represent the spambody, to SC. SC will return the valid
source IP and the abuse desk for the ISP. Be sure to
cancel "reports". One may then manually report the IP to the
abuse desk for the ISP, but the specifics for doing so
are a bit different from one ISP to the next.
In my experience the ISP automagically corrects the
problem at the problematic IP. Usually same day, sometimes
the next. Until the security of the virmsourcing hardware
is restored, the security of all addys on that machine is
being compromised and they are susceptible to email
address harvesting by spammers who have devised the
malicious code to serve their objectives.
I have heard that it is considered "safe" to mod all addys
in address books by appending .munged or .garbage
or .removeme, or in some way making all addresses
undeliverable. In the event the machine is compromised
by an email worm, it won't be well received wherever
it sends itself and it won't be bounced back to the
forged sender either. I have seen mixed opinions on
what is "best practice" where the mods are concerned.
On the downside, one must remember to remove the
mod when posting an email. I do not endorse the
practice for anyone in particular, but do think it may
be a worthy consideration in any circumstance for
harware vulnerable to infection, as might happen
when "children" click on email attachments and the
"notme" worm infects the machine.
FWIW, if it gets by SC's virm detection, it could be
a "new" and not yet recognized virm. SC has been
clear that it is not agreeable to being used for virm
reporting: spamitems only are acceptable. If you
wish to report a virmsourcer, you must do that on
your own: use SC to report spamsourcers only.
Disclaimer: Any meaning to be found in anything I
may have said or failed to say, or meant to say
or did not mean to say, is the sole responsibility and
province of anyone receiving and interpreting my
message. No endorsements or recommendations of
any practices are offered or intended. Unsafe handling
of dangerous materials, including virmen, is specifically
can I be less clear? ;)
More information about the SpamCop-Help