 
| Sender: |
|
| Date: |
Thu, 21 Aug 2003 21:39:06 +0100 |
| Reply-To: |
|
| Subject: |
|
| From: |
|
| Content-Type: |
TEXT/PLAIN; charset=US-ASCII |
| In-Reply-To: |
|
| MIME-Version: |
1.0 |
| Comments: |
|
| Parts/Attachments: |
|
|
Jill:
Presumably they didn't send back the "Full Header" reading (as they
should)? If you had this it would almost certainly show that the message
never came from your IP address - even though the text "From" header
showed this.
When the W32/Sobig-F worm-type virus infects a Windows PC (or a mail
server) it searches out EVERY e-mail address it can find on file - in the
Address Book and in files of read & saved e-mails received - an recognises
these as valid e-mail addresses. It then mails out the disguised virus to
every address but puts a fake "From" at the top of each.
So I'm pretty sure that what's happened in your case is that someone who
has your address on file or in a "mail received" message has been
infected, and your (healthy and uninfected) Mac-resident address like my
UNIX one is then being substituted for the true address, so your address
si now being shown as the apparent origin of the fake e-mail.
As I said in my previous posting on this, if you get the full headers you
can check out the numerical IP address that actually sent it, and
cross-check this against your own IP. Unfortunately too many of the
automatic virus screening systems that send out "you have a virus"
warnings don't do this, so you can't check back in this way.
Patrick Boylan
====================
On Thu, 21 Aug 2003, Jill Lasker wrote:
> I just got the message pasted below and now I'm a bit confused.
> 1--I'm on a Mac so my machine (supposedly) cannot be infected
> 2--I've opened NO attachments
> 3--I sent nothing out with an attachment in recent days and certainly not to
> this person
> 4--Is [log in to unmask] someone on this list? Because it's not someone in
> my address book
> 5--I've updated my Virex definitions this week!
>
> Given the above, how would it have accessed my address book? or forged my
> name? Any idea?
>
> > Sender Note - Inbound Virus Found
> >
> > Attention: Virus detection software has found a virus infected message
> > from: <[log in to unmask]> recently routed to our location. The
> > message was dropped and will not be delivered. To help facilitate
> > delivery of your messages to our location please take necessary steps
> > to clean the virus and then resend the message. For details on this
> > infected e-mail see the attached message headers and virus message
> > information.
> > Virus Scanner found the
> > W32/Sobig.f@MM virus
> > in the attached file: your_document.pif
>
> ----------------------------------------------------------------------------
>
> Jill Lasker
> Writer/Editor/Researcher
> Medicine/Bioscience/History
> http://home.earthlink.net/~laskerj/
>
> =========================================================
> Important Subscriber Information:
>
> The Museum-L FAQ file is located at http://www.finalchapter.com/museum-l-faq/ . You may obtain detailed information about the listserv commands by sending a one line e-mail message to [log in to unmask] . The body of the message should read "help" (without the quotes).
>
> If you decide to leave Museum-L, please send a one line e-mail message to [log in to unmask] . The body of the message should read "Signoff Museum-L" (without the quotes).
>
=========================================================
Important Subscriber Information:
The Museum-L FAQ file is located at http://www.finalchapter.com/museum-l-faq/ . You may obtain detailed information about the listserv commands by sending a one line e-mail message to [log in to unmask] . The body of the message should read "help" (without the quotes).
If you decide to leave Museum-L, please send a one line e-mail message to [log in to unmask] . The body of the message should read "Signoff Museum-L" (without the quotes).
|
|
|
