Re: WARNING: Bogus Update emailed out in Microsoft's Name

From: Alun Jones (alun@texis.com)
Date: Mon, 24 Feb 2003 15:29:44 GMT


    In article <b3bgbg$2gr$1@panix2.panix.com>, adykes@panix.com (Al Dykes) wrote:
    >This message crawled into my inbox a few minutes ago and
    >it's a very professional looking update notice, especially
    >in html.
    >
    >There was a file called 386patch.exe attached.

    It's a virus. Delete it.

    >There really is a machine called newsletters.microsoft.net. I can't believe
    > that MS would send out an unsolicited security update by email.

    They didn't - the "From" address is not reliable. For example, my email
    program even lets me edit it to whatever I want. Want me to send you an email
    that says it comes from the Cookie Monster? No problem! [But I swear, I am
    _not_ the Cookie Monster]

    >I have no idea where else to report this.
    >
    >--------------------- Begin Message Text ----------------------
    >Subject: Internet Security Pack
    >From: "Microsoft Public Support"
    > <codwmbitj_186377@newsletters.microsoft.com>
    >Date: Sun, 23 Feb 2003 19:47:13 +0100
    >To: "Microsoft Customer" <>
    >X-UIDL: 59e60ab5e0560300
    >X-Mozilla-Status: 0001
    >X-Mozilla-Status2: 10000000
    >Received: by mail3.panix.com (mbox adykes) (with Cubic Circle's cucipop
    > Sun Feb 23 14:58:10 2003)
    >X-From_: ida0644@yahoo.com Sun Feb 23 14:54:38 2003
    >Return-Path: <ida0644@yahoo.com>
    >X-Original-To: adykes@panix.com
    >Received: from ns.ranet.sk (utopia.maniac.sk [195.146.17.12])
    > by mail3.panix.com (Postfix) with ESMTP id CC63C98289;
    > Sun, 23 Feb 2003 14:54:26 -0500 (EST)
    >Received: From fgjldk (telecom-213-195-39.telecom.sk [213.81.195.39])
    > by ns.ranet.sk (8.9.3/8.9.3/SuSE Linux 8.9.3-0.1)
    > with SMTP id TAA15964; Sun, 23 Feb 2003 19:47:13 +0100
    >Message-ID: <200302231847.TAA15964@ns.ranet.sk>
    >MIME-Version: 1.0
    >Content-Type: multipart/mixed; boundary="MRhTLXWKJeLhOlaE"

    These headers give you something to go on - but not much. First, note that
    almost any of the headers that you receive in an email could have been created
    by the program or user sending the message. The exception is the _first_
    "Received" header, which is generated by your ISP's mail server, when it
    receives the message. That's the only one that you can rely on.

    In this case, however, it looks like the email came to panix from a Swedish
    system. You might get somewhere by emailing the postmaster at that site and
    asking him to install virus checking software.

    Alun.
    ~~~~

    [Please don't email posters, if a Usenet response is appropriate.]

    -- 
    Texas Imperial Software   | Try WFTPD, the Windows FTP Server. Find us at
    1602 Harvest Moon Place   | http://www.wftpd.com or email alun@texis.com
    Cedar Park TX 78613-1419  | VISA/MC accepted.  NT-based sites, be sure to
    Fax/Voice +1(512)258-9858 | read details of WFTPD Pro for XP/2000/NT.
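The header-reading procedure in the reply above, worked through in code. This is an added example and not part of the original post: it parses the Received chain of the quoted "Internet Security Pack" message (the header block below is a trimmed excerpt of what Al Dykes quoted, with the client-side X-Mozilla/X-UIDL lines and the body left out), finds the one hop written by the recipient's own provider (assumed here to be any server under panix.com, as in the quoted headers), reports the IP and reverse-DNS name that server actually saw on the connection, and compares the domain in the From: line with the envelope sender and the relay. The two-label "registrable domain" shortcut is an assumption for readability; a real tool would use a public-suffix list.

```python
"""Read a Received chain the way the post describes: only the hop your own
provider's server wrote is trustworthy; everything beneath it, and the From:
line, is whatever the sender chose to write."""
import re
from email import message_from_string
from email.utils import parseaddr

# Header block of the bogus "Internet Security Pack" message quoted in the
# post, trimmed to the lines that matter (constructed excerpt; body omitted).
BOGUS_UPDATE = """\
Subject: Internet Security Pack
From: "Microsoft Public Support" <codwmbitj_186377@newsletters.microsoft.com>
Date: Sun, 23 Feb 2003 19:47:13 +0100
To: "Microsoft Customer" <>
Received: by mail3.panix.com (mbox adykes) (with Cubic Circle's cucipop
 Sun Feb 23 14:58:10 2003)
Return-Path: <ida0644@yahoo.com>
X-Original-To: adykes@panix.com
Received: from ns.ranet.sk (utopia.maniac.sk [195.146.17.12])
 by mail3.panix.com (Postfix) with ESMTP id CC63C98289;
 Sun, 23 Feb 2003 14:54:26 -0500 (EST)
Received: From fgjldk (telecom-213-195-39.telecom.sk [213.81.195.39])
 by ns.ranet.sk (8.9.3/8.9.3/SuSE Linux 8.9.3-0.1)
 with SMTP id TAA15964; Sun, 23 Feb 2003 19:47:13 +0100
Message-ID: <200302231847.TAA15964@ns.ranet.sk>

"""

# "from <HELO name> (<reverse DNS> [<IP>]) by <receiver>" is the sendmail and
# Postfix layout: the HELO name is the peer's own claim, the bracketed IP is
# what the receiving server actually saw on the socket.
FROM_RE = re.compile(
    r"\bfrom\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[0-9.]+)\]\))?",
    re.IGNORECASE,
)
BY_RE = re.compile(r"\bby\s+(?P<by>\S+)", re.IGNORECASE)


def parse_hops(raw_message):
    """Return the Received headers, newest first, as dicts of helo/rdns/ip/by."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        value = re.sub(r"\s+", " ", value)          # unfold continuation lines
        m_from, m_by = FROM_RE.search(value), BY_RE.search(value)
        hops.append({
            "helo": m_from.group("helo") if m_from else None,
            "rdns": m_from.group("rdns") if m_from else None,
            "ip": m_from.group("ip") if m_from else None,
            "by": m_by.group("by") if m_by else None,
        })
    return hops


def registrable(host):
    """Last two labels of a hostname. Assumption: no public-suffix list here,
    so 'example.co.uk' would be cut wrong; fine for .com/.net/.sk names."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:]) if host else None


def assess(raw_message, my_mail_domain):
    """Locate the one hop you can rely on (your provider's server accepting the
    message from outside) and compare the From: claim with what that hop saw."""
    msg = message_from_string(raw_message)
    hops = parse_hops(raw_message)
    trusted = None
    for hop in hops:                                # newest first
        if hop["ip"] and hop["by"] and hop["by"].endswith(my_mail_domain):
            trusted = hop                           # first handoff into our own MX
            break
    from_domain = registrable(parseaddr(msg.get("From", ""))[1].split("@")[-1])
    envelope_domain = registrable(parseaddr(msg.get("Return-Path", ""))[1].split("@")[-1])
    relay_domain = registrable(trusted["rdns"]) if trusted else None
    below = hops[hops.index(trusted) + 1:] if trusted else []
    return {
        "connecting_ip": trusted["ip"] if trusted else None,
        "connecting_host": trusted["rdns"] if trusted else None,
        "from_domain": from_domain,
        "envelope_domain": envelope_domain,
        "relay_domain": relay_domain,
        # Hops beneath the trusted one were written by machines we do not control.
        "unverifiable_hops": [h["by"] for h in below],
        "suspicious": from_domain not in (envelope_domain, relay_domain),
    }


if __name__ == "__main__":
    for key, val in assess(BOGUS_UPDATE, "panix.com").items():
        print(f"{key:18} {val}")
```

Run stand-alone, it prints the relay your provider actually spoke to (195.146.17.12, reverse DNS utopia.maniac.sk), the From: domain (microsoft.com), the envelope sender (yahoo.com), and the one hop beneath the trusted line (ns.ranet.sk) whose contents cannot be checked; the From/Return-Path/relay disagreement is what makes the "Microsoft" claim worthless. The reverse-DNS name of the trusted hop is also what tells you whose postmaster to write to.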