Re: attachment and e-mail where to report these security issues?

From: D.Currie (dmbcurrie.nospam_at_hotmail.com)
Date: 03/26/04


Date: Fri, 26 Mar 2004 13:56:09 -0700

I guess I wasn't being clear the first time and I'm making it worse. One
more time.

I'm sorry. I read and understood the post, but then went about doing other
things before I again went back to the post and replied, so what I was
thinking about at the time was a bit off from what I was replying to. If
you've never had a thought go astray so that you answer what hasn't been
asked, then you're a much better person than I am.

My original thought was that most people are only going to look at the
sender's name and not realize that the person listed there is not the actual
source of the message. And while the information posted was quite helpful to
those inclined to follow links and read more about it, I was just trying to
make it clear to those who weren't so inclined that the sender's name on the
email is not the person to "blame." I phrased my reply poorly. My intention
was to clarify, not to disagree.

As far as the "looking up" I was referring to looking into the headers. I
deal with "normal" users every day, and I can guarantee you that very few
have an idea that the message headers exist, much less what the information
means.

In order for them to actually do anything useful, they'd need to read the
very good information in that previous post to figure out how to see the
headers, how to figure out the originating ISP to send the information to,
and how to handle the information. As you said, unless they include the
complete header, it's pretty much a waste of time.

In other words, they're going to need to do a bit of research before they
act. I didn't mean that they'd have to track down the individual, but that
they'd have to do a bit of legwork and not just use the name that's listed
as the sender of the email. So now we're back to the beginning. In short,
the address listed as the sender is not likely to be the actual sender.
That's really all I wanted to say, although I got there by a convoluted
route.

"Phil Weldon" <notdisclosed@example.com> wrote in message
news:1x_8c.1844$Dv2.81@newsread2.news.pas.earthlink.net...
> No, you still don't get it. The receiver need not "look up" ANYTHING....
> they really can't in most cases. THAT is why the ENTIRE headers should be
> sent to the originating ISP, so the ISP can look up the correct originating
> account. Also be aware that one of the ways the swen worm spreads is to
> send fake "infected email received from you" messages that contain the
> infective package as an attachment purporting to be the rejected message.
> Responding to that type of message is, of course, a waste of time. Some
> organizations and ISPs DO have antivirus scanning of email; unfortunately
> some of these scanners are set to notify the harvested email address rather
> than the originating ISP. And certainly no ISP will act on a report that
> does NOT include the headers... it is hard enough to get them to act on a
> report that DOES include the headers.
>
> --
> Phil Weldon, pweldonatmindjumpdotcom
> For communication,
> replace "at" with the 'at sign'
> replace "mindjump" with "mindspring."
> replace "dot" with "."
>
> "D.Currie" <dmbcurrie.nospam@hotmail.com> wrote in message
> news:c40hsq$2be6gs$1@ID-193095.news.uni-berlin.de...
> > If somebody wants to go through the trouble of looking up the sender
> > properly, that's one thing, but most folks aren't going to bother with
> > much more than the name it's coming from. Why bother with messy headers
> > when they can simply report the person to their ISP? And if the viruses
> > are coming en masse like swen did, few people are going to bother with
> > much more than cleaning out the junk.
> >
> > Like people who bounce spam back, not realizing that the return addresses
> > are often fake.
> >
> > Of course, you're correct that the instructions were the right way to
> > report the virus, but I doubt most people will go through all of that for
> > every virus email they get.
> >
> > If you read the way the OP phrased it -- wanting to report the "twit" who
> > sent it, you can see that people tend to want to blame the person whose
> > name is on the email, rather than understand that the sender is also a
> > victim, and the name is likely to be false.
> >
> > "Phil Weldon" <notdisclosed@example.com> wrote in message
> > news:lvO8c.1150$Dv2.840@newsread2.news.pas.earthlink.net...
> > > No, you don't understand. These infected messages use harvested email
> > > addresses in the "From" field in the headers, but the IP address in the
> > > headers is the actual IP address the infected system used for its
> > > connection to the internet. If you follow the directions Veronica Loell
> > > gave, the ISP will have the information necessary to locate the account
> > > with the infected system, even if the IP address were dynamically
> > > assigned. And if the "From" email address WERE correct (which it never
> > > is - after all the virus writers don't want the infected systems tracked
> > > down), then it would be a GOOD thing, not a bad thing, to let the ISP
> > > know. After all, if someone has an infected system, don't you think they
> > > would like to know about it and get help? Think about it; if your system
> > > were spreading a virus you would like to know about it as soon as
> > > possible, I hope.
> > >
> > > --
> > > Phil Weldon, pweldonatmindjumpdotcom
> > > For communication,
> > > replace "at" with the 'at sign'
> > > replace "mindjump" with "mindspring."
> > > replace "dot" with "."
> > >
> > > "D.Currie" <dmbcurrie.nospam@hotmail.com> wrote in message
> > > news:c4087c$2dserh$1@ID-193095.news.uni-berlin.de...
> > > > Unfortunately, if you report the sender, you're either reporting some
> > > > poor fool whose computer is infected (and he's either fighting it or
> > > > doesn't know he has it) or you're reporting some innocent third party
> > > > whose address is being spoofed by the virus because the infected
> > > > computer has that name in the address book. Most likely it's going to
> > > > be the innocent third party because that's the way most of the newer
> > > > viruses work these days.
> > > >
> > > > So not only does it do no good, it also can harm an innocent person if
> > > > the ISP does take some action and/or it ties up the ISP who gets these
> > > > reports.
> > >
> > >
> >
> >
>
>

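The point Phil makes above, that the "From" address is harvested while the Received: headers record the IP the infected machine actually connected from, can be shown on a constructed message. This is an added example, not code from the thread; the message, hostnames and IP addresses are made up (documentation ranges), and the only unforgeable hop is the one added by a mail server you trust.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not from the thread): a worm-style mail whose From: is
# a harvested address, carried over two hops.  IPs are from the
# 192.0.2.0/24 and 198.51.100.0/24 documentation ranges.
SAMPLE_MESSAGE = (
    "Received: from mx.isp-b.example (mx.isp-b.example [198.51.100.9])\n"
    "\tby mail.recipient.example with ESMTP id abc123;\n"
    "\tFri, 26 Mar 2004 13:56:09 -0700\n"
    "Received: from oemcomputer (dialup-77.isp-a.example [192.0.2.77])\n"
    "\tby mx.isp-b.example with SMTP id def456;\n"
    "\tFri, 26 Mar 2004 13:55:40 -0700\n"
    "From: \"Some Friend\" <friend@harvested.example>\n"
    "To: victim@recipient.example\n"
    "Subject: Undeliverable mail returned to sender\n"
    "\n"
    "(infective attachment would follow)\n"
)

# The bracketed address an MTA records for the peer that connected to it,
# e.g. "(dialup-77.isp-a.example [192.0.2.77])".
_PEER_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_hops(raw):
    """Peer IP recorded by each Received: header, newest (topmost) first."""
    msg = message_from_string(raw)
    hops = []
    for header in msg.get_all("Received", []):
        m = _PEER_IP.search(header)
        hops.append(m.group(1) if m else None)
    return hops

def originating_ip(raw):
    """IP of the earliest hop: the machine that injected the mail.

    Received: headers are prepended, so the bottom-most is the earliest.
    Only the hop added by an MTA you trust (e.g. your own) is unforgeable;
    anything below it could have been written by the sender.
    """
    hops = received_hops(raw)
    return hops[-1] if hops else None

def from_address(raw):
    """The From: address, which the worm fills with a harvested address."""
    return parseaddr(message_from_string(raw)["From"])[1]
```

The abuse report goes to whoever is responsible for the originating IP, not to the harvested From: address, and it must carry the complete headers so that ISP can match the IP and timestamp against its connection logs.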

