Re: strang e-mail message supposedly from microsoft

From: Hector Santos (nospam_at_nospam.com)
Date: 08/16/03


Date: Sat, 16 Aug 2003 06:34:42 -0400


"Richard" <rldc1_2000@yahoo.com> wrote in message
news:081101c363a9$4071d290$a101280a@phx.gbl...

> I received this message but I do not remember ever giving
> my e-mail address to Microsoft. This is the message that I
> received. The only possibility was when I downloaded the
> XP patch for my father-in-law because his computer would
> not let him do it. I forwarded it to my Yahoo to see if
> there was a virus in it. I just wanted to verify that this
> came from Microsoft.

If you never joined the Microsoft Security announcement newsletter mailing
list, then what you got wasn't from them.

However, more importantly, I just wanted to note you don't have to give
your email away in order to get it from your computer. If you use the
Microsoft Internet Explorer and you have downloaded files, the odds are
very high your email address was passed on to the remote site.

It's a minor security flaw in Internet Explorer's WININET FTP operations that
allows web sites that offer downloadable files to get your email address
with absolutely no effort or programming on their part. IE sends your email
address as the PASSWORD to an FTP anonymous login.

So if a WEB SITE offers a file to download with a URL such as:

                  ftp://ftp.remotesite.com/file.zip

when you download that file, IE must log in to the FTP server in anonymous
mode by using the word "ANONYMOUS" for the user name. The password is the
problem.

Historically, FTP servers will request your email address as the password
for anonymous logins. For example, here is what you see when you connect to
our Wildcat! FTP server, at ftp.winserver.com:

220-Wildcat! FTP Service (v5.6.450.8 Sat, 16 Aug 2003 06:13:40 -0400) ready.
220
User (FAMILY:(none)): anonymous
331-Anonymous user, please enter your E-Mail address for your password.
Password:

You will see the same thing when you connect to the Microsoft FTP server:

220 main1 Microsoft FTP Service (Version 5.0).
User (main1:(none)): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:

So by tradition, most ftp servers will request the email address for the
anonymous login password.

HOWEVER, it is NOT required. You can type anything there, junk if you like,
and you are still allowed in. It is not a requirement to have a valid
password because it is not possible to validate it and also make the
anonymous FTP concept work without hassle. It is only for recording
purposes. If the FTP site does not allow anonymous logins, then a real user
name and password are required.

So IE's WININET.DLL component follows through and automatically sends your
EMAIL address for anonymous logins by grabbing your default EMAIL address.
Go FIGURE!

There is no option in IE to disable this (not that I see).

This is what I call "POOR" programming. No social engineering vision
whatsoever by the designer of WININET.DLL. In any case, this is
contributing to the SPAMMER problem. I recommend to Microsoft that they
immediately add an option in their next IE update or service pack that
addresses this problem. A simple option in the TOOLS setup:

      FTP anonymous password to use: __________________ (BLANK BY DEFAULT)

If it becomes a problem during an FTP connection, the IE browser is already
smart enough to detect a LOGIN error and pop up a LOGIN box for FTP operations.

In the meantime, before you download files, always look at the URL by
hovering over the link. If it is an FTP site, you can decide not to
download the file, or temporarily change your default EMAIL account to
something else prior to performing the download, or do what I do:

Do not use IE to download FTP files. Instead, record the FTP URL, open a
DOS window and use the FTP console utility to log in anonymously, providing
your own fake password, and then download the file.

-- 
Hector Santos
WINSERVER "Wildcat! Interactive Net Server"
support: http://www.winserver.com
sales: http://www.santronics.com
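The anonymous-login exchange above (USER anonymous, 331 "send identity as password", PASS anything) is easy to reproduce end to end. The following is an added example, not code from the original post or from Wildcat!/WINSERVER: a throwaway in-process FTP server that behaves like the servers quoted above (accepts any anonymous password and merely records it), and a client that logs in with a password of its own choosing, which is the mitigation the post recommends. The server banner, the address `guest@example.invalid` standing in for a default mail address, and the replacement value `guest` are constructed placeholders. It also includes a small check a server operator could run over recorded anonymous passwords to see how many of them look like real e-mail addresses.

```python
import re
import socket
import threading
from ftplib import FTP

# Constructed placeholder values for this example (not from the original post).
CLIENT_PASSWORD = "guest@example.invalid"   # what a client that sends the user's default mail address would leak
PRIVATE_PASSWORD = "guest"                  # a non-identifying value a careful client can send instead

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def looks_like_email_address(anon_password):
    """Operator-side check: does a recorded anonymous password look like a real mailbox?
    Useful for measuring how much identity clients are handing over in FTP logs."""
    return bool(EMAIL_RE.match(anon_password))


class RecordingAnonymousFtpServer:
    """Minimal single-connection FTP control-channel server, behaving like the
    servers quoted in the post: anonymous is accepted with ANY password, and the
    password is kept for recording purposes only."""

    def __init__(self):
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))       # ephemeral local port, offline only
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]
        self.received_password = None
        self.thread = threading.Thread(target=self._serve, daemon=True)
        self.thread.start()

    def _serve(self):
        conn, _ = self.sock.accept()
        rfile = conn.makefile("r", encoding="latin-1", newline="\r\n")

        def reply(line):
            conn.sendall((line + "\r\n").encode("latin-1"))

        reply("220 example FTP service ready.")          # constructed banner
        for raw in rfile:
            cmd, _, arg = raw.rstrip("\r\n").partition(" ")
            cmd = cmd.upper()
            if cmd == "USER":
                if arg.lower() == "anonymous":
                    reply("331 Anonymous access allowed, send identity (e-mail name) as password.")
                else:
                    reply("530 Only anonymous logins in this example.")
            elif cmd == "PASS":
                self.received_password = arg              # recorded, never validated
                reply("230 Logged in.")
            elif cmd == "QUIT":
                reply("221 Goodbye.")
                break
            else:
                reply("502 Command not implemented.")
        conn.close()
        self.sock.close()


def anonymous_login_password_seen_by_server(password):
    """Log in anonymously with the given password and return what the server recorded.
    Note: ftplib turns an empty or '-' anonymous password into 'anonymous@' on its own,
    so pass an explicit value."""
    server = RecordingAnonymousFtpServer()
    ftp = FTP()
    ftp.connect("127.0.0.1", server.port, timeout=5)
    ftp.login(user="anonymous", passwd=password)
    ftp.quit()
    server.thread.join(timeout=5)
    return server.received_password


if __name__ == "__main__":
    for pw in (CLIENT_PASSWORD, PRIVATE_PASSWORD):
        seen = anonymous_login_password_seen_by_server(pw)
        print(f"server recorded {seen!r}; looks like an e-mail address: {looks_like_email_address(seen)}")
```

The server accepts both logins identically, which is the point of the post: the password carries no access value, only whatever identity the client chooses to volunteer. A client under your control can send a fixed, non-identifying string; a server operator can apply `looks_like_email_address` to recorded anonymous passwords to gauge how many clients are still leaking addresses.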

