By "get" I mean "received". Beagle-h or something. I was impressed at the social engineering that went into it. It said, "There have been large numbers of emails going out from your account, blahblahblalh, and it was spoofed from "Umanitoba.ca staff", and was about removing a virus, we're sending you a free virus sender.
Sadly, whoever did it forgot to
a) spoof the reply-to address (so when I looked at the header I found the address of the infected person and warned him)
b) they made several spelling mistakes, which is pretty atypical of an automated administration message.
c) they had it from "Umanitoba.ca", but my school ALWAYS uses "UManitoba.CA".
It was pretty convincing, anyway, but I find it more fun to just virus scan it and laugh.
My mom received that as well, only it was from [email protected] or something like that. Luckily I found it first and deleted it, else she would have downloaded it I'm sure. I'm assuming it was the same thing since it said I had a complaint about a large number of emails; however, I don't recall it offering a free virus scan. Anyway, I'm sure they're related :).
Quote from: iago on March 08, 2004, 05:49 PM
a) spoof the reply-to address (so when I looked at the header I found the address of the infected person and warned him)
The reply-to address probably was spoofed -- what I've found is that when a worm infects your computer, it looks at your address book, claims to be from someone else on your address book, and sends it to other people from there.
My mom got one from [email protected].
Quote from: Myndfyre on March 08, 2004, 06:59 PM
Quote from: iago on March 08, 2004, 05:49 PM
a) spoof the reply-to address (so when I looked at the header I found the address of the infected person and warned him)
The reply-to address probably was spoofed -- what I've found is that when a worm infects your computer, it looks at your address book, claims to be from someone else on your address book, and sends it to other people from there.
My mom got one from [email protected].
It was in the email header from the server. The "From" header was "[email protected]", which was obviously spoofed. Plus, I don't keep an address book, so even if it HAD gotten onto my computer, it wouldn't have been able to make it appear to come from one of my friends (perhaps some email address from temp internet files, but that would be pretty random).
Quote from: iago on March 08, 2004, 05:49 PM
By "get" I mean "received". Beagle-h or something. I was impressed at the social engineering that went into it. It said, "There have been large numbers of emails going out from your account, blahblahblalh, and it was spoofed from "Umanitoba.ca staff", and was about removing a virus, we're sending you a free virus sender.
At least they were honest.
Quote from: Grok on March 08, 2004, 08:55 PM
Quote from: iago on March 08, 2004, 05:49 PM
By "get" I mean "received". Beagle-h or something. I was impressed at the social engineering that went into it. It said, "There have been large numbers of emails going out from your account, blahblahblalh, and it was spoofed from "Umanitoba.ca staff", and was about removing a virus, we're sending you a free virus sender.
At least they were honest.
Scanner* :P
Did your scanner find it?
It might have been after variant.H. I think it was variant.K that they started coming through in a password protected encrypted attachment. AV programs couldn't open the file to scan it.
Quote from: crashtestdummy on March 09, 2004, 12:40 AM
Did your scanner find it?
It might have been after variant.H. I think it was variant.K that they started coming through in a password protected encrypted attachment. AV programs couldn't open the file to scan it.
Yes, it was in a password protected zip, and it was filtered out at the school's pop3 server. I didn't believe it anyway, but that's not the point :)
Quote from: iago on March 08, 2004, 05:49 PM
(so when I looked at the header I found the address of the infected person and warned him)
Sources of these e-mails are not always as they seem -- the From address is gleaned by many viruses from Outlook Express' contact list. This becomes especially apparent when your e-mail address is widely available.
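The header checks discussed in this thread (From against Reply-To and the server's Received lines, plus the password-protected zip a scanner cannot open) can be scripted. The following is an added example, not code from any poster; the sample message, its addresses, hosts and file name are all constructed, and the Received comparison is a heuristic.

```python
import struct
from email.message import EmailMessage
from email.utils import parseaddr

def domain(header_value):
    """Lower-cased domain of an address header, '' if missing."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()

def zip_is_encrypted(data):
    """True if the first ZIP local file header has the encryption flag (bit 0) set."""
    if len(data) < 8 or data[:4] != b"PK\x03\x04":
        return False
    return bool(struct.unpack_from("<H", data, 6)[0] & 0x0001)

def triage(msg):
    """Return a list of findings for one parsed message."""
    findings = []
    from_dom = domain(msg["From"])
    for name in ("Reply-To", "Return-Path"):
        other = domain(msg[name])
        if other and other != from_dom:
            findings.append(f"{name} domain {other} != From domain {from_dom}")
    # Each relay prepends its Received line, so the last one is the earliest hop.
    # Heuristic only: hops below your own server's line can be forged too.
    hops = msg.get_all("Received", [])
    if hops and from_dom and from_dom not in str(hops[-1]).lower():
        findings.append(f"earliest hop does not mention {from_dom}: {hops[-1]}")
    for part in msg.iter_attachments():
        if zip_is_encrypted(part.get_payload(decode=True) or b""):
            findings.append(f"encrypted zip the scanner cannot open: {part.get_filename()}")
    return findings

def build_sample():
    """Constructed message; every address, host and file name is made up."""
    msg = EmailMessage()
    msg["Received"] = "from smtp.isp.example by mx.example.edu; Mon, 8 Mar 2004 17:40:02 -0600"
    msg["Received"] = "from jdoe-pc by smtp.isp.example; Mon, 8 Mar 2004 17:40:00 -0600"
    msg["From"] = '"Example.edu staff" <staff@example.edu>'
    msg["Reply-To"] = "jdoe@isp.example"
    msg["Subject"] = "Warning about your e-mail account"
    msg.set_content("See the attached file.")
    # 30-byte local file header stub with general-purpose flag bit 0 set.
    stub = b"PK\x03\x04" + struct.pack("<HH", 20, 0x0001) + b"\x00" * 22
    msg.add_attachment(stub, maintype="application", subtype="zip", filename="update.zip")
    return msg

if __name__ == "__main__":
    for finding in triage(build_sample()):
        print(finding)
```

A mismatch only says the visible From line is not the whole story; as the posts above note, the other addresses in the message can be borrowed from an infected machine's contact list as well.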