This page is an attachment to mail179, and deals with an incident referred to in view179. The incident began when I received:
V I R U S A L E R T

Our viruschecker found the

W32/Nimda@MM

virus(es) in your email to the following recipient(s):

-> shanec@datapro.co.za

Please check your system for viruses, or ask your system administrator to do so.

For your reference, here are the headers from your email:

------------------------- BEGIN HEADERS -----------------------------
Return-Path: <jerryp@jerrypournelle.com>
Received: from NMKSCHULZ ([196.41.8.155]) by puma.datapro.co.za (8.9.3/8.8.7) with SMTP id GAA12842 for <shanec@datapro.co.za>; Thu, 22 Nov 2001 06:27:10 +0200
Date: Thu, 22 Nov 2001 06:27:10 +0200
From: jerryp@jerrypournelle.com
Message-Id: <200111220427.GAA12842@puma.datapro.co.za>
Subject: Øòdesktopdesktop
MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative"; boundary="====_ABC1234567890DEF_===="
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1
-------------------------- END HEADERS ------------------------------

The real header, though, was this:

Return-Path: <postmaster@puma.datapro.co.za>
Delivered-To: jpournel-jerrypournelle:com-jerryp@jerrypournelle.com
X-Envelope-To: jerryp@jerrypournelle.com
Received: (qmail 21943 invoked from network); 22 Nov 2001 04:29:29 -0000
Received: from phantom.datapro.co.za (HELO puma.datapro.co.za) (root@196.41.0.2) by zortzi.pair.com with SMTP; 22 Nov 2001 04:29:29 -0000
Received: (from root@localhost) by puma.datapro.co.za (8.9.3/8.8.7) id GAA12895; Thu, 22 Nov 2001 06:27:21 +0200
Date: Thu, 22 Nov 2001 06:27:21 +0200
From: postmaster@puma.datapro.co.za
Message-Id: <200111220427.GAA12895@puma.datapro.co.za>
To: jerryp@jerrypournelle.com
Subject: VIRUS IN YOUR MAIL

NOTE: THIS IS FROM ZAIRE, so you can be sure there is something wrong!! [OK, so it was from South Africa, see below.] The point is that I never sent them any such message.

Shortly after, I got (WARNING: do not visit the indicated web site until you have read all this):

A virus has been detected in your e-mail. The infected attachment has been processed in terms of the Scan Information below, and the e-mail has been delivered to the intended recipient(s). For more information on this service, and for advice on how to remove this virus from your PC, please visit: http://antivirus.mweb.co.za

--- Scan information follows ---

Result: Virus Detected
Virus Name: W32.Nimda.A@mm (dr)
File Attachment: Unknown03B9.data
Attachment Status: deleted

--- Original message information follows ---

From: <jerryp@jerrypournelle.com>
To: technic@mweb.co.za
Date: Thu, 22 Nov 2001 06:30:54 +0200
Subject: Øòdesktopdesktopdesktopdesktopsamplesampledesktopdesktop
Message-Id: <M2001112206305320421@nav1-cpt.mweb.co.za>
Received: (from NMKSCHULZ [196.41.8.155]) by nav1-cpt.mweb.co.za (NAVGW 2.5.1.14) with SMTP id M2001112206305320421 for <technic@mweb.co.za>; Thu, 22 Nov 2001 06:30:53 +0200

But once again, the real header was:

Return-Path: <Norton_AntiVirus_Gateways@mweb.co.za>
Delivered-To: jpournel-jerrypournelle:com-jerryp@jerrypournelle.com
X-Envelope-To: jerryp@jerrypournelle.com
Received: (qmail 22079 invoked from network); 22 Nov 2001 04:31:13 -0000
Received: from supermail.mweb.co.za (196.2.53.171) by zortzi.pair.com with SMTP; 22 Nov 2001 04:31:13 -0000
Received: from [196.2.42.20] (helo=nav1-cpt.mweb.co.za) by supermail.mweb.co.za with smtp (Exim 3.22 #1) id 166lQu-0005Nx-00 for jerryp@jerrypournelle.com; Thu, 22 Nov 2001 06:25:52 +0200
From: Norton_AntiVirus_Gateways@mweb.co.za
To: jerryp@jerrypournelle.com
Subject: Virus detected
Date: Thu, 22 Nov 2001 06:31:00 +0200
Message-Id: <M2001112206310018837@nav1-cpt.mweb.co.za>

Note that I have never sent any messages to these people that I know of. I did take the trouble to update my Norton Anti-Virus and run it: as I thought, there are no viruses on my machine. I suspect that if I went to that web site and did whatever that wants me to, I would have a virus...

As Alex observes, the ultimate mail filter is an aware human being. Be alert. I then began to get mail on the subject:

Dr. Pournelle,

In today's mail (Thur., 11/22) you wrote:

<snip>
>postmaster@puma.datapro.co.za
>Message-Id: <200111220427.GAA12895@puma.datapro.co.za>
>To: jerryp@jerrypournelle.com
>Subject: VIRUS IN YOUR MAIL
>
>NOTE: THIS IS FROM ZAIRE, so you can be sure there is something wrong!!

Actually, the ".za" top-level domain name is the country code for South Africa, not Zaire. Here's the output from a WHOIS lookup of "za" over at Network Solutions' website:

Centralnic Ltd (ZA21-DOM) ZA.COM
South Africa (Republic of) top-level domain (ZA-DOM) ZA

As I'm a DNS admin for a living, I had to nitpick this one time ;)

Best regards,

David Huff david @ dhuff.org

Thanks! OK, so it is South Africa, rather than Zaire. The explanation for all this is here:

Jerry,

I had a look at the site. http://www.mweb.co.za - which is a South African registration, not Zambian incidentally.

It appears on the surface to be a fairly run-of-the-mill web-based virus scanning service, and their page on what to do about Nimda infection is very sensible.

My guess is that someone who was sending you mail subscribes to the mweb service and tried to send you an infected email. I believe Nimda is one of the viruses that hijacks the victim's address book and auto-distributes itself that way, so it's possible that someone who has you in their address book got infected. I agree that the message they sent you is rather silly.

>>As Alex observes, the ultimate mail filter is an aware human being.

Couldn't agree more. Most people get viruses because they're careless, though Nimda is one where just having unpatched software can get you infected.

The following text is copied from the Mweb website.

Probably not a scam imho. :->

All the best.

Craig Arnold

**************************** ****Start of copied text**** ****************************

How to protect yourself:
· Be aware of suspicious e-mail attachments, delete them immediately.
· Protect your computer by installing the latest software updates (see below).

Home users:

To prevent infection from email, update Internet Explorer with one of the following:
· The patch provided in Microsoft Security Bulletin MS01-020
· Internet Explorer 5.01 Service Pack 2.
· Internet Explorer 5.5 Service Pack 2.
· Internet Explorer 6
· Also visit Microsoft's Windows Update service regularly.

System Administrators:

STEP 1
Prevent the Code Red Worm II from infecting your system and use our tool to repair systems that have been infected. Please note: Code Red Worm II leaves a 'back door' that Nimda exploits.

STEP 2
Block the 'Web Server Folder Traversal' vulnerability by applying or installing any of the following:

· Applying the patch provided in Microsoft Security Bulletin MS00-057
· Applying the patch provided in Microsoft Security Bulletin MS00-078
· Applying the patch provided in Microsoft Security Bulletin MS00-086
· Applying the patch provided in Microsoft Security Bulletin MS00-026
· Applying the patch provided in Microsoft Security Bulletin MS01-044
· Installing Windows 2000 Service Pack 2
· Installing the Windows NT 4.0 Security Roll-up Package
· Running the IIS Lockdown Tool in its default mode
· Installing the URLScan tool with its default ruleset.

STEP 3
Prevent spread through file shares by locking down permissions on all computers.

How it works

Infection via e-mail: One of the ways Nimda arrives is by e-mail with random text in the subject line, no body text, and an attached file called readme.exe. The worm then spreads via e-mail by sending a copy of itself within a mail that exploits the security vulnerability discussed in Microsoft Security Bulletin MS01-020. As the bulletin describes, the vulnerability lies in Internet Explorer, but is exploited via email. Simply opening the email itself would be sufficient to infect the machine; it would not be necessary to open an attachment.

Anti-virus vendors are currently developing updated scanning tools that will detect and disarm mails sent by the virus. But even in the absence of these tools, patches and updated versions of IE have been available for some time to eliminate the vulnerability. Customers who have installed any of the updates listed above should be at no risk from Nimda.

For more details, read the following Microsoft security article: click here

Infection via Internet websites: The other way Nimda spreads is via Internet scan. From an infected IIS Web server, Nimda scans other Web servers looking for other systems vulnerable to the Unicode Web Traversal.

Once Nimda gains access to a Web server, it may display a Web page prompting users to download an infected file, allowing it to spread via e-mail to Windows PCs. Microsoft has already announced patches for most of the vulnerabilities that Nimda exploits.

If a Windows PC user opens the attached e-mail file, the worm will use Mailing API (MAPI) functions to read the user's e-mail address book and send out copies of itself to all of the addresses.

The following helpful tips, supplied by ZDNet, should help you steer clear of nasty bugs and viruses.

Removal

Antivirus software companies are still analyzing this worm and are in the process of updating their signature files to include Nimda. For more information on removing Nimda from your system, see Central Command, McAfee, Sophos, Symantec, and Trend Micro.

Prevention is better than cure!

1. Windows PC users: If you haven't already installed it, download the Outlook 98 Security Patch or the Outlook 2000 Security Patch. Please note that these patches do not include Outlook Express. Click here for more information regarding security vulnerabilities and patches.

2. Don't open attachments! One of the best ways to prevent virus infections is not to open attachments, especially when viruses such as this one are actively circulating. Even if the e-mail message is from a known source, be careful. A few viruses take mailing lists from an infected computer and send out new messages with its destructive payload attached. Always scan any attached files for viruses, and unless the attachment is a file or an image you are expecting, delete it.

3. Stay informed. Did you know that there are virus and security alerts almost every day? Keep up-to-date on breaking viruses and solutions by personalising M-Web Computing's Virus alerts. Click here to automatically add this module

4. Get protection. If you don't already have virus-protection software on your machine, you should. If you're a home or individual user, it's as easy as downloading a top-rated anti-virus software. If you're on a network, check with your network administrator first.

5. Scan your system regularly. If you're loading antivirus software for the first time, let it scan your entire system. It's better to start with your PC clean and free of virus problems. Many antivirus programs can be set to scan on periodically or each time the computer is rebooted. Some will scan in the background while you are connected to the Internet. Make it a regular habit to scan for viruses.

6. Update your antivirus software. Now that you have virus protection software installed, make sure it's up-to-date. Some antivirus protection programs have a feature that will automatically link to the Internet and add virus detection code whenever the software vendor discovers a new threat.

************************** ****End of copied text**** **************************

Which makes it curiouser and curiouser. Perhaps this is a legitimate company with odd marketing practices.  

Jerry,
ZA is South Africa, not Zaire.
I checked mweb.co.za and it is a legitimate ISP in Randburg, South Africa.
They *may* have received a virus-infected file from you…anything is possible.
I went to their site and they are selling a Norton program, so it seems legit to me.
Send a note to their technical support and ask what this is all about.
++++++++++++++++++++++++++++++++++++++++++++++++++
http://www.mweb.co.za/win/specialoffers/virusalert/default.asp
(4) Visit the M-Web Virus Centre
For more information about viruses and how to get them off your PC, visit the M-Web Virus Centre.

(5) Terms and conditions of the M-Web Anti-Virus Service
M-Web utilises virus scanning technology on its e-mail platform. This is done by way of a licensing agreement with the Symantec Corporation to use their Norton AntiVirus Software. Although M-Web, in conjunction with the Symantec Corporation, shall endeavour to detect all viruses and/or repair all affected email attachments in your mailbox, M-Web and the Symantec Corporation accept no liability whatsoever for any loss, whether direct, indirect or consequential arising from any damage of whatsoever nature caused directly or indirectly by any failure of the anti-virus service to detect any virus and/or repair affected e-mail attachments.

Well, it may be spam rather than scam, but I certainly don't intend to do business with them. Having an outfit in South Africa do my virus scanning is carrying .NET a bit far even if they are legitimate.  Incidentally, if you go to their web site they have some very odd information in their Q&A section.
Here is a much longer analysis:

HTML'ed, so you oughta read it that way. Ha! Best viewed with Lynx!

Jerry said:

@>- Note that I have never sent any messages to these people that I know
@>- of. I did take the trouble to update my Norton Anti-Virus and run it:
@>- as I thought, there are no viruses on my machine. I suspect that if I
@>- went to that web site and did whatever that wants me to, I would have
@>- a virus...
@>- As Alex observes, the ultimate mail filter is an aware human being.
@>- Be alert.

I use Eudora Light 3.0.6 - it sends mail on Win 9x and Win 3.x off the same server directory, which is all I need for Windows - and Netscape 3.04 with Java and Javascript off when I can get away with that. It renders fastest and none of that Active-X crap. I will install lots of MS software for people who need that...except for Outlook/Express. I flat refuse to take a perfectly good machine that I've spent hours working on and install a virus magnet on it, just so someone can be like everybody else. No. Screw that.

Anyways, the site you were complaining about coughed up this (for Netscape 2.2):

(1) Why the need for Virus Scanning?

The spread of malicious viruses poses a major threat to any Internet user. M-Web’s new Anti-Virus Service automatically detects and eliminates fast-spreading, email-borne viruses before they reach your mailbox, and have a chance to infect your PC.

(2) How our service will actually work

Our service makes use of Norton AntiVirus software, recognised worldwide as one of the leading products of this type. This software resides on the M-Web mail servers and requires no installations or configuration on your PC. Better still, this new service is absolutely FREE and represents yet another valuable addition to our existing range of e-mail services e.g. Speechmail, Airmail and Screen Names.

In future, any e-mail that you send or receive will be scanned for known viruses. If any are detected either they will be repaired, or the infected attachment will be deleted. Then the e-mail will continue to its intended destination. In all instances the sender will be notified if a virus has been detected and processed. In the case where the infected attachment has to be deleted, the recipient will receive notification of this.

(3) FAQs
Q: I have a Macintosh, will this service apply to me as well?
A: Yes, it applies to all Operating Systems, and e-mail programs.

[Yes, but Mac users DON'T NEED IT! BAHAHAHA.]
BLANK

[Indeed!]

Q: Can I choose not to make use of this service?
A: No, M-Web has installed this service on all of its mail servers and
it will apply to all e-mail sent through these servers.
[Blink. Ah. Ok, so it's worded so it looks like I HAVE to use their mail service. Right. I remember this one.]

Q: Is this service an invasion of my privacy i.e. are you reading my e-mail?
A: Absolutely not, this service automatically scans the content of the e-mail to look for viruses. There is no human intervention in the process and no-one can see the content of your e-mail.
[End quote.]

Oh, no, of course not. Nobody. Nope. Never.

Anyways, I've seen this one before and somebody else had a similar service...what you got wasn't an illegal scam, really. It was SPAM. Akin to all that other stuff we all get. Well, the stuff I get, anyways. They just sorta forgot the 'If you don't sign up with us now, this could be YOU!' bit that indicates it isn't real. It's run of de mill schtuff.

Now the interesting bit is here, since it applies to why Earthlink clamped down on mass mailings:

Return-Path:
Appended by the originating SMTP server, so that bounces can be sent back somewhere. Required by RFC2822.
Delivered-To: jpournel-jerrypournelle:com-jerryp@jerrypournelle.com
That looks like they're trolling through the j's at jerrypournelle.com - which address they presumably got from a web page email scavenger bot. That is, your page has your email address on it, and of course, somebody snagged it from there.
X-Envelope-To: jerryp@jerrypournelle.com
This line is the one telling a filter to rip off the old header, append it to the actual mail, and then generate the new mail. Which is why the 'bogus' header was added.
Received: (qmail 22079 invoked from network); 22 Nov 2001 04:31:13 -0000

Somebody sent this remotely. Another words, somebody used Microsoft Outlook to send spam mail VIA BCC: to a set of addresses that had been pulled via web bot. Common. In fact, once MS let Outlook/Express out the door, spam went through the ceiling. That was the point that admins started using Cleanfeed on Usenet and suchlike.
Received: from [196.2.42.20] (helo=nav1-cpt.mweb.co.za) by supermail.mweb.co.za with smtp (Exim 3.22 #1) id 166lQu-0005Nx-00 for jerryp@jerrypournelle.com; Thu, 22 Nov 2001 06:25:52 +0200
Supermail is the primary spam server, so it goes from the local machine to the Unix box (Exim seems to be a unix-only program - it is also the server program earthlink uses), and then is relayed on to...
Received: from supermail.mweb.co.za (196.2.53.171) by zortzi.pair.com with SMTP; 22 Nov 2001 04:31:13 -0000
This, FYI, is the SMTP wrapper (envelope) that the pair.com mail server slapped onto the mail when it received it. SMTP servers don't care about the internal contents of the mail or the contents of the headers that the clients add in. All they care about is getting data set X from point A to point B. And now we come to the fairly truthful header the client attached.
From: Norton_AntiVirus_Gateways@mweb.co.za
To: jerryp@jerrypournelle.com
Subject: Virus detected
Date: Thu, 22 Nov 2001 06:31:00 +0200
Message-Id:

None of those lines are actually dealt with by the servers, unless the client fails to add From: or To: or Message-id: lines, in which case the server creates them. All other headers that aren't those and aren't SMTP wrapper lines, are written by the clients, including BCC: and CC: both of which do not actually exist as far as SMTP servers are concerned. If you put a TO: to one address and a CC: to another, when the client talks to the server, it just says
To:
To:

...and so on. (What happened to earthlink was that it would do DNS lookups for the domains on those mail addresses, and those lookups would fail, and it would reject the address. And then the client would not skip to the next address but instead just bail. The Mindspring servers, OTOH, are using Sendmail instead of Exim and Sendmail doesn't do the lookups. All of this lookup crap became necessary when every drooling idiot with a new PC decides to mail everybody in the world with ...marketing... for his new book of fart jokes, as started to happen rather a lot in '96-'97.)

[And to explain your Hour 25 friend's problem - when you use BCC: in Outlook Express, it adds <;;undisclosed.recipients> to the TO: header. Exim is parsing those headers, and rejecting badly formed addresses. Such as the Microsoft Product improperly adds on. No other client does that. Microsoft should have used an X- header instead, which would match the spec. Note that parsing the actual TO: line in the client header is allowed under the spec (RFC2821). So if he changed his mailer, he'd be fine.]

On to the appended 'bogus header':
Return-Path:
This is either a mail sent from them (as you) to them, to make it appear it came from you. Or, the original mail generated was sent bogusly to the filter and then the filter generated the correct To: and From: lines. Hard to say.
Received: from NMKSCHULZ ([196.41.8.155]) by puma.datapro.co.za (8.9.3/8.8.7) with SMTP id GAA12842 for ; Thu, 22 Nov 2001 06:27:10 +0200
Fake return-path or not this is where the mail REALLY came from: 196.41.8.155, which tracert's to somewhere in .za. They're peered off of alter.net. No surprise there. Datapro is probably the hosting service handling mweb.co.za, which is here: http://www.datapro.co.za/. Complain to them, since they will be the upstream provider for the mweb. That'll put a bee in their bonnet.

All this below is just client noise:
Date: Thu, 22 Nov 2001 06:27:10 +0200
From: jerryp@jerrypournelle.com
Message-Id: <200111220427.GAA12842@puma.datapro.co.za>
Subject: Øòdesktopdesktop
MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative"; boundary="====_ABC1234567890DEF_===="
X-Priority: 3
X-MSMail-Priority: Normal
Hi there!
X-Unsent: 1
Uh-huh.

Anyways. So the way I figure they try to work this gig, is they send out this spam that freaks people out about viruses, then they are supposed to go to that page, and sign up with the service, since those people kindly helped them detect this dangerous virus.

So, do they then virus you? NOOOOO. No money in THAT.

No, what they do is they get you to hook up your pop3 account to their mail server, then they filter it. Handy, right? In return for this service (which could be had by setting up your own email scanning), they 'occasionally' send you 'helpful emails about useful products and services' and/or attach advertisements to the filtered email.

Another words, once they have a live address, they spam the s*** out of you. Of course, you never realize that they harvested your address, (a premium address because it is guaranteed LIVE), since none of the spam originates on their servers. They just scan your mail, ever so helpfully.

If they're competent. If they're competent, you'll never get a virus, on account they want to keep you live and on the hook. If they're incompetent, of course, you'll get virused anyways, as a free added bonus.

Call now. Operators are standing by!

Anywho, this IS a scam, albeit a legal one, but I doubt any viruses were harmed or even came anywhere near anybody during the production of this ASCII pork product.

As an added bonus, hopefully ya'll can decode headers reel gud now.

ash

['Tra-la-la-la-la-la.La.'] "Try to say sumpin' funny, Joe." _________________________________________________________________ limitinfinitesetsweusedtohavelegitimatepresidentsimadeyoureadthis sigisnowstalkingyouifyoudontlikethesepostsyoucanblowmerepeatseter Riven against the Black Sun Six ...that which we are, we are.
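The header walk ash does by hand above, done in code as an added example (mine, not from the page or any of its correspondents): it unfolds the two header blocks quoted earlier on this page, walks the Received: relays oldest-first, and reports the peer address the first relay recorded alongside whether the From: domain matches any relay in the chain. The helper names are my own.

```python
# Added example, not from the page: walk a Received: chain bottom-up to find
# where a message really entered the relay path, and compare the From: domain
# against the relays that actually handled it.
import re

# The "bogus" header forwarded inside the datapro virus alert, as quoted on the page.
BOGUS_HEADER = """\
Return-Path: <jerryp@jerrypournelle.com>
Received: from NMKSCHULZ ([196.41.8.155]) by puma.datapro.co.za (8.9.3/8.8.7)
    with SMTP id GAA12842 for <shanec@datapro.co.za>; Thu, 22 Nov 2001 06:27:10 +0200
From: jerryp@jerrypournelle.com
"""

# The real header of the mweb "Virus detected" notification, as quoted on the page.
REAL_HEADER = """\
Return-Path: <Norton_AntiVirus_Gateways@mweb.co.za>
Received: (qmail 22079 invoked from network); 22 Nov 2001 04:31:13 -0000
Received: from supermail.mweb.co.za (196.2.53.171) by zortzi.pair.com
    with SMTP; 22 Nov 2001 04:31:13 -0000
Received: from [196.2.42.20] (helo=nav1-cpt.mweb.co.za) by supermail.mweb.co.za
    with smtp (Exim 3.22 #1) id 166lQu-0005Nx-00
    for jerryp@jerrypournelle.com; Thu, 22 Nov 2001 06:25:52 +0200
From: Norton_AntiVirus_Gateways@mweb.co.za
To: jerryp@jerrypournelle.com
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# "from <host> (<comment>) ... by <host>": the comment usually holds the peer IP.
FROM_BY = re.compile(r"^from\s+(\S+)(?:\s+\((.*?)\))?.*?\s+by\s+(\S+)", re.S)

def unfold(header_block):
    """Join folded continuation lines; return (name, value) pairs in header order."""
    fields = []
    for line in header_block.splitlines():
        if line[:1] in (" ", "\t") and fields:
            fields[-1] = (fields[-1][0], fields[-1][1] + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            fields.append((name.strip().lower(), value.strip()))
    return fields

def received_hops(header_block):
    """Hops oldest-first as {from, ip, by}. Each relay prepends its own Received:
    line, so the last one in the block is the first hop. Lines without a
    'from ... by ...' pair (qmail's 'invoked from network') add no hop."""
    hops = []
    for name, value in unfold(header_block):
        m = FROM_BY.match(value) if name == "received" else None
        if not m:
            continue
        ip = IPV4.search(m.group(1) + " " + (m.group(2) or ""))
        hops.append({"from": m.group(1), "ip": ip.group(1) if ip else None,
                     "by": m.group(3)})
    hops.reverse()
    return hops

def origin_ip(header_block):
    """The peer address recorded by the first relay: the one value in the chain
    the sending client did not write itself (anything earlier can be forged)."""
    hops = received_hops(header_block)
    return hops[0]["ip"] if hops else None

def sender_domain_vouched(header_block):
    """True if the From: domain is the domain of some relay in the chain.
    A mismatch does not prove forgery, but it is the reason not to trust From:."""
    from_addr = dict(unfold(header_block)).get("from", "")
    domain = from_addr.rsplit("@", 1)[-1].strip("<> ").lower()
    for hop in received_hops(header_block):
        for host in (hop["from"], hop["by"]):
            host = host.strip("[]").lower()
            if domain and (host == domain or host.endswith("." + domain)):
                return True
    return False
```

Run against the two blocks, the bogus header resolves to 196.41.8.155 with a From: domain no relay vouches for, while the real mweb notification resolves to 196.2.42.20 with mweb.co.za relays in the chain.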

And from Joel Rosenberg:

Email scam:

FWIW, I browsed to the web page -- running under Linux, I'm perhaps insufficiently worried about getting viruses via web browsing -- and a quick (and entirely amateur) examination of the source code suggests that ash has it right: it's just an obnoxious marketing technique/scam, rather than something more.

I'm beginning to love the Scoring feature in gnus, which I now use to read my mail, most of the time. (It handles html very primitively, and doesn't do much of anything interesting with it, which is my preference.) When I see an obvious spam message, I just hit L, then set up a substring filter to lower the score of messages with similar titles, or from similar countries. (Nothing from Taiwan, frex.)

In any event, that is enough for this venture...