'From' addresses can be faked
Don't assume that an email is really from the address listed in the 'From' line. 'From' addresses are so easily faked they are practically worthless as a means of positive ID.
A typical trick is for spammers and virus authors - and these two groups are now synonymous - is to get a victim's compromised machine to scan itself for anything that looks like an email address.
The virus software looks in the victim's address book, any locally cached web pages and their email archive amongst other places, extracting and remembering the email addresses it finds.
It then starts sending out virus-laden email to the addresses it's found, faking the 'From' address as it goes.
In order to try and trap the unwary, the virus on the sending machine is clever enough to try to use 'To' and 'From' addresses in permutations that a recipient might believe.
So if the victim ever in the past received a legitimate email to victim@domain.com from me@mydomain.com the virus will probably try sending itself to me@mydomain.com with a faked 'From' address of victim@domain.com - hoping that I will mistake it for a genuine message.
Should I be worried?
If you start getting a load of complaints that you're sending spam or viruses to people, there are a couple of possible reasons:
1) You really are doing it.
2) You're not, but the 'From' address on the email the other people got has been faked to be your address, and they're just replying blindly to what they believe is the real sender.
Many automated virus scanning programs bounce infected mail back to the apparent originator, with an alert that the mail wasn't delivered because it was infected. Unfortunately, since most (all?) of these automated systems seem to rely on the 'From' address being genuine, all that happens is they squirt useless alerts at the wrong target. Ironic eh?
I want to complain/inform...
OK, so you've got anti-virus software installed, it's up to date and you've had an alert pop up saying such and such an email was infected with some virus or other.
If you really want to do something about it (other than junk the infected email and forget about it), you'll need to know a lot more about email than this little article is going to tell you.
You'll need to know how to get at the full email header lines, be able to understand what they are telling you, know which of these headers can be faked and which can't, and then know how to track down the actual originator so you can tell them their machine is compromised.
Conclusion
As long as 'From' addresses can be faked and people (and software) don't fully appreciate this fact, we'll all get email from time to time that claims either we're infected, or our email system is infected, or that we're bad people for sending spam.
Whether we really are or not depends on the measures we each take to protect our individual systems from being compromised by the real culprits.
--
Simon Banton
Webmaster, Shout99.com
|