Is this another kind of spoof?
Anyone from the forum received this kind of email?
-=-=-=-=-=-=-=-=-
From: Microsoft Security Support <veovrhnazvdvif@advisor.ms.com>
To: Customer <customer_zmqbldc@advisor.ms.com>
Microsoft Customer
this is the latest version of security update, the
"September 2003, Cumulative Patch" update which fixes
all known security vulnerabilities affecting
MS Internet Explorer, MS Outlook and MS Outlook Express
as well as three newly discovered vulnerabilities.
Install now to protect your computer
from these vulnerabilities, the most serious of which could
allow an attacker to run code on your computer.
System requirements: Windows 95/98/Me/2000/NT/XP
This update applies to:
- MS Internet Explorer, version 4.01 and later
- MS Outlook, version 8.00 and later
- MS Outlook Express, version 4.01 and later
Recommendation: Customers should install the patch at the earliest opportunity.
How to install: Run attached file. Choose Yes on displayed dialog box.
How to use: You don't need to do anything after installing this item.
Love them or hate them, the people sending the latest lot have gone a bit further than straight emails this time. The design looks like MS, but, as already stated, MS doesn't usually send information out in this fashion.
MS Inet Mail Delivery System
MS Security Services
MS Security Support
network email system
The first three identify the spoofed attachments.
The last one identifies emails where the virus has been removed by the spam/virus filter of an SMTP server (I've received this one both in English and Spanish).
There's no reason to try to discover all possible permutations of words in subject or sender, nor all possible words.
If the message body contains one of the mentioned three Content-Types, it's with 99.99999999% certainty a virus.
I haven't observed a single false positive.
I just filter these messages to trash.
Trash is set to be automagically emptied when Mozilla is shut down.
When in doubt, never click an email link... instead go straight to the source (in this case, windows update) and see if you need any patching.
Similar: I just got an email telling me to update my EBAY information by clicking the link in the email. I checked the message headers and it did indeed look like it was from ebay. BUT, instead I went to ebay and logged in. Turned out to be a bogus message trying to gather info (credit cards, etc). Glad I went to the source.
-Kenn
when you look at those headers, check the IP numbers as well... the top one is put in by your mail server... that ip number cannot be faked like the domain names can be... spamcop.net is great for these...
also, look at the source and see where the links and submit buttons are taking you... if there's an @ in there, drop everything before it and what follows is the true site you'll be dropping by...
ie: www.widgets.blah/qwerty@127.0.0.1/whatever
in the above example, you'll be going to 127.0.0.1/whatever... i've had both paypal and ebay messages of similar nature and in both cases, the subterfuge was easy to spot...
in the case of the paypal one, you were dropped by a site that recorded the info from the form variables and then forwarded on to paypal with the necessary ones for the login... this one is called a "man in the middle" attack...
the last thing to remember (maybe the first?) is that microsoft never sends patches out like these emails claim to be... it would be, for one thing, a major traffic load on the network... for another, they don't have everyone's email addresses though they do try to get as many as they can ;)
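The "@ in the link" check described in the post above, worked through as an added example (not code from the original thread). One caveat a standards-compliant parser exposes: under RFC 3986 the part before an `@` is only treated as userinfo when it sits in the authority, i.e. before the first `/`. So `http://www.widgets.blah@127.0.0.1/whatever` really does go to 127.0.0.1, while the literal form quoted in the post, `www.widgets.blah/qwerty@127.0.0.1/whatever`, parses with `www.widgets.blah` as the host (the `@` is already in the path). Python's `urllib.parse` follows that rule. The HTML snippet is constructed for the example and reuses the post's own placeholder names.

```python
import re
from urllib.parse import urlsplit


def _with_scheme(url):
    # Assume http when the scheme is missing, so the authority is parsed.
    return url if "://" in url else "http://" + url


def true_host(url):
    """Host a standards-compliant client actually connects to.

    urlsplit(...).hostname discards any userinfo before '@' and any port,
    so it reports the real target rather than the decoy name.
    """
    return urlsplit(_with_scheme(url)).hostname


def has_userinfo(url):
    """True when the authority carries a 'user@' part (the decoy trick)."""
    return urlsplit(_with_scheme(url)).username is not None


# Constructed HTML body resembling the messages discussed in the thread.
SAMPLE_HTML = """
<p>Please confirm your details:</p>
<a href="http://www.widgets.blah@127.0.0.1/whatever">www.widgets.blah</a>
<a href="http://www.widgets.blah/qwerty@127.0.0.1/whatever">Help</a>
<a href="http://127.0.0.1/whatever">www.widgets.blah</a>
<a href="http://www.widgets.blah/help">Help page</a>
<form action="http://www.widgets.blah:80@127.0.0.1/login"><input type="submit"></form>
"""

LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
FORM_RE = re.compile(r'<form\s[^>]*action="([^"]+)"', re.I)
HOSTLIKE_RE = re.compile(r"[\w.-]+\.[a-z]+", re.I)


def suspicious_targets(html):
    """Return (url, real_host, reason) for links and forms that either hide
    the real host behind userinfo or whose visible text names another host."""
    findings = []
    for href, text in LINK_RE.findall(html):
        host = true_host(href)
        label = text.strip().lower()
        if has_userinfo(href):
            findings.append((href, host, "userinfo before @ hides the real host"))
        elif HOSTLIKE_RE.fullmatch(label) and label != host:
            findings.append((href, host, "link text names a different host"))
    for action in FORM_RE.findall(html):
        if has_userinfo(action):
            findings.append((action, true_host(action),
                             "form submits to a userinfo-disguised host"))
    return findings


if __name__ == "__main__":
    for url, host, reason in suspicious_targets(SAMPLE_HTML):
        print(f"{host:<12} {reason:<42} {url}")
```

The second link in the sample produces no finding: because the `@` comes after a `/`, the request goes to `www.widgets.blah`, which is exactly why the rule of thumb has to be applied to the authority part of the URL rather than to the whole string.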
when you look at those headers, check the IP numbers as well... the top one is put in by your mail server... that ip number cannot be faked like the domain names can be...
When you get these fake paypal, ebay, or whoever emails, I recommend sending a copy with the header to their abuse department. A lot of these big companies will collect evidence, and then go sue the culprits. Microsoft in particular loves suing people but don't send them any of the viruses/worms or they will get really mad at you.
as i said, the top one is added by your mail server... if it doesn't put the ip number in and accepts what the remote connection tells it, then you will get faked stuff all the way thru...
many's the time that i see 5 or 6 received headers and all of them are faked except for the top one which is either the actual culprit or an open proxy that's being abused...
just like here on WW, spamcop.net is full of info on this stuff and what the spammers are doing and how... not only do you learn about that but also how mail servers operate, should (ideally) be configured and how they are abused... i use xnews to access their newsgroup server... there are other methods of joining in on their discussions, too... be careful and wear your asbestos garments... also note that just like here on WW, "competitors" are there as well...
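The Received-header reading described in the two posts above (check the top one, because your own server wrote it; treat everything below it as a claim the sender can forge), as an added example that is not code from the thread. The message is constructed: the hostnames and addresses are placeholders from documentation ranges, and the sender address is the one quoted at the top of the thread. With Python's `email` module the Received headers come back in the order they appear, so index 0 is the hop your own MX recorded.

```python
import re
import email.utils
from email import message_from_string

# Constructed sample message with three Received headers. The top one was
# added by our own MX (mx.ourdomain.test) and holds the IP it actually saw
# in brackets; the two below arrived inside the message and prove nothing.
SAMPLE_MESSAGE = """\
Received: from mail.widgets.blah (unknown [203.0.113.5])
    by mx.ourdomain.test (Postfix) with ESMTP id 4F2A1
    for <customer@ourdomain.test>; Tue, 23 Sep 2003 10:00:00 +0000
Received: from advisor.ms.com (advisor.ms.com [198.51.100.77])
    by mail.widgets.blah with SMTP; Tue, 23 Sep 2003 09:59:00 +0000
Received: from localhost (localhost [127.0.0.1])
    by advisor.ms.com; Tue, 23 Sep 2003 09:58:00 +0000
From: Microsoft Security Support <veovrhnazvdvif@advisor.ms.com>
To: Customer <customer@ourdomain.test>
Subject: latest security update

Run the attached file.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")      # bracketed IPv4 literal
FROM_RE = re.compile(r"^from\s+([^\s;]+)", re.IGNORECASE)  # name the client announced
BY_RE = re.compile(r"\bby\s+([^\s;]+)", re.IGNORECASE)     # server that wrote the hop


def received_chain(raw):
    """Parse every Received header, top first. Only the first hop is marked
    trusted: it was written by the receiving server, not by the sender."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        text = re.sub(r"\s+", " ", value).strip()   # unfold continuation lines
        ip, helo, by = IP_RE.search(text), FROM_RE.search(text), BY_RE.search(text)
        hops.append({
            "helo": helo.group(1) if helo else None,  # announced name: forgeable
            "ip": ip.group(1) if ip else None,        # observed by 'by' host
            "by": by.group(1) if by else None,
            "trusted": len(hops) == 0,
        })
    return hops


def connecting_ip(raw):
    """The address our own server saw the message come from: the one
    value in the chain the sender could not write."""
    hops = received_chain(raw)
    return hops[0]["ip"] if hops else None


def header_from_domain(raw):
    """Domain claimed in the From: header, for comparison with the hops."""
    msg = message_from_string(raw)
    _, addr = email.utils.parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def report(raw):
    hops = received_chain(raw)
    return {
        "connecting_ip": connecting_ip(raw),
        "announced_name": hops[0]["helo"] if hops else None,
        "claimed_from_domain": header_from_domain(raw),
        "untrusted_hops": [h for h in hops if not h["trusted"]],
    }


if __name__ == "__main__":
    for key, val in report(SAMPLE_MESSAGE).items():
        print(f"{key}: {val}")
```

In the sample, the only reliable fact is that 203.0.113.5 connected to mx.ourdomain.test; the hostname it announced and the two lower hops that trace the message back to advisor.ms.com are all text the sender supplied. That connecting address is what to look up on spamcop.net or include in an abuse report.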