How to track down the true source of an email

I keep explaining this on every non-technical messageboard I visit whenever a member gets a virus. Rather than keep typing it out every time, I decided to do it up really nice one final time.

How to track down the true source of an email

This guide should let just about anyone figure out how to analyze the virus and spam emails they get to find the true source, and what to look at to help figure out whose PC it is that’s sending out this garbage. I hope this helps someone out there learn a little more, and I hope it helps stop some of the needless blame that innocent victims get when their email address is spoofed as the sender (note that it just as easily could’ve been your address that the email was “from” and the other person’s address that it was sent to).

I’m also going to rant a bit about stupid mail server AV programs. I know that every Netsky virus mail has a spoofed sender address. I know that every Bagle email has a spoofed sender address. Everybody knows that these (and other) email worms use spoofed addresses. So why do these “state of the art” AV programs tell the mail server to bounce the message back to the “from” address? If an attachment infected with CIH is detected, alert the sender. CIH is a file virus – it spreads between files on one PC. If the attachment has CIH, then other files on that PC have CIH also. Bouncing the message back to the sender lets them know they have a virus.

However, bouncing a Netsky/Bagle message back to the “sender” address only tells the person that somewhere a PC with their email address on it has a virus. It’s possible that an infected PC could send out an email with the owner’s address as the “from” address, but it’s just as possible for any other PC to send it out as being from that address. Alerting the “sender” of the email most likely will just confuse an innocent bystander whose PC isn’t infected. Vendors, add a simple check in your super-duper AV program that says “if detectedvirus.type == spoofing, then don’t bounce email”. That’s all it takes, just one little check. I don’t think I’m that much smarter than you guys, but I guess I could be…
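As an added example (not from the original post or the guide it links to), here is the kind of check the guide describes and the kind of check the rant asks vendors for, in one small Python script. It walks a message’s Received: chain from the newest hop down, stopping at the first line that one of our own relays wrote about an outside host; the IP on that line is where the mail really came from, whatever From: says. The relay names, IP addresses and the sample worm mail are all constructed for the demo, and the list of trusted relays is an assumption you would replace with your own mail servers.

```python
"""Find the true source of a mail from its Received: chain, and decide
whether an AV gateway should notify the From: address at all.
Added example; hosts, IPs and the message below are constructed."""
import re
from email import message_from_string

# Assumed: the relays we operate, whose Received: lines we can believe.
TRUSTED_RELAYS = {"mail.example.net", "mx.example.net"}

# From the post: worm families known to forge the sender address.
SPOOFING_WORMS = {"Netsky", "Bagle"}

# Dotted-quad that is not part of a longer dotted string.
IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# Constructed sample worm mail. Received: lines are newest-first; each relay
# prepends its own line, so the bottom line was written by whoever handed the
# mail to us and may say anything it likes.
SAMPLE = (
    "Received: from mx.example.net (mx.example.net [192.0.2.10])\n"
    "\tby mail.example.net with ESMTP id abc123\n"
    "\tfor <victim@example.net>; Tue, 30 Mar 2004 10:15:02 -0500\n"
    "Received: from unknown (HELO mail.example.com) (198.51.100.77)\n"
    "\tby mx.example.net with SMTP; Tue, 30 Mar 2004 10:15:01 -0500\n"
    "From: innocent.bystander@example.org\n"
    "To: victim@example.net\n"
    "Subject: Re: Your document\n"
    "\n"
    "see attached\n"
)


def parse_received(value):
    """Split one Received: header into its 'from' side and its 'by' host."""
    value = " ".join(value.split())              # unfold continuation lines
    from_part, _, rest = value.partition(" by ")
    by_host = rest.split()[0] if rest else None
    words = from_part.split()
    from_host = words[1] if len(words) > 1 and words[0] == "from" else None
    ips = IPV4.findall(from_part)
    return {"from_host": from_host,
            "from_ip": ips[0] if ips else None,
            "by_host": by_host}


def find_origin(raw_message, trusted=TRUSTED_RELAYS):
    """Return the IP that handed the mail to our first trusted relay and the
    address the mail claims to be from. source_ip is None if no hop written
    by a trusted relay was found."""
    msg = message_from_string(raw_message)
    claimed_from = msg.get("From")
    for value in msg.get_all("Received", []):    # newest hop first
        hop = parse_received(value)
        if hop["by_host"] not in trusted:
            break            # not written by us; everything below is untrusted
        if hop["from_host"] not in trusted:
            # Our relay accepted this connection from an outside host: that is
            # the real source, regardless of what From: claims.
            return {"source_ip": hop["from_ip"], "claimed_from": claimed_from}
    return {"source_ip": None, "claimed_from": claimed_from}


def bounce_address(worm_family, claimed_from):
    """Address an AV gateway may notify, or None. For a worm that forges the
    sender, notifying From: only confuses an uninvolved third party."""
    return None if worm_family in SPOOFING_WORMS else claimed_from


if __name__ == "__main__":
    origin = find_origin(SAMPLE)
    print(origin)    # source 198.51.100.77, not innocent.bystander@example.org
    print(bounce_address("Netsky", origin["claimed_from"]))   # None
```

The only lines worth believing are the ones your own relays wrote, which is why the walk stops as soon as a Received: line claims to have been added by a host you do not control. The IP it returns identifies the connecting machine (the infected PC or its ISP’s relay), which is who should hear about the infection; the From: address is just data the worm filled in.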

Get infected, lose your connection

Comcast cutting off spam ‘zombies’

Sweet. Comcast is starting to disable cable connections of PCs infected with mass-mailing worms. While I’m sure it won’t completely stop spam, many spammers are now using zombified PCs to do their dirty work, and Comcast is known for its huge numbers of clueless users. This will help those of us getting bombarded with all this spam, and hopefully these users will learn that failing to secure their PCs does lead to unwanted consequences. Maybe these consequences will even make them realize that they really are affecting others with their actions (or lack thereof).

Bloody Pinguin

Wow, this is a really bloody version of the Pinguin game I posted before. It’s the same concept, but it involves spikes, landmines, explosions, and flying heads. Give it a shot sometime if you like the first ones.

Get your email through spam filters

I just added a link to Habeas there on the left. They use a unique approach to guarantee that your email makes it through spam filters. If you agree not to spam, you can license their poem. You put this in your mail headers. Many spam filters are configured to recognize the Habeas poem, so they let the email pass through. That’s great, you say, but can’t anyone just put the poem in their email headers to get it past filters? That’s where Habeas’ power lies. Their poem is a copyrighted work. If you use it against their licensing terms, they sue you under existing and proven copyright laws for devaluing their work. No worries about how judges will interpret the technical side of things, or if they’ll even have any clue about it. Spamming is stopped via existing, proven, understood laws. As you can see, it’s a unique way to handle the issue, and it works.

Businesses and email providers can sign up to have all of their outgoing mail tagged with the headers by having their users agree to the Habeas terms. Individuals can get a personal license for free. Once you do that, you can configure your mail client or mail server to embed the headers in each email you send. You can also download a proxy for Windows. Your mail client sends all mail to the proxy and the proxy sends it to the actual mail server after embedding the headers.

A new setting has been added to Mozilla (including Thunderbird) to embed custom headers in each email. The easiest way to add the proper settings is to install chromEdit. Once you’ve got that installed, just pick Edit User Files on your Tools menu, click on the user.js tab, and add the following:

// Add Habeas headers to outgoing mail
user_pref("mail.identity.id1.headers","habeas1,habeas2,habeas3,habeas4,habeas5,habeas6,habeas7,habeas8,habeas9");
user_pref("mail.identity.id1.header.habeas1", "X-Habeas-SWE-1: winter into spring");
user_pref("mail.identity.id1.header.habeas2", "X-Habeas-SWE-2: brightly anticipated");
user_pref("mail.identity.id1.header.habeas3", "X-Habeas-SWE-3: like Habeas SWE(tm)");
user_pref("mail.identity.id1.header.habeas4", "X-Habeas-SWE-4: Copyright 2002 Habeas (tm)");
user_pref("mail.identity.id1.header.habeas5", "X-Habeas-SWE-5: Sender Warranted Email (SWE) (tm). The sender of this");
user_pref("mail.identity.id1.header.habeas6", "X-Habeas-SWE-6: email in exchange for a license for this Habeas");
user_pref("mail.identity.id1.header.habeas7", "X-Habeas-SWE-7: warrant mark warrants that this is a Habeas Compliant");
user_pref("mail.identity.id1.header.habeas8", "X-Habeas-SWE-8: Message (HCM) and not spam. Please report use of this");
user_pref("mail.identity.id1.header.habeas9", "X-Habeas-SWE-9: mark in spam to <http://www.habeas.com/report/>.");

Click Save and that’s it. Mozilla will now add those lines to every outgoing mail automatically. The setting is per-account, so if you have multiple email accounts you’ll need to add a copy of that block for each account, changing id1 to the id# corresponding to that mail account. With this tidbit of code and the time it takes to fill out the application linked above, you’ll be guaranteeing that your legitimate mail makes it through just about every mail filter out there.
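To show the other side of the arrangement, here is an added example (not Habeas’ code and not from the original post) of how a spam filter can recognize the mark: it requires all nine X-Habeas-SWE headers with exactly the text from the user.js lines above, and distinguishes a message that carries the whole mark from one with no mark and one where the lines are incomplete or altered. The test messages are constructed, and how a real filter weighs the result (for instance, subtracting from a spam score rather than allowing the message outright) is an assumption.

```python
"""Filter-side check for the Habeas Sender Warranted Email mark.
Added example; the header text is the post's, the messages are constructed."""
from email import message_from_string

# The licensed text, exactly as the post's user.js lines put it in the headers.
HABEAS_SWE = {
    "X-Habeas-SWE-1": "winter into spring",
    "X-Habeas-SWE-2": "brightly anticipated",
    "X-Habeas-SWE-3": "like Habeas SWE(tm)",
    "X-Habeas-SWE-4": "Copyright 2002 Habeas (tm)",
    "X-Habeas-SWE-5": "Sender Warranted Email (SWE) (tm). The sender of this",
    "X-Habeas-SWE-6": "email in exchange for a license for this Habeas",
    "X-Habeas-SWE-7": "warrant mark warrants that this is a Habeas Compliant",
    "X-Habeas-SWE-8": "Message (HCM) and not spam. Please report use of this",
    "X-Habeas-SWE-9": "mark in spam to <http://www.habeas.com/report/>.",
}


def habeas_status(raw_message):
    """'valid'    : all nine lines present with the exact licensed text
       'absent'   : none of the lines present (mark not used)
       'tampered' : some lines missing or any value altered; a filter should
                    give this no credit and a licensee may want to report it."""
    msg = message_from_string(raw_message)
    present = {name: msg.get(name) for name in HABEAS_SWE
               if msg.get(name) is not None}
    if not present:
        return "absent"
    complete = len(present) == len(HABEAS_SWE)
    exact = all(" ".join(value.split()) == HABEAS_SWE[name]
                for name, value in present.items())
    return "valid" if complete and exact else "tampered"


def build_message(body, extra_headers=None):
    """Assemble a constructed test message with optional extra headers."""
    lines = ["From: someone@example.org", "To: you@example.net",
             "Subject: hello"]
    lines += [f"{name}: {value}" for name, value in (extra_headers or {}).items()]
    return "\n".join(lines) + "\n\n" + body + "\n"


# Constructed inputs: a licensed mail, a mail that copied only part of the
# poem, and a mail with no mark at all.
LICENSED = build_message("Licensed newsletter text.", HABEAS_SWE)
PARTIAL_COPY = build_message("BUY NOW", dict(list(HABEAS_SWE.items())[:3]))
PLAIN = build_message("just a normal message")

if __name__ == "__main__":
    for label, raw in (("licensed", LICENSED), ("partial", PARTIAL_COPY),
                       ("plain", PLAIN)):
        print(label, habeas_status(raw))
```

Nothing in this check stops a spammer from pasting the full text; that is the point of the post, since the deterrent is the license and copyright law rather than anything the filter can verify. The filter’s job is only to recognize the mark exactly and to leave partial or altered copies with no credit, which keeps the mark worth reporting when it does show up in spam.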

I don’t know anything about Habeas’ business licensing, but the personal one is free, so I figure it can only help. Many common filters already recognize the Habeas poem, and Habeas seems to be doing a good job of enforcing its use (which keeps it worthwhile).