No Mas - No Mas


I'm sure you've heard about the SoBig virus. This isn't the one the big-boned kid from Minnesota got arrested over (he's connected with one of the variants of Blaster). SoBig is one of those viruses that gets into your email and then tries to propagate by mailing itself to everyone in your address book.

What makes SoBig particularly nefarious is that it spoofs where it's coming from. So, if you were infected, you might send out hundreds... maybe thousands of emails, but they wouldn't carry your return address; they'd carry someone else's... like mine!

As far as I can tell, that's just what's happening. If it weren't such a huge pain in the ass, the funny part would be that the messages bouncing back to me (which I didn't send) are coming from my direct business competitor, WFSB.

Here's a short sample of what I've gotten hundreds of times already:
This message was created automatically by mail delivery software.

Message violates a policy rule set up by the domain administrator

Delivery failed for the following recipients(s):
newsdesk3@wfsb.com

----- Original Message Header -----
Received: by mail1-haw (MessageSwitch) id 1062729730176807_24713; Fri, 5 Sep 2003 02:42:10 +0000 (UCT)
Received: from L-39C (mail.jcj.com [216.224.41.148])
by mail1-haw.bigfish.com (Postfix) with ESMTP id E51C011659E
for ; Fri, 5 Sep 2003 02:42:07 +0000 (UCT)
From:
To:
Subject: Re: That movie
Date: Thu, 4 Sep 2003 22:42:07 --0400
X-MailScanner: Found to be clean
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="_NextPart_000_01AB1BB8"
Message-Id: <20030905024207.E51C011659E@mail1-haw.bigfish.com>

So, what can we learn from this?

First, the network administrators for WFSB (who are listed in Internet directories as actually being from their parent company Meredith) ought to know that SoBig spoofs return addresses and stop sending these bounces. Most other companies have followed that policy of benign neglect.

Yes, bounces are important in normal times, because people would like to know when mail they sent didn't arrive. But, with this virus, it is obvious from the contents that this isn't a 'real' message.

Second, the headers show that the mail is coming through the mail server at jcj.com, a Hartford, CT architectural firm. It would be nearly impossible to spoof jcj.com here, because there is a 'handshake', with information traded back and forth, when the WFSB server accepts the mail. If the address were spoofed, there would be no response and the transaction would end before the mail was sent. Jcj.com shouldn't be letting this message pass through their server... which seems to be happening dozens and dozens and dozens of times.
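To make that point concrete, here is a small Python script I've added for illustration (my own code, not part of the original post). It unfolds the bounce headers quoted above, which are reproduced as constructed test input with the blank From:/To: values left as they appeared, and pulls out the hop the receiving server actually recorded, which is how you separate the real source of a message from its spoofed return address.

```python
import re

# Constructed sample: the "Original Message Header" block from the bounce
# quoted above, reused here as test input (From:/To: were blank on the page).
SAMPLE_HEADERS = """Received: by mail1-haw (MessageSwitch) id 1062729730176807_24713; Fri, 5 Sep 2003 02:42:10 +0000 (UCT)
Received: from L-39C (mail.jcj.com [216.224.41.148])
\tby mail1-haw.bigfish.com (Postfix) with ESMTP id E51C011659E
\tfor ; Fri, 5 Sep 2003 02:42:07 +0000 (UCT)
From:
To:
Subject: Re: That movie
"""

# Matches the "from <helo> (<reverse-dns> [<ip>]) by <server>" clause that the
# receiving server writes itself during the SMTP exchange.
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[\d.]+)\]\)"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)

def unfold_headers(raw):
    """Join continuation lines (leading whitespace) back onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def trace_origin(raw):
    """Return the earliest hop that names a connecting IP, or None."""
    hops = [m.groupdict() for m in map(RECEIVED_RE.match, unfold_headers(raw)) if m]
    # Received headers are prepended as mail travels, so the last one is the origin.
    return hops[-1] if hops else None

def summarize(raw):
    """Put the sender-supplied From: beside what the receiving server observed."""
    origin = trace_origin(raw)
    from_hdr = next((l.split(":", 1)[1].strip() for l in unfold_headers(raw)
                     if l.lower().startswith("from:")), None)
    return {
        "from_header": from_hdr,  # sender-supplied text; blank in this bounce
        "origin_ip": origin["ip"] if origin else None,
        "origin_rdns": origin["rdns"] if origin else None,
        "helo": origin["helo"] if origin else None,
        # A bare, dot-less HELO name suggests a desktop machine rather than a mail server.
        "helo_is_fqdn": bool(origin and "." in origin["helo"]),
    }
```

The From: line is whatever the sender typed, so it proves nothing; the `origin_ip` and `origin_rdns` fields come from the connection the receiving server actually saw.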

I sent a letter to the WFSB mail administrator a few days ago. Nothing. Maybe I should let them know I'll start charging for my services should they send any more of these my way. I wrote jcj.com tonight. It's too early to expect a response, but they should have nipped this a long time ago.

Meanwhile, it's another waste of time. Thanks.


This page contains a single entry by Geoff Fox published on 09/04/03 10:53 PM.
