No Mas – No Mas

I’m sure you’ve heard about the SoBig virus. This isn’t the one the big boned kid from Minnesota got arrested over (he’s with one of the variants of Blaster). SoBig is one of those viruses that arrives through your email and then tries to propagate by emailing itself to everyone in your address book.

What makes SoBig particularly nefarious is that it spoofs where it’s coming from. So, if you were infected, you might send out hundreds… maybe thousands of emails, but they wouldn’t carry your return address; they’d carry someone else’s… like mine!

As far as I can tell, that’s just what’s happening. If it weren’t such a huge pain in the ass, the funny part would be that the messages bouncing back to me (which I didn’t send) are coming from my direct business competitor, WFSB.

Here’s a short sample of what I’ve gotten hundreds of times already:

This message was created automatically by mail delivery software.

Message violates a policy rule set up by the domain administrator

Delivery failed for the following recipients(s):

newsdesk3@wfsb.com

----- Original Message Header -----

Received: by mail1-haw (MessageSwitch) id 1062729730176807_24713; Fri, 5 Sep 2003 02:42:10 +0000 (UCT)
Received: from L-39C (mail.jcj.com [216.224.41.148])
    by mail1-haw.bigfish.com (Postfix) with ESMTP id E51C011659E
    for ; Fri, 5 Sep 2003 02:42:07 +0000 (UCT)
From:
To:
Subject: Re: That movie
Date: Thu, 4 Sep 2003 22:42:07 -0400
X-MailScanner: Found to be clean
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="_NextPart_000_01AB1BB8"
Message-Id: <20030905024207.E51C011659E@mail1-haw.bigfish.com>

So, what can we learn from this?

First, the network administrators for WFSB (who are listed in Internet directories as actually being from their parent company Meredith) ought to know that SoBig spoofs return addresses and stop sending these bounces. Most other companies have followed that policy of benign neglect.

Yes, bounces are important in normal times, because people would like to know when mail they sent didn’t arrive. But, with this virus, it is obvious from the contents that this isn’t a ‘real’ message.

Second, the headers show that the mail is coming through the mail server at jcj.com, a Hartford, CT architectural firm. It would be nearly impossible to spoof jcj.com here, because there is a ‘handshake’ with information traded back and forth when the WFSB server accepts the mail; the address it records is the one it actually talked to. If that address were spoofed, there’d be no response and the transaction would end before the mail was sent. jcj.com shouldn’t be letting this message pass their server… which seems to be happening dozens and dozens and dozens of times.
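One way to do that header check in code, added here as an example that is not part of the original post: it parses the headers quoted above with Python's standard email module, trusts only the Received line stamped by the receiving side's own server (bigfish.com in this bounce, assumed here to be the mail gateway on the WFSB side), and names the relay an abuse report should actually go to rather than the forged From: address.

```python
import re
from email import message_from_string

# Headers reconstructed from the bounce quoted above (blank From:/To: and
# the elided "for" recipient are left exactly as the page shows them).
BOUNCE_HEADERS = """\
Received: by mail1-haw (MessageSwitch) id 1062729730176807_24713; Fri, 5 Sep 2003 02:42:10 +0000 (UCT)
Received: from L-39C (mail.jcj.com [216.224.41.148])
    by mail1-haw.bigfish.com (Postfix) with ESMTP id E51C011659E
    for ; Fri, 5 Sep 2003 02:42:07 +0000 (UCT)
From:
To:
Subject: Re: That movie
Message-Id: <20030905024207.E51C011659E@mail1-haw.bigfish.com>
"""

# "from HELO (rdns [ip]) by host": the receiving host wrote this line itself,
# so [ip] is the peer it actually completed a TCP handshake with. The HELO
# name and everything the sender supplied (From:, To:) are free text.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]*)\s*\[(?P<ip>[0-9.]+)\]\)\s+by\s+(?P<by>\S+)"
)

def received_hops(raw_headers):
    """Received hops newest-first; a hop without a parseable 'from ... by' is None."""
    msg = message_from_string(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(" ".join(value.split()))  # unfold continuation lines
        hops.append(m.groupdict() if m else None)
    return hops

def injecting_relay(raw_headers, trusted_suffixes):
    """The client that connected to a server we operate (hosts ending in
    trusted_suffixes). Walk newest-to-oldest and stop at the first hop stamped
    by one of ours; every line below it was written by the sender and is
    exactly what SoBig forges, so it must not be believed."""
    for hop in received_hops(raw_headers):
        if hop and hop["by"].endswith(tuple(trusted_suffixes)):
            return hop
    return None

def complaint_target(raw_headers, trusted_suffixes):
    """Where an abuse report about this message can legitimately go: the
    operator of the injecting relay, never the address in the From: header."""
    hop = injecting_relay(raw_headers, trusted_suffixes)
    return None if hop is None else (hop["rdns"] or hop["ip"])
```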

I sent a letter to the WFSB mail administrator a few days ago. Nothing. Maybe I should let them know I’ll start charging for my services should they send any more of these my way. I wrote jcj.com tonight. It’s too early to expect a response, but they should have nipped this a long time ago.

Meanwhile, it’s another waste of time. Thanks.