Since this latest swarm of medium-threat viruses started, I've gotten a fair number of e-mail messages claiming I sent someone a virus. Well, I didn't. Not only do I have a corporate gateway to stop incoming viruses, my desktop also runs an enterprise version of an antivirus program.
I've become a victim of what I call "viral-borne identity theft," a.k.a. spoofing. Here's what e-mail spoofing is and what you should be aware of. But I'll warn you up front: there's not a whole lot you can do to stop spoofing except minimize your exposure.
How viruses steal e-mail addresses
Once upon a time, you could trust the return address on a given e-mail message. In most cases, that's still true today, but with the advent of computer viruses and spam, the name after the "From:" is sometimes spoofed. The sender disguises himself or herself as someone else, someone you might know, in an attempt to get you to open the e-mail.
In my case, here's what happened: My e-mail address here at CNET Networks appears on just about every story I write. When you read my work, your Internet browser caches a copy of the page on your hard drive for fast retrieval should you want to read it again. If your computer should become infected with a virus, that virus might parse the cached HTML pages and pull out any e-mail addresses it finds. It also culls addresses from your Outlook contacts and various other documents stored on your hard drive. Newer viruses also have the ability to attach common names to stock domains, such as .aol, .msn, .yahoo, and those used by several antivirus vendors, thereby guessing e-mail addresses on the fly (but a lot of these created addresses fail, of course).
The virus then sends copies of itself. To do so, it uses its own SMTP engine to bypass your e-mail client and any built-in safeguards your e-mail client may have. Not only will the virus try to send me a copy of the virus, for example--and, later, plenty of spam, thank you very much--the virus might also attempt to use my e-mail address as the sender's return address to infect others.
How enterprise antivirus systems add to Internet traffic
But wait, it gets worse. Even if friends and family understand that I likely did not send them a virus, some enterprise antivirus program with built-in return messages will state emphatically that I have a virus. Here's how that works: As the forged e-mail enters their enterprise system, that system bounces it back to the apparent sender with a message that authoritatively states, "You are infected with XXX virus." I have hundreds of these bounced e-mail messages claiming that my PC is infected with MyDoom.f, Netsky.d, or Bagle.c. It's not.
In the middle of an e-mail virus outbreak, messages such as these--originally intended to provide a useful service--only add to the Internet traffic jam. Brian Martin, a.k.a. Jericho at Attrition.org, wrote a thorough critique of the current methods being used, complete with examples. His conclusion? System administrators need to turn off this "helpful" feature if they haven't already.
Unfortunately, the spoofing problem itself lies deep under the hood of the Internet, within SMTP, or Simple Mail Transfer Protocol, the Internet protocol used for sending e-mail. SMTP was created many years ago and lacks a modern method for verifying the authenticity of the sender. With a little finesse, almost anyone can manipulate the header information on an e-mail message to disguise its true origin and make it appear as though someone else sent you a message.
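To see why the "From:" line proves nothing, here is an added example (not from this column or from CNET) that reads the Received: headers of a constructed message instead: each relay prepends one, so the bottom-most hop records the host that actually handed over the mail. Host names, addresses and IPs are invented, and a False result only means the sender claim is uncorroborated, not that it is forged.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Each relay prepends its own Received: header, so the LAST one is the hop
# nearest the origin. Its "from HELO (rdns [ip])" clause was written by the
# receiving relay, not by the sender (or a worm's built-in SMTP engine).
RECEIVED_RE = re.compile(
    r'from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[^\]]+)\]\)')

def relay_chain(raw):
    """Return the Received hops, earliest first, as (helo, rdns, ip) tuples."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all('Received', [])):
        m = RECEIVED_RE.search(' '.join(value.split()))  # unfold the header
        if m:
            hops.append((m.group('helo'), m.group('rdns') or '', m.group('ip')))
    return hops

def from_is_corroborated(raw):
    """True only if the reverse DNS of the injecting host lies in the From:
    domain. HELO is sender-chosen, so a hop without rDNS counts as unsupported.
    False means "no corroboration", not proof of forgery."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get('From', ''))
    domain = addr.rpartition('@')[2].lower()
    hops = relay_chain(raw)
    if not domain or not hops or not hops[0][1]:
        return False
    origin = hops[0][1].lower()
    return origin == domain or origin.endswith('.' + domain)

# Constructed samples (hosts, addresses and IPs are invented). SPOOFED is the
# worm pattern: a harvested example.org address in From:, injected from an ISP
# dial-up host; LEGIT comes from example.org's own outbound relay.
SPOOFED = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.example.net with ESMTP; Mon, 1 Mar 2004 09:00:00 -0500
Received: from example.org (pool-7.isp.test [198.51.100.7])
\tby mx.example.net with SMTP; Mon, 1 Mar 2004 08:59:58 -0500
From: "Columnist" <firstname.lastname@example.org>
To: reader@example.net
"""
LEGIT = SPOOFED.replace(
    'Received: from example.org (pool-7.isp.test [198.51.100.7])',
    'Received: from smtp-out.example.org (smtp-out.example.org [203.0.113.5])')
```

Note that the worm's hop announces HELO example.org; only the relay-recorded reverse DNS exposes the mismatch.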
Bill Gates has started talking up Microsoft's idea to charge "postage" for e-mail, a program that's specifically aimed at reducing spam but would work for e-mail-borne viruses as well. I honestly don't think putting postage on e-mail would fly. So the only lasting solution would be to revamp SMTP, but that's years away from fruition.
In the meantime, there's not much you can do to stop e-mail spoofing, except minimize your chances of contributing. If you have a Web site or regularly post to online forums, consider keeping your e-mail address off the site--this includes the code mailto:firstname.lastname@example.org buried within the HTML. And if you really need to post it, consider putting the e-mail address within a JPEG so that the virus can't parse out the information. But no matter how careful you are, you can't stop the latest virus from stealing your address out of a friend's in-box (although you can tell your friends that they really need to install some form of antivirus protection).