www.BlackViper.com: E-Mail Filtering Guide

[Image 1.5]

5) Attachment reporting. (Image 1.5)

Not one of these E-Mails, sorted by size, reports having an attachment. Now, understand that an E-Mail that is 180KB is a rather large amount of typing. This should give you the first clue about the origin of these E-Mails and their destructive intent. However, some E-Mail programs, if using "HTML" stationery and such, do not report .jpg and .gif attachments if they are part of the layout, for example a background picture and a .jpg signature block. Take note: out of 8400 E-Mails in the last year, only 16 have had "large" images (over 50KB worth) included with them as "normal" E-Mails. Please, for the love of dial-up users around the world... do not send a 295KB picture as a "normal" part of your E-Mail. For the sake of time, I now bounce all E-Mails that are larger than 50KB.

Can you confirm that this E-Mail is a virus without "opening" it? Yes, and I will show you how, following this short disclaimer:

ABSOLUTELY, NEVER, EVER double click these files to open them! You WILL be infected.

This method is NOT intended to replace a virus scanner with the eyes of an average user. However, my network has never been infected by a virus. Ever. What AV software do I run daily? None. I do not visit "questionable" web sites, I utilize a hardware firewall and never open an attachment sent via E-Mail. What is the best defense anyone can have? Common sense.

Update November 17, 2003:

This deals with yet another mass mailing worm with its purpose in life to steal PayPal account information.

This discovery was prompted by one E-Mail that fits the Symantec description perfectly:

The subject line contains "YOUR PAYPAL.COM ACCOUNT EXPIRES" and comes from the address of "Do_Not_Reply@paypal.com." It arrived at my inbox at 11:41 AM PST today.

This information was posted November 14, 2003 by Symantec and the virus signatures were updated that day:

http://securityresponse.symantec.com/avcenter/venc/data/w32.mimail.i@mm.html

However, just a few messages up (more recent), I received about the same message at 12:16 PM PST with a slightly different subject line. This one is "IMPORTANT <several spaces and then random characters>". It also comes from the address of "Do_Not_Reply@paypal.com."

This particular message, fitting the bill with another scam to steal PayPal account information, was posted on November 17, 2003. Yes, today:

http://securityresponse.symantec.com/avcenter/venc/data/w32.mimail.j@mm.html

This one tipped me off because it has exactly the type of subject line used by a previous virus that I have been sent often (12 times yesterday, 3 today) for several months. That particular variant comes from the address of "admin@<what ever domain the email is sent to.com>" with the subject line of "your account <several spaces and then random characters>".

More information on that particular virus is here:

http://securityresponse.symantec.com/avcenter/venc/data/w32.mimail.a@mm.html
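The size rule from section 5 (bounce anything over 50KB, and treat a large message that declares no attachment as the first clue) and the subject-line and sender patterns described above, as an added example that is not part of the original page: a small Python filter that classifies one raw message. The regexes, the "admin@<recipient domain>" check and the two sample messages are this example's own assumptions (constructed, not captured mail).

```python
import re
from email import message_from_bytes
from email.utils import parseaddr

SIZE_LIMIT = 50 * 1024  # the page's bounce threshold: anything over 50KB

# Subject patterns as the page describes them for the Mimail variants;
# the exact regexes are this example's assumption, not Symantec's signatures.
SUBJECT_RULES = [
    (re.compile(r"^YOUR PAYPAL\.COM ACCOUNT EXPIRES", re.I), "PayPal expiry lure"),
    (re.compile(r"^IMPORTANT\s{2,}\S+$", re.I), "IMPORTANT + padded random tail"),
    (re.compile(r"^your account\s{2,}\S+$", re.I), "'your account' + padded random tail"),
]

def declared_attachments(msg):
    """Filenames of parts the message itself declares as attachments."""
    return [p.get_filename() or "(unnamed)" for p in msg.walk()
            if p.get_content_disposition() == "attachment"]

def classify(raw, my_domain):
    """Apply the page's size rule and subject/sender heuristics to one raw message."""
    msg = message_from_bytes(raw)
    size = len(raw)
    subject = (msg.get("Subject") or "").strip()
    sender = parseaddr(msg.get("From") or "")[1].lower()
    attachments = declared_attachments(msg)
    reasons = []
    if size > SIZE_LIMIT:
        reasons.append("size %d > %d" % (size, SIZE_LIMIT))
        if not attachments:  # big, yet "no attachment": the page's first clue
            reasons.append("large message declares no attachment")
    for rx, label in SUBJECT_RULES:
        if rx.search(subject):
            reasons.append(label)
    if sender == "admin@" + my_domain.lower():
        reasons.append("sender forged as admin@ of the recipient's own domain")
    if sender == "do_not_reply@paypal.com":
        reasons.append("sender claims Do_Not_Reply@paypal.com")
    return {"size": size, "attachments": attachments,
            "bounce": bool(reasons), "reasons": reasons}

# Constructed sample messages (not real captures)
NORMAL = (b"From: friend@example.net\r\nTo: me@example.org\r\n"
          b"Subject: lunch tomorrow?\r\nContent-Type: text/plain\r\n\r\n"
          b"See you at noon.\r\n")
WORMLIKE = (b"From: admin@example.org\r\nTo: me@example.org\r\n"
            b"Subject: your account      ksjdf8\r\n"
            b"Content-Type: text/html\r\nContent-Transfer-Encoding: base64\r\n\r\n"
            + (b"QUFB" * 19 + b"\r\n") * 800)  # ~62KB body, no attachment declared
```

Sorting a mailbox by the returned `size` and reading `attachments` reproduces the "large but no attachment" view the page describes; `classify(WORMLIKE, "example.org")` is flagged on size, missing attachment, subject and forged sender at once.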

What I am trying to get across is that people could find viruses in their E-Mail box before virus signatures can be updated. I fail to remember the "default" amount of time or "how often" the automatic update service runs for Norton Anti-Virus, but I am sure 24 hours is not far from the truth.

What this means is that I could have been infected 3 times (once for each of the separate E-Mails) before the signatures could have been updated. Of course, by the time the automatic update is performed, it could be too late.

Knowledge is power. Period. I knew these E-Mails contain viruses without even thinking about it from past experience with known subject lines. I looked them up because my curiosity sometimes overwhelms me and discovered that "I could have received it before they fixed it."

Being careful with the "automatic" actions you perform daily by checking E-Mail and knowing "what is good and what could be bad" is much more powerful than any virus scanner available. Knowing an E-Mail's intent before even opening it has much more power than "assuming" a person is safe just because an Anti-Virus program is running.

Do I own AV software? Yes. When do I scan the network? Before anything major, like an OS install or massive hardware change. That way, I know that all of my backed up data has been scanned with the latest virus protection and is clear of anything known up to that date. I then install the OS clean, retrieve my safe data and continue as usual without AV software sucking up resources 24/7.

Another reason I have avoided infection is that I use one computer strictly for E-Mail. That's it. If anything should happen, such as unexplained memory use, hard disk activity, network activity, or any of the many other signs of a malicious program, I can stop it before catastrophe hits. This also greatly reduces the chance of "important" files being infected across the network, because the system that I use for "normal" activities has NO shared resources.

AGAIN: I will always recommend my readers use a virus scanner daily and keep it up to date. There is no reason not to. If you have a single system directly connected to the internet you WILL have virus and firewall protection installed. Security is no laughing matter. Enough said.