Fake Microsoft Updates

Joe

Just curious about one thing. I posted a message here last week and
have since been bombarded by fake messages in my inbox about security
updates, patches etc. supposedly from Microsoft; of course all are
viruses.

Obviously I learned you can't use your real email address in
newsgroups, not even this one.

But who does this? One person responsible for all, or lots of different
idiots? They all have long, strange and different email addresses.
 
dev

Joe said:
Just curious about one thing. I posted a message here last week and
have since been bombarded by fake messages in my inbox about security
updates, patches etc. supposedly from Microsoft; of course all are
viruses.

Obviously I learned you can't use your real email address in
newsgroups, not even this one.

But who does this? One person responsible for all, or lots of different
idiots? They all have long, strange and different email addresses.

Bogus addresses. Multiple idiots.
 
mb

Joe said:
Just curious about one thing. I posted a message here last week and
have since been bombarded by fake messages in my inbox about security
updates, patches etc. supposedly from Microsoft; of course all are
viruses.

Obviously I learned you can't use your real email address in
newsgroups, not even this one.

But who does this? One person responsible for all, or lots of different
idiots? They all have long, strange and different email addresses.

Computer programs written specially to go through Usenet postings and
collect e-mail addresses for the spammers. You should either change your
e-mail address in some way, or not use it.
 
Bruce Chambers

Greetings --

What you received is either a very common, malicious hoax or the
output of a computer infected by one of several widely publicized,
wide-spread, mass emailing worms. This sort of email has been quite
common for at least the past 8 months. The most widely-known are:

W32.Swen.A_mm
http://securityresponse.symantec.com/avcenter/venc/data/[email protected]

W32.Dumaru_mm
http://securityresponse.symantec.com/avcenter/venc/data/[email protected]

W32.Gibe_mm
http://securityresponse.symantec.com/avcenter/venc/data/[email protected]

Microsoft never has, does not currently, and very probably never
will email unsolicited security patches. At the most, if, and only
if, you subscribe to their security notification newsletter, they will
send you an email informing you that a new patch is available for
downloading.

Microsoft Policies on Software Distribution
http://www.microsoft.com/technet/treeview/?url=/technet/security/policy/swdist.asp

Information on Bogus Microsoft Security Bulletin Emails
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/news/patch_hoax.asp

How to Tell If a Microsoft Security-Related Message Is Genuine
http://www.microsoft.com/security/antivirus/authenticate_mail.asp

Any and all legitimate patches and updates are readily available
at http://windowsupdate.microsoft.com/. (Notice that this is the true
URL, rather than the bogus one that may have been contained in the
email you received.) Any messages that point to any other source(s) or
claim to have the patch attached are bogus.

You're receiving these emails because your email address is in
the address book of someone infected with a worm, and/or because you
posted your real email address somewhere on-line, either in a forum
accessible to the public and spambots, such as Usenet, or on an
untrustworthy web site that subsequently sold your address as part of
a mailing list. One thing you can do is notify _everyone_ with whom
you've ever corresponded via email that one or more of them may be
infected with a mass emailing worm, and should take the appropriate
steps.


Bruce Chambers

--
Help us help you:



You can have peace. Or you can have freedom. Don't ever count on
having both at once. -- RAH
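Added example, not part of Bruce Chambers' post: the two rules he gives (a patch attached to the mail is bogus, and so is any link to a source other than windowsupdate.microsoft.com) applied to a parsed message. The trigger on "microsoft" in the From/Subject headers, the function names and both sample messages are assumptions constructed for illustration.

```python
# Added example: flag mail that claims to be a Microsoft patch delivery.
import re
from email import message_from_string, policy
from email.message import EmailMessage
from urllib.parse import urlsplit

LEGIT_HOST = "windowsupdate.microsoft.com"      # the one source named in the post
URL = re.compile(r"https?://[^\s<>\"')]+", re.I)

def check_message(raw: str) -> list[str]:
    """Return reasons a mail claiming to be from Microsoft looks bogus."""
    msg = message_from_string(raw, policy=policy.default)
    claimed = f"{msg.get('From', '')} {msg.get('Subject', '')}"
    if "microsoft" not in claimed.lower():       # assumed trigger: sender/subject claim
        return []
    # Rule 1: a message that carries the "patch" as an attachment is bogus.
    reasons = [f"attachment: {part.get_filename() or part.get_content_type()}"
               for part in msg.iter_attachments()]
    # Rule 2: any link that points somewhere other than Windows Update is bogus.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    for url in URL.findall(text):
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
        if host != LEGIT_HOST:
            reasons.append(f"link to other source: {host}")
    return reasons

def build_sample(body: str, attachment: str = "") -> str:
    """Build a constructed test message (all names and addresses are made up)."""
    m = EmailMessage()
    m["From"] = "Microsoft Security Center <qzvkplrt@example.invalid>"
    m["Subject"] = "Latest Security Update"
    m.set_content(body)
    if attachment:
        m.add_attachment(b"MZ", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_string()

BOGUS = build_sample("Install the attached patch, or fetch it from "
                     "http://updates.example.net/patch\n", "patch.exe")
NOTICE = build_sample("A new patch is available at "
                      "http://windowsupdate.microsoft.com/\n")

if __name__ == "__main__":
    print(check_message(BOGUS))
    print(check_message(NOTICE))
```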
 
Jeffrey Struyk - MVP

Just curious about one thing. I posted a message here last week and
have since been bombarded by fake messages in my inbox about security
updates, patches etc. supposedly from Microsoft; of course all are
viruses.

Obviously I learned you can't use your real email address in
newsgroups, not even this one.

But who does this? One person responsible for all, or lots of different
idiots? They all have long, strange and different email addresses.

Spammers (and other varied forms of lowlife) use programs to harvest
email addresses from newsgroups and web sites. It's a shame, but you
really can't use your real email address in any public forum and avoid
the inevitable flood of spam/virus attacks.

You can "munge" your address by using a technique called ROT13, where
you rotate each letter by 13 digits (A becomes N, B becomes O, etc.)
This would change the email address of (e-mail address removed) to
(e-mail address removed)


Another munging technique is to add words to your email address. For
example, if my address was (e-mail address removed), I could call it
(e-mail address removed). The NOSPAM is obvious to a human, but a
harvesting program may not see it.

I remember seeing one person using this technique, and their email
address was something like (e-mail address removed). Their signature
contained the instructions, "To reply by email, remove pants." <G>

Again, it's a shame to have to do these protections, but you have
witnessed firsthand what happens if you do not. At least you realized
that the attachments coming to you were NOT sent from Microsoft.
 
Rob Schneider

Jeffrey said:
Spammers (and other varied forms of lowlife) use programs to harvest
email addresses from newsgroups and web sites. It's a shame, but you
really can't use your real email address in any public forum and avoid
the inevitable flood of spam/virus attacks.

You can "munge" your address by using a technique called ROT13, where
you rotate each letter by 13 digits (A becomes N, B becomes O, etc.)
This would change the email address of (e-mail address removed) to
(e-mail address removed)


Another munging technique is to add words to your email address. For
example, if my address was (e-mail address removed), I could call it
(e-mail address removed). The NOSPAM is obvious to a human, but a
harvesting program may not see it.

I remember seeing one person using this technique, and their email
address was something like (e-mail address removed). Their signature
contained the instructions, "To reply by email, remove pants." <G>

Again, it's a shame to have to do these protections, but you have
witnessed firsthand what happens if you do not. At least you realized
that the attachments coming to you were NOT sent from Microsoft.


--
Jeffrey Struyk
Microsoft MVP
http://support.microsoft.com
Please direct all replies to the newsgroup.

Jeffrey,

I call this "visual munging"--munged but still recognized by visual
inspection. Based on some experiments using some munged email addresses
pointing to real but "throwaway" email addresses and then watching for
incoming spam ... the results suggest to me that spammers' harvesting
programs are now sophisticated enough to unravel the real email from the
"visually munged" email addresses.

Using the power of regular expressions (REGEX), it's clear that it's
trivial to strip out the "NOSPAM" from an email, and it's also easy to
unravel email munged with the ROT13 algorithm. For that matter, they
can easily go through the variations on ROTn where "n" is any smallish
number. They even can probably afford to hire low-wage labor to do
"visual demunging".

I've concluded it's practically impossible to "visually munge" email
addresses in newsgroup postings.

An era has ended.
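Added example, not part of Rob Schneider's post: a self-audit that takes your real address and the munged form you plan to publish, and reports which of the trivial transforms discussed above (filler-word removal, ROTn for every n) already map one back to the other. The filler list, the function names and the `example.com` addresses are assumptions; "nospam" and "pants" are the two fillers the thread mentions.

```python
# Added example: does a munged address survive the transforms named in the thread?
import re
import string

FILLERS = ("nospam", "pants")   # assumed list; extend with your own filler words

def rot(text: str, n: int) -> str:
    """Rotate ASCII letters by n places; '@', '.', and digits are left alone."""
    lo, up = string.ascii_lowercase, string.ascii_uppercase
    return text.translate(str.maketrans(lo + up, lo[n:] + lo[:n] + up[n:] + up[:n]))

def strip_fillers(addr: str, fillers=FILLERS) -> str:
    """Delete each filler word plus one adjacent '.', '-' or '_' on either side."""
    pattern = r"[-_.]?(?:%s)[-_.]?" % "|".join(map(re.escape, fillers))
    return re.sub(pattern, "", addr, flags=re.I)

def recovered_by(real: str, munged: str) -> list[str]:
    """Name every trivial transform that maps `munged` back to `real`."""
    real = real.lower()
    if munged.lower() == real:
        return ["unmunged"]
    hits = []
    if strip_fillers(munged).lower() == real:
        hits.append("filler-strip")
    for n in range(1, 26):                       # all 25 non-trivial rotations
        if rot(munged, 26 - n).lower() == real:  # undo a ROTn munge
            hits.append(f"ROT{n}")
    return hits

REAL = "joe@example.com"                         # constructed sample address

if __name__ == "__main__":
    for candidate in ("joeNOSPAM@example.com", "joe.pants@example.com",
                      rot(REAL, 13), rot(REAL, 5), "j03@example.invalid"):
        print(f"{candidate:26} -> {recovered_by(REAL, candidate) or 'not recovered'}")
```

An empty result only means the form is outside this small set of transforms, not that it is safe to publish.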
 
Jeffrey Struyk - MVP

On Sun, 21 Dec 2003 19:21:59 +0000, Rob Schneider

I've concluded it's practically impossible to "visually munge" email
addresses in newsgroup postings.

I've been coming to the same realization myself. I've actually got a
special email address for my MVP work, and for a long time I used this
email address (unmunged) in the newsgroups with absolutely NO spam
making it through the server side filters.

That all ended suddenly, with this account being flooded almost
overnight. I munged the address for a while and added a nice freeware
email filter (www.presorium.com) to clean up the inbox. I eventually
removed my email address from my newsgroup profile completely.

It's a shame, but an unfortunate reality of posting in Usenet these
days.

Anyway, I'm off on a tangent. Munging an address is better than
nothing at all, but I suspect you are correct...it's not foolproof.

Regards,
Jeff
 
Joe

Bruce Chambers said:
What you received is either a very common, malicious hoax or the
output of a computer infected by one of several widely publicized,
wide-spread, mass emailing worms. This sort of email has been quite
common for at least the past 8 months. The most widely-known are:

Half the messages are fake Microsoft updates/patches and the
attachments are all pretty well W32.Swen. Norton antivirus intercepts
and deletes the emails as they are downloaded, but every day there are
30-40 new emails.

The other half have messages like "undeliverable message" or "your
message can not be delivered" with unknown email addresses. I don't
know if this means my computer is being used to bombard other computer
users, but Norton Antivirus finds nothing.

Bruce Chambers said:
You're receiving these emails because your email address is in
the address book of someone infected with a worm, and/or because you
posted your real email address somewhere on-line, either in a forum
accessible to the public and spambots, such as Usenet, or on an
untrustworthy web site that subsequently sold your address as part of
a mailing list.

It's from posting my real email in this newsgroup. Lesson learned.
 
