Fog Creek Software
Discussion Board




Spamm 'o Ramma - from JoS

Just got email from myself, to myself from JoS.  As agent Smith says "the great thing about being me..."


Received: from mailx.myrio.com ([10.128.0.61]) by mail0.myrio.com with Microsoft SMTPSVC(5.0.2195.5329);
     Fri, 23 May 2003 08:56:46 -0700
Received: from mail.myrio.com ([10.128.0.135]) by mailx.myrio.com with Microsoft SMTPSVC(5.0.2195.5329);
     Fri, 23 May 2003 08:56:46 -0700
Received: from hobbes.fogcreek.com (hobbes.fogcreek.com [66.199.177.116])
    by mail.myrio.com (Postfix) with ESMTP id 759B3176142
    for <xxxx@myrio.com>; Fri, 23 May 2003 08:54:46 -0700 (PDT)
Received: from hobbes [127.0.0.1] by hobbes.fogcreek.com
  (SMTPD32-7.14) id A5031041418; Fri, 23 May 2003 11:57:55 -0400
thread-index: AcMhRBLsFqc5PqO/RHGfXY5gY3g9mQ==
Thread-Topic: MS to buy Unix from SCO
From: "Nat Ersoz" <xxx@myrio.com>
To: "Nat Ersoz" <xxx@myrio.com>
Subject: MS to buy Unix from SCO
Date: Fri, 23 May 2003 11:57:55 -0400
Message-ID: <000201c32144$12ec13a0$74b1c742@fogcreek.com>
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft CDO for Exchange 2000
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Return-Path: xxx@myrio.com
X-OriginalArrivalTime: 23 May 2003 15:56:46.0669 (UTC) FILETIME=[E9DE47D0:01C32143]

??



-------------------------------------------------------------------
This message was sent on behalf of xxx@myrio.com, from
"The Joel on Software Forum" in reply to your posting:
http://discuss.fogcreek.com/joelonsoftware/?cmd=show&ixpost=44806

Your email address is never revealed to the sender.

Nat Ersoz
Friday, May 23, 2003

I got one from support@microsoft.com. There's a PIF attachment. What the freak is a .pif file? All I know is I'm not opening it.

www.marktaw.com
Friday, May 23, 2003

marktaw.com,

See  http://www.theregister.co.uk/content/56/30751.html.


Friday, May 23, 2003

Try again:  http://www.theregister.co.uk/content/56/30751.html


Friday, May 23, 2003

Nat, this is likely the same thing that was happening a few weeks ago.  Some spammer is attempting to use JoS's forums as a spamming mechanism.  The problem is Joel has a limit on the number of emails you can send during a day so it's ineffective.

Lou
Friday, May 23, 2003

PIF was a file format used to describe how a DOS application should be loaded in Windows. You could specify how much memory to give it, whether it had to run full screen or in a window, etc.

Out of laziness, I guess, Microsoft has a whole bunch of file extensions (.com, .exe, .pif, .scr for screensavers) which are all loaded the same way. The loader looks at the first few bytes in the file itself to decide what to do. So if you have a file foo.pif that is actually an executable file, it will run.

This is a typical spammer/virus technique to avoid filters that just search for .EXEs.

Joel Spolsky
Friday, May 23, 2003
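Added example (not part of the post above, and not Fog Creek code): a mail-side check that classifies attachments by their leading bytes as well as by extension, so a renamed executable is caught even when a filter only looks for .EXE. The sample message, addresses, file names and reason labels are constructed for the illustration.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions the post lists as all going through the same loader.
LOADER_EXTENSIONS = {".com", ".exe", ".pif", ".scr"}

def classify_attachment(filename, data):
    """Return the reasons an attachment should be treated as executable."""
    reasons = []
    ext = os.path.splitext(filename.lower())[1]
    if ext in LOADER_EXTENSIONS:
        reasons.append("loader-extension")
    if data[:2] == b"MZ":                  # DOS/PE executable signature
        reasons.append("mz-header")
        if ext != ".exe":
            reasons.append("content-extension-mismatch")
    return reasons

def scan_message(raw):
    """Map attachment filename -> reasons, for every flagged attachment."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        reasons = classify_attachment(name, part.get_payload(decode=True) or b"")
        if reasons:
            findings[name] = reasons
    return findings

def build_sample():
    """Constructed test message: inert 64-byte stubs that only carry the 'MZ' signature."""
    stub = b"MZ" + bytes(62)
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    for name in ("application.pif", "photo.jpg"):
        msg.add_attachment(stub, maintype="application", subtype="octet-stream", filename=name)
    msg.add_attachment("plain notes\n", filename="notes.txt")
    return msg.as_bytes()

if __name__ == "__main__":
    print(scan_message(build_sample()))
```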

My favorite was the www.yahoo.com executable. Very clever.

Now that I think about it... Could they have sent a binary attachment via the JOS forums? MIME encoding?

They must've gotten my e-mail address somewhere else... Someone on this forum who has me in their address book?

www.marktaw.com
Friday, May 23, 2003

Nat, I'm guessing it was someone who knows who you are, since they knew your email address (they couldn't have figured it out from the forum). I won't go so far as to call it "spam" since only 1 email was sent through the forum from that IP address -- in fact so far today there have only been a total of 2 emails sent through the forum total.

Joel Spolsky
Friday, May 23, 2003

Mark, are you sure your support@microsoft.com email came from our server? It's an email virus; much more likely someone with your email address in their address book opened it.

Joel Spolsky
Friday, May 23, 2003

It is an email virus - I've seen the supposed Microsoft message at my work email several times over the past few days. I've never used that email address with this forum, so it's safe to say that it's unrelated to here.

mutt. The e-mail virus killer. ;-)

Wayne Earl
Friday, May 23, 2003

Well, I only use this email address for JOS / Fog Creek stuff. Basically the only people who have it are either from JOS that I've contacted via the forums, and maybe you guys.

The e-mail address is fog@(mydomain).com

It doesn't get much more specialized than that.

www.marktaw.com
Friday, May 23, 2003

OK. It's not from the forums... I was just speculating out loud anyway about whether you could pass a MIME encoded binary through the forums.

Return-Path: fog-bounce@(mydomain).com
Errors-To: fog-bounce@(mydomain).com
Bounce-To: fog-bounce@(mydomain).com
Return-Path: <support@microsoft.com>
Delivered-To: fog@(mydomain).com
X-Apparently-From: support@microsoft.com
Received: (qmail 6315 invoked from network); 23 May 2003 13:41:57 -0000
Received: from unknown (HELO mailshell.com) (10.1.3.212)
  by dev110.mailshell.com with SMTP; 23 May 2003 13:41:57 -0000
Received: (qmail 7533 invoked by uid 99); 23 May 2003 13:41:57 -0000
Message-ID: <20030523134157.13243.qmail@mailshell.com>
Received: (qmail 3608 invoked from network); 23 May 2003 13:41:51 -0000
Received: from unknown (HELO ROCAILRCI) (213.22.2.18)
  by mail.mailshell.com with SMTP; 23 May 2003 13:41:51 -0000
From: <support@microsoft.com>
To: <fog@(mydomain).com>
Subject: Re: My application
Date: Fri, 23 May 2003 14:41:13 +0100
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="=_dev110.mailshell.com-6319-1053697317-0001-2"
X-Apparently-To: dev110-fog
X-JUNK1: 3

www.marktaw.com
Friday, May 23, 2003
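Added example (not part of any post in this thread): reading the two header dumps above the way the replies do, by walking the Received chain to the first public peer address and comparing it with the forum server's address from the first dump. The function names are made up for the illustration; the Received lines are copied from the thread.

```python
import ipaddress
import re
from email import message_from_string

# Received lines copied from the two header dumps in this thread.
FORUM_MAIL = """\
Received: from mailx.myrio.com ([10.128.0.61]) by mail0.myrio.com with Microsoft SMTPSVC(5.0.2195.5329);
     Fri, 23 May 2003 08:56:46 -0700
Received: from mail.myrio.com ([10.128.0.135]) by mailx.myrio.com with Microsoft SMTPSVC(5.0.2195.5329);
     Fri, 23 May 2003 08:56:46 -0700
Received: from hobbes.fogcreek.com (hobbes.fogcreek.com [66.199.177.116])
    by mail.myrio.com (Postfix) with ESMTP id 759B3176142
    for <xxxx@myrio.com>; Fri, 23 May 2003 08:54:46 -0700 (PDT)
Received: from hobbes [127.0.0.1] by hobbes.fogcreek.com
  (SMTPD32-7.14) id A5031041418; Fri, 23 May 2003 11:57:55 -0400
"""
VIRUS_MAIL = """\
Received: (qmail 6315 invoked from network); 23 May 2003 13:41:57 -0000
Received: from unknown (HELO mailshell.com) (10.1.3.212)
  by dev110.mailshell.com with SMTP; 23 May 2003 13:41:57 -0000
Received: (qmail 7533 invoked by uid 99); 23 May 2003 13:41:57 -0000
Received: (qmail 3608 invoked from network); 23 May 2003 13:41:51 -0000
Received: from unknown (HELO ROCAILRCI) (213.22.2.18)
  by mail.mailshell.com with SMTP; 23 May 2003 13:41:51 -0000
"""
PEER_IP = re.compile(r"[\[(]((?:\d{1,3}\.){3}\d{1,3})[\])]")

def first_external_peer(raw_headers):
    """Walk Received headers top-down (newest first) and return (ip, name) for
    the first hop whose peer address is public. That hop was written by the
    recipient's own edge server; lines below it come from the sending side."""
    for value in message_from_string(raw_headers).get_all("Received", []):
        hop = " ".join(value.split())          # unfold continuation lines
        if not hop.startswith("from "):
            continue                           # local qmail hand-off, no peer
        claimed = hop.split(" by ")[0]
        helo = re.search(r"\(HELO (\S+)\)", claimed)
        name = helo.group(1) if helo else claimed.split()[1]
        for ip in PEER_IP.findall(claimed):
            if ipaddress.ip_address(ip).is_global:
                return ip, name
    return None

def sent_via(raw_headers, server_ip):
    """True if the first public peer in the chain is the given server."""
    peer = first_external_peer(raw_headers)
    return peer is not None and peer[0] == server_ip
```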

Hmm. I just had a thought. I'm sure Joel already knows this... e-Mail addresses are actually passwords here... Hidden to everyone but the user & admins. They can be used to separate the real www.marktaw.com and an imposter.

www.marktaw.com
Friday, May 23, 2003

That email was from somebody who clicked on your name in one of Joel's Forums, and wrote something to you.

A great way to take control of your inbox: http://www.sneakemail.com  - a pleasure and a joy.

Bob
Friday, May 23, 2003

If you have your own domain and a wildcard alias for email addresses in that domain redirected to your email account, then you will almost certainly receive spam email at a variety of addresses at that domain.

Spammers generate random email addresses in a variety of forms (dictionary-word, first-name, first-name.last-name, etc, etc [at] yourdomain.com), as well as harvesting email addresses from a variety of sources. One of these randomly generated email addresses may, by coincidence, match an email address that you used at a site like this - it doesn't necessarily mean that your email address was actually obtained from this site.

Philip Dickerson
Friday, May 23, 2003

Just to clarify, the first-name and last-name used to generate the email addresses (described in my previous entry) are simply picked at random from a huge list of all known names, or something like that. I have nothing to do with generating spam, I am speculating this all based on spam that I have received sent to a variety of email addresses at my own domain (email addresses like "fred.smith" and "valerie.hargreaves" [at] mydomain, etc - email addresses that have never existed or been used anywhere).

Philip Dickerson
Friday, May 23, 2003

I posted this on another thread on Tuesday, but as it's relevant I might as well post it again here.

---"At work today we were still getting the iWorm/Palyh (the one that masquerades as a message from support@microsoft.com)

I forwarded the offending message to our sysadmin with the question "Why isn't Norton on the email server catching this virus?"

Five minutes later he phoned. "Steve, I can't open the attachment you sent me about the virus"

"Oops!".

Stephen Jones
Friday, May 23, 2003

Mark,

Did you change your email when the forum started hiding the addresses?

Could the address have been lifted before that change?

Ged Byrne
Saturday, May 24, 2003

It could've. I'm sorry if I've been ambiguous here, I've used this e-mail before the switch over, and have e-mailed people from here with it.

I'm not one of those ultra strict people who would bother to change his e-mail address for every single little thing that happens.

I use a service similar to SneakMail - www.mailshell.com - Despite the sign up lingo, I've been using it free for the past year. 10mb free.

You get @yourname.mailshell.com (or @yourdomain.com) and then generate as many e-mail addresses before the @ as you want. You then create rules for those e-mail addresses.

This way you don't filter on the sender, you filter on the address, so if one starts getting spam, you just tell it to send everything that goes TO that address to the trash.

It's been wildly successful for me, my inbox stays clean, my filtered mail is filtered correctly, and my spam goes to the junk folder, which gets deleted after a week or two. This has been one of the few exceptions.

www.marktaw.com
Saturday, May 24, 2003

someone who sent you mail from here has an email virus. someone you probably responded to.

the email virus went through their sent items or inbox, found your address, and sent off the virus to you, trying to hide its tracks in some way (maybe it even grabbed some headers from the inbox).

remember, security is often defeated by something entirely outside the 'system'.

mb
Saturday, May 24, 2003

People.  It's Windows.  It's a virus.

Mike
Sunday, May 25, 2003
