[meteorite-list] OT: Virus early warning system

From: Matson, Robert <ROBERT.D.MATSON_at_meteoritecentral.com>
Date: Thu Apr 22 10:04:49 2004
Message-ID: <AF564D2B9D91D411B9FE00508BF1C86901B4E153_at_US-Torrance.mail.saic.com>

Hi All,
 
Sorry for the off-topic post, but I wanted to pass along this
little trick. Add some diagnostic, fake addresses to your
address books -- e.g. "%trap" or "JJJfilter", and give them
a non-working email address like "Virus@Warn.Me". Using a
% or ! to begin at least one of your fake address names is
good because it will alphabetize to the top of your address
book, and many of the simpler worms will start by sending
themselves to the first address in your address book.
 
Since this address is fake, it will bomb, and in many cases
terminate an unsophisticated worm. Better yet, you'll get
an error in your Inbox indicating that a message was sent
out and it was undeliverable, thus tipping you off.
 
Some worms are smart enough to ignore the first address
in your book (for exactly this reason), and taking this a step
further -- a truly sophisticated worm would select addresses
at random. To help defeat these, you can scatter fake
addresses periodically through the alphabet as traps:
"DDD", "HHH", "LLL", etc., all with bad email addresses.
 
Obviously this won't prevent you from getting the worm in
the first place, but it stands a good chance of warning you
that you are propagating it yourself.
 
Cheers,
Rob

Received on Wed 15 May 2002 01:51:46 PM PDT
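
Added example, not part of the original post: one way to automate the warning the message describes, by checking incoming bounces for a trap address. It assumes the bounce is an RFC 3464 delivery status notification; `TRAPS`, `make_bounce` and `trapped_recipients` are hypothetical names, and the sample bounce is constructed.

```python
import email
from email import policy

# Trap addresses planted in the address book. Virus@Warn.Me is the post's
# example; the second entry is a constructed placeholder.
TRAPS = {"virus@warn.me", "ddd@trap.invalid"}

def make_bounce(recipient):
    """Build a constructed RFC 3464 bounce for `recipient` (sample data)."""
    return (
        "From: MAILER-DAEMON@mail.example.net\n"
        "To: owner@example.net\n"
        "Subject: Undeliverable mail\n"
        "MIME-Version: 1.0\n"
        "Content-Type: multipart/report; report-type=delivery-status;\n"
        ' boundary="b1"\n'
        "\n"
        "--b1\n"
        "Content-Type: text/plain\n"
        "\n"
        "Delivery to the following recipient failed permanently.\n"
        "\n"
        "--b1\n"
        "Content-Type: message/delivery-status\n"
        "\n"
        "Reporting-MTA: dns; mail.example.net\n"
        "\n"
        f"Final-Recipient: rfc822; {recipient}\n"
        "Action: failed\n"
        "Status: 5.1.2\n"
        "\n"
        "--b1--\n"
    )

def trapped_recipients(raw, traps=TRAPS):
    """Return trap addresses that a bounce reports as failed recipients."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        # The parser exposes each delivery-status header block as a
        # sub-message, so walk() reaches the per-recipient fields directly.
        rcpt = part.get("Final-Recipient")
        if rcpt is None or str(part.get("Action", "")).strip().lower() != "failed":
            continue
        addr = str(rcpt).split(";", 1)[-1].strip().lower()
        if addr in traps:
            hits.append(addr)
    return hits

if __name__ == "__main__":
    print(trapped_recipients(make_bounce("Virus@Warn.Me")))
```

A bounce only comes back to this mailbox when the outgoing message used it as the envelope sender, so an empty result does not show the machine is clean.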

