[meteorite-list] OT: Virus early warning system
From: Matson, Robert <ROBERT.D.MATSON_at_meteoritecentral.com>
Date: Thu Apr 22 10:04:49 2004
Message-ID: <AF564D2B9D91D411B9FE00508BF1C86901B4E153_at_US-Torrance.mail.saic.com>

Hi All,

Sorry for the off-topic post, but I wanted to pass along this little trick. Add some diagnostic, fake addresses to your address books -- e.g. "%trap" or "JJJfilter", and give them a non-working email address like "Virus@Warn.Me". Using a % or ! to begin at least one of your fake address names is good because it will alphabetize to the top of your address book, and many of the simpler worms will start by sending themselves to the first address in your address book.

Since this address is fake, it will bomb, and in many cases terminate an unsophisticated worm. Better yet, you'll get an error in your Inbox indicating that a message was sent out and it was undeliverable, thus tipping you off.

Some worms are smart enough to ignore the first address in your book (for exactly this reason), and taking this a step further -- a truly sophisticated worm would select addresses at random. To help defeat these, you can scatter fake addresses periodically through the alphabet as traps: "DDD", "HHH", "LLL", etc., all with bad email addresses.

Obviously this won't prevent you from getting the worm in the first place, but it stands a good chance of warning you that you are propagating it yourself.

Cheers,
Rob

Received on Wed 15 May 2002 01:51:46 PM PDT
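
One way to automate the warning described in the post, as an added example that is not part of the original message: scan incoming bounce messages and report any that name a trap address as the failed recipient. The trap addresses other than Virus@Warn.Me, the hostnames and the sample bounce are constructed, and the function names are hypothetical.

```python
import email
from email import policy

# Constructed trap entries; "virus@warn.me" is the sample address from the post.
TRAPS = {"virus@warn.me", "ddd@trap.invalid", "hhh@trap.invalid"}

def failed_recipients(msg):
    """Recipients named in the delivery-status parts of an RFC 3464 bounce."""
    out = set()
    for part in msg.walk():
        if part.get_content_type() == "message/delivery-status":
            for block in part.get_payload():  # one header block per recipient
                value = block.get("Final-Recipient")  # e.g. "rfc822; user@host"
                if value:
                    out.add(str(value).split(";", 1)[-1].strip().lower())
    return out

def trap_hits(raw):
    """Trap addresses that a bounce message reports as undeliverable."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = failed_recipients(msg) & TRAPS
    # Free-text fallback: only trust body text when a mailer daemon sent it.
    sender = str(msg.get("From", "")).lower()
    if hits or not ("mailer-daemon" in sender or "postmaster" in sender):
        return hits
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    return {t for t in TRAPS if t in text}

# Constructed sample bounce (not a captured message).
DSN_BOUNCE = b"""From: Mail Delivery Subsystem <MAILER-DAEMON@mx.example.invalid>
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

The following address had permanent fatal errors.

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.invalid

Final-Recipient: rfc822; Virus@Warn.Me

--b1--
"""

if __name__ == "__main__": print(sorted(trap_hits(DSN_BOUNCE)))
```

A non-empty result means mail was sent to an address no person would ever write to, which is the tip-off the post describes.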