[Date Prev][Date Next][Thread Prev][Thread Next] - [Date Index][Thread Index][Author Index]

Re: Off topic: what are these strange emails I get?


I think I can shed a little light on a few of your questions.  The first 
type of message you ask about with the .pif/zip/doc attachment is almost 
always a virus of some sort.  A PIF file is a Program Information File 
that is supposed to used to tell windows how to run a dos program.  
Unfortunately they can be used an engine for more nefarious activities 
as well.  Some modern viruses also zip themselves up (often with a 
password) when attached to an email.  When a file is zipped, the bytes 
in the file are changed from the original as part of the 
compression/password encryption algorithms.  This is designed to defeat 
mail server virus scanners which generally are not able to detect the 
(now mutated) virus code in the zip file.  Finally, office documents 
have the ability to embed visual basic macros which can be programmed to 
do all sorts of fancy things including infecting your computer.

About the random words in your email messages:
Most modern spam filters use a "bayesian" filter algorithm.  This 
algorithm essentially notes keywords and context of legitimate and spam 
emails as it is "trained" and then applies this context information to 
decide whether incoming email is spam or not.  The random words are 
called filter poison as they are designed to throw off the rule tables 
used by the bayesian  filter.  Oftentimes in html email these junk 
keywords will be set to the same color as the background so that the 
user doesn't see them.  When the user tells the filter that the message 
is junk, the filter builds these common words into its rulesets along 
with the spam keywords.  As a result these filters quickly lose their 
effectiveness.  A variation on this technique is to misspell common 
"spam keywords" like p0rn, sotware or downloable.

Hope that satisfies your curiosity a bit,
David Carr

Ed Krome (K9EK) wrote:

>Email gurus:
>        Really apologize for the bandwidth, but, being the curious sort,
>this is driving me a little batty, so I thought I would turn to the
>         Amidst the usual torrent of Viagra, mail-order meds and porno ads
>(and we really need more Internet bandwidth? How about less trash?), I get
>the following 3 types of messages and have no clue what they are. But they
>are so common, they must be something pretty wacky. First, let me explain
>that my email client is Compuserve Classic, which I keep because of the
>wonderful property of being completely ignorant of html and incapable of
>automatically executing any attached file (or picture). So all I get is
>text, including headers and formatting instructions. I don't worry about
>viruses or any auto-executable; I'd have to download it and run it myself
>to get it. In that case, I would deserve it. Duh.  (Of course, Norton AV,
>IP, AdAware and Spybot run all the time, too). So, rather than running the
>durn things to find out what they are, I thought I'd ask.
>        Anyway, can anybody tell me what the following are all about?
>1) Messages that start "Re: (your order, our email, could be most
>anything)" that have a comforting "checked for viruses; OK" text then an
>attached .pif file (usually, though I have seen .zip and .doc), always
>about 29834 bits in length. Could this be a worm or a trojan of some sort?
>Sometimes they come from other hams, sometimes from completely random
>sources. But always about 29K long. What about those that have the .doc
>extension? An executable in a .doc file?? Lord help us.
>2) Messages with random strings of real words. No formatting commands, just
>words, almost like something designed to be found by a search engine. I
>find these especially puzzling. Usually a short, nameless file of some sort
>attached, but I can't read it since I would have to download it, name it,
>save it, then read it. Nope.  Here is a string I got this evening.
>kiss he'd schultz barney 
>contort monk reef duncan assumption veal 
>atreus ascomycetes prosecutor puppet recession brevet
>3) Messages supposedly from eBay, that always have a bunch of formatting
>commands in the body and then sentences "How much to ship to Utah (or
>anywhere else)." But no large attachment. Interesting since I haven't used
>eBay in a couple of years. I forward these to spoof@ebay.com, and they
>write back and say, yup, it didn't come from us. When you dig into the
>routings in the header, they come from all kinds of strange places, though
>ebay is in there someplace, it's obviously not the origination point. I get
>similar junk allegedly from paypal. Which I don't use either.
>Once again, thanks for reading and many thanks to the person who can tell
>me what in the world I am seeing.
>Regards and with appreciation:
>Ed K9EK
>Sent via amsat-bb@amsat.org. Opinions expressed are those of the author.
>Not an AMSAT member? Join now to support the amateur satellite program!
>To unsubscribe, send "unsubscribe amsat-bb" to Majordomo@amsat.org

Sent via amsat-bb@amsat.org. Opinions expressed are those of the author.
Not an AMSAT member? Join now to support the amateur satellite program!
To unsubscribe, send "unsubscribe amsat-bb" to Majordomo@amsat.org