From chemistry-request@ccl.net Thu Aug 21 13:50:06 2003
Received: from ccl.net (email.ccl.net [192.148.249.4])
	by server.ccl.net (8.12.8/8.12.8) with ESMTP id h7LHo6Yj000619
	for <chemistry|at|ccl.net>; Thu, 21 Aug 2003 13:50:06 -0400
Received: from krakow.ccl.net (krakow.ccl.net [192.148.249.195])
	by ccl.net (8.11.6+Sun/8.11.6/OSC 2.1) with ESMTP id h7LHo6A15805;
	Thu, 21 Aug 2003 13:50:06 -0400 (EDT)
Date: Thu, 21 Aug 2003 13:50:18 -0400 (EDT)
From: "Dr. Jan K Labanowski" <jkl|at|ccl.net>
To: chemistry|at|ccl.net
cc: "Dr. Jan K Labanowski" <jkl|at|ccl.net>
Subject: E-mail worm is going around 
Message-ID: <Pine.GSO.4.21.0308211337421.23385-100000|at|krakow.ccl.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

Dear CCL,

Since I got a few questions, I will post an answer to the whole list to
cool you down...

There is a malicious Internet worm going around, which infects (guess what...)
Windows machines. It is an e-mail message which carries a virus with it
(so it is about 100kB large to be able to pack the virus executable).
It grabs addresses from the victim's address book, and resends itself
to these addresses, and to make things worse, it also changes its From:
(i.e., the address from which the message is supposedly coming)
to some address from the victim's address book. Of course, according to
the old saying: "The worse, the better...". Microsoft will sell us
upgrades, and improved products, and scoop millions of dollars in
consulting hours from people who use their maintenance program.
Hopefully events like this will revive the economy and create new job
opportunities.

Obviously, chemistry|at|ccl.net is in many people's address books, as is
my personal address. Many of you got mail which is supposedly coming
from, say, chemistry|at|ccl.net, but it really did not come from this address.

If you want to know more about this malice, read on... An e-mail message
consists of a header and a body. The header should contain information about
the intended recipients, the message origin, the path the message traveled
(gateways) before it got to you, and information about the type and methods of
encoding used for the body of the message. The message body is the actual
payload of the e-mail message. But make no mistake... The header is not the
envelope of your mail. It is not used by the mail software (mail transfer
agent - MTA) to deliver your mail. The header has only an "informational"
(or lately often "dis-informational") value.

The problem is that you can put anything you want in the header (besides
maybe the top Received: header line, which is usually added by your own
computer or mail gateway). The top Received: line (depending on the way your
mail is configured) contains information about the IP address of the
machine which sent you the message, and the destination of the message
(i.e., in most cases it lists your own machine and sometimes your user id, or
mail alias). However, besides the first Received: line (or maybe more, if
the mail was traveling to you via some trusted gateways, as each legitimate
MTA should add its Received: line to the header -- SHOULD, but DOES NOT
HAVE TO!!!), all other header lines can be set by the mail originators to
anything they want. Most importantly: the To:, From:, Cc: do not have to be
real, and THESE FIELDS ARE NOT USED IN DELIVERING THE MESSAGE!!!

To be more precise, if you use a legitimate mail composing program,
the destination of your mail message will be taken from the To: and/or
Cc: lines, and the From: line will point to you, when your
message is passed to your own mail transfer agent. BUT THE BAD GUYS
DO NOT USE STANDARD AND LEGITIMATE MAIL COMPOSERS AND TRANSFER AGENTS!!!
Note that the mail is delivered to your mail server by a special protocol
(SMTP), where the recipient's and originator's addresses are given to your local
mail server as part of the delivery process, and THEY DO NOT EVEN HAVE TO BE
CLOSE to what is given on the To: and From: lines of your message.

At the same time, what is displayed in your e-mail browsing tool as the message
origin is the From: line from the header. CURRENTLY, THERE IS NO WAY TO ESTABLISH
THE IDENTITY OF THE PERSON WHO HAD SENT MAIL TO YOU!!! The only thing which
can be (in most cases!!!, not always!!!) established is the IP address
of the machine which forwarded you the message (this can be guessed by
inspecting the top Received: line of the header). In most cases the IP address
of the originating machine is TOTALLY USELESS information, since it gives
you a pointer to the machine which was:

   1)  either hacked by spammers,
   2)  or infected by the virus (i.e., a victim like you),
   3)  or represents an open relay machine (made an open relay either
       intentionally or not) 

We badly need a new electronic mail protocol, where the originator of the
mail can be either reliably identified, or the message is not delivered.
As always, there are scores of proposed protocols, none of them popular
or widely used, and all of them would require some kind of trusted
authority (e.g., a digital certificate authority) which will verify that
the person on a From: line is really the originator of the e-mail. Once something
of this kind gets adopted (years...) we will:

  1) lose our privacy,
  2) need to pay for it,
  3) and the poor countries will not have money to support the needed infrastructure.

Some of the older folks on the list remember when we used "finger" to check
if we should call someone at work or at home, and whether he/she had read our
mail message...  So much for the "kinder and gentler Internet"...

Panta rhei, but unfortunately usually down the sewer...

Yours,
Jan

Jan K. Labanowski         |  phone: 614-292-9279,  FAX: 614-292-7168
Ohio Supercomputer Center |  E-mail: jkl|at|ccl.net 
1224 Kinnear Rd,          |  http://www.ccl.net/~jkl
Columbus, OH 43212-1163   |  http://www.ccl.net/    http://asdn.net/
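As an added illustration (not part of Jan's message), the following Python snippet shows the two points above on a constructed message: the SMTP envelope (MAIL FROM / RCPT TO) is compared with the From:/To: header lines a mail reader displays, and the relay IP is pulled from the topmost Received: line only, since lines below it were written by the sender and cannot be trusted. All addresses, hostnames and IPs in it are made up.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed SMTP envelope as the receiving MTA saw it; this, not the
# header, is what actually routed the message.
ENVELOPE = {"mail_from": "infected-pc@example.net",
            "rcpt_to": ["someone@example.org"]}

# Constructed raw message. Only the top Received: line was added by the
# recipient's own MTA; everything below it was supplied by the sender.
RAW_MESSAGE = """\
Received: from mail.example.net (unknown [203.0.113.45])
\tby mx.example.org with ESMTP id ABC123
\tfor <someone@example.org>; Thu, 21 Aug 2003 13:50:06 -0400
Received: from forged.example.com (forged.example.com [198.51.100.7])
\tby mail.example.net with SMTP id XYZ789
From: "CCL List" <chemistry@ccl.net>
To: colleague@example.edu
Subject: Thank you!
Content-Type: text/plain

(body omitted)
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def envelope_vs_header(envelope, raw):
    """Compare the SMTP envelope with the header fields a mail client shows."""
    msg = message_from_string(raw)
    header_from = parseaddr(msg.get("From", ""))[1].lower()
    header_to = {parseaddr(a)[1].lower() for a in msg.get_all("To", [])}
    envelope_rcpt = {a.lower() for a in envelope["rcpt_to"]}
    return {
        "header_from": header_from,
        "envelope_from": envelope["mail_from"].lower(),
        "from_mismatch": header_from != envelope["mail_from"].lower(),
        "to_mismatch": header_to != envelope_rcpt,
    }

def first_hop_ip(raw):
    """IP from the topmost Received: line (added by our own MTA).
    Lower Received: lines may be forged and are deliberately ignored.
    Even this IP only points at a relay, open relay or infected victim."""
    received = message_from_string(raw).get_all("Received", [])
    if not received:
        return None
    m = IP_RE.search(received[0])
    return m.group(1) if m else None
```

Running envelope_vs_header(ENVELOPE, RAW_MESSAGE) flags both From: and To: as differing from the envelope, and first_hop_ip(RAW_MESSAGE) returns the relay address from the top Received: line rather than the forged one beneath it.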