> >mail. I don't think there's much percentage in worrying about its
> >source: if you spent time trying to track every bit of hoax e-mail,
> >you'd never get any work done.
> Well, granted, except that depending on the corporate weight of the
> user who gets NaughtyRobot mail and hysterically demands an explanation, I
> wanted to be able to give a more substantive reply than "There there, don't
> worry". [:-]
That's fair comment. I used to have a standard response to this situation,
but the range of hoax alerts hitting my mailbox recently has made it
difficult to produce an automated response. I'd suggest a fairly
lax heuristic along the lines of:
IF (known-hoax) THEN SAY
"Thank you for sharing this with me. It's a known hoax,
but I always appreciate hearing about possible attacks.
Please inform anyone who passes this on to you that it's
a hoax and suggest that they check out the following
"I'm not familiar with this alert, but it doesn't sound
very likely. I'll check it out: in the meantime, please
don't pass the alert on - if it's a hoax, it's going to
create annoyance, and if it isn't, passing the message
on to everyone you know may nevertheless be
> When one of our users got mail from NaughtyRobot, I determined from
> the headers that it originated at geocities.com. I then found in our mail
> logs an instance of a letter having been sent from the user to another
> address at geocities -- one that the user did not recognize. I wrote to
> geocities' postmaster and abuse aliases but never got a response.
I think you've probably fallen into the same trap as the article I
mentioned in my previous posting. You are unlikely to be able to trace
a hoax alert right back to source in this way. Not responding to
complaints is a common ISP defence mechanism.
> thus capturing the user's email address. It would be trivial to forge mail
> back to the user with the user's own address in the From: field. I suspect
> that this is what NaughtyRobot is doing (geocities is host to many web
> sites), but I can't say for certain in light of their silence on my
Geocities hosts some distinctly darkside websites. Or, if you prefer,
seems to have a fairly liberal policy on content. However, I don't
think you can assume that geocities is the original source.
> Is this relevant to the firewalls list? Probably not -- it's more a
> "communications with users" topic for a general network-security list,
> along with "how to explain that Good Times isn't a virus and why you
> shouldn't forward the warnings you get."
You're probably right. Hoax alerts/social engineering/meme viruses
are a problem for many people who subscribe to this list, but are
certainly not an exclusively firewall-related issue. The reason I
tend to de-lurk when these questions come up is the hope that
(since my sources on these topics are usually pretty good) I can
help forestall long, off-topic threads.
David Harley \ | / alt.comp.virus FAQ
uk \ | / & Anti-Virus Web Page
Support & Security Analyst \ | / Folk London On-Line gig-list
Imperial Cancer Research Fund ____\|/____ http://webworlds.co.uk/dharley/