Some important email virus information

Matt Stratton | Aug 21, 2003

A couple of friends of mine have been “accusing” me of emailing them viruses…so I figured this was as good a time as any to discuss exactly HOW these viruses work, and why you shouldn’t go all apeshit when you get a virus that APPEARS to come from a certain email address.

Basically, this is how these email worms propagate (all names used for comedic value and to make things clear).

The cast of characters

Larry – Larry is running Windows XP Home Edition on his brand new Dell computer that he just bought. Larry has a cable modem so that he can buy used porn tapes on eBay. Larry reads his email with Outlook Express.

Matt – Matt also runs a Windows operating system. He runs up-to-date antivirus software on it. He reads his email with Outlook XP.

Dallas – Dallas uses Linux on his computer. We don’t know what he uses to read his email, and frankly, we don’t care.

So let’s trace the email virus…Larry’s computer gets infected with the virus. It immediately goes to his address book, as well as his inbox and sent items folder, and sends emails (with the virus attached) to every single email address it can find. Of course, to make itself harder to track, it doesn’t put Larry’s email address as the “from”…but one of the other email addresses it finds. For example, Dallas’s.

Matt receives an email that appears to be from Dallas. His antivirus software strips the infected attachment, and Matt can tell that it came from a virus. He immediately calls up Dallas and yells “Hey fucker, you sent me a virus”.

Dallas climbs up on the High Horse of Open Source and quietly and rationally explains that he could not have sent the virus, as he uses StrokeTorvalds-c to read his email, and since nobody but Dallas and Jake use that program, nobody’s bothered to write a virus for it.

Make sense? Never trust the “from” header in email…it’s super-easy to spoof. If you have the technology and wherewithal to do so, look at *all* the headers. You won’t always be able to tell exactly WHO sent the email, but you can start to track it down.

Of course, if you a) don’t open attachments from email EVER or b) run updated AV software, this is less of an issue. But again, before going apeshit on someone, check the *real* headers.
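To make the “look at *all* the headers” advice concrete, here is an added example (my own illustration, not code from the original post). It parses a constructed message shaped like the worm described above: the `From:` line claims Dallas’s address, but the `Received:` chain, read from the earliest hop, shows the message entering the mail system from a cable-modem host. Every hostname, address and IP in it is made up.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample message (all names, hosts and IPs are invented).
# Relays prepend their Received: line, so the TOP line is the LAST hop
# (our own server) and the BOTTOM line is the earliest hop we can see.
SAMPLE_RAW_MESSAGE = """\
Received: from mail.example.net (mail.example.net [192.0.2.10])
\tby mx.mattstratton.example (Postfix) with ESMTP id ABC123
\tfor <matt@mattstratton.example>; Thu, 21 Aug 2003 10:15:02 -0500
Received: from dell-larry (cable-198-51-100-77.isp.example [198.51.100.77])
\tby mail.example.net (Postfix) with SMTP id XYZ789
\tfor <matt@mattstratton.example>; Thu, 21 Aug 2003 10:14:58 -0500
From: Dallas <dallas@linuxbox.example>
To: matt@mattstratton.example
Subject: Re: your document
Message-ID: <constructed-001@example>

(attachment removed by antivirus)
"""

# "from HELO (rdns [ip])" -- the HELO name is whatever the sender claimed;
# the rDNS name and [ip] in parentheses were recorded by the receiving relay.
RECEIVED_FROM_RE = re.compile(
    r"^from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[^\]]+)\]\))?",
    re.IGNORECASE,
)
RECEIVED_BY_RE = re.compile(r"\bby\s+(?P<by>\S+)", re.IGNORECASE)


def parse_received(value):
    """Pull the interesting fields out of one Received: header value."""
    flat = " ".join(value.split())  # unfold continuation lines
    frm = RECEIVED_FROM_RE.match(flat)
    by = RECEIVED_BY_RE.search(flat)
    return {
        "helo": frm.group("helo") if frm else None,
        "rdns": frm.group("rdns") if frm else None,
        "ip": frm.group("ip") if frm else None,
        "by": by.group("by") if by else None,
        "raw": flat,
    }


def trace_origin(raw_message):
    """Compare the claimed From: domain with the earliest visible hop."""
    msg = email.message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()

    # Reverse so hops[0] is the earliest relay (closest to the real sender)
    # and hops[-1] is the line our own server added.
    hops = [parse_received(v) for v in reversed(msg.get_all("Received", []))]
    origin = hops[0] if hops else None

    # Heuristic only: does any name recorded for the first hop belong to the
    # domain the From: header claims?  A mismatch is a hint, not proof.
    names = [n for n in ((origin or {}).get("helo"), (origin or {}).get("rdns")) if n]
    matches = bool(from_domain) and any(n.lower().endswith(from_domain) for n in names)

    return {
        "from_address": from_addr,
        "from_domain": from_domain,
        "hops": hops,
        "origin": origin,
        "from_matches_origin": matches,
    }


if __name__ == "__main__":
    result = trace_origin(SAMPLE_RAW_MESSAGE)
    print("From: header claims ", result["from_address"])
    for i, hop in enumerate(result["hops"]):
        print(f"hop {i}: from {hop['helo']} ({hop['rdns']} [{hop['ip']}]) by {hop['by']}")
    print("From: domain matches first hop?", result["from_matches_origin"])
```

Run it and the first hop is `dell-larry` at `198.51.100.77`, a cable-modem host on an ISP, while the `From:` header says `linuxbox.example`; that is Larry’s box, not Dallas’s. One caveat: only the `Received:` line added by your own mail server is fully trustworthy. Anything below it was written by relays you don’t control, and a worm (or a person) can forge extra `Received:` lines just as easily as it forges `From:`. So the chain narrows the search down, it does not hand you a culprit.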