Theft of identity
March 2003
One of the hard-working folks at Shopper HQ
sent me a message the other day that suggested I had sent them a
virus. I have a large amount of “stuff” that ensures that I
can’t do this sort of thing, so I took a brief look at the
header and realised it could have been any 10-year-old with the
ability to change the “reply to” setting in Outlook….

Hi Bill

We seem to have received a virus from you, which was safely
deleted. However, we have received no copy. Could you rectify
this situation asap please.

thanks
Chris

william@poel.co.uk writes:

***********************
A virus (WORM_KLEZ.H) was detected in the file (border.scr).
Action taken = remove
***********-***********

> Received: from tmailb1.svr.pol.co.uk (tmailb1.svr.pol.co.uk [195.92.168.141])
>     by mail.dennis.co.uk with ESMTP id gBDA8iUF027314
>     for <shoppercopy@dennis.co.uk>; Fri, 13 Dec 2002 10:08:45 GMT
> Received: from modem-1825.crocodile.dialup.pol.co.uk [81.78.39.33]
>     helo=Hrnfewq)
>     by tmailb1.svr.pol.co.uk with smtp (Exim 3.35 #1)
>     id 18Mmkv-0001h2-00
>     for shoppercopy@dennis.co.uk; Fri, 13 Dec 2002 10:09:18 +0000
> From: william <william@poel.co.uk>
> To: shoppercopy@dennis.co.uk
> Subject: Meeting notice
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
>     boundary=Y4sE6217t2Z4
> Message-Id: <E18Mmkv-0001h2-00.2002-12-13-10-09-18@tmailb1.svr.pol.co.uk>
> Date: Fri, 13 Dec 2002 10:09:18 +0000

The bit in the header (highlight the message in the Outlook inbox,
right-click and look at “options”) that gives the game away is the
line

> Received: from modem-1825.crocodile.dialup.pol.co.uk [81.78.39.33]

Any ISP worth its salt can trace back from
this information to see which user was logged in and have them
disconnected without much trouble. How else do you imagine that
the plod finds it so easy to organise vast raids on internet porn
connoisseurs? It’s the equivalent of the felon with the bag
marked “swag” slung across his shoulder catching a thread on a
nail and leaving the trail all the way back from the break-in to
his lair.
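
As an added illustration (not part of the original column), this Python sketch walks the Received lines quoted above from the recipient's own server downward and returns the last hop that each earlier server vouches for, so a Received line pasted in by the sender is ignored. The function names are mine, and it assumes mail.dennis.co.uk is the recipient's trusted server and that each relay is named the same way in adjacent lines.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Headers as quoted on this page, continuation lines indented by one space.
RAW = """\
Received: from tmailb1.svr.pol.co.uk (tmailb1.svr.pol.co.uk [195.92.168.141])
 by mail.dennis.co.uk with ESMTP id gBDA8iUF027314
 for <shoppercopy@dennis.co.uk>; Fri, 13 Dec 2002 10:08:45 GMT
Received: from modem-1825.crocodile.dialup.pol.co.uk [81.78.39.33]
 helo=Hrnfewq)
 by tmailb1.svr.pol.co.uk with smtp (Exim 3.35 #1)
 id 18Mmkv-0001h2-00
 for shoppercopy@dennis.co.uk; Fri, 13 Dec 2002 10:09:18 +0000
From: william <william@poel.co.uk>
To: shoppercopy@dennis.co.uk
Subject: Meeting notice

"""

HOP = re.compile(
    r"\bfrom\s+(?P<src>\S+).*?\[(?P<ip>[\d.]+)\].*?\bby\s+(?P<by>\S+)", re.S)

def hops(raw):
    """Received hops, newest first: (sending host, sending IP, recording server)."""
    found = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP.search(value)
        if m:
            found.append((m["src"].lower(), m["ip"], m["by"].lower()))
    return found

def origin(raw, trusted_mx):
    """Last hop vouched for by an unbroken chain starting at our own server.
    A Received line is believed only if it was written by the server the
    line above it names as its source. Lines below a break may be forged.
    """
    expected_by, last = trusted_mx.lower(), None
    for src, ip, by in hops(raw):
        if by != expected_by:
            break
        last, expected_by = (src, ip), src
    return last

def report(raw, trusted_mx):
    """Pair the claimed From domain with the traced origin (None if untraceable)."""
    addr = parseaddr(message_from_string(raw)["From"])[1]
    return {"claimed_from": addr.rpartition("@")[2].lower(),
            "origin": origin(raw, trusted_mx)}
```

The traced host and IP, together with the timestamp on that Received line, are what an abuse desk needs; a From domain that differs from the origin host is a hint rather than proof, since plenty of legitimate mail is sent through an ISP's relay.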
I reported this to abuse@pol.co.uk and got an
automated response with a ticket number of 358,676, which I firmly
believe is a sequential number. You have no idea how many people
report abuse in the hope that someone will do something about it,
and Energis provides virtual ISP services to around 20 large ISP
operations – including Freeserve.
Also note that the file with the virus was a
screen saver – border.scr – so for heaven’s sake don’t think
that the only files that can carry infections are .doc or .exe.
You should NEVER open attachments from unknown or untrusted
sources, so perhaps this pathetic correspondent thought that by
sticking my published email details into the “reply-to” part of
the header, they would sneak in.
Even without this type of crude name theft,
the amount of spam turning up around the festive season has got
completely out of order this year, and the spamicide filter on the
inbox is working overtime, but it is high time that something was
done about it for real. Politicians will take years and achieve
nothing. A lynch mob and necktie party could probably cure it
overnight.