Tuesday, September 18, 2007

The Mysterious Message (spoofed e-mail)

I often get questions from faculty and staff about mysterious e-mail messages they're getting. Usually it's some sort of automatic reply:

Your message did not reach some or all of the intended

11/12/2007 11:21 AM

The following recipient(s) could not be reached:

xxx@yyyyyyyy.org on 9/14/2007 12:33 PM
You do not have permission to send to this recipient. For assistance, contact
your system administrator.


This, alas, is a routine part of the Internet: the spoofed e-mail address. The reply results from two practices: one bad, the other a once-good idea that will probably soon disappear.

It has always been trivially easy to fake an e-mail address, and spammers and virus writers have latched onto this. Spam and virus e-mail is almost always sent out with a spoofed address: one chosen at random from the many saved on the compromised computers (you'd be surprised, but there are hundreds of e-mail addresses on your computer -- and not just in your address book). This makes it harder to track down the sender.

In addition, in the old days of the Internet, when people were assumed to play nice, any incorrectly addressed e-mail would generate a message to the sender, with the idea that this will let them know their message wasn't received and allow them to fix the problem. Alas, with spoofed e-mail addresses, the e-mail is sent to someone (you) who isn't even involved with sending the message.

So you get a mysterious message. And you wonder how you could get a bounce message when you haven't even sent an e-mail to the address listed.

It's all in the spoofing. As a matter of fact, the practice of telling people they're using the wrong address is dying out. Not only does it send these mysterious messages, but it allows spammers to harvest e-mail addresses. (How? Send a million e-mails using random names all to one domain. You may get 999,930 bounce messages. The other 70 are "live" addresses that can be sold to spammers.)

Let's make it clear: if you get the message, it does not mean you have a virus, or that your machine has been compromised. It merely means that some computer that has your e-mail address (which could be any computer you ever sent an e-mail to, or any web page where you ever put up your e-mail) has been compromised. It doesn't hurt to check, but it'd be very surprising if the message chose your address from your own computer.

So what to do? Well, as Estragon says, "Nothing to be done." There's no way to determine the actual sender from the bounce message (the site sending the bounce could tell, but it does not pass that information along to you). The only thing you can do is delete the message.
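As an added illustration of the point above (not code from the original post): a small Python check that reads the recipient and time a bounce names and compares them against a log of what you actually sent, flagging the bounce as backscatter when nothing matches. The bounce text and the sent-mail log below are constructed samples.

```python
import re
from datetime import datetime

# Constructed sample bounce in the style quoted above; the address and
# date are placeholders, not real values.
BOUNCE = """Your message did not reach some or all of the intended recipients.

The following recipient(s) could not be reached:

xxx@yyyyyyyy.org on 9/14/2007 12:33 PM
You do not have permission to send to this recipient. For assistance, contact
your system administrator.
"""

# Constructed sample of a local sent-mail log: (recipient, time sent).
SENT_LOG = [
    ("colleague@example.edu", datetime(2007, 9, 14, 9, 5)),
    ("registrar@example.edu", datetime(2007, 9, 13, 16, 40)),
]

# Matches lines of the form "<address> on M/D/YYYY H:MM AM|PM".
RECIPIENT_LINE = re.compile(
    r"^(?P<addr>[^\s<>]+@[^\s<>]+) on "
    r"(?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M)$",
    re.MULTILINE,
)


def parse_bounce(text):
    """Return the (recipient, datetime) pairs the bounce claims we sent to."""
    found = []
    for m in RECIPIENT_LINE.finditer(text):
        when = datetime.strptime(m.group("when"), "%m/%d/%Y %I:%M %p")
        found.append((m.group("addr").lower(), when))
    return found


def is_backscatter(bounce_text, sent_log, window_hours=24):
    """True if no claimed recipient matches something we really sent within
    window_hours of the time named; None if the bounce could not be parsed."""
    claimed = parse_bounce(bounce_text)
    if not claimed:
        return None
    for addr, when in claimed:
        for sent_addr, sent_at in sent_log:
            close = abs((when - sent_at).total_seconds()) <= window_hours * 3600
            if sent_addr.lower() == addr and close:
                return False  # a genuine bounce for a message we did send
    return True
```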