Antonio Aparicio wrote:
> On 19 May 2004, at 23:28, Malcolm Smith wrote:
> > So how do e-mail addresses get hi-jacked for this sort of nonsense? Can
> > anyone point me at a suitable website to find out how?
> I think what happens is your email address gets picked up somewhere on
> the net and inserted into a spam/virus email as if it were sent by you
> which it is not. You then get a virus alert warning in return from the
> recipient's system.
That's pretty much it. I'm not sure whether there are any
recent worms which don't forge the return address, so these
days you can pretty much figure that anyone _except_ the
listed sender might own the infected machine.
The standard trick is for the worm to pluck a random address
out of the infected machine's address book (pick a popular
mail program for it to look for an address book file for);
several (and I suspect this is what most do now) look in the
address book, the recently-received mail folder, the recently-sent
mail folder, and the web cache (local copies of "recently" viewed
web files so that the browser doesn't need to download each
page/image/sound/etc. completely from scratch the next time
a previously-viewed element is referenced again) ... and probably
Usenet if it can, and I wouldn't be surprised if they're looking
at instant messaging configuration files or something these days
(though that last bit is conjecture -- I haven't checked to see
whether any worms do so).
When worm and virus writers started using this trick, you could
figure that the infected machine was owned by someone who knew
both the recipient and the forged sender. When they started
mining the web cache, the list of potential infection vectors
grew to include anyone who'd looked at a web page with either
address on it. Nowadays everyone's "recently received mail"
spools have gotten polluted with enough copies of worms forged
to look like they're from someone more than two degrees of
separation away, that it's hard to draw any conclusions unless
you know the particular behaviour of a specific worm is simplistic
and old fashioned, or you get more clues from the pattern of
recipients of the latest infection (i.e. you know a lot about
who _else_ got copies at the same time you did).
So let's say Joe Blow picks up a worm. The worm finds my address
in his recently-received file. But he's never heard of me; he
only has my address because a different worm from Jane Cain's
machine forged my address when it sent itself to him last week.
And she's only got my address because the computer belonging
to Jack Flack, whom I've never heard of, sent her a third worm
(or a previous cycle of one of the first two) with my name forged,
and the worm found my address because Jack got an idea a month
ago to look for rather specialized erotica or information about
medieval musical instruments and wound up looking at a web page
on my site that had my address in it ... or read a newsgroup
about fibromyalgia, Christianity, or filk and saw a post by me
(especially if he used a web interface to the newsgroup). There's
a really tenuous link between me and Jack, goodness knows how Jack's
machine had Jane's address, and by the time we get to Joe's
machine there's no longer any shared interests, mutual acquaintances,
or any other link between my address and Joe other than our
each having Internet access, but Joe's computer is sending out
worms with my name on 'em.
That's how your email address gets hijacked.
-- Glenn
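An added worked example, not part of Glenn's post or of any mail tool the thread mentions: the practical consequence of the above is that the From address on a worm message (or on the "virus alert" bounced back to you) tells you nothing about who is infected. The one thing the worm cannot rewrite is the Received header stamped by each mail server it passes through, so the oldest Received hop, not From, is what to look at when trying to work out whose machine is sending. The script below parses a constructed worm message and a constructed genuine one and compares the originating host with the From domain. Every hostname, address, IP and mail ID in it is invented for the example.

```python
import email
import email.utils
import re

# Constructed sample worm message as it sat in the recipient's mailbox.
# Received headers are prepended by each server, so the top line is the
# newest hop and the bottom line the origin. All names and IPs are invented.
SAMPLE_WORM_MESSAGE = """\
Received: from mx.recipient.example ([192.0.2.10])
        by mailstore.recipient.example with ESMTP id 9K3L1
        for <someone@recipient.example>; Thu, 20 May 2004 01:02:03 -0400
Received: from dsl-203-0-113-45.joe-isp.example (dsl-203-0-113-45.joe-isp.example [203.0.113.45])
        by mx.recipient.example with SMTP id 7F2A9
        for <someone@recipient.example>; Thu, 20 May 2004 01:01:50 -0400
From: "Glenn" <glenn@glenn.example>
To: someone@recipient.example
Subject: Re: your document
Message-ID: <20040520010150.7F2A9@mx.recipient.example>

(worm body omitted)
"""

# Constructed genuine message from the same From address, for contrast.
SAMPLE_GENUINE_MESSAGE = """\
Received: from smtp.glenn.example (smtp.glenn.example [198.51.100.7])
        by mx.recipient.example with ESMTP id 4C8D2
        for <someone@recipient.example>; Thu, 20 May 2004 09:15:00 -0400
From: "Glenn" <glenn@glenn.example>
To: someone@recipient.example
Subject: filk lyrics

(body omitted)
"""

# "from <host> ... by <host>" as written by most MTAs; the "by" part is optional.
HOP_RE = re.compile(r"^from\s+(\S+)(?:.*?\bby\s+(\S+))?", re.IGNORECASE)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(raw_message):
    """Return the Received chain as (from_host, by_host, ip) tuples, oldest
    hop first. hops[0] is the host that first handed the message to a
    server we can see, which is the part a worm cannot forge."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())  # unfold continuation lines
        m = HOP_RE.match(value)
        if not m:
            continue
        ip = IP_RE.search(value)
        hops.append((m.group(1).lower(),
                     (m.group(2) or "").lower(),
                     ip.group(1) if ip else ""))
    hops.reverse()  # headers are stamped top-down, so the bottom one is the origin
    return hops


def from_domain(raw_message):
    """Domain part of the (possibly forged) From address, lower-cased."""
    msg = email.message_from_string(raw_message)
    _, addr = email.utils.parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def origin_host(raw_message):
    """Host name recorded for the oldest hop, or '' if there is none."""
    hops = received_hops(raw_message)
    return hops[0][0] if hops else ""


def sender_consistent_with_origin(raw_message):
    """Heuristic: does the originating host belong to the From domain?
    False means the From address must not be used to identify the infected
    machine (the forgery the post describes). True is only weak evidence,
    since legitimate mail is often relayed through an ISP's or a third
    party's servers rather than the sender's own domain."""
    domain = from_domain(raw_message)
    host = origin_host(raw_message)
    return bool(domain) and (host == domain or host.endswith("." + domain))


if __name__ == "__main__":
    for label, raw in (("worm", SAMPLE_WORM_MESSAGE),
                       ("genuine", SAMPLE_GENUINE_MESSAGE)):
        hops = received_hops(raw)
        print(label, "From domain:", from_domain(raw))
        print(label, "origin hop:", hops[0])
        print(label, "From consistent with origin:",
              sender_consistent_with_origin(raw))
```

When the check comes back False, the address to complain to is the abuse contact for the origin host's network (here the invented joe-isp.example, i.e. "Joe Blow's" ISP), not the domain in From; a "virus alert" sent to the From address is exactly the misdirected warning the thread started with. Received headers below the first one added by a server you trust can themselves be forged, so only the hops stamped by your own or a known-good relay should be relied on.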