Message-Id: <200204270354.UAA27244@gateway.astro.ucla.edu>
Date: Fri, 26 Apr 2002 20:54:40 -0700 (PDT)
From: help (computer support)
To: users (mailing list)
Subject: fake e-mail epidemic

TYPE OF NOTICE	warning

IMPORTANCE	major

DATE		as of this month

IMPACT		your e-mail address may be used by third parties to send 
		a virus to other people (exposing you to complaints)

AFFECTS		all users

USERS MUST	follow instructions below carefully

You should all be on the lookout for suspicious e-mail messages that have already affected several of you, due to a virus that has been propagating a lot lately.

Because its pattern differs substantially from what had been described in a previous summary on the subject (see http://www.astro.ucla.edu/computing/announcements/0176.shtml), we are sending you this important update. You should read it entirely to understand how your identity is actively being forged and what you can do about it.

THE TWO PROBLEMS
Old one: You may be receiving e-mail messages that contain a virus (which could infect your computer), but those messages were not sent by their apparent sender.

New one: Other people's (that you know or not) computers may be sending messages (containing the same virus) ``disguised'' as you, so you may be hearing from the recipients of those messages (maybe with a copy of the virus quoted in their followup) asking why you sent them those messages (which you didn't). And these ``other people'' most likely won't know their computer was doing that until they have been alerted (by you or those recipients). This does not mean that your computer is infected; other people's are.

CONCEPTS
The first thing to understand is that it is possible to send e-mail and make it look like it came from someone else (without that someone else being aware of it), due to the intrinsic nature of the mail transport protocol.

The second is that a virus usually propagates via e-mail by picking addresses from the address books of Microsoft Outlook (or O. Express) users (although other mail clients may be used; just less frequently), either by sending messages as you to people in those lists, or by sending them as someone in that list to someone else in that list. So a message can be transmitted from one person to another (which could be a mailing list) using your computer without you being involved in any apparent way.

Third, it is possible for a Windows computer to become infected by an e-mail virus even if you did not open any attachment, but just read the message, or even simply previewed it.

Finally, security fixes (``patches'') are NEVER communicated by e-mail, so if you receive something that claims you should run it in order to protect or improve your computer, it is FOR SURE a virus (and therefore should NOT be run), even if it seems to be coming from help (or any other source you would normally trust).

OLD PROBLEM: PREVENTION (FOR WINDOWS USERS ONLY)
In terms of preventing your computer from being infected, we have made an effort to make sure that you have up-to-date anti-virus software. However, it is up to you to make sure that it gets updated, especially if your PC is not left turned on and connected to our network at all times (laptops especially). Over the last couple of weeks, we went around to make sure that the software was properly configured for everyone, but we cannot afford to spend all our time doing that continually, so we will ask you to help us protect you by periodically checking that it is running as expected (details will follow for those who are affected).

It is also important that we be able to install operating system updates (which usually require a reboot) on your computer frequently (weekly at least). Unfortunately, we have been unable to develop a policy and a schedule for doing that, so that has bot been happening so far...

Of course, we can only repeat that: it is preferable not to use Windows to read your mail; if you have to, it is preferable not to use a Windows mail client, but to read it in a UNIX terminal; if you have to, it is preferable not to use Outlook (or O. Express), but Netscape (free) or Eudora (free); if you have to, it is preferable to have all automatic preview/execution features turned off; but even then, you are on your own... In all cases, you should not use Internet Explorer, but Netscape (free) or Opera (free). These problems would not exist if no one used IE and O/OE!!

And as usual: Never open an attachement you did not request from the person who sent it to you (without first verifying with them that it was sent intentionally)!

NEW PROBLEM: USER (RE)ACTION
Technically, there is nothing that can be done to stop e-mail from being sent with a fake identity (namely, yours). However, you should be aware that impersonating someone else is prohibited by University policy, so sanctions could be taken against the agents or perpetrators of such forgery if requested by the victim...

So you should be very careful when receiving a message that doesn't seem to ``check out'' (e.g., no personal information for you in the body, an attachment, an unknown sender, different From and From: headers, etc). If you suspect that this message was generated by a virus, you have two options: deleting the message without reading/previewing it and forgetting about it; or tracking down its origin and notifying the parties involved (to try to put an end to its source).

In the latter case, the process is fairly complex, and definitely time consuming; so much so that it has been eating up way too much of our time in the last couple of weeks (half an hour per message is typical). So please keep that in mind before you e-mail to tell us about the latest message you received. We are going to make a guide available online for you to learn how to handle this yourself. It should be announced soon...

Because this seems to affect a certain category of users more than others, some of you will receive additional instructions by e-mail shortly. In the meantime, keep in mind that replying to the sender probably won't help, since they didn't have anything to do with the message being sent.

VIRUS SPECIFICS
The latest virus that is going around and prompting this warning is a variant of ``Klez.'' The sender will be random, and there is a multitude of possible Subject lines (you can view a sample and find more technical details at
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci818032,00.html, although some of the other comments on that page should be ignored); the body may tell you that this is an IE patch that you should install; and it will inevitably have an attachment (the virus); the typical size of the message seems to be between 100 and 150 kB. However, this description will probably not apply for the next one to come along, so you should always be vigilant and follow the basic precautions described above.
FEEDBACK
If you have any doubts or questions about this, please do not hesitate to come talk to us about it (avoid e-mailing us this long virus if you think you got it...). It is critical that you know exactly what to do. Thanks.