March 17, 2004
Felo de spam

Here's a new variant on malevolent email that I at least haven't seen before:


Dear user of "Offthekuff.com" mailing system,

Your e-mail account has been temporary disabled because of unauthorized access.

Advanced details can be found in attached file.

Have a good day,

The Offthekuff.com team


Now, obviously, if my email account had been disabled, I wouldn't be able to log in and see this message. Plus, all the stuff from my webhost is very clearly identifiable as coming from them, and more specifically from their domain. Still, it took me a second because the message is a bit shocking, and it's not like I've never experienced mail issues before.

The attachment is a PIF file, which those of you who don't remember the Win 3.1/DOS days may not realize is basically a command file for DOS. I didn't bother looking too closely, but it probably does something pleasant like delete a bunch of files or some such. Many corporate email servers block PIFs because of this.

So consider this a public service warning. You've probably heard it often enough to block it out completely, but never open an attachment in email unless you know what it is and why it was sent to you. Don't be the cause of your PC's implosion.

Posted by Charles Kuffner on March 17, 2004 to Skepticism
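The attachment blocking mentioned above, sketched as an added example that is not part of the original post: it parses a raw message and flags attachments whose final extension is executable, including names that hide it behind a harmless-looking one. The extension list, the sample message, and the function name `risky_attachments` are assumptions made for illustration.

```python
import email
from email import policy

# Assumed blocklist for this example; the post itself names only .pif.
BLOCKED_EXTENSIONS = {"pif", "scr", "exe", "com", "bat", "cmd", "vbs"}

# Constructed sample modelled on the message quoted in the post. The sender
# address, subject and attachment filename are made up.
SAMPLE = b"""\
From: "The Offthekuff.com team" <noreply@sender.example>
To: user@recipient.example
Subject: Account disabled
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Advanced details can be found in attached file.
--b1
Content-Type: application/octet-stream; name="details.txt.pif"
Content-Disposition: attachment; filename="details.txt.pif"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""


def risky_attachments(raw_bytes):
    """Return (filename, reason) pairs for attachments a gateway should block."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()  # declared filename, if the part has one
        if not name:
            continue
        # Windows drops trailing dots and spaces before picking a handler.
        pieces = name.strip().rstrip(". ").lower().split(".")
        if len(pieces) < 2 or pieces[-1] not in BLOCKED_EXTENSIONS:
            continue
        reason = "executable extension ." + pieces[-1]
        if len(pieces) > 2:
            reason += " hidden behind ." + pieces[-2]
        findings.append((name, reason))
    return findings


if __name__ == "__main__":
    for name, reason in risky_attachments(SAMPLE):
        print(f"BLOCK {name}: {reason}")
```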
Comments

We've had users on whiterose get that too. Since most postmaster email for us is clearly marked as from one or the other of the postmaster team, it wasn't very effective, but we did get asked.

There's a similar one that tells you your email account is over quota.

Posted by: Ginger on March 17, 2004 7:10 PM

We had one whiterose.org user send us a very apologetic note after he got that virus. I had to dash back a quick note that said "Um, [Friend], that came from a virus. If it was from us, it would have had content that you would have recognized as coming from us. And it wouldn't have had a Windows virus attached."

[Friend] also kindly asked us about the virus that his AV software detected in it. I was very glad that his response was to ask about it rather than to open it. And yet, someone is opening those, otherwise the thing wouldn't be spreading. How is it that anyone opens an unannounced attachment in a dangerous format at all in 2004? I am boggled.

Posted by: Michael on March 17, 2004 7:18 PM

Not being up on all the file extensions, I've wondered (not to the point of opening) what .pif was. Thanks for the tip.

Posted by: Linkmeister on March 18, 2004 1:02 AM

"How is it that anyone opens an unannounced attachment in a dangerous format at all in 2004? I am boggled." - Michael

At many businesses, including my current client, there are people whose jobs require them to open every email they receive, because most of them contain legitimate customer requests, orders etc. Fortunately, my client is obsessive about keeping the A/V software updated on every machine in the shop.

As to dangerous formats, if even Linkmeister doesn't recognize .pif, a lot of people won't. Not everyone who uses email is technologically adept, and even those who are may not know the older executable formats.

Posted by: Steve Bates on March 19, 2004 1:08 AM

BTW, I received a different but similarly constructed virus-bearing message today in the mailbox I use in blog comments and for a few lists. This is the first virus I believe I've ever received in that mailbox. My host's server-side A/V software did not identify it, but I could, by visual inspection of the raw message.

Is it tinfoil hat time yet, folks?

Posted by: Steve Bates on March 19, 2004 1:12 AM