Monday, November 21, 2005

"You visit illegal web sites"

I just got a rather different spam/scam/virus in my e-mail. This one claims to be from [mail@fbi.gov] and even lists the real street address and telephone number of the FBI in Washington. According to "Steven Allison," my IP address has been logged on bazillions of illegal Websites. Attached to the message is a ZIP file that supposedly contains a list of questions that it is very important for me to answer.

Dear Sir/Madam,

we have logged your IP-address on more than 30 illegal Websites.

Important:
Please answer our questions!
The list of questions are attached.


Yours faithfully,
Steven Allison



*** Federal Bureau of Investigation -FBI-
*** 935 Pennsylvania Avenue, NW, Room 3220
*** Washington, DC 20535
*** phone: (202) 324-3000

I didn't bother finding out what was actually in "list.zip," but my guess is it's probably a virus.

There are several tip-offs that it's not a real message. I'm always amazed at how many of my friends and family miss some obvious clues, so I'll give you a quick rundown:
  • "Dear Sir/Madam": if the FBI were really contacting you about something like this, they would already know your name. Besides that, they would send it in the snail mail, not by e-mail.

  • "we have logged your IP-address on more than 30 illegal Websites.": I know that people have become sloppy in e-mail correspondence, but still, I would hope that an FBI agent would at least know to capitalize the first word in a sentence. Also, there's no hyphen in IP address and websites should not be capitalized in this context. [My motto: I put the hyphen in anal-retentive!] Unfortunately, it's all too believable that an FBI agent would say something like The list of questions are attached. The message should also specify at least some of the supposed illegal websites by name, along with the dates and times I supposedly accessed them.

  • Here's a subtle techie point: your IP address is probably dynamic. That means that each time you connect to your ISP — especially on a dial-up connection, but often even with broadband — you might get a different IP address. Thus, it isn't really your IP address, and an address on its own identifies nobody: only the ISP, given the address and the exact time it was in use, can say which subscriber had it, and this message offers no dates or times at all. It's more like having an open account with a car rental agency: you have a car when you need one, but you don't get the same car every time.

  • Better yet, this spam/virus was sent to an address I have on a freebie web-based account. I can check my e-mail from any computer on the Internet. Even if I did visit illegal web sites, this address would not be associated with that activity: nothing ties a webmail address to the IP address of whatever computer its owner happens to browse from.

  • "list.zip": Why is a list of questions in a ZIP file? Why does the file have such a generic name? Why does it take 74K to ask me some simple questions? Wrapping a program in a ZIP file is a classic way to slip it past mail filters that block executable attachments outright, and to hide the real file name until you open the archive.

  • Symantec's Security Response web site suggests that this is the W32.Sober.K@mm mass-mailing worm. [Strictly speaking, a worm is different from a virus: a worm spreads copies of itself, in this case by mailing itself out, while a virus attaches itself to another program. But they are close cousins.] If you don't have antivirus software, you shouldn't be on the Internet — seriously. However, it's always good to check any suspicious message — including an e-mail that warns you about the latest supposed threat — with a "name-brand" antivirus web site. Many innocuous-looking messages are viruses, but also many "virus warnings" are hoaxes. It's bad manners to forward either viruses or virus hoaxes.

  • The message originated from a computer that identified itself as "fruxnt.gov" but that actually belongs to Georgia Motor Trucks, Inc. The name a sending machine announces is whatever it chooses to say; the IP address that the receiving mail server records next to it in the Received header is what it actually saw, and here the two don't agree. Besides that, of course, there's no such domain name as "fruxnt.gov" — unless you count the sooper-seekrit Federal Regional Unsolicited X-rated National Transmogrification project. (Their black helicopters have special nekkid ladies on the mudflaps.)
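The last three tip-offs (a generic salutation, a ZIP attachment, and a sending machine whose announced name doesn't match what the mail server saw) can be checked mechanically before anyone is tempted to open the attachment. The script below is an added example, not code from the original post: it builds a message in the shape of the scam quoted above and triages it offline. The Received header, the host name "host45.example-trucking.net", the address 203.0.113.45 and the ZIP member "list.txt.exe" are all constructed for illustration and are not the actual worm's content; only the From line, subject, salutation and "fruxnt.gov" HELO name come from the post.

```python
"""Offline triage of a suspicious message.  Added example, not the post's own
code: the message and ZIP below are constructed to resemble the one described,
not the worm's actual content; host names, IP and ZIP member name are made up."""
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Extensions that run when double-clicked; hidden inside a ZIP they slip past
# many gateway filters that would block them as bare attachments.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js")

# "from <HELO name> (<reverse DNS> [<IP>])": the HELO name is what the sender
# said about itself; the bracketed part is what the receiving server observed.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>[^\s(]+)\s*\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[^\]]+)\]\)")


def build_sample_zip() -> bytes:
    """A constructed 'list.zip': the 'list of questions' is really a program
    hiding behind a double extension (hypothetical file name, inert contents)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("list.txt.exe", b"MZ" + b"\0" * 4096)  # fake PE stub, never run
    return buf.getvalue()


def build_sample_message() -> bytes:
    """A constructed message in the shape of the scam quoted in the post."""
    msg = EmailMessage()
    msg["From"] = "Steven Allison <mail@fbi.gov>"
    msg["To"] = "someone@example.net"
    msg["Subject"] = "You visit illegal Websites"
    msg["Received"] = ("from fruxnt.gov (host45.example-trucking.net [203.0.113.45]) "
                       "by mx.example.net with SMTP; Mon, 21 Nov 2005 09:12:33 -0500")
    msg.set_content("Dear Sir/Madam,\n\nwe have logged your IP-address on more "
                    "than 30 illegal Websites.\n\nYours faithfully,\nSteven Allison\n")
    msg.add_attachment(build_sample_zip(), maintype="application",
                       subtype="zip", filename="list.zip")
    return msg.as_bytes()


def parse_received(value: str):
    m = RECEIVED_RE.search(value)
    return m.groupdict() if m else None


def inspect_zip(data: bytes) -> list:
    """List ZIP members and sniff their first bytes without extracting or
    running anything; an 'MZ' prefix marks a Windows executable."""
    members = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            with zf.open(info) as f:
                magic = f.read(2)
            executable = info.filename.lower().endswith(EXECUTABLE_SUFFIXES) or magic == b"MZ"
            members.append({"name": info.filename, "size": info.file_size,
                            "executable": executable})
    return members


def analyze(raw: bytes) -> dict:
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    # Each server prepends its own Received header, so the last one is the
    # earliest hop: the machine that actually handed the message over.
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    if hops:
        origin = hops[-1]
        helo = origin["helo"].lower()
        if helo != from_domain and not helo.endswith("." + from_domain):
            findings.append(f"origin announced itself as {helo}, From claims {from_domain}")
        if origin["rdns"] and origin["rdns"].lower() != helo:
            findings.append(f"HELO name {helo} does not match reverse DNS "
                            f"{origin['rdns']} of {origin['ip']}")
    body = msg.get_body(preferencelist=("plain",))
    if body and body.get_content().lstrip().lower().startswith("dear sir/madam"):
        findings.append("generic salutation: the sender does not know your name")
    attachments = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        if name.lower().endswith(".zip"):
            attachments[name] = inspect_zip(part.get_payload(decode=True))
            for member in attachments[name]:
                if member["executable"]:
                    findings.append(f"{name} contains executable {member['name']}")
    return {"findings": findings, "attachments": attachments}


if __name__ == "__main__":
    for line in analyze(build_sample_message())["findings"]:
        print("-", line)
```

Run it and all four tip-offs come out as findings. The script never extracts or executes anything from the archive; it only reads the member names and their first two bytes, which is all you need to see that a "list of questions" is a program.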
Well, now that I've taken care of that e-mail nuisance, I can get on with the arrangements for my new Nigerian pen pal to send me $52,000,000.00 (fifty two million U.S. dollars) to start a new wildlife refuge for fuzzy kittens.