August 21, 2003

In the last three days or so I've received tons of email with 100 KB attachments from all kinds of people I don't know, trying to infect my computer. It seems the MS Blaster and Sobig worms and their variants are rampant on the internet right now. Here's what you can do to protect yourself 100%:
As far as Mailwasher is concerned: after you run the software and set up the basics (your POP3 server and email address, etc.), go into the TOOLS menu and select FILTERS. Then click ADD filter. Choose "entire header" in the Rules section and leave the condition as "contains". In the next window type in ".pif". Make sure you select the option "this filter takes precedence over the friends list"; that way, if a friend or colleague sends you an infected email, the filter takes care of it as well.

You may also find that you are receiving a disproportionate number of emails from one source. In my case it was a high number from Arizona State University. The way to find out where the mail is coming from is to preview the message in Mailwasher and look at the header details. In there you'll see where it's coming from, with a specific IP address. Here is an example:

Return-path: <danielwojsiat@hotmail.com>
Received: from pd7mr3no.prod.shaw.ca (pd7mr3no-qfe3.prod.shaw.ca [10.0.144.130]) by l-daemon (iPlanet Messaging Server 5.2 HotFix 1.16 (built May 14 2003)) with ESMTP id <0HJW00I9BSTSPN@l-daemon> for valleyrose1@shaw.ca; Wed, 20 Aug 2003 02:27:28 -0600 (MDT)
Received: from pd7mi3no.prod.shaw.ca ([10.0.149.116]) by l-daemon (iPlanet Messaging Server 5.2 HotFix 1.16 (built May 14 2003)) with ESMTP id <0HJW00DU0STQIM@l-daemon> for valleyrose1@shaw.ca (ORCPT valleyrose1@shaw.ca); Wed, 20 Aug 2003 02:27:28 -0600 (MDT)
Received: from smartt.com (ktk6.smartt.com [209.52.5.253]) by l-daemon (iPlanet Messaging Server 5.2 HotFix 1.16 (built May 14 2003)) with ESMTP id <0HJW00J1NSTRQ9@l-daemon> for valleyrose1@shaw.ca; Wed, 20 Aug 2003 02:27:28 -0600 (MDT)
Received: from ASU-AUKY1VK7BMB (enmc252.eas.asu.edu [129.219.29.2]) by smartt.com (8.11.1/8.11.1) with ESMTP id h7K8mA100317 for <info@ferlowbrothers.com>; Wed, 20 Aug 2003 01:48:11 -0700 (PDT)
Date: Wed, 20 Aug 2003 01:29:25 +0700
From: danielwojsiat@hotmail.com
Subject: Re: Re: My details
To: info@ferlowbrothers.com
Message-id: <200308200848.h7K8mA100317@smartt.com>
MIME-version: 1.0
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
Content-type: multipart/mixed; boundary=_NextPart_000_3F33A0FC
Importance: Normal
X-Priority: 3 (Normal)
X-MSMail-priority: Normal
X-MailScanner: Found to be clean
Original-recipient: rfc822;valleyrose1@shaw.ca
As you can see by looking at the header details above, the IP address 129.219.29.2 is the source in my case. If you do get a lot from one particular IP address, you can add it as a filter in Mailwasher and/or send an email to the offending source, in this case Arizona State University. You can do a search on an IP address here to find out who it belongs to and get contact information. In most cases, though, simply adding a filter to check for ".pif" attachments, and maybe ".exe" attachments, is sufficient in combination with AVG or a similar anti-virus software package.

If you receive an email with a file attachment you don't recognize, do a search on the internet for the three characters after the last period in the filename. "movie0045s.pif" is most likely an infected file, just judging by the ".pif" extension. If you're uncertain, do a search on www.google.ca for those three characters, or search for "pif file attachment", and see what comes up. If it looks like a common virus type of file attachment, delete the email in question. PIF files are executables similar to EXE (executable) files: a program that will run on your computer to do who knows what. Be wary of them. Of course, you can also add IP addresses to Mailwasher's filters if most of the mail is coming from one source like a university.

What you want to avoid (and it's tempting) is bouncing the virus/worm infected emails with Mailwasher. Do not do this under any circumstances. Most "from" addresses are spoofed and not genuine, so unwitting people will receive the entire email, virus attachment included, forwarded to them as "return to sender". Consequently you will look like the sender, and your ISP may shut down your internet access temporarily. If that happens and you have a cable modem or anything else using dynamic IP addresses, you may be able to shut off your cable modem for half an hour or longer, then restart it to automatically obtain a new IP address. The cable company's servers may filter on your actual modem identification rather than your IP address, so this method may or may not work for you. If you have static IP addresses you're hooped. Anyhow, that's all for now, so play it safe!
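The two checks described above, reading the Received chain to find the originating IP and flagging attachments by extension, can be done in a few lines with Python's standard library. This is an added example, not code from the post or from Mailwasher. The sample message is constructed: its Received headers are condensed from the header printed above, and the multipart body with the "movie0045s.pif" attachment is made up so the attachment check has something to find. The extension list, function names and the verdict format are my own choices.

```python
import email
import os
import re
from email import policy
from email.message import EmailMessage

# Constructed sample message: Received chain condensed from the post's
# header; the .pif attachment body is a harmless base64 placeholder.
SAMPLE = """\
Return-path: <danielwojsiat@hotmail.com>
Received: from pd7mr3no.prod.shaw.ca (pd7mr3no-qfe3.prod.shaw.ca [10.0.144.130])
 by l-daemon (iPlanet Messaging Server 5.2) with ESMTP id <0HJW00I9BSTSPN@l-daemon>
 for valleyrose1@shaw.ca; Wed, 20 Aug 2003 02:27:28 -0600 (MDT)
Received: from smartt.com (ktk6.smartt.com [209.52.5.253])
 by l-daemon (iPlanet Messaging Server 5.2) with ESMTP id <0HJW00J1NSTRQ9@l-daemon>
 for valleyrose1@shaw.ca; Wed, 20 Aug 2003 02:27:28 -0600 (MDT)
Received: from ASU-AUKY1VK7BMB (enmc252.eas.asu.edu [129.219.29.2])
 by smartt.com (8.11.1/8.11.1) with ESMTP id h7K8mA100317
 for <info@ferlowbrothers.com>; Wed, 20 Aug 2003 01:48:11 -0700 (PDT)
From: danielwojsiat@hotmail.com
Subject: Re: Re: My details
To: info@ferlowbrothers.com
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="_NextPart_000_3F33A0FC"

--_NextPart_000_3F33A0FC
Content-Type: text/plain

See the attached file for my details.
--_NextPart_000_3F33A0FC
Content-Type: application/octet-stream; name="movie0045s.pif"
Content-Disposition: attachment; filename="movie0045s.pif"
Content-Transfer-Encoding: base64

bm90IGEgcmVhbCBwcm9ncmFt
--_NextPart_000_3F33A0FC--
"""

# The post names .pif and .exe; .scr, .com and .bat are the other common
# Windows executable extensions and are added here for completeness.
RISKY_EXTENSIONS = {".pif", ".exe", ".scr", ".com", ".bat"}

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse(raw: str) -> EmailMessage:
    return email.message_from_string(raw, policy=policy.default)


def received_chain(msg: EmailMessage) -> list:
    """Received headers in travel order: each relay prepends its own header,
    so the one nearest the body is the earliest hop."""
    return list(reversed(msg.get_all("Received", [])))


def originating_ip(msg: EmailMessage):
    """IP recorded in the earliest Received header, i.e. the host that handed
    the message to the first relay (129.219.29.2 in the post's example).
    The From: address is ignored on purpose: the worm spoofs it."""
    chain = received_chain(msg)
    if not chain:
        return None
    m = IP_IN_BRACKETS.search(chain[0])
    return m.group(1) if m else None


def header_contains(msg: EmailMessage, needle: str) -> bool:
    """Mailwasher-style 'entire header contains' rule, applied to the
    top-level headers and to every MIME part's headers (the attachment
    filename is declared in the part, not in the message header)."""
    needle = needle.lower()
    return any(
        needle in f"{name}: {value}".lower()
        for part in msg.walk()
        for name, value in part.items()
    )


def risky_attachments(msg: EmailMessage) -> list:
    """Filenames of attachments whose final extension is executable."""
    found = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name.lower())[1] in RISKY_EXTENSIONS:
            found.append(name)
    return found


def verdict(raw: str, blocked_ips=frozenset()):
    """Return (origin_ip, reasons); an empty reasons list means keep it."""
    msg = parse(raw)
    reasons = []
    risky = risky_attachments(msg)
    if risky:
        reasons.append("executable attachment: " + ", ".join(risky))
    origin = originating_ip(msg)
    if origin in blocked_ips:
        reasons.append(f"origin {origin} is on the block list")
    return origin, reasons


if __name__ == "__main__":
    origin, reasons = verdict(SAMPLE, blocked_ips={"129.219.29.2"})
    print("origin:", origin)
    for reason in reasons:
        print("delete:", reason)
```

The verdict deletes locally rather than bouncing, which is the point of the post: since the From: address is forged, the only trustworthy fact about the sender is the IP in the earliest Received header, and even that is only as good as the relay that wrote it.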