{"id":1657,"date":"2009-03-12T19:17:38","date_gmt":"2009-03-12T23:17:38","guid":{"rendered":"http:\/\/blogs.n1zyy.com\/n1zyy\/?p=1657"},"modified":"2009-03-12T19:17:38","modified_gmt":"2009-03-12T23:17:38","slug":"worst-virus-attempt-ever","status":"publish","type":"post","link":"https:\/\/blogs.n1zyy.com\/n1zyy\/2009\/03\/12\/worst-virus-attempt-ever\/","title":{"rendered":"Worst Virus Attempt Ever"},"content":{"rendered":"<p>So at work, I receive a copy of all mail sent to the address that we send mail to our users from, meaning that hundreds of thousands of people have this address sitting in their inbox. As such, I receive <em>lots<\/em> of virus attempts. The Hallmark fake was a big one, probably because it looked so authentic. It even had me fooled looking at the headers, since it spoofs &#8220;hallmark.com&#8221; as its outgoing HELO string. (The IP, though, was a residential ISP customer. SPF might catch it, although Hallmark&#8217;s SPF record is set to &#8220;softfail&#8221; mail not from one of their IPs.)<\/p>\n<p>But today, I received an e-mail from a random stranger with this subject line: <strong>^Hi,friend^ download this stuff>>>>>>>>>>>><\/strong>. It just contains a link to a website, so, content that it wasn&#8217;t a unique URL (e.g., <a href=\"http:\/\/spammer.com\/confirm_email.php?email_address=helen@n1zyy.com\">http:\/\/spammer.com\/confirm_email.php?email_address=helen@n1zyy.com<\/a>), I clicked through. It was made up to look like a file sharing site, except that it used JavaScript to push a file called SURPRISE.EXE to the user. There was no secret about this, really; the page indicated that you were downloading it. But it didn&#8217;t even push it out to you right away; you had to wait for the timer to count down before it prompted you to download it.<\/p>\n<p>I&#8217;m really curious if <em>anyone<\/em> has been infected with this virus. You have to open the shadiest e-mail ever, click a link, wait to download SURPRISE.EXE, and then manually run it. But perhaps I give users too much credit.<\/p>\n<p>Oh, bonus points: the site is its own domain name (registered by someone in the Virgin Islands), and hosted in Africa. Internet access to Africa is quite scarce, so I tend to think the server would get knocked offline if more than a handful of people tried to download it at once anyway.<\/p>","protected":false},"excerpt":{"rendered":"<p>So at work, I receive a copy of all mail sent to the address that we send mail to our users from, meaning that hundreds of thousands of people have this address sitting in their inbox. As such, I receive &hellip; <a href=\"https:\/\/blogs.n1zyy.com\/n1zyy\/2009\/03\/12\/worst-virus-attempt-ever\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1657","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/blogs.n1zyy.com\/n1zyy\/wp-json\/wp\/v2\/posts\/1657","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blogs.n1zyy.com\/n1zyy\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.n1zyy.com\/n1zyy\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.n1zyy.com\/n1zyy\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.n1zyy.com\/n1zyy\/wp-json\/wp\/v2\/comments?post=1657"}],"version-history":[{"count":0,"href":"https:\/\/blogs.n1zyy.com\/n1zyy\/wp-json\/wp\/v2\/posts\/1657\/revisions"}],"wp:attachment":[{"href":"https:\/\/blogs.n1zyy.com\/n1zyy\/wp-json\/wp\/v2\/media?parent=1657"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.n1zyy.com\/n1zyy\/wp-json\/wp\/v2\/categories?post=1657"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.n1zyy.com\/n1zyy\/wp-json\/wp\/v2\/tags?post=1657"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}