Attachments Again!
From the August 30, 2004 newsletter

I got another question from one of my customers recently (last night in fact) regarding a complaint he'd received from a couple of people he has e-mailed in the past, but not recently.
The complaint was that they (the people he has corresponded with in the past) received an email with an attachment that was described as an "excel document" but was in fact named "document.pif".
If you don't know by now, then you should learn (as I told him) that anything with an extension of ".pif" is not to be opened, and the same goes for ".com", ".exe", ".scr", ".bat" and any other extension that denotes a directly executable program, unless you're running something other than Windows. Be especially careful if you're using one of Microsoft's email programs together with Internet Explorer, since they'll happily go about running the program for you unless you've been very careful (and non-standard) in the setup of your security. Note also that Windows hides the extensions of known file types by default, and never shows ".pif" at all, so a file named "document.xls.pif" appears in Explorer as "document.xls"; check the full name before opening anything.
In this case my customer is the subject of what is called a "joe job": his address has been forged as the sender (the "From" or "Reply-To") on a batch of email going out from somebody else's infected machine. Either that machine was loaded with a list of addresses that just happened to include his other contacts, or (more likely) it has had both his address and his contacts' addresses pass through it at some time, for instance when my customer sent out a message with everyone in the CC field instead of the BCC field, and the worm harvested every address it could find.
Of course there is also the possibility that my customer's machine is infected, but since I have not seen anything from him with a virus in it (and I do look) I don't think so - he's been well trained to practice safe internet.
The thing to do when someone accuses you of sending them a virus (or something equally nasty) is to ask them to look at the headers on the original message. Every mail server that handles a message adds a "Received" line at the top of the headers, so the bottom-most one records where the message first entered the mail system and the ones above it record each later hop. Compare the first one or two steps in that chain with the same lines from some other message you've sent them in the past (the one you sent them asking them to look at the headers will do): a message that really came from you enters through your ISP's servers, while a joe-jobbed one enters from the infected machine. There are some sophisticated virus mailers out there that will duplicate the first couple of "Received" lines from a real message, but most don't, and a copied line usually gives itself away because the server it claims to have handed the message to is not the one the next line up says it received from.

Usually there will be four or five "Received" lines: a couple from the sender's ISP and a couple from the recipient's.
If you can't figure the headers out, get them to send them (and the rest of the message) to me and I'll do it if necessary. Note that just forwarding the message does not send the original headers, since the forwarded copy gets fresh headers of its own. Depending on the mail program you (and they) use, you/they may have to cut and paste or save the message as a text file in order to preserve the original headers, then send it as an attachment.
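As an added example (not part of the original newsletter and not the author's own tooling), here is a Python script that automates the two checks discussed above on constructed sample messages: it flags attachments whose real extension is directly executable (catching "document.pif" even when a second extension hides it), and it extracts the "Received" chain oldest hop first so the entry point of a suspect message can be compared with a message known to be genuine. All host names, addresses, dates and message IDs are invented; the "forged" sample copies one "Received" line from the genuine message to show why the origin comparison alone is not enough and a hop-continuity check is also needed.

```python
"""Added example (not from the newsletter): flag executable attachments and
compare a suspect message's "Received" chain with a message known to be genuine.
Every message, host name, address and ID below is constructed for the example."""
import email
import re
from email import policy

# Extensions Windows runs directly on double-click.  Illustrative, not exhaustive.
EXECUTABLE_EXTS = {"pif", "com", "exe", "scr", "bat", "cmd", "vbs", "js", "lnk"}
# The "from <host> ... by <host>" part of a Received: line is all we need.
RECEIVED_RE = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+)", re.I | re.S)


def parse(raw):
    return email.message_from_string(raw, policy=policy.default)


def dangerous_attachment_names(msg):
    """Attachment names whose *last* extension Windows would execute.  That is
    the one that counts: Explorer hides known extensions by default (and .pif
    always), so 'report.xls.pif' is displayed as 'report.xls'."""
    flagged = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").rstrip(" .")  # Windows drops these too
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in EXECUTABLE_EXTS:
            flagged.append(name)
    return flagged


def received_chain(msg):
    """[(from_host, by_host), ...] oldest hop first.  Each relay prepends its
    own Received: line, so the headers read newest-first and must be reversed."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(str(value))
        if m:
            hops.append((m.group(1).lower(), m.group(2).lower()))
    return hops


def origin_matches(suspect, known_good, hops=2):
    """Do the first `hops` receiving servers (sender's ISP and the hop after it)
    agree with those of a message the sender really sent?"""
    def receivers(m):
        return [by for _, by in received_chain(m)[:hops]]
    return receivers(suspect) == receivers(known_good)


def chain_breaks(msg):
    """Hop indices whose receiving server is not the host the next hop says it
    got the mail from.  A Received: line copied from an old message cannot join
    up with the relay that really injected the mail, so it shows here.  Heuristic:
    a server may log itself under another name, so a break means 'look closer'."""
    hops = received_chain(msg)
    return [i for i in range(len(hops) - 1) if hops[i][1] != hops[i + 1][0]]


# A message the customer really sent: PC -> his ISP -> recipient's MX -> mailstore.
KNOWN_GOOD = (
    "Received: from mx.recipient.example (mx.recipient.example [198.51.100.5])\n"
    "\tby mailstore.recipient.example with ESMTP id 111; Mon, 23 Aug 2004 10:02:00 -0700\n"
    "Received: from smtp.customer-isp.example (smtp.customer-isp.example [192.0.2.10])\n"
    "\tby mx.recipient.example with ESMTP id 222; Mon, 23 Aug 2004 10:01:58 -0700\n"
    "Received: from home-pc (dsl-192-0-2-77.customer-isp.example [192.0.2.77])\n"
    "\tby smtp.customer-isp.example with ESMTP id 333; Mon, 23 Aug 2004 10:01:55 -0700\n"
    "From: customer@example.com\nTo: contact@recipient.example\n"
    "Subject: Meeting notes\nContent-Type: text/plain\n\nNotes are in the body.\n"
)
# The genuine first hop, which a sophisticated virus mailer might copy verbatim.
FORGED_LINE = (
    "Received: from home-pc (dsl-192-0-2-77.customer-isp.example [192.0.2.77])\n"
    "\tby smtp.customer-isp.example with ESMTP id 333; Mon, 23 Aug 2004 10:01:55 -0700\n"
)
# Joe job: an infected machine on another ISP sends a .pif called an "excel
# document" with the customer's address forged as sender and Reply-To.
SUSPECT_FORGED = (
    "Received: from mx.recipient.example (mx.recipient.example [198.51.100.5])\n"
    "\tby mailstore.recipient.example with ESMTP id 444; Mon, 30 Aug 2004 03:12:01 -0700\n"
    "Received: from cable-203-0-113-9.other-isp.example ([203.0.113.9])\n"
    "\tby mx.recipient.example with SMTP id 555; Mon, 30 Aug 2004 03:11:59 -0700\n"
    + FORGED_LINE +
    "From: customer@example.com\nReply-To: customer@example.com\n"
    "To: contact@recipient.example\nSubject: excel document\nMIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\nPlease see the attached excel document.\n"
    '--b1\nContent-Type: application/vnd.ms-excel; name="document.pif"\n'
    'Content-Disposition: attachment; filename="document.pif"\n'
    "Content-Transfer-Encoding: base64\n\nTVo=\n--b1--\n"
)
# The usual case: the worm does not bother to forge any Received: lines at all.
SUSPECT_PLAIN = SUSPECT_FORGED.replace(FORGED_LINE, "")

if __name__ == "__main__":
    good = parse(KNOWN_GOOD)
    for label, raw in (("plain", SUSPECT_PLAIN), ("forged", SUSPECT_FORGED)):
        m = parse(raw)
        print(label, dangerous_attachment_names(m),
              origin_matches(m, good), chain_breaks(m))
```

Run on the samples, the plain joe job fails the origin comparison outright (its first receiving server is the recipient's MX, not the customer's ISP), while the forged one passes it because the copied line supplies the right ISP host; the continuity check then reports a break at hop 0, where the copied line's "by smtp.customer-isp.example" does not match the "from cable-203-0-113-9.other-isp.example" of the relay that really injected the message. Treat a break as a prompt to look closer rather than proof, since legitimate servers sometimes log themselves under a different name than the next relay records.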
Don't worry about me getting a virus - I use Ximian's Evolution on Linux - looks like Outlook but has none of the security problems ;)