The Plague of Viruses That Send Email with Forged "From:" Fields
by Bruce P. Burrell (bpb@umich.edu)
for the U-M Virus Busters (virus.busters@umich.edu)
Last significant update: 1 April 2004
This information can be freely reproduced in any medium, as long as the
information is unmodified.
For more information on forged spam, see e.g., our Forged Spam Page, on which this page is originally based.
Since 2002, most viruses that generate email have forged their
From: field -- in other words, the email appears to come
from someone who is not actually the originator of the email.
It was, in fact, originated by a virus on a completely unrelated system.
The only relationship is that the email address of the recipient and that
of the forged sender have both been harvested from the compromised
computer.
First, an important fact:
If your name is forged as the sender of the virus
this does not mean that your account has been compromised. The
email is not sent from your account; instead, it is sent forged in
your name. [You may be infected with something, of
course, and it is prudent to check. But if you use top quality antivirus
software and keep it up-to-date, you almost always will not be the victim
of this or any other virus.]
Here's what happens, in brief:

1. A virus infects a computer.

2. The virus searches the computer and harvests a list of supposedly
   valid email addresses.
   - The virus creates many messages -- using addresses from the
     harvested list both to select recipients, and also to use as the
     forged From: address.

   The "main victim" here is the person whose computer is infected,
   but victims also include those in whose name the email is forged:
   their good name is besmirched by the virus. The people who receive
   the virus are victims as well -- if not by being infected, then by
   the load it puts on their mailboxes.

3. If an address to which the virus is sent is invalid,
   - Email server software will generate a rejection notice (for each
     such address), saying that the email cannot be delivered to the
     intended recipient.
   - That rejection message will be sent to the apparent "sender" of the
     original email -- but the email server software usually isn't clever
     enough to recognize that the email is forged.... Hence it comes to
     the person whose email address was forged in Step 2 above.
     Software designed to handle invalid email addresses is not intended
     to be able to handle forgeries, or viruses. We should be forgiving
     of this software's foibles.
   - All too often, if the email contained an infected attachment, the
     virus is included in the returned message.
   - The "forge-ee" gets mysterious copies of bounced emails that s/he
     didn't send....
   - An example may make this clearer:
     - Person A's computer gets infected by a virus that sends forged
       email.
     - The virus harvests an address for Person B, and also an invalid
       address for, say, <bogus_address@some_company.com>.
     - The virus sends email from Person A's computer, forging it from
       Person B's address, and sending it to
       <bogus_address@some_company.com>.
     - some_company.com's email gateway says "Hey, we don't have anybody
       here with an address of <bogus_address@some_company.com> -- I
       must send a DSN (Delivery Status Notification) to the sender."
     - some_company.com's email gateway looks at the From: field, and
       sends email to the apparent sender -- Person B's email address.
     - Person B gets the email and says "What the heck is this?? I never
       sent this email!"
     - If an infected attachment is contained in the email and Person B
       is foolhardy, s/he may open the attachment "just to see what it
       is" and thereby infect his or her machine. Some viruses actually
       generate email that looks like a gateway rejection notice, just to
       try to achieve this result.

   For years and years, I've been saying

       NEVER ACCEPT UNSOLICITED ATTACHMENTS, even from those you know
       and trust.

   Since viruses that forge email came along, I've had to change this to
   say

       NEVER ACCEPT UNSOLICITED ATTACHMENTS, not even when it appears to
       be from those you know and trust. Not even if it appears to be
       from yourself!

   Now you know why.

4. If an address to which the virus is sent is valid, but the
   recipient's email gateway scans for viruses,
   - The email probably will be detected and the recipient will be
     protected. This is a Good Thing.
   - Unfortunately, many email gateways (but not U-M's, of course!) are
     configured to send "warning" messages when a virus is received.
     These may go both to the intended recipient (probably not very
     common any more) and to the supposed "sender". But usually the
     software on the email gateway is not intelligent enough to recognize
     that the From: address is forged, so the "warning" message gets sent
     to the supposed sender.
   - In effect, the antivirus software on the email gateway spams the
     person whose email address is forged, and sows confusion and anxiety
     along the way.
   - Unlike the software that handles invalid addresses, antivirus email
     gateway software has absolutely no excuse not to recognize email
     forged by viruses. We should be completely unforgiving of such
     software.
   - We should be similarly unforgiving of system administrators who have
     misconfigured antivirus software on the email gateway -- but of
     course, we do need to give them a fair chance to fix their mistakes
     before we shower our opprobrium upon them: it's hard to fix
     something if you don't know it is broken, and I can assure you that
     sysadmins are usually too busy to have much time to think about such
     niceties after the scanner has been installed. But do tell them!
     Otherwise, they WON'T fix it.
   - Usually, the virus is deleted from the returned email. But not
     always: some email gateway scanners are configured in incredibly
     stupid ways....
   - Again, the "forge-ee" gets mysterious emails, this time saying that
     s/he is infected with something that, in fact, s/he is not.
   - Another example to illustrate this case:
     - As above, a virus that forges email infects Person A's computer.
     - The virus harvests valid addresses for Person B and Person C.
     - The virus sends email to Person C forged with Person B's address.
     - Person C's ISP traps the virus, and sends a mis-directed alert to
       Person B that Person B's computer is infected with a virus. [The
       report actually should go to the ISP of Person A's computer.]

5. Finally, we have the case where the virus sends forged email to a
   valid address, and the email reaches the intended recipient.
   - Clearly this is a Bad Thing -- the recipient is put at risk.
   - With any luck, the recipient has antivirus software and the email is
     deleted before the recipient even knows that the email exists.
   - Often, however, the antivirus software will pop up a warning on
     Person C's computer saying that the email "from" Person B contains a
     virus. If Person C now makes contact with Person B to say "Hey! You
     sent me a virus!!", Person B is likely to be confused. After all,
     Person B didn't send email to Person C, let alone a virus. But
     Person B probably will be diligent and scan the computer ... and
     find nothing. "What the !@#$%^???", says Person B.
   - If the virus actually reaches the recipient, the forged email may
     try all sorts of tricks to get the virus installed on the
     recipient's system. These include trying to exploit unpatched
     vulnerabilities in the recipient's email software or operating
     system; "social engineering": trying to convince the recipient that
     the email contains a fix for a security flaw or a virus
     prevention/removal tool; or just dumb luck... that the recipient
     will do something careless that causes the machine to be infected.
   - Of course, a cautious recipient won't be afflicted by any of these
     things. Instead, the recipient will
     - just delete the email, or
     - contact the apparent sender by a means other than or in addition
       to email, saying "Did you send me email that says <whatever>? If
       so, why did you send it? What does it contain? Did you scan it for
       viruses? Is your antivirus software using the most recent virus
       definitions?" -- and then open the attachment only if the human on
       the other end of the phone is able to convince Person C that the
       attachment is wanted and uninfected, or
     - at least wait 24 hours or longer to open the attachment, to give
       antivirus software a chance to "catch up", or
     - if technically inclined, examine the full email headers and
       forward an abuse report to the appropriate ISP or the recipient's
       support staff.
Why do viruses use forged "From:" fields?? I don't know, but I suspect
that it is their hope that email from a "real" address -- possibly a known
one, since both addresses are on the same computer -- is more likely to be
trusted by the recipient than email from a fake name. Perhaps it's so
that bounced email doesn't go directly to postmasters, who would get the
accounts cancelled more quickly. Who knows? In the final analysis, it
doesn't matter -- what does matter is that this is what most viruses that
send email are actually doing.
A few points:
- This original email sent by the virus -- that from the compromised
  machine to the recipient -- contains information that shows where
  the email originates. With proper analysis -- see e.g., links on our
  antispam page -- one can complain to the ISP of the compromised
  machine and probably get the victim's account disabled until the
  virus is removed and the system is secured. In particular, the "full
  email headers" show where the email originated.
- Unfortunately, the email "bounces" generated in (3) above and the
  "You are infected" false alarms generated in (4) above do not always
  contain this full email header information. [That's a pity -- but it
  does seem that more often than not, email server software does
  include these data in the rejection message, while antivirus gateway
  rejections are much more of a mixed bag: some include the info, some
  don't.]
- Moreover, getting the victim's account disconnected from the Internet
  does not necessarily stop the abuse of your email address: there may
  be other infected machines out there that have your address on them.
  Probably the virus isn't picking on a particular address with any
  malice toward that individual, but it sure won't look that way to the
  recipient of a zillion emails!
- Reprise: Note that if your name is forged as the sender of the virus
  this does not mean that your account has been compromised. The email
  is not sent from your account; instead, it is sent forged in your
  name.
- If you want confirmation that you aren't the infected party, use top
  quality antivirus software -- and make sure you are using its most
  recent engine and virus definitions.
  In this regard, you may find NAI's free Stinger (leaving our site)
  tool useful. Note that Stinger covers only about 40 of the more than
  87,000 viruses out there, and it can only detect and (usually) repair
  and remove; it does not protect. That said, it is excellent at
  removing those few nasty viruses, and at this writing (1 April 2004,
  but no April Fools here) it handles most of the viruses that forge
  their From: field.
- Until the laws change so that: there's not much you can do about
  this, other than report the email to the REAL victim's ISP. Remember,
  the email probably is entirely external to U-M (or your email
  provider) so we can't help you ... much though we'd love to eradicate
  viruses! For example, neither the victim nor the recipient has a U-M
  account. Hence the U (or your ISP) isn't involved with the email in
  any way ... so it can't be blocked or otherwise prevented on the
  University email servers (because the original virus never goes
  through them).
  It sucks. But to some degree, that's just the way email is.
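The two points above about full email headers (the Received: chain in the original message shows where it really came from, and a bounce is only useful if the gateway attached that original) can be turned into a check the "forge-ee" can run on a bounce. The following is an added example, not code from the Virus Busters page: it builds a constructed DSN in the RFC 3464 multipart/report layout around a constructed original message, walks the original's Received: headers from the oldest hop upward, and reports whether the first hop was one of "our" mail servers (a genuine bounce of our own mail) or some unrelated machine that forged our address (backscatter). Every host name, address and IP here is made up; OUR_NETWORKS stands in for whatever the forge-ee's real outgoing servers are.

```python
"""Walk the Received: chain of the original message attached to a bounce
(DSN) to see where it really originated. Added example, not part of the
Virus Busters page; all hosts, addresses and IPs below are constructed."""
import email
import ipaddress
import re
from email.utils import parseaddr

# Constructed: the outgoing mail servers of "our" domain (univ.example,
# the domain whose address was forged).
OUR_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed: the original message as some_company's gateway attaches it
# to the DSN. Each hop prepends its own Received: line, so the bottom-most
# one records the machine that first handed the message over: an ISP
# dial-up host, not a univ.example server, although From: claims Person B.
FORGED_ORIGINAL = """\
Received: from mx.some_company.example (mx.some_company.example [192.0.2.10])
\tby gateway.some_company.example with ESMTP id abc123
\tfor <bogus_address@some_company.example>; Thu, 1 Apr 2004 10:00:02 -0500
Received: from personB-pc (dhcp-23.isp.example [198.51.100.23])
\tby mx.some_company.example with SMTP id xyz789; Thu, 1 Apr 2004 10:00:00 -0500
From: Person B <person_b@univ.example>
To: bogus_address@some_company.example
Subject: Hi
Message-ID: <0001@personB-pc>

(body omitted)
"""

# Constructed: the same message as it would look had Person B really sent
# it through univ.example's outgoing server.
GENUINE_ORIGINAL = FORGED_ORIGINAL.replace(
    "from personB-pc (dhcp-23.isp.example [198.51.100.23])",
    "from mail.univ.example (mail.univ.example [203.0.113.5])")


def wrap_in_dsn(original_raw):
    """Build a multipart/report DSN (RFC 3464 layout) around an original.
    The null Return-Path is how real DSNs announce themselves."""
    return (
        "Return-Path: <>\n"
        "From: Mail Delivery System <MAILER-DAEMON@some_company.example>\n"
        "To: person_b@univ.example\n"
        "Subject: Undelivered Mail Returned to Sender\n"
        "Content-Type: multipart/report; report-type=delivery-status;"
        ' boundary="B1"\n\n'
        "--B1\nContent-Type: text/plain\n\n"
        "<bogus_address@some_company.example>: User unknown\n"
        "--B1\nContent-Type: message/delivery-status\n\n"
        "Reporting-MTA: dns; gateway.some_company.example\n\n"
        "Final-Recipient: rfc822; bogus_address@some_company.example\n"
        "Action: failed\nStatus: 5.1.1\n"
        "--B1\nContent-Type: message/rfc822\n\n"
        + original_raw + "--B1--\n")


def received_hops(msg):
    """(claimed hostname, connecting IP) per Received: line, oldest first.
    Lines below the first one written by a server you trust can themselves
    be forged by the sender; here we take some_company's lines at face value."""
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        host = re.search(r"\bfrom\s+(\S+)", hdr)
        ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hdr)
        hops.append((host.group(1) if host else None,
                     ip.group(1) if ip else None))
    return hops


def analyse_bounce(dsn_raw, our_networks=OUR_NETWORKS):
    """Decide whether a DSN is a genuine bounce of our own mail or
    backscatter from a message somebody else sent in our name."""
    dsn = email.message_from_string(dsn_raw)
    original = next((p.get_payload(0) for p in dsn.walk()
                     if p.get_content_type() == "message/rfc822"), None)
    if original is None:
        # The gateway did not attach the original: nothing to analyse.
        return {"has_original": False, "verdict": "no headers to analyse"}
    hops = received_hops(original)
    host, ip = hops[0] if hops else (None, None)
    sent_by_us = ip is not None and any(
        ipaddress.ip_address(ip) in net for net in our_networks)
    from_addr = parseaddr(original.get("From", ""))[1]
    return {
        "has_original": True,
        "from_domain": from_addr.rpartition("@")[2].lower(),
        "origin_host": host,
        "origin_ip": ip,
        "sent_by_us": sent_by_us,
        "verdict": ("genuine bounce" if sent_by_us
                    else "backscatter: we never sent it"),
    }


if __name__ == "__main__":
    for label, original in (("forged", FORGED_ORIGINAL),
                            ("genuine", GENUINE_ORIGINAL)):
        print(label, analyse_bounce(wrap_in_dsn(original)))
```

The first hop of the forged sample is a dial-up host at an unrelated ISP even though From: says univ.example, so the DSN is classified as backscatter; the genuine variant's first hop is one of OUR_NETWORKS and is reported as a real bounce. A DSN with no attached original, which the page notes is common with antivirus gateway rejections, yields no verdict at all, which is exactly the "pity" described above.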
A Short List of Viruses That Forge Email
This is not intended to be all-inclusive -- but here are a few viruses
that forge email. In fact, these few probably generate the majority of
the email generated by all viruses combined.
When there are several viruses in a particular virus family, sometimes
not all of those viruses forge email. But we won't bother with such nuances
here. The U-M URLs below don't cover whole families of viruses -- just
one or two. Again, that's just a detail. See the antivirus vendor Virus Library URLs below for a more complete
picture.
The
Netsky family (leaving our site), the Bagle
family, the Mydoom family, the MyMail
family (leaving our site), the Klez
family, the Bugbear family, the Braid
virus, the Sobig family, and the Swen virus
all forge email. For the consequences, see our Virus Mail Storm URL.
For technical information on viruses, see e.g., NAI's Virus Information Library (leaving our site) or F-Secure's Computer Virus Information
Center (leaving our site).
A Few Closing Thoughts
While it won't help to prevent email forged by viruses on someone
else's computer, at least you can protect your own. U-M folks can benefit
from the University's site-licensed
antivirus software.
It comes as no surprise that both spammers and those who write and
distribute viruses and other malware would use the same scumbag
techniques. They are a blight upon the planet. Again, see
Forged Spam URL for more information about (you guessed
it) forged spam.
If you want to pass this information along to others, I suggest that you
provide a pointer to this URL
(http://www.umich.edu/~virus-busters/forged_from.html) . That way,
the information will be most current.
For virus or hoax info, please see our main page
(http://www.umich.edu/~virus-busters/) or go to another reputable site,
like The Urban Legends Reference Pages (leaving our site).
-BPB
Last updated: Monday, 05-Apr-2004 23:59:00 EDT.
University of Michigan Virus Busters - virus.busters@umich.edu