I’ve already posted something about this chainletter [http://www.eset.com/threat-center/blog/?p=112], but figured it was worth expanding on which parts of it are useful and which aren’t.
A friend who is a computer expert received the following directly from a system administrator for a corporate system.
This kind of opening is characteristic of many hoaxes and urban legends (we sometimes use the acronym FOAF, for Friend Of A Friend, to describe the fact that the person to whom whatever it is actually happened is always someone the sender doesn’t know personally, someone a few links down the chain of forwarders). Assumptions here are that:
- Invocation of expertise and authority, even though the individuals concerned are totally anonymous and may or may not exist at all, corroborates the authenticity of the message. Making it two "experts" rather than one is a nice touch.
- Being a "computer expert" or a system administrator makes you an expert on spam, malware and so on. Actually, many people who may fit the "computer expert" description in some senses and/or do administer systems perfectly competently, nevertheless know less than you might think about the specifics of security. In fact, in my years as a security analyst, sysadmin, and security manager, I came across many instances where IT staff, system managers, support staff, even security specialists, nevertheless distributed poor or misleading information, even hoax emails. Remind me to tell you sometime about what Rob Rosenberger calls "False Authority Syndrome".
It is an excellent message that ABSOLUTELY applies to ALL of us who send e-mails.
Of course it is and does. I just read it on the Internet. 
Please read the short letter below, even if you’re sure you already follow proper procedures.
I’m sure of nothing but how little I know. But I’m always ready to learn. 
Do you really know how to forward e-mails? 50% of us do; 50% DO NOT.
And 97.6935% of statistics are made up on the spot.
Do you wonder why you get viruses or junk mail? Do you hate it?
I think that’s called a rhetorical question. And rhetoric is what you use to sell an idea to people who are easier to persuade with psycholinguistics than with logic and pure fact. :-/
Every time you forward an e-mail there is information left over from the people who got the message before you, namely their e-mail addresses & names. As the messages get forwarded along, the list of addresses builds, and builds, and builds, and all it takes is for some poor sap to get a virus, and his or her computer can send that virus to every e-mail address that has come across his computer.
Well, there’s some truth in this. A message that’s forwarded does contain header information that can include the email addresses of other individual recipients, and it is possible for malware to scan a hard disk for addresses to send itself to, or for spamming purposes. But the steps listed here make virtually no difference in that respect, except to mislead those of us who aren’t particularly computer-literate.
Or, someone can take all of those addresses and sell them or send junk mail to them in the hopes that you will go to the site and he will make five cents for each hit. That’s right, all of that inconvenience over a nickel!
Well, taken as a whole, it’s a great many nickels. Unfortunately, though, this is far from the only (or even the most common) means by which spammers harvest addresses. So this isn’t going to fix the spam problem (or even just your spam problem) any more than all the other instant fixes of the past 10-20 years.
How do you stop it? Well, there are several easy steps:
The 11th Law of Data Smog: "Beware stories that dissolve all complexity." ("Data Smog", by David Schenk, Abacus 1997)
(1) When you forward an e-mail, DELETE all of the other addresses that appear in the body of the message (at the top).
Well, that’s often good netiquette. Many people forward or reply to messages without editing them at all, which can result in unnecessarily long and difficult-to-read messages. However, email addresses are often listed in the body of the message in a form that doesn’t give spammers anything to harvest. For instance:
> —–Original Message—–
> From: David Harley
> Sent: 07 March 2008 10:28
> Subject: bcc test
>
>
>
>
> –
> David Harley
> Research Author
> ESET, LLC
That’s right, DELETE them. Highlight them and delete them, backspace them, cut them, whatever it is you know how to do. It only takes a second.
And leaves the headers intact. But at least it shortens the message, and, if you’re careful about -what- you delete, may make it more readable.
If you want to strip the superfluous addresses from the headers, the easiest way is to paste the parts of the message you want to forward into a new message. By the way, if you’re not familiar with email headers, here’s a shortened version of a set of headers (with some of the detail edited).
Received: from DAVID ( [xxx.xxx.xxx.xxx])
by mx.google.com with ESMTPS id d38sm3486984and.17.2008.03.04.07.19.37
(version=SSLv3 cipher=RC4-MD5);
Tue, 04 Mar 2008 07:19:39 -0800 (PST)
Reply-To: <someone@somewhere.com>
From: "Joe Bloggs" <someone@somewhere.com>
To: "’Josephine Bloggs’" <someoneelse@somewhereelse.com>
X-ASG-Orig-Subj: FW: News
Subject: FW: News
Date: Tue, 4 Mar 2008 15:19:30 -0000
Message-ID: <005801c87e0b$25dc6540$4101a8c0@DAVID>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="—-=_NextPart_000_0059_01C87E0B.25DC6540"
X-Mailer: Microsoft Office Outlook 11
You MUST click the "Forward" button first and then you will have full editing capabilities against the body and headers of the message. If you don’t click on "Forward" first, you won’t be able to edit the message at all.
Well, it’s true you can’t usually edit the original of a message that you’ve received until you forward it, reply to it etc.
(2) Whenever you send an e-mail to more than one person, do NOT use the To: or Cc: fields for adding e-mail addresses.
What the writer doesn’t seem to have remembered is that often you actually want to share addresses! Also, blind copied mail can actually confuse the recipient.
Always use the BCC: (blind carbon copy) field for listing the e-mail addresses. This is the way the people you send to will only see their own e-mail address.
That isn’t automatically a good rule for every occasion. For a start, it’s exactly what a lot of spam messages do, which means that some crude filters may automatically reject it.
If you don’t see your BCC: option click on where it says To: and your address list will appear. Highlight the address and choose BCC: and that’s it, it’s that easy.
That depends on which mail client you use, actually. But it does (kind of) happen if you use Outlook, give or take a menu or two and one or two other variables.
When you send to BCC: your message will automatically say "Undisclosed Recipients" in the "TO:" field of the people who receive it.
There’s nothing automatic about it. It depends on a number of variables. Which casts doubt on the "expertise" of the person who wrote this. But maybe the point is to appear authoritative, rather than informative?
(3) Remove any "FW :" in the subject line. You can re-name the subject if you wish or even fix spelling.
Hopefully, someone will explain to me how this reduces virus/spam dissemination. What am I missing?
(4) ALWAYS hit your Forward button from the actual e-mail you are reading.
Well, that’s one way of getting to edit it, but ALWAYs is a BIG WORD.
Ever get those e-mails that you ha ve to open 10 pages to read the one page with the information on it? By Forwarding from the actual page you wish someone to view, you stop them from having to open many e-mails just to see what you sent.
That’s a netiquette issue. Perhaps this is one of those instances of a hoax mail intended to reinforce "good" practice, but unless we get the chance to talk to the anonymous originator, we may never really know. Certainly it would be nice if people sometimes removed the unnecessary bits of email they reply to or forward.
(5) Have you ever gotten an email that is a petition?
Of course. A few of them have constituted serious chain letter hassle, and they’re not generally a good idea. There’s a place for electronic petitions, but not in the form of chain letters, which are hardly ever justified.
It states a position and asks you to add your name and address and to forward it to 10 or 15 people or your entire address book. The email can be forwarded on and on and can collect thousands of names and email addresses.
That’s a rough and ready definition of a chain message. I’ll come back to that thought at the end.
A FACT: The completed petition is actually worth a couple of bucks to a professional SPAMMER because of the wealth of valid names and email addresses contained therein.
So such a petition is (1) a professional spamming exercise (2) only going to make a couple of bucks difference to the spammer? Hmmm… But I have seen chain letters that appeared to be intended for address-harvesting purposes.
If you want to support the petition, send it as your own personal letter to the intended recipient. Your position may carry more weight as a personal letter than a laundry list of names and email address on a petition. (Actually, if you think about it, who’s supposed to send the petition in to whatever cause it supports? And don’t believe the ones that say that the email is being traced, it just ain’t so!)
Certainly there are problems administering a petition by email: it may be much better to do it by way of a web form, for instance.
(6) One of the main ones I hate is the ones that say that something like, "Send this email to 10 people and you’ll see something great run across your screen." Or, sometimes they’ll just tease you by saying something really cute will happen. IT AINT GONNA HAPPEN!!!!!
Poor cynical chap. People are always sending me cute stuff. I don’t always want them to, but that’s another issue.
(Trust me, I’m still seeing some of the same ones that I waited on 10 years ago!) I don’t let the bad luck ones scare me either, they get trashed. (Could be why I haven’t won the lottery??)
Those "if you don’t forward this you’ll have bad luck" messages are sometimes referred to as "St Jude letters", after a particular example: Richard Dawkins, among others, has written about them in some detail. They are, in fact, pointless and mildly evil…
(7) Before you forward an Amber Alert, or a Virus Alert, or some of the other ones floating around nowadays, check them out before you forward them. Most of them are junk mail that’s been circling the net for YEARS! Just about everything you receive in an email that is in question can be checked out at Snopes. Just go to www.snopes.com/
An excellent resource. I recommend it.
Its really easy to find out if it’s real or not.
Unless it’s a new one. And hoaxers can be quite inventive: it sometimes takes significant research to establish truth or falsity, even for an expert.
If it’s not, please don’t pass it on.
Even if it is, it’s rarely appropriate to pass on a warning to everyone you know. Well-administered corporates usually forbid this except by people who are explicitly authorized to pass on a warning.
So please, in the future, let’s stop the junk mail and the viruses.
If only it were that easy…
Finally, here’s an idea!!! Let’s send this to everyone we know (but strip my address off first, please). This is something that SHOULD be forwarded.
BANG!!!! Credibility blown to blazes… After all that, it’s just another chain letter, no different to all the other chain letters the author is railing against.
Err… No. It isn’t something that SHOULD be forwarded, thank you. Even if it were much better advice than it actually is, chain letters that turn up again and again don’t usually make up in usefulness for the irritation they cause…
Here’s an idea. Let’s not forward this blog to everyone we know, either. But feel free to post possible hoaxes to hoaxchecker@gmail.com, and I’ll endeavour to confirm that it’s true or false.
David Harley
Research Author
Visit ESET on Facebook
Follow ESET on Twitter