In Search of Lost Malicious E-Mails



  • OH NO MY COMPUTER IS INFECTED WHAT DO I HAVE TO DO THIS IS UNACCEPTABLE!!!!!

    BILL

    -----Original Message-----
    From: hans.adenauer@contoso.de
    Sent: Friday, December 4, 2015 09:17
    To: bill.reed@acmecorp.com
    Subject: Infection

    Dear Mr. Reed,

    After scanning your e-mail we found spyware infections and cookies in it. Please scan your computer for malware.

    Kind regards,

    Hans Adenauer
    System Engineer
    Contoso

    "Multiple exclamation marks," Juan J. thought, shaking his head, "are a sure sign of a diseased mind." (*)

    A quick check of Bill's computer showed it was as healthy as it could be, considering an old Java was installed - the corporate flagship wouldn't work with any version higher than 5u22. Juan asked Bill if he could take a look at his Sent Items to see the malicious e-mail. He could, but the file was not to be seen.

    "Perhaps it deleted itself automatically after being sent," offered Bill helpfully, "like those letters the Stasi used to use before the Wall fell."

    If the e-mail can't be found at the sender, it might still be at the recipient.

    Dear Mr. Adenauer,

    I'm assuming you can't send an infected e-mail back to me, but could you by any chance send me the headers?

    Kind regards,

    Juan J.
    System Engineer
    Moo GmbH

    Only 15 minutes later the headers arrived.

    Dear Mr. J.,

    Attached are the headers for that dangerous e-mail. Please let us remind you to take urgently care of cleaning that system from viri.

    Kind regards,

    Hans Adenauer
    System Engineer
    Contoso

    Juan wondered for a fraction of a second why they had to clean the system from men, but then realized that the plural of virus has always posed people with some trouble.

    Unfortunately, everything in the headers looked normal. Juan thought that the infected e-mail might have been spoofed and actually came from a different source outside of his customer's network. Alas: the e-mail was legitimate. Then his eye fell on the subject line.

    Subject: [ACME Flagship App] Your invoice #548425

    This e-mail wasn't sent from Bill's computer, but from the Big App. This is an Oracle monster that thousands of people use. If this was really infected, that would be a serious disaster. But that system being infected is extremely unlikely, if only because the amount of calls he would have had by then would have been immense. And anyways: how could spyware and cookies come from a system that doesn't browse the internet?

    Dear Mr. Adenauer,

    Thank you for your swift reply. I cannot, however, find anything wrong on our side. Would it be possible to send me the original e-mail?

    Kind regards,

    Juan J.
    System Engineer
    Moo GmbH

    Hans was, admittedly, fast. Another 15 minutes later the e-mail arrived.

    Dear Mr. J.,

    Here it is. Please be careful with it.

    Kind regards,

    Hans Adenauer
    System Engineer
    Contoso

    It was, as expected, a legitimate e-mail from the corporate system. It contained a .zip with 3 PDF files. No spyware, no cookies. If so, it would have probably been blocked by the e-mail scanning appliances on both sides too, one would expect.

    The word 'cookies' dawned on Juan. How could cookies be in an e-mail actually? Something was wrong here.

    Dear Mr. Adenauer,

    I really cannot find any trace of the malware you are referring to. Are you really sure this e-mail was infected and not another one?

    Kind regards,

    Juan J.
    System Engineer
    Moo GmbH

    This time the reply took half an hour.

    Dear Mr. J.,

    Attached is a screenshot from our antivirus. We are disappointed that you seem to doubt our competence.

    Kind regards,

    Hans Adenauer
    System Engineer
    Contoso

    Dear Mr. Adenauer,

    Looking at that screenshot, I think you have confused the content of that e-mail with your own system. Please scan your computer for malware.

    Kind regards,

    Juan J.
    System Engineer
    Moo GmbH

    Juan didn't hear back from them.


    In my series of corporate WTF moments: Confession: Proactive wiring, With love... from Exchange, The Voice Mail of Reason and the 'rampartly' classic Gone Phishing (but written by Lorne).


    (*) We still miss you, Sir Terry :'(


  • Impossible Mission Players - A

    I suppose it's nice that "Bedrohung"s (:giggity:) aren't translated.

