Read This If You Know Me

Somebody out there with my email address in their Outlook address book has some variant of W32.Bagle.* (or something like it) on their machine. I know this because longtime Heathen Ms. “Boom Boom” Brown phoned a couple hours to ago to let me know that I might have this buggar myself, a wholly reasonable suspicion on her part.

Of course, that cannot be the case for a variety of reasons. First, I don’t use Outlook. Second, I don’t even run Windows [1]. These two facts make me almost completely immune from the current crop of virii; few bother to write worms and such for non-Microsoft platforms, and even if they did it would be very, very hard to create the sort of chaos things like Bagle, Blaster, et. al. leave in their wake because of the vastly superior security model at work on Unix-based operating systems (i.e., the other two real choices, Macs and Linux). Frankly, you’re dramatically safer even on Windows if you just stop using Outlook, which is the preferred environment for most of these malware mailings.

Why, then, did she think I was infected? Simple; she got mail that looked like it was from me. Well, here’s where I tell a big secret us Internet people know, but most other folks don’t: just because a mail SAYS it’s from doesn’t mean it actually IS from It is trivially easy to send a mail that appears to be from anyone you like, even from addresses that don’t actually exist. [2]

So, what happened? Someone — probably someone reading this, even — got Bagle in their Outlook, and it did its dirty work by sending mail on the sly out to folks in the victim’s address book. The worm, whatever it was, could and did send copies of itself to those folks, but hid its real origin by using other addresses from the list as the forged “from” entry. (Bagle itself may not have this behavior, some combination of email virus infection and propegation produced the aforementioned forged mail in Ms. Brown’s mailbox.)

As luck would have it, I’ve noticed in the last couple days that another of our cronies, Mr. CEJ, appears to also be the victim of email malfeasance; I’ve gotten mails apparently from him containing what I presume to be destructive-on-Windows payloads; a cursory examination of the mail headers makes it clear that they’re not REALLY from CEJ, but that’s a bit beyond most folks’ ken. [3]

Of course, these terse mailings included weird attachments and none of CEJ’s trademark wit, so it was also obvious without looking at the headers that these were virus-generated mails; what we couldn’t tell from that, though, was where they came from. Had CEJ been the localized “patient zero,” I’d have the same mail, but with headers that showed it coming from Roadrunner. Mr. CEJ may not even have the bug; we can’t tell.

What we can tell is that somebody he knows probably does, and a bit of deduction suggests that this person is known to both of us, and to Ms. Brown as well. This isn’t a particular short list of people, of course, but a good portion of the possible victims read this site. No matter who you are, though, if you’re running Windows and Outlook, make sure you’re not infected. And if you’re running Outlook at all, please don’t put my name or email address in your Contacts list. Use my business card, a Post-It, your Dayrunner, a strategically-placed tattoo, or anything else, but not Outlook. Thanks.


  1. What do I run? My full-time working environment is a Macintosh Powerbook G4; it’s a great machine for ubergeeks, and a great machine for Aunt Millie as well. I keep a PC around for testing and gaming, but I never read mail on it.
  2. This is part of the basic operating system, if you will, of the Internet, and isn’t likely to change anytime soon. It’s also potentially useful; I and others use this aspect of the system to automate newsletters, for example.
  3. Though your mail program probably hides it from you, all emails come with a couple dozen lines called “headers” that document its path through the Net. Real mails from CEJ start at the outgoing mail server available to him inside the local Roadrunner network (i.e., the one his ISP lets him use — typically you may only use the SMTP server of your ISP, and you cannot reach said server from outside their network); the forgeries have no such entries, and in fact feature incomplete headers.

Comments are closed.