Saturday, 20 September, 2003
I checked my email after dinner last night. A few hours later I checked it again and had 70 new messages. PocoMail flagged every one of them as junk mail because all but one of them was a variant of the message claiming to contain the latest security patch from Microsoft. The oddball was a pitch to sell me $100,000 homes for $10,000. As of this evening—24 hours after I first got one of those messages—I had received over 250 of those emails. That's in addition to my apparently meager spam load of about 80 messages per day. Oddly enough, Debra hasn't received even one of these worm emails.
This has gotten totally out of hand. I'm surprised that, after the last 3 or 4 years of worms and viruses, there are still so many people who will unquestioningly run a program that they get via email from an unknown person. Are these the same people who will give their credit card numbers over the phone?
This kind of attack would be much less apt to succeed if the email protocols required end-to-end authentication. If there were no way to get an anonymous message into the system, then it would be very difficult for somebody to start this without getting caught. In addition, people opening their messages could easily check to see if the message really was from Microsoft Support before running the attachment. Laws that prescribe penalties for perpetrators are wholly ineffective at stopping such attacks, because it's very difficult or impossible to prove who sent the message.