If my e-mail inbox is typical of a normal technical user's (and I believe it is), I'm not the only recent recipient of ostensibly security-related e-mail from "Microsoft-like" addresses. The names associated with their SMTP addresses (which never include microsoft.com as the domain name) include: Microsoft Security Division, Microsoft Security Update, Microsoft Security and so forth.
Some such e-mails include innocuous payloads: notifications and pointers to genuine Microsoft bulletins or obvious ads. Other payloads include attachments, some infected with viruses. My e-mail set-up lets me screen incoming messages through a Web interface before I download them, so I can indulge my curiosity when spurious messages arrive.
There are some rules you can (and should) use to determine whether any e-mail that claims to originate from Microsoft is legitimate. It's never safe to assume that such claims are valid, so never open any messages until you apply these simple tests:
- Check the domain name for sender's SMTP address. If the domain name isn't microsoft.com it's an obvious impostor.
- Microsoft never puts attachments in its e-mail messages. If any message that claims to originate from Microsoft includes an attachment, it's an obvious impostor. Instead, Microsoft e-mails include links to updates on their Web site so you can grab executable code from a known, verifiable source.
- The Microsoft Security Response Center includes digital signatures in all e-mail messages and notifications it sends. You can download their PGP key from TechNet (look near the bottom of that page for a download link) to check the signature yourself.
- All Microsoft security bulletins are posted on their Web site, always available there. If in doubt about any e-mail, visit the Web site instead, and check the original source.
Some fake messages are convincing in appearance, language and content but invariably break one or more of the foregoing rules. There's a stunning example of such a fake in Microsoft's own discussion of how to separate genuine e-mails from fake ones. This fake was so convincing, it helped spread the Swen worm, discovered on September 18, 2003.
But if you apply these simple rules to avoid opening bogus Microsoft messages, you will be immune to their sometimes malicious payloads.
Thomas Alexander Lancaster IV is a consultant and author with over 10 years experience in the networking industry, focused on Internet infrastructure.
This was first published in October 2003