Is it fake or is it Microsoft?

If my e-mail inbox is typical of a normal technical user's (and I believe it is), I'm not the only recent recipient of ostensibly security-related e-mail from "Microsoft-like" addresses. The names associated with their SMTP addresses (which never include microsoft.com as the domain name) include: Microsoft Security Division, Microsoft Security Update, Microsoft Security and so forth.

Some such e-mails include innocuous payloads: notifications and pointers to genuine Microsoft bulletins or obvious ads. Other payloads include attachments, some infected with viruses. My e-mail set-up lets me screen incoming messages through a Web interface before I download them, so I can indulge my curiosity when spurious messages arrive.

There are some rules you can (and should) use to determine whether any e-mail that claims to originate from Microsoft is legitimate. It's never safe to assume that such claims are valid, so never open any messages until you apply these simple tests:

  • Check the domain name for sender's SMTP address. If the domain name isn't microsoft.com it's an obvious impostor.
  • Microsoft never puts attachments in its e-mail messages. If any message that claims to originate from Microsoft includes an attachment, it's an obvious impostor. Instead, Microsoft e-mails include links to updates on their Web site so you can grab executable code from a known, verifiable source.
  • The Microsoft Security Response Center includes digital signatures in all e-mail messages and notifications it sends. You can download their PGP key from TechNet (look near the bottom of that page for a download link) to check the signature yourself.
  • All Microsoft security bulletins are posted on their Web site, always available there. If in doubt about any e-mail, visit the Web site instead, and check the original source.

Some fake messages are convincing in appearance, language and content but invariably break one or more of the foregoing rules. There's a stunning example of such a fake in Microsoft's own discussion of how to separate genuine e-mails from fake ones. This fake was so convincing, it helped spread the Swen worm, discovered on September 18, 2003.

But if you apply these simple rules to avoid opening bogus Microsoft messages, you will be immune to their sometimes malicious payloads.

Thomas Alexander Lancaster IV is a consultant and author with over 10 years experience in the networking industry, focused on Internet infrastructure.

This was first published in October 2003

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.