"Removed" content from Email replies. Where does it go?



Billy T
14-02-2003, 11:41 AM
Hi Team

For some time now I have been the recipient of a series of emails carrying the Yaha virus.

I usually delete them and that's the end of that, but they have reached annoying levels so I decided to reply to the spoofed address on the basis that for me to be receiving them, he must be in the actual sender's address book along with my address.

Working on the principle that if you do nothing, nothing happens, I emailed this person and suggested that he send a note to everybody in his address book asking them to do an online scan for virii. I thought that was a reasonable action given that it is his good name that cops the flak if one of these emails infects one of his friends' or clients' computers.

Before replying to his email, I used the right click/remove function to delete the virus, and therein lies the question:

Where does that virus package go after removal? I checked the recycle bin and it is not there, so is it still lurking somewhere in my Outlook 2000 files?

Cheers

Billy 8-{) :|

PS If he does send a broadcast email, is it likely to hit the source or could the spoof address used be several times removed from the actual infected computer? I always believed that a direct connection must exist between the infected computer, the spoofed sender address and the recipient.

Gordon.
14-02-2003, 02:18 PM
In reply to your last question, Billy, I was of the understanding that the spoofed address could be several/many times removed from its source, because some of these new viruses can copy and use the address from your inbox, etc., so if your messages have been forwarded on and never cleaned up anywhere along the way, then your address could have been picked up from there.

The message header information can sometimes give a clue about the location of the infected user. As you will be aware, the sender (spoofed) could be abc@xtra but the message header info could indicate the source as being sent from someone in Australia or Thailand, for example.

All the more reason to promote the use of BCC, but all too often it falls on deaf ears.
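
Added example, not part of any post in this thread: a Python sketch of the header check described above, which walks the `Received:` chain of a message and compares the host that first handed the mail over with the domain claimed in `From:`. The sample message, its `.example` domains and documentation IP addresses are constructed, and the `Received` layout the regex expects is an assumption (real servers vary).

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (documentation IPs and .example domains).
RAW = """\
Received: from mx.recipient-isp.example (mx.recipient-isp.example [198.51.100.10])
\tby mailstore.recipient-isp.example with ESMTP id A1; Fri, 14 Feb 2003 11:30:05 +1300
Received: from smtp.relay.example (smtp.relay.example [203.0.113.25])
\tby mx.recipient-isp.example with ESMTP id B2; Fri, 14 Feb 2003 11:30:02 +1300
Received: from desktop-pc (dialup-77.isp-far-away.example [192.0.2.77])
\tby smtp.relay.example with SMTP id C3; Fri, 14 Feb 2003 08:29:58 +1000
From: "Stu" <abc@example.org>
To: billy@recipient-isp.example
Subject: look at this

body
"""

# "from HELO (rdns [ip]) by server": a common Received layout, not the only one.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[0-9A-Fa-f.:]+)\]\)"
    r"\s+by\s+(?P<by>\S+)")

def received_hops(msg):
    """Return parsed Received hops, oldest first (each server prepends its own)."""
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(" ".join(value.split()))  # unfold continuation lines
        if m:
            hops.append(m.groupdict())
    return hops[::-1]

def origin_report(raw):
    """Compare the claimed From domain with the host that first handed the mail over."""
    msg = message_from_string(raw)
    hops = received_hops(msg)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    first = hops[0] if hops else {}
    host = (first.get("rdns") or "").lower()
    related = host == from_domain or host.endswith("." + from_domain)
    # Hops below your own provider's servers are sender-supplied and can be forged;
    # treat the result as a lead, not proof.
    return {"from_domain": from_domain, "origin_ip": first.get("ip"),
            "origin_host": host, "accepted_by": first.get("by"),
            "hop_count": len(hops), "mismatch": bool(hops) and not related}

if __name__ == "__main__":
    print(origin_report(RAW))
```
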

Billy T
14-02-2003, 03:06 PM
Hmmmm.....

Thanks Gordon

My address is not associated in any other way than as the recipient, however my unwanted correspondent "Stu", who started off with polite suggestions that I look at things he had sent me, but has progressed to telling me he loves me (now that our relationship has matured, or could that just be a Valentine's Day special?) is the only source so it seems to be a virus lodged in one of his friends' or colleagues' computer.

I checked the internet headers each time and they remain the same. They identify only this person and my email service provider.

I can live with it I guess, but I still want to know where the deleted attachment goes.

Cheers

Billy 8-{)

Graham L
14-02-2003, 03:59 PM
It's reasonable that the scanner writers would make "delete" delete a virus, rather than putting it in the Bin, where you could "accidentally" restore it. If you can unconditionally delete a file with shift/delete, there will be an option to a system call to do that.

Computer viruses can act like Cupid's arrows? :O So you can use a computer and still get a life. :D

Billy T
14-02-2003, 05:23 PM
It wasn't deleted by a virus scanner Graham.

In Outlook, when you reply to an email the original text is sent with it and appears as an icon below the message you are typing. Right clicking on this icon gives you the option to "remove" it so that you don't send their original message back. I usually do this on all email replies because I dislike the huge message strings that build up over a few toing and froings. I also removed it as a courtesy to the person whose email address it hijacked in case they got caught by it when they opened my message.

So, when I "removed" it, the virus disappeared but what I still want to know is where it went.

Graham L
14-02-2003, 05:41 PM
I suppose I was thinking more of something like an enclosure which would be saved as a file.

The content is just octets in memory. It's easily deleted: just modify the pointers. It's still in memory (if you start an AV programme which scans memory, it will find it), but it won't be saved as an accessible part of a saved version of the outgoing email. (Part of it might be written to disk, if it comes between the "end" of the file and the cluster boundary. Again, the end of file marker/EOF pointer will exclude it from "normal" access.)

Heather P
14-02-2003, 05:52 PM
Billy, have you ever thought that when you delete it it might actually be ... er ... deleted?

In the early days such things as recycle bins didn't exist. Once you hit delete that was it (unless you were very fast and could extract stuff off the disk before you overwrote that sector).

As a forwarded email already saves the attachment in the original it's quite possible that as there is little need to save it a second time it just goes without the restore option.

But a way to check would be to Start; Search; Files and computers and use the filters to limit the search to the date and time.

Billy T
14-02-2003, 06:45 PM
Hi Heather

Yes I did consider that, and it is my optimum outcome :D

It was only after I started to think about it that I began to wonder where it went, and whether it was hanging around somewhere.

My automatic Friday night AV scan starts in a few minutes so I'll be interested to see if it is detected.

Cheers

Billy 8-{) :|

mikebartnz
14-02-2003, 11:03 PM
From what you have said it has disappeared completely from that email and not to the recycle bin but it will still be in the original email.