mIRC Script.INI security flaw (IBM virus alerts)

Public links to this specific article:
http://www.korova.com/virus/hoax980101.htm
Also: this page, print-friendly

Got a question? Try
"The FAQ du Jour"

January 1, 1998     

It was a quiet year, 1997, according to Rob Rosenberger, host of the Computer Virus Myths home page. Still, the Christmas season warmed up the yuletide hoax pudding a bit.

Still. People are taken in by bullshit, and companies embarrass themselves by publishing old, inaccurate or erroneous information (or all of the above). For instance, in a cautionary "notice" about e-mail virus hoaxes, Mirabilis included a warning against any "HTML mail-message, linking to a gif/jpeg file, which has a virus in it." Sorry, it's an old April's Fool joke, JPEG images can't harbor viruses. Mirabilis was hit with a virus hoax themselves, in the form of a rumor of viruses passed around with their ICQ "wwpager" and chat software.

In other corners of the Net, a security flaw in a popular Internet Relay Chat (IRC) client blossomed into a full-fledged (though half-baked) "AN AN AS" virus scare. Another turkey takes flight. Turns out that, like e-mail attachments, certain versions of the mIRC client have a flaw that allows someone to send a SCRIPT.INI file which could behave maliciously on the recipient's system, and even spread to other users. (Read more at left, "In Other News....")

More intriguing to me is the continuing hallucination by "e-j-mailers" that Netizens are willing to tolerate, are even enthusiastic about, unsolicited commercial e-mail (UCE) in their Inboxes. Most surveys indicate grass roots support for ritualistic genital mutilation of those who generate revenue by clogging the bandwidth and systems with unwelcome spam. But e-j-mailers like Sanford Wallace (Cyber Promotions) evoke such erroneous American issues as free speech and the free enterprise system to justify their antagonistic use of the Net.

Today's example, class (prepare to suspend your disbelief):

As reported on CNN Interactive, the National Organization of Internet Commerce (NOIC) had threatened to reveal 1 million American Online (AOL) customer addresses on Janurary 1, 1998, in a clearly childish attempt to harrass AOL over what the NOIC claims are AOL's anti-small business practices.

NOIC president Joe Melle would have you believe that AOL's aggressive actions (legal and technical) to block e-j-mail to AOL's users as an effort to put small Internet businesses out of business, by denying them the UCE method of commerce. "Our goal is to protect [business owners'] Civil rights and their right of free speech." [NOIC home page.] As reported by CNN, "[Melle] told the Los Angeles Times that barring the use of affordable bulk e-mail on the network would prevent small business from gaining access to as many as half the regular users of the Internet." He doesn't stop there; the NOIC claims that ISPs' and online services' blocking of spam is "unconstitutional."

Their solution? A threat to publicly post 1 million AOL users' addresses on the NOIC web site on January 1, 1998, so that ANYONE can download the names and bombard the third party victims, AOL users, with even more e-j-mail. Gee, that'll show 'em.

On Tuesday, December 30, 1997, AOL sent a letter to the kind folks at the NOIC, threatening to "seek full legal redress, including compensatory and punitive damages," if NOIC posted the addresses publicly. [CNN] NOIC's reasoned response? On December 31, 1997, the NOIC promised to post 5 million addresses on their web site (http://www.noic.org/) on January 8, 1998.

In an open letter on the NOIC web site, Mr. Melle wraps himself in the altruistic bedclothes of free enterprise, free speech, service to the consumer, and productive and egalitarian use of the Net. Why then the malicious act of disclosing individuals' private addresses on their web site?

AOL claims this is cyberterrorism. Actually, terrorist acts are random acts against innocents that disrupt the peace of a community, and inspire aggressive law enforcement actions, thereby causing further inconvenience to a populace. All to prove a point. This is extortion. NOIC wants AOL to knuckle under, disarm the firewalls and filters, and let spammers have a field day carpet-bombing users' mailboxes with trash. If AOL doesn't, why then the NOIC will just invite the entire e-j-mailer community to mail-bomb AOL users from all fronts, an action that could cripple or crash AOL's mail services. Pretty ugly, eh?

So what's the Hoax du Jour? As usual, e-j-mailers make the case that they're just a bunch of ethical businessmen (and women) who wanna make an honest buck selling great values directly on the Net. They may also make the case that they're the pioneers of that "online commerce" thing you've been hearing about. Hell, this is American free enterprise at its finest.

Bull. What loudmouths like Sanford Wallace and Joe Melle WON'T tell you is that e-j-mail also constitutes junk mail offering useless products or services, sexual-explicit material or online sites, and even illegal multilevel marketing schemes. There are no credentials required to send e-mail, so anyone can send out something like "$$ Get Rich Quick $$" or "Ever wanted to tie your girlfriend up?" And, contrary to their claims, e-j-mail is not a cost-free resource. Instead of costing the vendor (as in postal junk mail), e-j-mail costs the user in terms of time, bandwidth, disk space, and time to receive, identify and delete unwanted e-mail. E-j-mailers even support lame legistation that protects their activity while shifting the burden of cost and support onto Internet service providers and users [CAUCE].

How to recognize e-j-mail? Here's a quick FAQ:

1. ALL-CAPITAL letters. Lots of them. It's commonly accepted as "shouting" on the Net, but far be it for spammers to learn from twenty years of Internet conventions.
2. Misspellings. Look for mistakes of the junior high school variety.
3. Atrocious grammar. No high school diploma is required to send e-j-mail; maybe you already figured that out.
4. Total absence of any guarantee, warranty, or legal protection.
5. New in 1997: totally insincere paragraphs apologizing "if you didn't want to receive this mailing," and deceptive offers to remove your name by replying to the message. (You won't be removed. You'll just get more e-j-mail. Why? Your reply proves that yours is a valid address with a human using it; the inethical e-j-mailer will smile, lock on and open fire.)
6. Reply-to addresses that are already invalid by the time you receive, and respond to, the e-j-mail.
7. Believe it or not, I get e-j-mail with web URLs that aren't functional. Or for sites that don't work properly in a basic browser. Duh. They spent their money on spam-mail software, not on their product representation.

It's generally agreed upon that e-j-mail isn't remotely ethical by conventional business standards. So ... why would you buy from an inethical business? So why would you even want to read it? And there's the clinch -- most of use don't even want to see it, but we have no choice, it's forced upon us by people like the NOIC's members.

I don't know if there's an end in sight for this e-j-mail nightmare. I can only hope that spamming our elected representatives, and complaining loudly to the Federal Trade Commission (FTC), can awaken legislators to further regulating how these punks abuse the net. And isn't that what a New Year's Day is all about, HOPE?

Update!

January 03, 1998     

As reported Newsbytes, the National Organization of Internet Commerce has backed down. Previously, the NOIC wanted America Online "to sit at the table and talk to us," but I think that what NOIC president Joe Melle REALLY wanted was a lot of publicity.

Melle's company, TSF Marketing ("the leader in Internet marketing"), is the founding member of the NOIC; TSF collects AOL e-mail addresses from chat rooms and other Internet locations used by AOL users. Melle had originally threatened to publicly post 1 million addresses on the NOIC web site. When AOL threatened legal action, Melle increased the threat to 5 million. (A USENET administrator joked online that this would result in a database file that could be as large as 54MB. Could the NOIC handle that kind of traffic?)

In "An Important Letter" posted to the NOIC's web site Friday afternoon, Melle claimed that his group had received "thousands of emails and hundreds of phone calls" supporting his group's goals. Supposedly, many of these messages came from AOL users "who agree with our goals and what we stand for."

Once we can stop marveling at the incredible audacity of Melle's spin control, you have to wonder what kind of logic the man is operating under. His group threatens to disclose private e-mail addresses as retaliation for perceived abuses by AOL against small Internet-based businesses. Three days later, the group recants, claiming a revelation that AOL users "are concerned" about NOIC's intended violation of private addresses.

Of course, the NOIC's stated interest is in prohibiting all online service or ISP restrictions on e-j-mail, squarely placing the burden on the individual user to filter or kill unwanted messages. How cozy that all those thousands of AOL users would support such a shallow "solution." Does something smell fishy here?

Of course something smells fishy. The efforts of ISPs and administrators to provide anti-spam solutions are the DIRECT RESULTS of overwhelming consumer concern. Bearing that in mind, one has to wonder if Joe Melle has done more damage to the cause and reputation of commercial e-mail than anyone else in the past two years. Threatening such an public display of selfish disregard in the interest of making "the Internet a pleasant experience for everyone," and then claiming that the victims support his goals,... is a plainly bizarre delusion. I wager he's displaced Sanford Wallace (Cyber Promotions) as the Paul Joseph Goebbels of e-j-mail.

David Spalding