August 24, 2003


 Since approximately August 20, 2003, thousands of people have received virus infected email which claims to be from one of several people or email accounts associated with Kansas Originals Market. Let me say right up front that, although they appear on the surface to be coming from Kansas Originals, they are not. The "From:" address in those emails has been forged. An explanation of how this happens and how to verify it will follow, but I want to assure you first that we at Kansas Originals did not send them, there is really nothing practical we can do to prevent it from happening, and we feel your pain. Our own mail server is currently rejecting thousands of such virus-infected emails, many of which claim to be from us. All relevant computers at Kansas Originals are running anti-virus software, and our internet guru has verified that the emails in question did not originate on a computer associated with us. In fact, while we do not know the exact identity of the people whose computers are responsible, we can tell you that they are not necessarily even somebody we have ever had contact with.

How it happens...

The short answer is that a virus infects a computer somewhere, and as it begins the task of reproducing itself, it searches the computer it is infecting for email addresses. Once it comes up with all of the email addresses it can find, it then selects one of the addresses to use as the "forged" From: address, and another of the addresses to be the recipient of the email. It then constructs the email and sends it out. This is how you can receive a virus-laden email claiming to be from somebody@kansasoriginals.com even though nobody associated with Kansas Originals has an infected computer.

The long answer...

The most obvious place that a virus would look for email addresses to use as both the To: and From: in its email would be the address book on the infected computer. Most viruses do look there, but... not everybody has a full and complete address book. Some people don't even use an address book on their computers. (Imagine that!) So, in order to get as many addresses as possible, many viruses will look other places on the computer where it might reasonably expect to find email addresses, such as in the old emails which are stored in the mail client (this can be both email received AND email sent from that computer previously), and also in the "temporary internet files" folder, or in the web cache.

You see, each web page you visit is stored temporarily on your computer for a set number of days, so that if you view the same web page multiple times, your computer doesn't necessarily need to transfer that page from the web site's server each time. This dramatically speeds up your web browsing. In many cases all your computer needs to do is "ask" the web server whether the page you want has changed since the last time you looked at it, and if it hasn't, your web browser can show you the copy it already has instead of downloading the whole thing again.

Because of this storing of web pages on computers, and the fact that many web pages (including ours) contain email addresses, any virus that wants to get the maximum number of email addresses to send itself to will peruse the files in the web cache (and other "web pages" it can find) and parse the email addresses from those. What that means is that, for a virus to "find" an email address associated with Kansas Originals Market on any given computer, all that would be required would be that the owner of that computer had viewed one of our site's pages which contained one of our email addresses sometime in the last week or so in most cases. Or it could have been somebody who had purchased from us in the past, or somebody interested in one of our fine products or for any other reason had our email address on their computer somewhere.

As you can see, it is not possible for us to prevent our email addresses from being stored on other people's computers, in fact we WANT them there, so that people can communicate with us as they desire. With tens of thousands of people viewing our web site each month, that means that there are a lot of computers out there that have one or more of our email addresses stored on them somewhere. Unfortunately, that means that any virus can grab our email address from one of those many computers and mis-use it also.

How you can tell...

If you did get a virus infected email which claimed to be from one of us, and you are still suspicious that one of us sent it, here is how you can tell where that email really came from. You won't be able to tell (in most cases) who the owner of the computer is, but you can learn enough to know that it wasn't one of us.

The first thing you need to do is to look at a part of the email that you probably have never seen before. Since most of you are using Microsoft's Outlook Express as your email client, these directions will be specific to that application, but most other email clients will have similar functionality somewhere in there.

In Outlook Express, highlight the message containing the virus in the message list. Don't open any attachments though! Remember that this is a virus infected email you are dealing with!  With the message highlighted, go to the "File" menu and select "Properties". A new box will appear on your screen with details of the currently highlighted message. Toward the top of that box, there should be a tab labeled "Details". Click on that tab and you should see something like the following as the first two lines in the details view...

Return-Path: <webmaster@kansasoriginals.com>
Received: from mail.isp.com (mail.isp.com [123.123.124.122])
  by mail.yourisp.com (8.9.3p2/8.9.3) with ESMTP id RAA30195
  for <somebody@somewhere.com>; Tue, 19 Aug 2003 17:09:40 -0400
 

These first two lines may be all you need to see, although in some cases you need to go a little further down in the list to see exactly who the responsible party was. The Return-Path: line is not relevant at this point: it records the sender address that was handed to the mail server along with the message, and the virus forges that just as it forges the From: address. The Received: line, on the other hand, is added by each mail server that handles the email on its way from the sender to you, with the top or first Received: line being added by the most recent server to handle the mail. If the email you received looks like the one above, with the Received: line stating that the email was received from the computer at 123.123.124.122 calling itself mail.isp.com, then the email was handled by that computer and sent on to your ISP's mail server, which is listed in the next line (by mail.yourisp.com). Note the two parts of that "from" clause: the first name (mail.isp.com) is whatever the sending computer announced itself as, and it can lie about that, while the bracketed address ([123.123.124.122]) is the address your ISP's server actually saw the connection come from.

If there is more than one Received: line like the above, each one indicates where that server got the mail from and at what time it was handled, again with the first or top Received: line being the last hop before it reached you. The lowest Received: line then should be the computer that first handled the email, and will probably give you the best idea of where the email originated, although in some cases those lowest lines will be forged also. A virus can write any Received: lines it likes into the message before sending it, so the only lines you can fully rely on are the ones added by servers you trust, such as your own ISP's server at the top; the bracketed IP address in the lowest of those trusted lines is the last computer that can be verified to have sent the mail, and everything below it should be treated with suspicion. What you want to do, then, is look at the IP addresses of the computers listed in the Received: lines; in the example above that would be 123.123.124.122 (don't trust the name of that server, go with the IP address). Each IP address is assigned by one of several regional registries around the world, and the registry has contact information for the entity to whom that address is assigned. ARIN is the registry for North America, and its Whois lookup page (http://www.arin.net/whois/index.html) will either show you who holds the address or refer you to the registry for the part of the world the address belongs to.

Take the IP addresses you got and look them up in the ARIN database, and you will see the names and addresses of the owners of the IP addresses of the computers that handled the email on its way to you. If you do this with the virus email you got claiming to be from us, you will find that those emails originated in Texas, Oklahoma, Ohio, or anywhere else in the world. Most likely, they are not from any of the ISPs used by any of the employees or contractors of Kansas Originals Market.
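Here is the same procedure carried out in code, as an added example that is not part of this notice or anything Kansas Originals wrote. It parses a constructed message (the two Received: lines are made up to match the sample headers above; 192.0.2.45 is a documentation-only address standing in for the infected machine) and reports the bracketed IP address from each hop, newest first, then picks out the last address that a server you trust actually saw. The set of trusted servers, here just mail.yourisp.com, is an assumption you would replace with your own ISP's mail server names.

```python
"""Walk the Received: chain of a raw e-mail and list each hop's IP address.

Added example for this notice; not code from Kansas Originals. The message
below is constructed for illustration. 123.123.124.122 and the host names
come from the sample headers in the notice; 192.0.2.45 is a documentation-only
address standing in for the infected machine's real address.
"""
import re
from email import message_from_string

# Constructed sample: roughly what Outlook Express shows on the "Details" tab
# for one of these messages. From: and Return-Path: claim kansasoriginals.com;
# the Received: lines tell a different story.
SAMPLE = """\
Return-Path: <webmaster@kansasoriginals.com>
Received: from mail.isp.com (mail.isp.com [123.123.124.122])
  by mail.yourisp.com (8.9.3p2/8.9.3) with ESMTP id RAA30195
  for <somebody@somewhere.com>; Tue, 19 Aug 2003 17:09:40 -0400
Received: from kansasoriginals.com (dsl-192-0-2-45.isp.com [192.0.2.45])
  by mail.isp.com (8.12.9/8.12.9) with SMTP id h7JL9cAB012345
  for <somebody@somewhere.com>; Tue, 19 Aug 2003 17:09:38 -0400
From: webmaster@kansasoriginals.com
To: somebody@somewhere.com
Subject: Re: Details

See the attached file for details.
"""

# Matches the sendmail-style clause "from HELO-NAME (reverse-dns [a.b.c.d]) ... by SERVER".
# HELO-NAME is whatever the sending machine announced (it can lie); the bracketed
# address is what the receiving server actually saw on the connection.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[0-9.]+)\]\)"
    r".*?\bby\s+(?P<by>\S+)"
)


def received_hops(raw_message):
    """Return one dict per Received: line, newest (top) first.

    Each dict has helo, rdns, ip (the bracketed address), by (the server that
    wrote the line) and raw (the unfolded line). Lines in an unexpected format
    keep the first four fields as None.
    """
    msg = message_from_string(raw_message)
    hops = []
    for header in msg.get_all("Received", []):
        flat = " ".join(header.split())      # unfold continuation lines
        m = HOP_RE.search(flat)
        hop = m.groupdict() if m else {"helo": None, "rdns": None, "ip": None, "by": None}
        hop["raw"] = flat
        hops.append(hop)
    return hops


def last_verified_sender(hops, trusted_servers):
    """Return the IP address in the lowest Received: line written by a server you trust.

    Each line was written by its 'by' host. Walking down from the top, lines
    added by your own ISP's servers are reliable; the sender controlled
    everything below them and could have forged those lines outright.
    """
    verified_ip = None
    for hop in hops:                          # newest first
        if hop["by"] in trusted_servers:
            verified_ip = hop["ip"]
        else:
            break
    return verified_ip


def helo_mismatch(hop):
    """True when the announced name and the reverse DNS name disagree (a common forgery sign)."""
    return bool(hop["helo"] and hop["rdns"] and hop["helo"] != hop["rdns"])


if __name__ == "__main__":
    hops = received_hops(SAMPLE)
    for n, hop in enumerate(hops, 1):
        flag = "  <- announced name does not match reverse DNS" if helo_mismatch(hop) else ""
        print(f"hop {n}: {hop['ip']} (says {hop['helo']}, rDNS {hop['rdns']}) -> {hop['by']}{flag}")
    # Assumption: you trust only your own ISP's server. The printed address is
    # the one to look up at ARIN's whois page.
    print("look up:", last_verified_sender(hops, {"mail.yourisp.com"}))
```

The address it prints is the one to take to the ARIN Whois page. In the constructed sample, mail.isp.com reports that the connection came from 192.0.2.45 while the sending machine announced itself as kansasoriginals.com; that mismatch is the forgery showing. But because that line was written by a server outside your control, only 123.123.124.122, the address your own ISP's server saw, can be trusted without further checking.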

If you do lookups as outlined above and you find evidence that leads you to suspect that the virus did indeed come from one of us, or if you just need help deciphering what you see in the mail headers, you may contact our web site administrator (that's me) at webmaster@kansasoriginals.com and he will do his best to help you understand, or verify, the ISPs and computers involved in sending you the virus.

I hope this explanation has helped.

John Vogel
Internet Administrator
Kansas Originals Market
