Posted by: David Harley | March 10, 2014

Postcard from Hallmark hoax

Here’s a hoax alert I was asked about recently. It’s far from new, but it seems to be enjoying a new lease of life on social media at the moment. As it’s an example of a very prevalent kind of hoax, it’s worth giving it some special attention, in the hope that it will be easier to spot similar timewasters.

THIS IS IMPORTANT BEWARE and tell everybody you can think of!!!

[Yes, we know it’s important because it’s IN CAPITALS and has three exclamation marks!!! Wait a minute… Who decided it was IMPORTANT, and on what authority? We’ll get to that in a minute.]

Regards, Better to be safe than sorry

Regards? End of the message already? Obviously not, but this does suggest more than one message stitched together, a very common feature of dross like this. I don’t think there’s a single line in this message I haven’t seen elsewhere, but so many hoax gambits in a single message is an educational opportunity I can’t pass up.

Dave’ s brother is a very advanced programmer who does computer work for a living…

I don’t know who Dave is (it isn’t me, I haven’t coded anything in years!), let alone his brother. So excuse me if I don’t take their programming expertise or knowledge of malicious software as a given. As a matter of fact, since I sidled into the IT industry in 1986, I’ve found programmers and other IT professionals  to be as capable as anyone else (including security professionals) of spreading misinformation when they step outside their own specializations. And by the way, you can be extremely technically knowledgeable without being a professional programmer, you know, though having no knowledge at all of programming would be a significant disadvantage in some contexts.

…and has a high up status with Microsoft.

Remember that story about Bill Gates being unable to install the Windows 8.1 upgrade? Except that it appears that story originated with the New Yorker’s satirical Andy Borowitz column, which rather casts doubt on its accuracy (even though many sites have republished or summarized it without question). Still, if there’s one thing I’ve learned from nearly 30 years in the industry, it’s this: even technically accomplished people tend to lose their technical grasp as they acquire more and more people who can do routine tasks for them. High status does not equal technical expertise.

He doesn’t send these if they aren’t real. If He says this is for real, it for sure is.

Of course it is. How could anyone not take Dave’s brother’s word on it?

Be aware. VIRUS COMING !

This is just so wrong on so many levels. I don’t know what it reminds me of most: those helpful people who tell you to be careful while you’re picking yourself up off the ice you just slipped on, or those security experts who tell you not to open suspicious messages. “Oh look, it’s a suspicious message. I must open it and see what it says.”

Hi All, I checked with Norton Anti-Virus, and they are gearing up for this virus!

What on earth does ‘gearing up’ mean? They’re looking for a sample? They’re trying to work out how to detect it? They’re putting up sandbags so that it doesn’t leak into their offices? No, it means ‘I haven’t been in touch with anyone at Symantec/Norton at all, but maybe Dave’s brother has.’

I checked Snopes , and it is for real.

This is interesting. And a common claim by hoaxers who’ve done no such thing and are hoping that you won’t either, in case you find that there’s a Snopes entry that says exactly the opposite. In this case, though, the Snopes entry lists this as ‘outdated’ rather than as an out-and-out hoax, despite the manifest improbability of some of the claims made in this message. Which may be why some hoaxes sometimes include the specific URL for this entry.

The rationale here is that there really have been instances of malware spread via what were passed off as links to e-card sites, notably in Nuwar/Storm campaigns, with subject lines like “You’ve received a postcard from a family member!” Quite a few of those subject lines are listed in the Snopes article, but while it’s perfectly possible that future malware campaigns will re-use this approach and even some of those subject lines, the idea that you can spot an incoming malicious message by its subject line is misleading at best. In fact, it’s characterized email virus hoaxes going right back to the venerable (but not venerated) Good Times hoax, and even further back to the ‘Mogul metavirus’ spoof, which was meant to be humorous but, arguably, spawned a million imitators. Elements of many of those imitators are present in the POSTCARD FROM HALLMARK hoax, including the Olympic Torch hoax, A Virtual Card For You, the Invitation hoax and so on.

Get this E-mail message sent around to your contacts ASAP.

Quick, before you have time to think about it and see how ridiculous it is. This does give you some idea of how old this hoax actually is, going back to the days when email was the main channel for Internet communication and social media were barely an idea.


“You know we mean it. We’re typing in capitals again.” But please don’t forward it. Really.

You should be alert during the next few days.

Be alert. Facebook needs more lerts. (Sorry. Couldn’t resist.)

Do not open any message with an attachment entitled POSTCARD FROM HALLMARK , regardless of who sent it to you. It is a virus which opens A POSTCARD IMAGE, which ‘burns’ the whole hard disc C of your computer.

Sounds alarming. Imagine all those melting hard disk platters. “Hello, Dali, well, hello, Dali….” Actually, it sounds as if Dave’s brother doesn’t know a lot about storage technology or even how Windows sees a hard drive.

This virus will be received from someone who has your e -mail address in his/her contact list. This is the reason you need to send this e -mail to all your contacts.

Specious reasoning if ever I saw it… This just means “I want you to forward this to as many people as possible and hopefully you won’t look too carefully at the logic.”

It is better to receive this message 25 times than to receive the virus and open it.

That could possibly be true if the virus was real, but it’s even better not to receive any copies of a useless but somewhat viral message. It’s better not to receive real malware (most modern malware isn’t viral) than to receive it. But receiving a memetic virus is in itself pretty irritating, if not as unequivocally damaging as a CIH or Autostart.

If you receive an email entitled “POSTCARD,” even though it was sent to you by a friend, do not open it!

That, at least, makes some sense in that you can’t safely trust a message just because it appears to come from a person whose intentions you trust. Unfortunately, simply assuming that all email with the subject POSTCARD is malicious is less sensible. Deleting or blocking messages because they have a highly generic subject line associated with a virus that doesn’t actually exist is even less sensible.

Shut down your computer immediately.

I’m not sure what the logic is here. If you didn’t open the message, it’s unlikely that whatever malicious code it’s supposed to contain could be executed. There have been occasions where a bug in a specific email client could cause code to be executed from an unopened message, but it’s rare, and there’s no indication of an email client problem here. The remote possibility of such an issue is a good reason for keeping your operating system and applications promptly patched and updated. But that isn’t alarmist enough for a chain letter.

Of course, if the malware was real and as bad as described, shutting down the PC would probably mean you wouldn’t be able to start it up again.

This is the worst virus announced by CNN.

Well, a news channel is obviously best-equipped to make a rational assessment of the impact of the threat. In the real world, though, it might be nice if it could be attributed to a security company with some knowledge of malware. Failing that, at least give us a URL to verify… (Preferably a link to a trustworthy site, and no URL shortening, QR codes or other link obfuscation gambits.

It has been classified by Microsoft as the most destructive virus ever.

Oh, OK. Though actually, at the time this hoax first appeared, few would have considered Microsoft to be a security company at all. But they certainly know something about malware now. But again, there’s no way of verifying the assertion. Of course, there’s no way to check that Microsoft really did classify the thing in this way. But that would be because they didn’t.

This virus was discovered by McAfee yesterday,

No verification. Yawn. And no way of establishing when ‘yesterday’ might have been. 2001 or earlier, I’d say… Strange that at least two major security companies know about it and yet…

…and there is no repair yet for this kind of Virus.

We’re doomed.

This virus simply destroys the Zero Sector of the Hard Disc, where the vital information is kept.

Well, you can certainly cause appreciable (not necessarily permanent) damage by trashing the Master Boot Record, which is what normally occupies Sector 0, but the risk to real hardware from an imaginary virus is fairly small.


No, no, no. Please don’t. This is just emotional blackmail and social engineering. Don’t forward it.

And do feel free to let the person who sent it to you know that it’s a hoax. (However, if the mail was sent to lots of other people at the same time – as is usually the case – I don’t generally recommend that you “reply all” so that they all get to hear that it’s a hoax.

It’s often the case – in my experience – that when you let people know they’ve been hoaxed, they take some convincing. Well, no-one wants to be made to feel stupid. Here are some more resources you can quote them if they don’t believe you.

In general, any instruction to send an email to all your friends is by definition a chain message. That doesn’t make it a hoax by definition, but it’s always worth (a) verifying before you send (b) considering whether your friends will really appreciate getting 25 copies of more-or-less the same message. I know I wouldn’t.

David Harley 
Small Blue-Green World


  1. The Postcard email had been forwarded 6 times…someone finally thought :hoax” and looked into things.
    Thank you for this quality resource, and for additional addresses to check with.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.


%d bloggers like this: