On Wed, 13 Sep 2006, Paul Howarth wrote:
fredex wrote:
On Wed, Sep 13, 2006 at 05:33:21AM -0500, Mike McCarty wrote:
I'm getting inundated (like a few tens of e-mails a day) with
messages claiming that my machine has been identified as sending
a multitude of messages and is likely to be infected, or that
some e-mail I don't recognize was undeliverable. Both of them
recommend that I follow the attached instructions.
The attachment is a .zip which unpacks to a file named
text.doc .scr
This is a classic virus/trojan payload technique. If your mailer appears
to show the attachment as a .doc file, you might be persuaded to open it
with MS Word. The .scr extension is there to get past attachment scanners
that key on the file type. Odds are, this is a Word macro trojan.
(many more spaces in the name than I put). For some of these,
I've managed to ascertain that they are actually Windows
executables. Sometimes my ISP warns me that the attachment
contains the W32.Mydoom.M@mm virus, and the content was
removed (in which case the .zip is 0 bytes). Other times
the "virus protection" was unavailable, and I am warned
that it wasn't run, and those are the ones I've looked
at.
Would someone please help me in interpreting the headers
from these messages so I can ascertain where they originate,
and possibly get someone (who I presume is infected) either
cleaned or shut down?
It's playing whack-a-mole, really. But you can follow the chain of
"Received:" headers back to the last one that makes sense (sometimes the
earlier ones are forged too) and mail the postmaster or abuse address at
that domain.
Thanks very much for your time.
Mike:
I dunno where they come from, but I get tons of 'em too. They're
clearly some kind of spam, I presume them to be a phishing scheme,
though it could just be a virus laden piece of crapware.
My spam filter (spambayes) does an excellent job of filtering out
all that junk so I never see them anywhere except in the spam (or
unsure) folder.
It's probably just clueless anti-virus software sending mail to the forged
sender address used by the virus.
http://attrition.org/security/rant/av-spammers.html
http://www.joewein.de/sw/spam-virus-warnings.htm
http://www.f-prot.com/news/gen_news/030910_open_letter.html
http://www.f-prot.com/news/gen_news/040130_open_letter.html
That usually explains the "undeliverable" notices. Occasionally, you get
a legitimate one, though (usually very shortly after you send a message
with a typo in the address). I just trash most of them, except the ones
that come right after I hit send. That's not quite perfect, but I haven't
figured out quite how to filter them.
Paul.
--
Matthew Saltzman
Clemson University Math Sciences
mjs AT clemson DOT edu
http://www.math.clemson.edu/~mjs