James281

Email Contains Virus


In our domain, almost everyone here at my company is getting viruses every day now. The incident just started on May 03, 2005. Most of the viruses are the same, sent to non-existing accounts which were never set up. Right now I myself just got around 20 viruses today.

I've contacted tech support but they were no help. How long is this abuse going to go on? My figure is, if this doesn't stop, I think it's time to say bye bye TotalChoiceHosting.

Here are some of the headers...

 

Return-path: <service@aol.com>
Envelope-to: rsiefert@cpdhouston.com
Delivery-date: Wed, 04 May 2005 13:10:01 -0500
Received: from [70.112.127.248] (helo=dmsml.com)
           by server57.totalchoicehosting.com with smtp (Exim 4.44)
           id 1DTOJm-00027o-3d; Wed, 04 May 2005 13:10:00 -0500
From: service@aol.com
To: addressOf@cpdhouston.com
Date: Wed, 04 May 2005 17:42:42 GMT
Subject: FwD: mailing error
Importance: Normal
X-Mailer: AnonMail_Version 10.37
X-Priority: 3 (Normal)
Message-ID: <acf07.4210d90be39@aol.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="==9bf088.30b1b73ba"
Content-Transfer-Encoding: 7bit


---------------------------------------------------------------------


Return-path: <service@ms-mss-06.texas.rr.com>
Envelope-to: rsiefert@cpdhouston.com
Delivery-date: Wed, 04 May 2005 12:35:29 -0500
Received: from [70.112.127.248] (helo=nxtovbs.com)
           by server57.totalchoicehosting.com with smtp (Exim 4.44)
           id 1DTNmQ-0008B0-Jn; Wed, 04 May 2005 12:35:29 -0500
From: service@ms-mss-06.texas.rr.com
To: freemail@cpdhouston.com
Date: Wed, 04 May 2005 17:22:07 GMT
Subject: Your Password
Importance: Normal
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
Message-ID: <334fa5ca.74d0f4a535@ms-mss-06.texas.rr.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=====f3cbab.b186ad86f208eeb2a"
Content-Transfer-Encoding: 7bit


---------------------------------------------------------------------


Return-path: <info@hotmail.com>
Envelope-to: rsiefert@cpdhouston.com
Delivery-date: Wed, 04 May 2005 11:33:31 -0500
Received: from [70.112.127.248] (helo=esaqtdh.com)
           by server57.totalchoicehosting.com with smtp (Exim 4.44)
           id 1DTMoS-0000Sx-Qh; Wed, 04 May 2005 11:33:31 -0500
From: info@hotmail.com
To: Your-Account@cpdhouston.com
Date: Wed, 04 May 2005 16:22:50 GMT
Subject: FwD: Registration Confirmation
Importance: Normal
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
Message-ID: <4acf5.e21fe040e1e@hotmail.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=====a5a8b0eeab9ae"
Content-Transfer-Encoding: 7bit

---------------------------------------------------------------------


Return-path: <webmaster@hotmail.com>
Envelope-to: rsiefert@cpdhouston.com
Delivery-date: Wed, 04 May 2005 09:32:10 -0500
Received: from [70.112.127.248] (helo=ymwmxhn.com)
           by server57.totalchoicehosting.com with smtp (Exim 4.44)
           id 1DTKv0-0008B2-FM; Wed, 04 May 2005 09:32:09 -0500
From: webmaster@hotmail.com
To: 3Dkprice@cpdhouston.com
Date: Wed, 04 May 2005 14:19:32 UTC
Subject: Your Password
Importance: Normal
X-Priority: 3 (Normal)
Message-ID: <e73fcdec6772.cf9c1fb@hotmail.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===47a1d7daf1393d3b"
Content-Transfer-Encoding: 7bit


---------------------------------------------------------------------


Return-path: <postmaster@hotmail.com>
Envelope-to: rsiefert@cpdhouston.com
Delivery-date: Wed, 04 May 2005 07:34:28 -0500
Received: from [70.112.127.248] (helo=jnciiq.com)
           by server57.totalchoicehosting.com with smtp (Exim 4.44)
           id 1DTJ57-00013o-Vf; Wed, 04 May 2005 07:34:28 -0500
From: postmaster@hotmail.com
To: mail@cpdhouston.com
Date: Wed, 04 May 2005 12:21:10 GMT
Subject: FwD: Registration Confirmation
Importance: Normal
X-Priority: 3 (Normal)
Message-ID: <57cc3c7.ebd9e5cc@cpdhouston.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="==ce7f9bb4f2f.16dabed0de5"
Content-Transfer-Encoding: 7bit


---------------------------------------------------------------------


Return-path: <service@aol.com>
Envelope-to: rsiefert@cpdhouston.com
Delivery-date: Wed, 04 May 2005 10:33:37 -0500
Received: from [70.112.127.248] (helo=xfoyi.com)
           by server57.totalchoicehosting.com with smtp (Exim 4.44)
           id 1DTLsU-0003zB-JH; Wed, 04 May 2005 10:33:36 -0500
From: service@aol.com
To: mail@cpdhouston.com
Date: Wed, 04 May 2005 15:28:13 GMT
Subject: Registration Confirmation
Importance: Normal
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
Message-ID: <f642c8984abac89b5300@aol.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="====ca3d93065bcb"
Content-Transfer-Encoding: 7bit


---------------------------------------------------------------------


Return-path: <hostmaster@ecrushmail.com>
Envelope-to: rsiefert@cpdhouston.com
Delivery-date: Wed, 04 May 2005 08:31:33 -0500
Received: from [70.112.127.248] (helo=drbqdl.com)
           by server57.totalchoicehosting.com with smtp (Exim 4.44)
           id 1DTJyO-00048H-2y; Wed, 04 May 2005 08:31:33 -0500
From: hostmaster@ecrushmail.com
To: Recipient@cpdhouston.com
Date: Wed, 04 May 2005 13:18:02 UTC
Subject: FwD: mailing error
Importance: Normal
X-Mailer: AnonMail_Version 8.72
X-Priority: 3 (Normal)
Message-ID: <ceac7d9a55.f1c4b8@ecrushmail.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="====2cd021997da2b.c5c"
Content-Transfer-Encoding: 7bit


---------------------------------------------------------------------


Return-path: <hostmaster@hotmail.com>
Envelope-to: rsiefert@cpdhouston.com
Delivery-date: Wed, 04 May 2005 06:40:17 -0500
Received: from [70.112.127.248] (helo=yepmcdsvf.com)
           by server57.totalchoicehosting.com with smtp (Exim 4.44)
           id 1DTIEg-0006U8-39; Wed, 04 May 2005 06:40:17 -0500
From: hostmaster@hotmail.com
To: jyevans@cpdhouston.com
Date: Wed, 04 May 2005 11:27:13 UTC
Subject: Your Password
Importance: Normal
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
Message-ID: <f2ec79.aadf8024a9d4@hotmail.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=041ce01dc1ea.bec4a5eec5"
Content-Transfer-Encoding: 7bit


---------------------------------------------------------------------

Return-path: <postmaster@ms-mss-04.texas.rr.com>
Envelope-to: rsiefert@cpdhouston.com
Delivery-date: Wed, 04 May 2005 07:47:43 -0500
Received: from [70.112.127.248] (helo=pporjgk.com)
           by server57.totalchoicehosting.com with smtp (Exim 4.44)
           id 1DTJHw-0001iV-O4; Wed, 04 May 2005 07:47:43 -0500
From: postmaster@ms-mss-04.texas.rr.com
To: addressOf@cpdhouston.com
Date: Wed, 04 May 2005 12:38:09 UTC
Subject: Registration Confirmation
Importance: Normal
X-Mailer: AnonMail_Version 6.38
X-Priority: 3 (Normal)
Message-ID: <d3cccd.c47e74d6312ef@ms-mss-04.texas.rr.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=6dd4aad2c.d3159a8e"
Content-Transfer-Encoding: 7bit

Guest Serpentine

The last time I checked, TCH blocks some attachments but offers no virus scanning protection for your email. You are responsible for that.


You have probably done this, but it might be worth checking out if SpamAssassin is enabled?

The reason I ask is that I noticed that mine was disabled, which I didn't notice until now since I haven't received any evil stuff lately.

It won't sort out/kill viruses but it will stop most spam.


As Thomas said, enable Spam Assassin and also I suggest that you set your default email address to :fail:

As Serpentine says TCH blocks some attachments but does no virus filtering.

If you have email you are no doubt going to get email with virus attachments. That's a fact of internet life. All you can do is arm yourself with good anti-virus software and keep it updated.

> The last time I checked, TCH blocks some attachments but offers no virus scanning protection for your email. You are responsible for that.

I don't care if I get one virus a week or maybe one a day, but in all we have around 10-20 accounts on our domain and every single account is getting around 20 viruses a day, and they are all the same on all accounts. If this is not abuse then what is? We all have virus scanners on our computers, but it sure is annoying to keep on getting viruses.

> You have probably done this, but it might be worth checking out if SpamAssassin is enabled?
>
> The reason I ask is that I noticed that mine was disabled, which I didn't notice until now since I haven't received any evil stuff lately.
>
> It won't sort out/kill viruses but it will stop most spam.

I think mine is disabled right now, but spam isn't the problem; all computers here use Office 2003, which has a spam filter, and it works pretty well, most of the spam gets filtered out. But I will enable this SpamAssassin.

Edited by James281


It's just a thought but...

I looked at the "Received: from" in the attached text. All email seems to come from the same people, so perhaps it's time for you to email their ISP and ask them to take action.

> As Thomas said, enable Spam Assassin and also I suggest that you set your default email address to :fail:
>
> As Serpentine says TCH blocks some attachments but does no virus filtering.
>
> If you have email you are no doubt going to get email with virus attachments. That's a fact of internet life. All you can do is arm yourself with good anti-virus software and keep it updated.

I did set the default email address to :fail:

Like I said, I don't mind if all 10 of our email accounts get maybe 1-2 viruses a week, but we are getting 20+ emails with viruses a day!!! And this incident just recently happened; that is why I asked you guys for help. And we all do have anti-virus software.


I've had an increase in virus attachments recently and they are all bounced emails that I never sent. So someone who has me in their address book is infected, and it's spoofing my address.

Maybe the same is happening to you.

> I've had an increase in virus attachments recently and they are all bounced emails that I never sent. So someone who has me in their address book is infected, and it's spoofing my address.
>
> Maybe the same is happening to you.

Sure, I can see that happening, but not to all 15+ email accounts.

> I've had an increase in virus attachments recently and they are all bounced emails that I never sent. So someone who has me in their address book is infected, and it's spoofing my address.
>
> Maybe the same is happening to you.

Could one of the machines in your group be virus infected? If all 15 users have each other in their address book that would be a possible cause for such a high volume. Do the attachments have similar names?

Good Luck


I'm having the same problem as James describes. Bombarded with these emails all of a sudden. I think I had 45 this morning when I opened email.

Spam assassin is turned on. Any other ideas?

> > I've had an increase in virus attachments recently and they are all bounced emails that I never sent. So someone who has me in their address book is infected, and it's spoofing my address.
> >
> > Maybe the same is happening to you.
>
> Sure, I can see that happening, but not to all 15+ email accounts.

Guest Serpentine

By the way, that is the Win32.Sober.p worm. This worm spreads by mass-mailing copies of itself using its own SMTP engine. It gathers its target recipients from files with certain extension names.

This means that anyone infected who has your email address in their address book or in a document on their computer will have this sent to you or the entire organization. You can't stop them from coming to you. By the way, as this worm is a new variant, that is most likely the reason it has happened suddenly.

Update your virus defs if you haven't done so yet. You can get more information at the Trend Micro site.

I would create filters in your mail program to delete any subjects containing

• mailing error

• Re:

• Registration Confirmation

• Your email was blocked

• Your Password

Edited by Serpentine
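Bob's observation earlier in the thread (every quoted header shows the same connecting IP with a different HELO name each time) and Serpentine's subject list above can both be checked mechanically over a batch of headers. The Python script below is an added example, not code from this thread or from TotalChoiceHosting. It runs on constructed header blocks (RFC 5737 documentation addresses and .invalid names, modelled on the shape of the headers James281 posted, not copied from them), takes the connecting IP and HELO from the topmost Received: line, checks whether the HELO belongs to the domain the Return-path claims, and applies Serpentine's subject fragments. The function names (parse_headers, subject_hit, cluster_by_ip, triage) and the SUSPECT_SUBJECTS list are assumptions of this example.

```python
import re
from collections import defaultdict
from email.parser import HeaderParser

# Constructed sample header blocks (RFC 5737 documentation addresses and
# .invalid names), modelled on the shape of the headers quoted in the thread:
# two worm-style mails from one IP with random HELO names, one ordinary reply.
SAMPLE_HEADERS = [
    "Return-path: <service@webmail.invalid>\n"
    "Received: from [192.0.2.10] (helo=dmsml.invalid)\n"
    "           by mx.example.invalid with smtp (Exim 4.44)\n"
    "           id 1AAAAA-000001-AA; Wed, 04 May 2005 13:10:00 -0500\n"
    "From: service@webmail.invalid\n"
    "Subject: FwD: mailing error\n"
    "X-Mailer: AnonMail_Version 10.37\n",
    "Return-path: <postmaster@webmail.invalid>\n"
    "Received: from [192.0.2.10] (helo=jnciiq.invalid)\n"
    "           by mx.example.invalid with smtp (Exim 4.44)\n"
    "           id 1AAAAA-000002-AA; Wed, 04 May 2005 07:34:28 -0500\n"
    "From: postmaster@webmail.invalid\n"
    "Subject: Your Password\n",
    "Return-path: <alice@partner.invalid>\n"
    "Received: from [198.51.100.7] (helo=mail.partner.invalid)\n"
    "           by mx.example.invalid with esmtp (Exim 4.44)\n"
    "           id 1AAAAA-000003-AA; Wed, 04 May 2005 09:00:00 -0500\n"
    "From: alice@partner.invalid\n"
    "Subject: Re: meeting notes\n",
]

# Subject fragments Serpentine suggested, matched the way a mail client's
# "subject contains" rule would (case-insensitive substring).
SUSPECT_SUBJECTS = (
    "mailing error",
    "Re:",
    "Registration Confirmation",
    "Your email was blocked",
    "Your Password",
)

RECEIVED_RE = re.compile(r"from\s+\[(?P<ip>[\d.]+)\]\s+\(helo=(?P<helo>[^)\s]+)\)", re.I)
DOMAIN_RE = re.compile(r"@([\w.-]+)")


def subject_hit(subject):
    """Return the first suspect fragment contained in the subject, else None."""
    s = subject.lower()
    for frag in SUSPECT_SUBJECTS:
        if frag.lower() in s:
            return frag
    return None


def parse_headers(block):
    """Extract the fields the thread discusses from one raw header block."""
    msg = HeaderParser().parsestr(block)
    # The topmost Received: line was added by our own server and records the
    # host that actually connected; everything the sender wrote can be forged.
    received = (msg.get_all("Received") or [""])[0]
    m = RECEIVED_RE.search(received)
    ip, helo = (m.group("ip"), m.group("helo").lower()) if m else (None, None)
    d = DOMAIN_RE.search(msg.get("Return-path", ""))
    sender_domain = d.group(1).lower() if d else None
    subject = msg.get("Subject", "")
    return {
        "ip": ip,
        "helo": helo,
        "sender_domain": sender_domain,
        # A real MTA for the claimed domain normally identifies itself with a
        # host under that domain; an unrelated random HELO is a red flag.
        "helo_matches_sender": bool(helo and sender_domain and helo.endswith(sender_domain)),
        "subject": subject,
        "subject_hit": subject_hit(subject),
    }


def cluster_by_ip(records):
    """Map each connecting IP to the set of HELO names it presented."""
    helos = defaultdict(set)
    for r in records:
        if r["ip"]:
            helos[r["ip"]].add(r["helo"])
    return dict(helos)


def triage(blocks):
    """Flag a message only when the subject rule AND a header heuristic fire.

    "Re:" on its own would also delete legitimate replies, so the subject
    rule alone is never the verdict.
    """
    records = [parse_headers(b) for b in blocks]
    clusters = cluster_by_ip(records)
    for r in records:
        many_helos = r["ip"] is not None and len(clusters[r["ip"]]) > 1
        r["suspect"] = bool(r["subject_hit"]) and (many_helos or not r["helo_matches_sender"])
    return records


if __name__ == "__main__":
    for r in triage(SAMPLE_HEADERS):
        print(r["ip"], r["helo"], repr(r["subject"]), "SUSPECT" if r["suspect"] else "ok")
```

Only the Received: line stamped by your own server is trustworthy; the From:, Return-path and Message-ID in the quoted headers are all written by the worm. The combination in triage is what keeps the "Re:" entry from Serpentine's list from deleting ordinary replies: a message is flagged when its subject matches and the sending host either presents a HELO unrelated to the claimed sender domain or has been seen under several HELO names, which is how a worm's own SMTP engine looks and how a normal mail server does not.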

> I've had an increase in virus attachments recently and they are all bounced emails that I never sent. So someone who has me in their address book is infected, and it's spoofing my address.
>
> Maybe the same is happening to you.
>
> Could one of the machines in your group be virus infected? If all 15 users have each other in their address book that would be a possible cause for such a high volume. Do the attachments have similar names?
>
> Good Luck

Well, as I understand it, even if a machine doesn't have virus protection, you would have to download the attachment and unzip it to get infected. And I am sure none of the accounts we have here downloaded any of the attachments. There are around 20 computers where I am at, with the possibility of having all of our emails in their address books.

Anyway, this is the virus; it's been looping around for a few days now.

W32.Sober.O@mm

Win32.Sober.N [Computer Associates], Sober.P [F-Secure], W32/Sober.p@MM [McAfee], W32/Sober-N [Sophos], WORM_SOBER.S [Trend Micro]

http://securityresponse.symantec.com/avcen...sober.o@mm.html


You are getting the newest variant of the original Sober virus, which makes sense. The virus scanners are normally behind the virus writers and it takes several days to catch up.

> Well, as I understand it, even if a machine doesn't have virus protection, you would have to download the attachment and unzip it to get infected.

Actually all that's needed is to "execute" the file. It comes in a self-extracting zip, so it will unzip itself and then execute itself.


The same thing is happening to one of our reseller clients. I wish I knew what to do about this.

Guest Serpentine

How can you stop these emails from being sent to you? Not much you can do but selective filtering and keeping your AV definitions up to date.


I use McAfee Spamkiller. It's configured to periodically sign onto my mail account and filter any mail that was sent to my inbox. I had an incident where someone signed my e-mail address up to about 1000 newsletters and I never received one. It's a good program and it also blocks certain addresses from contacting you, period.

Edited by Dark

> W32.Sober.O@mm
>
> Win32.Sober.N [Computer Associates], Sober.P [F-Secure], W32/Sober.p@MM [McAfee], W32/Sober-N [Sophos], WORM_SOBER.S [Trend Micro]
>
> http://securityresponse.symantec.com/avcen...sober.o@mm.html

The scum that NOD32 ate this morning was listed as containing the Mytob.CD worm [and there are two more being eaten as I type].

I've had a few days of this virus hitting the inbox. The social engineering aspect of the messages (your e-mail account is suspended, open this to fix it) will easily convince the less web-savvy recipient to open the message. It won't work if you get a large amount of e-mail, but will for those who only get a few.

Secunia Virus Information: MYTOB.CD

Net-Worm.Win32.Mytob.gen, W32.Mytob.BD@mm, W32/Mytob, W32/Mytob.CL@mm, W32/Mytob.gen@MM, Win32.Mytob.BO, Win32/Mytob.BO!Worm, WORM_MYTOB.CD
