James281 Posted May 6, 2005

In our domain, almost everyone here at my company is getting viruses every day now; the incident just started on May 03, 2005. Most of the viruses are the same, sent to non-existing accounts which were never set up. Right now I myself got around 20 viruses today. I've contacted tech support but they were no help. How long is this abuse going to go on? My figure is, if this doesn't stop, I think it's time to say bye-bye TotalChoiceHosting.

Here are some of the headers...

Return-path: <service@aol.com>
Envelope-to: rsiefert@cpdhouston.com
Delivery-date: Wed, 04 May 2005 13:10:01 -0500
Received: from [70.112.127.248] (helo=dmsml.com) by server57.totalchoicehosting.com with smtp (Exim 4.44) id 1DTOJm-00027o-3d; Wed, 04 May 2005 13:10:00 -0500
From: service@aol.com
To: addressOf@cpdhouston.com
Date: Wed, 04 May 2005 17:42:42 GMT
Subject: FwD: mailing error
Importance: Normal
X-Mailer: AnonMail_Version 10.37
X-Priority: 3 (Normal)
Message-ID: <acf07.4210d90be39@aol.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="==9bf088.30b1b73ba"
Content-Transfer-Encoding: 7bit
---------------------------------------------------------------------
Return-path: <service@ms-mss-06.texas.rr.com>
Envelope-to: rsiefert@cpdhouston.com
Delivery-date: Wed, 04 May 2005 12:35:29 -0500
Received: from [70.112.127.248] (helo=nxtovbs.com) by server57.totalchoicehosting.com with smtp (Exim 4.44) id 1DTNmQ-0008B0-Jn; Wed, 04 May 2005 12:35:29 -0500
From: service@ms-mss-06.texas.rr.com
To: freemail@cpdhouston.com
Date: Wed, 04 May 2005 17:22:07 GMT
Subject: Your Password
Importance: Normal
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
Message-ID: <334fa5ca.74d0f4a535@ms-mss-06.texas.rr.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=====f3cbab.b186ad86f208eeb2a"
Content-Transfer-Encoding: 7bit
---------------------------------------------------------------------
Return-path: <info@hotmail.com>
Envelope-to: rsiefert@cpdhouston.com
Delivery-date: Wed, 04 May 2005 11:33:31 -0500
Received: from [70.112.127.248] (helo=esaqtdh.com) by server57.totalchoicehosting.com with smtp (Exim 4.44) id 1DTMoS-0000Sx-Qh; Wed, 04 May 2005 11:33:31 -0500
From: info@hotmail.com
To: Your-Account@cpdhouston.com
Date: Wed, 04 May 2005 16:22:50 GMT
Subject: FwD: Registration Confirmation
Importance: Normal
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
Message-ID: <4acf5.e21fe040e1e@hotmail.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=====a5a8b0eeab9ae"
Content-Transfer-Encoding: 7bit
---------------------------------------------------------------------
Return-path: <webmaster@hotmail.com>
Envelope-to: rsiefert@cpdhouston.com
Delivery-date: Wed, 04 May 2005 09:32:10 -0500
Received: from [70.112.127.248] (helo=ymwmxhn.com) by server57.totalchoicehosting.com with smtp (Exim 4.44) id 1DTKv0-0008B2-FM; Wed, 04 May 2005 09:32:09 -0500
From: webmaster@hotmail.com
To: 3Dkprice@cpdhouston.com
Date: Wed, 04 May 2005 14:19:32 UTC
Subject: Your Password
Importance: Normal
X-Priority: 3 (Normal)
Message-ID: <e73fcdec6772.cf9c1fb@hotmail.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===47a1d7daf1393d3b"
Content-Transfer-Encoding: 7bit
---------------------------------------------------------------------
Return-path: <postmaster@hotmail.com>
Envelope-to: rsiefert@cpdhouston.com
Delivery-date: Wed, 04 May 2005 07:34:28 -0500
Received: from [70.112.127.248] (helo=jnciiq.com) by server57.totalchoicehosting.com with smtp (Exim 4.44) id 1DTJ57-00013o-Vf; Wed, 04 May 2005 07:34:28 -0500
From: postmaster@hotmail.com
To: mail@cpdhouston.com
Date: Wed, 04 May 2005 12:21:10 GMT
Subject: FwD: Registration Confirmation
Importance: Normal
X-Priority: 3 (Normal)
Message-ID: <57cc3c7.ebd9e5cc@cpdhouston.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="==ce7f9bb4f2f.16dabed0de5"
Content-Transfer-Encoding: 7bit
---------------------------------------------------------------------
Return-path: <service@aol.com>
Envelope-to: rsiefert@cpdhouston.com
Delivery-date: Wed, 04 May 2005 10:33:37 -0500
Received: from [70.112.127.248] (helo=xfoyi.com) by server57.totalchoicehosting.com with smtp (Exim 4.44) id 1DTLsU-0003zB-JH; Wed, 04 May 2005 10:33:36 -0500
From: service@aol.com
To: mail@cpdhouston.com
Date: Wed, 04 May 2005 15:28:13 GMT
Subject: Registration Confirmation
Importance: Normal
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
Message-ID: <f642c8984abac89b5300@aol.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="====ca3d93065bcb"
Content-Transfer-Encoding: 7bit
---------------------------------------------------------------------
Return-path: <hostmaster@ecrushmail.com>
Envelope-to: rsiefert@cpdhouston.com
Delivery-date: Wed, 04 May 2005 08:31:33 -0500
Received: from [70.112.127.248] (helo=drbqdl.com) by server57.totalchoicehosting.com with smtp (Exim 4.44) id 1DTJyO-00048H-2y; Wed, 04 May 2005 08:31:33 -0500
From: hostmaster@ecrushmail.com
To: Recipient@cpdhouston.com
Date: Wed, 04 May 2005 13:18:02 UTC
Subject: FwD: mailing error
Importance: Normal
X-Mailer: AnonMail_Version 8.72
X-Priority: 3 (Normal)
Message-ID: <ceac7d9a55.f1c4b8@ecrushmail.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="====2cd021997da2b.c5c"
Content-Transfer-Encoding: 7bit
---------------------------------------------------------------------
Return-path: <hostmaster@hotmail.com>
Envelope-to: rsiefert@cpdhouston.com
Delivery-date: Wed, 04 May 2005 06:40:17 -0500
Received: from [70.112.127.248] (helo=yepmcdsvf.com) by server57.totalchoicehosting.com with smtp (Exim 4.44) id 1DTIEg-0006U8-39; Wed, 04 May 2005 06:40:17 -0500
From: hostmaster@hotmail.com
To: jyevans@cpdhouston.com
Date: Wed, 04 May 2005 11:27:13 UTC
Subject: Your Password
Importance: Normal
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
Message-ID: <f2ec79.aadf8024a9d4@hotmail.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=041ce01dc1ea.bec4a5eec5"
Content-Transfer-Encoding: 7bit
---------------------------------------------------------------------
Return-path: <postmaster@ms-mss-04.texas.rr.com>
Envelope-to: rsiefert@cpdhouston.com
Delivery-date: Wed, 04 May 2005 07:47:43 -0500
Received: from [70.112.127.248] (helo=pporjgk.com) by server57.totalchoicehosting.com with smtp (Exim 4.44) id 1DTJHw-0001iV-O4; Wed, 04 May 2005 07:47:43 -0500
From: postmaster@ms-mss-04.texas.rr.com
To: addressOf@cpdhouston.com
Date: Wed, 04 May 2005 12:38:09 UTC
Subject: Registration Confirmation
Importance: Normal
X-Mailer: AnonMail_Version 6.38
X-Priority: 3 (Normal)
Message-ID: <d3cccd.c47e74d6312ef@ms-mss-04.texas.rr.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=6dd4aad2c.d3159a8e"
Content-Transfer-Encoding: 7bit
Guest Serpentine Posted May 6, 2005

The last time I checked, TCH blocks some attachments but offers no virus scanning protection for your email. You are responsible for that.
TCH-Thomas Posted May 6, 2005

You have probably done this, but it might be worth checking whether SpamAssassin is enabled. The reason I ask is that I noticed that mine was disabled, which I didn't notice until now since I haven't received any evil stuff lately. It won't sort out/kill viruses, but it will stop most spam.
TCH-Bruce Posted May 6, 2005

As Thomas said, enable SpamAssassin, and I also suggest that you set your default email address to :fail:. As Serpentine says, TCH blocks some attachments but does no virus filtering. If you have email you are no doubt going to get email with virus attachments. That's a fact of internet life. All you can do is arm yourself with good anti-virus software and keep it updated.
James281 Posted May 6, 2005 (Author, edited)

> The last time I checked, TCH blocks some attachments but offers no virus scanning protection for your email. You are responsible for that.

I don't care if I get one virus a week or maybe one a day, but in all we have around 10-20 accounts on our domain and every single account is getting around 20 viruses a day, and they are all the same on all accounts. If this is not abuse then what is? We all have virus scanners on our computers, but it sure is annoying to keep on getting viruses.

> You have probably done this, but it might be worth checking whether SpamAssassin is enabled. The reason I ask is that I noticed that mine was disabled, which I didn't notice until now since I haven't received any evil stuff lately. It won't sort out/kill viruses, but it will stop most spam.

I think mine is disabled right now, but spam isn't the problem; all computers here are using Office 2003, which has a spam filter, and it works pretty well, most of the spam gets filtered out. But I will enable this SpamAssassin.

Edited May 6, 2005 by James281
TCH-Thomas Posted May 6, 2005

It's just a thought, but... I looked at the "Received: from" in the attached text. All the email seems to come from the same people, so perhaps it's time for you to email their ISP and ask them to take action.
James281 Posted May 6, 2005 (Author)

> As Thomas said, enable SpamAssassin, and I also suggest that you set your default email address to :fail:. As Serpentine says, TCH blocks some attachments but does no virus filtering. If you have email you are no doubt going to get email with virus attachments. That's a fact of internet life. All you can do is arm yourself with good anti-virus software and keep it updated.

I did set the default email address to :fail:. Like I said, I don't mind if we, across all 10 emails, get maybe 1-2 viruses a week. But we are getting 20+ emails with viruses a day!!! And this incident just recently happened, that is why I asked you guys for help. And we all do have anti-virus software.
TCH-Bruce Posted May 6, 2005

I've had an increase in virus attachments recently and they are all bounced emails that I never sent. So someone has me in their address book that is infected and it's spoofing my address. Maybe the same is happening to you.
James281 Posted May 6, 2005 (Author)

> I've had an increase in virus attachments recently and they are all bounced emails that I never sent. So someone has me in their address book that is infected and it's spoofing my address. Maybe the same is happening to you.

Sure, I can see that happening... but not to all 15+ email accounts.
woodygap Posted May 6, 2005

> I've had an increase in virus attachments recently and they are all bounced emails that I never sent. So someone has me in their address book that is infected and it's spoofing my address. Maybe the same is happening to you.

Could one of the machines in your group be virus-infected? If all 15 users have each other in their address books, that would be a possible cause for such a high volume. Do the attachments have similar names?

Good luck
lktodd Posted May 6, 2005

I'm having the same problem as James describes. Bombarded with these emails all of a sudden. I think I had 45 this morning when I opened email. SpamAssassin is turned on. Any other ideas?

> > I've had an increase in virus attachments recently and they are all bounced emails that I never sent. So someone has me in their address book that is infected and it's spoofing my address. Maybe the same is happening to you.
>
> Sure, I can see that happening... but not to all 15+ email accounts.
Guest Serpentine Posted May 6, 2005 (edited)

By the way, that is the Win32.Sober.p worm. This worm spreads by mass-mailing copies of itself using its own SMTP engine. It gathers its target recipients from files with certain extension names. This means that anyone infected who has your email address in their address book or in a document on their computer will have this sent to you or the entire organization. You can't stop them from coming to you.

By the way, as this worm is a new variant, it is most likely the reason it has happened suddenly. Update your virus defs if you haven't done so yet. You can get more information at the Trend Micro site.

I would create filters in your mail program to delete any subjects containing:

• mailing error
• Re:
• Registration Confirmation
• Your email was blocked
• Your Password

Edited May 6, 2005 by Serpentine
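Thomas's point about the "Received: from" line and Serpentine's subject list combine into a quick triage script. The following is an added example written for this page; it is not code from the thread, from TotalChoiceHosting, or from any of the AV vendors named here. It takes header blocks in the form James281 pasted (three of his are embedded as sample input, trimmed to the fields that matter), groups them by the IP that handed them to server57, matches Subject: against Serpentine's list, and flags messages whose HELO name has nothing to do with the domain claimed in From:. The HELO/From mismatch rule and the decision to leave a bare "Re:" out of the subject filter are assumptions made for this example, not something the worm descriptions on the page state.

```python
"""Triage worm mail from Exim headers like the ones pasted in this thread.

Groups messages by the IP in the topmost Received: line, checks whether the
HELO name agrees with the claimed From: domain, and matches Subject: against
the Sober subject list given in the thread.
"""
import re
from collections import Counter
from email.parser import HeaderParser

# Sample input (constructed from the first post): three of the header blocks
# James281 pasted, trimmed to the fields triage needs.
SAMPLE_HEADERS = [
    "Return-path: <service@aol.com>\n"
    "Received: from [70.112.127.248] (helo=dmsml.com) by "
    "server57.totalchoicehosting.com with smtp (Exim 4.44) id "
    "1DTOJm-00027o-3d; Wed, 04 May 2005 13:10:00 -0500\n"
    "From: service@aol.com\n"
    "To: addressOf@cpdhouston.com\n"
    "Subject: FwD: mailing error\n"
    "X-Mailer: AnonMail_Version 10.37\n",
    "Return-path: <service@ms-mss-06.texas.rr.com>\n"
    "Received: from [70.112.127.248] (helo=nxtovbs.com) by "
    "server57.totalchoicehosting.com with smtp (Exim 4.44) id "
    "1DTNmQ-0008B0-Jn; Wed, 04 May 2005 12:35:29 -0500\n"
    "From: service@ms-mss-06.texas.rr.com\n"
    "To: freemail@cpdhouston.com\n"
    "Subject: Your Password\n",
    "Return-path: <postmaster@hotmail.com>\n"
    "Received: from [70.112.127.248] (helo=jnciiq.com) by "
    "server57.totalchoicehosting.com with smtp (Exim 4.44) id "
    "1DTJ57-00013o-Vf; Wed, 04 May 2005 07:34:28 -0500\n"
    "From: postmaster@hotmail.com\n"
    "To: mail@cpdhouston.com\n"
    "Subject: FwD: Registration Confirmation\n",
]

# Exim's Received: format as it appears above: "from [ip] (helo=name) by ..."
RECEIVED_RE = re.compile(r"from \[(\d{1,3}(?:\.\d{1,3}){3})\] \(helo=([^)\s]+)\)")

# Subjects Serpentine lists for this Sober variant. A bare "Re:" is left out
# on purpose (an assumption of this example): as a substring it would match
# every legitimate reply.
SOBER_SUBJECTS = ("mailing error", "registration confirmation",
                  "your email was blocked", "your password")


def parse_headers(raw):
    """Pull the triage fields out of one raw header block."""
    msg = HeaderParser().parsestr(raw)
    ip = helo = None
    received = msg.get_all("Received") or []
    if received:
        # The topmost Received: was written by our own MX (server57), so it
        # is the only hop whose peer IP and HELO the sender could not forge.
        m = RECEIVED_RE.search(received[0])
        if m:
            ip, helo = m.group(1), m.group(2).lower()
    sender = (msg.get("From") or "").strip().lower()
    from_domain = sender.rsplit("@", 1)[-1] if "@" in sender else ""
    return {"ip": ip, "helo": helo, "from_domain": from_domain,
            "subject": (msg.get("Subject") or "").strip()}


def looks_like_sober(parsed):
    """Subject on the worm's list AND a HELO name unrelated to the From: domain."""
    subject_hit = any(s in parsed["subject"].lower() for s in SOBER_SUBJECTS)
    helo, dom = parsed["helo"], parsed["from_domain"]
    # The worm forges From: as a big provider but HELOs with a throwaway name
    # (dmsml.com, nxtovbs.com, ...) that is never that provider's domain.
    helo_mismatch = bool(helo) and helo != dom and not dom.endswith("." + helo)
    return subject_hit and helo_mismatch


def triage(raw_messages):
    """Summarise a batch: per-IP counts, suspect count, and abuse-report data."""
    parsed = [parse_headers(r) for r in raw_messages]
    by_ip = Counter(p["ip"] for p in parsed if p["ip"])
    suspects = [p for p in parsed if looks_like_sober(p)]
    return {
        "by_ip": by_ip,
        "suspect_count": len(suspects),
        # The address to name in the abuse report to the sending ISP.
        "top_source": by_ip.most_common(1)[0][0] if by_ip else None,
        "helo_names": sorted({p["helo"] for p in suspects}),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_HEADERS)
    print("messages per source IP:", dict(report["by_ip"]))
    print("Sober-like messages:", report["suspect_count"])
    print("report to the ISP responsible for:", report["top_source"])
    print("forged HELO names seen:", ", ".join(report["helo_names"]))
```

Run against the nine blocks in the first post, every message resolves to the single IP 70.112.127.248 with a different throwaway HELO each time, which is the data an abuse desk wants: one source address, the timestamps from the Received: lines, and the Exim queue ids. The subject match alone is weak (the worm rotates subjects and a user may genuinely send "Your Password"), so the HELO mismatch is what keeps false positives down; a message that HELOs as aol.com and claims an aol.com sender is not flagged.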
James281 Posted May 6, 2005 (Author)

> > I've had an increase in virus attachments recently and they are all bounced emails that I never sent. So someone has me in their address book that is infected and it's spoofing my address. Maybe the same is happening to you.
>
> Could one of the machines in your group be virus-infected? If all 15 users have each other in their address books, that would be a possible cause for such a high volume. Do the attachments have similar names?
>
> Good luck

Well, as I understand it, even if a machine doesn't have virus protection, you would have to download the attachment and unzip it to get infected, and I am sure none of the accounts we have here downloaded any of the attachments. There are around 20 computers where I am, with the possibility of having all of our emails in their address books. Anyway, this is the virus; it's been looping around for a few days now.

W32.Sober.O@mm
Win32.Sober.N [Computer Associates], Sober.P [F-Secure], W32/Sober.p@MM [McAfee], W32/Sober-N [Sophos], WORM_SOBER.S [Trend Micro]
http://securityresponse.symantec.com/avcen...sober.o@mm.html
Madmanmcp Posted May 6, 2005

You are getting the newest variant of the original Sober virus, which makes sense. The virus scanners are normally behind the virus writers, and it takes several days to catch up.

> Well, as I understand it, even if a machine doesn't have virus protection, you would have to download the attachment and unzip it to get infected.

Actually, all that's needed is to "execute" the file. It comes in a self-extracting zip, so it will unzip itself and then execute itself.
briguy33 Posted May 8, 2005

Same thing is happening to one of our reseller clients... I wish I knew what to do about this.
Guest Serpentine Posted May 8, 2005

How can you stop these emails from being sent to you? Not much you can do but selective filtering and keeping your AV definitions up to date.
Dark Posted May 8, 2005 (edited)

I use McAfee SpamKiller. It's configured to periodically sign onto my mail account and filter any mail that was sent to my inbox. I had an incident where someone signed my e-mail address up to about 1000 newsletters and I never received one. It's a good program and it also blocks certain addresses from contacting you, period.

Edited May 8, 2005 by Dark
redwolf Posted May 15, 2005

> W32.Sober.O@mm
> Win32.Sober.N [Computer Associates], Sober.P [F-Secure], W32/Sober.p@MM [McAfee], W32/Sober-N [Sophos], WORM_SOBER.S [Trend Micro]
> http://securityresponse.symantec.com/avcen...sober.o@mm.html

The scum that NOD32 ate this morning was listed as containing the Mytob.CD worm [and there are two more being eaten as I type]. I've had a few days of this virus hitting the inbox. The social engineering aspect of the messages (your e-mail account is suspended, open this to fix it) will easily convince the less web-savvy recipient to open the message. It won't work on someone who gets a large amount of e-mail, but it will on those who only get a few.

Secunia Virus Information: MYTOB.CD
Net-Worm.Win32.Mytob.gen, W32.Mytob.BD@mm, W32/Mytob, W32/Mytob.CL@mm, W32/Mytob.gen@MM, Win32.Mytob.BO, Win32/Mytob.BO!Worm, WORM_MYTOB.CD