TCH-Dick Posted March 3, 2004

There's an e-mail going around that is attempting to collect username and password information. The e-mail is formatted like the one below and has an attachment that it asks you to open and fill out with all of your log in details.

DO NOT open the attachment and fill it out; if you have, immediately change all of your e-mail passwords via Cpanel.

The e-mail will appear to come from your own domain name.

Dear user of domain.com,

Some of our clients complained about the spam (negative e-mail content) outgoing from your e-mail account. Probably, you have been infected by a proxy-relay trojan server. In order to keep your computer safe, follow the instructions.

For more information see the attached file.

For security reasons attached file is password protected. The password is "01415".

Cheers,
The domain.com team
ThumpAZ Posted March 4, 2004

Typical use of wording to lull you into thinking it is legit. Use words that appear to be technical sounding so that the reader gets confused into believing they really should respond.

When in doubt, contact the company claiming to have sent the message!

Thanks for the heads up Mike

-GG

EDIT: http://www.totalchoicehosting.com/forums/i...?showtopic=8186

It appears that this is actually the Beagle virus's latest variant according to a user with the latest Norton dat file.

Edited March 4, 2004 by TCH-Glenn
HCSuperStores Posted March 4, 2004

I actually just got this one. It had a .pif file attached and it was worded almost the exact same way.

I just sent out 70 e-mail notes to my subscriber list yesterday in the PM (non-TCH server and account) and that is where I got the e-mail from.

I ALMOST fell for it! I thought my notes were being labelled as spam! I was sooo close to clicking the file. If the wording had been slightly different, it would have fooled me. However, since the e-mail note tried to pretend that it was me (the administrator) it gave itself away.

Phew!
Cheryl Posted March 5, 2004

I just received this email:

From: support@stayhome.com
To: cheryl@stayhome.com
Subject: E-mail account disabling warning.
Date sent: Thu, 04 Mar 2004 22:14:11 -0800

Hello user of Stayhome.com e-mail server,

Your e-mail account will be disabled because of improper using in next three days, if you are still wishing to use it, please, resign your account information.

For more information see the attached file.

For security reasons attached file is password protected. The password is "11653".

Kind regards,
The Stayhome.com team
http://www.stayhome.com

Attached was a readme.zip file (which of course I didn't open).

This was the full header of the email:

Return-path: <chazzbird@insight-outlook.org>
Envelope-to: cheryl@stayhome.com
Delivery-date: Thu, 04 Mar 2004 22:18:04 -0500
Received: from [141.152.171.42] (helo=cc150778-a)
    by server21.totalchoicehosting.com with smtp (Exim 4.24)
    id 1Az5qc-0000cG-OB
    for cheryl@stayhome.com; Thu, 04 Mar 2004 22:18:02 -0500
Date: Thu, 04 Mar 2004 22:14:11 -0800
To: cheryl@stayhome.com
Subject: E-mail account disabling warning.
From: support@stayhome.com
Message-ID: <mvcbyktvbbtnjsdpqkh@stayhome.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--------pigwslfcfedneoqkojwq"
X-PMFLAGS: 570949760 0 1 P290A0.CNM

----------pigwslfcfedneoqkojwq
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

When I did the IP look-up:

Received: from [141.152.171.42]

it is coming from

Verizon Internet Services VIS-141-149 (NET-141-149-0-0-1) 141.149.0.0 - 141.158.255.255
Verizon Internet Services VZ-DSLDIAL-CHSKVA-5 (NET-141-152-137-0-1) 141.152.137.0 - 141.152.171.255

Being that I own StayHome.com and have it hosted here, and do not have a support email...I was curious if this is a new kind of virus going around? Anyone know?
MikeJ Posted March 5, 2004

Yep. Delete it. Many of those have attachments that will try to get you to fill out and send information. It's bogus.
Tnet Posted March 5, 2004

Two email users (so far) have received the following email. The from email address does not exist, so it could not have been harvested from an address book. I substituted mydomain for my real domain name.

From: staff@mydomain.net [mailto:staff@mydomain.net]
Sent: Friday, March 05, 2004 7:31 AM
To: Barnstormer@mydomain.net
Subject: Warning about your e-mail account.

Dear user of mydomain.net,

Some of our clients complained about the spam (negative e-mail content) outgoing from your e-mail account. Probably, you have been infected by a proxy-relay trojan server. In order to keep your computer safe, follow the instructions.

For further details see the attach.

For security reasons attached file is password protected. The password is "52412".

Sincerely,
The mydomain.net team
http://www.mydomain.net

I created a filter to discard mail from stall@mydomain.net, but is there any way for me to trace the source of these emails (ip address, etc)?
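One way to approach the tracing question, using the full header Cheryl posted earlier in the thread (an added example, not part of any original post): read the connecting IP from the `Received` line stamped by your own host's mail server, and compare the `From`, `Return-path` and `To` domains. The function names and the `trusted` parameter are assumptions made for this sketch.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Header fields copied from Cheryl's post (unused fields trimmed).
RAW = """\
Return-path: <chazzbird@insight-outlook.org>
Envelope-to: cheryl@stayhome.com
Received: from [141.152.171.42] (helo=cc150778-a)
\tby server21.totalchoicehosting.com with smtp (Exim 4.24)
\tid 1Az5qc-0000cG-OB
\tfor cheryl@stayhome.com; Thu, 04 Mar 2004 22:18:02 -0500
To: cheryl@stayhome.com
Subject: E-mail account disabling warning.
From: support@stayhome.com

"""
IP_RE = re.compile(r"\[([0-9A-Fa-f:.]+)\]")

def domain(addr):
    """Lower-cased domain part of an address header, '' if absent."""
    return parseaddr(addr or "")[1].rpartition("@")[2].lower()

def hops(msg):
    """(connecting_ip, receiving_host) per Received header, newest first."""
    out = []
    for value in msg.get_all("Received", []):
        from_part, sep, by_part = " ".join(value.split()).partition(" by ")
        ip = IP_RE.search(from_part)
        out.append((ip.group(1) if ip else None,
                    by_part.split()[0].lower() if sep and by_part else None))
    return out

def analyse(raw, trusted):
    """trusted: domain of the mail servers you rely on (assumption of this sketch)."""
    msg = message_from_string(raw)
    source_ip = None
    # Walk down from the newest hop; stop at the first line not stamped by a
    # trusted server, since everything below that was supplied by the sender.
    for ip, by in hops(msg):
        if not by or not (by == trusted or by.endswith("." + trusted)):
            break
        source_ip = ip
    frm, env, rcpt = (domain(msg[h]) for h in ("From", "Return-path", "To"))
    flags = []
    if env and env != frm:
        flags.append("envelope_mismatch")         # Return-path disagrees with From
    if frm and frm == rcpt:
        flags.append("from_is_recipient_domain")  # mail "from your own domain"
    return {"source_ip": source_ip, "from_domain": frm,
            "envelope_domain": env, "flags": flags}

if __name__ == "__main__":
    print(analyse(RAW, "totalchoicehosting.com"))
```

The address recovered this way is the machine that connected to the receiving server, which for a mass-mailing worm is normally another infected PC rather than the author. The `Return-path` value is also sender-supplied, so a mismatch is a warning sign and not an identification.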
mike Posted March 8, 2004

Mad!!! yep. thanks Mike, I already got those emails too. I mentioned it in a forum somewhere the other day and they had changed my email addresses by inserting a : 3d in front of everyone's actual username, like 3dme@mysite.com Mad!!! Mad!!!

of course my antivirus slapped it to sleep. heh heh. (er.. this time anyway)