[Dshield] Re: list Digest, Vol 10, Issue 1

  • To: [EMAIL PROTECTED]
  • Subject: [Dshield] Re: list Digest, Vol 10, Issue 1
  • From: Kenneth Coney <[EMAIL PROTECTED]>
  • Date: Wed, 01 Oct 2003 12:32:36 -0400
  • In-reply-to: <[EMAIL PROTECTED]>
  • Old-x-envelope-to: [EMAIL PROTECTED]
  • References: <[EMAIL PROTECTED]>
  • Reply-to: General DShield Discussion List <[EMAIL PROTECTED]>
  • Sender: [EMAIL PROTECTED]
Most of the newer viruses create a mail server in the infected machine. Initially, they use the infected machine's address list, not yours. Likewise, some of them also make reports confirming their existence and location, at least once, to a predetermined IP address and then await further instructions while replicating through email. It is not improbable that received instructions can include new email addresses and spoofed IP numbers to use for email sources. Some ISPs are now filtering outgoing mail for viruses from the infected machines. This results in emasculated emails (i.e., stripped of harmful instructions) arriving at your machine. If you are paranoid, consider that someone somewhere wants your IP added to his list of slaves, so the attempts at infecting you continue. :)



Subject: [Dshield] Swen related 'qmail' question
From: "Guy Barnum" <[EMAIL PROTECTED]>
Date: Tue, 30 Sep 2003 15:19:56 -0400
To: "General DShield Discussion List" <[EMAIL PROTECTED]>

Question regarding a flood of fake failed emails since Swen has been breeding in the wild: I have recently been flooded with the fake Microsoft support Swen-attached emails (getting this one under control) but now I'm flooded with fake failed emails, some of which (25% or less?) claim to be an undeliverable qmail message. You can tell the messages that don't mention qmail are still from the same general source; they all look the same, with 3 or 4 lines in the subject regarding a failed email message and the same text in the email, bolded or not bolded, in all of them.

I know this has been reported as one of the emails sent by the Swen virus strain, but ALL of these messages piling up on my system have no attachments and are not HTML emails with any macros or malicious code.

My system in question passes the latest virus scans per Norton Corporate, and all of the to and from addresses in these messages are fake, so they aren't being pulled from my address book. So where are they coming from and how-why are they getting delivered to my address? Is this just a symptom of infected machines out there on the net which my email address has ended up on somehow and is being flooded until they clean their system?

Also with no infected or 'bad' file attachments and with the faked to & from info how can you block these emails?

I'm looking into the email headers of these msgs, and even though the fake from address doesn't match the sending email host, can I assume they were sent from a real email server? If so, then they could be informed of infected machines on their network to clean up and stop flooding me, right?

Any advice or explanations of how this all works is greatly appreciated, or pointing me to where this has already been covered of course. I would be happy to post up a header or two from these emails, if you want to see one just ask on or off list.

Guy
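
Added example, not part of the original posts: one way to read the headers of such a fake "failed delivery" notice and find the host that actually handed it to your mail server, which is the address worth reporting to an ISP. The sample message, the hostname `mx.myhost.example`, and the Sendmail/Postfix-style `Received:` layout are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: every host, address and IP below is invented
# (example.* names, RFC 5737 documentation ranges).
SAMPLE = """\
Received: from mail.isp.example (mail.isp.example [198.51.100.25])
\tby mx.myhost.example with ESMTP id A1; Tue, 30 Sep 2003 15:10:02 -0400
Received: from pc-home (dsl-77.isp.example [203.0.113.77])
\tby mail.isp.example with SMTP id B2; Tue, 30 Sep 2003 15:10:00 -0400
Received: from qmail.bigcorp.example ([192.0.2.1])
\tby pc-home with SMTP; Tue, 30 Sep 2003 15:09:00 -0400
From: "Mail Delivery Service" <postmaster@bigcorp.example>
To: guy@myhost.example
Subject: Undeliverable message

This is the qmail program. Message could not be delivered.
"""

# "from HELO (rdns [ip]) by HOST"; the reverse-DNS name is optional.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[0-9.]+)\]\)"
    r"\s+by\s+(?P<by>\S+)")

def hops(raw):
    """Return (message, Received hops newest first) with helo, rdns, ip, by."""
    msg = message_from_string(raw)
    found = (RECEIVED_RE.search(v) for v in msg.get_all("Received", []))
    return msg, [m.groupdict() for m in found if m]

def handoff(raw, my_mx):
    """Locate the hop stamped by our own MX. Only that line is trustworthy;
    every Received line below it was supplied by the sender and may be forged."""
    msg, chain = hops(raw)
    for hop in chain:
        if hop["by"].lower() == my_mx.lower():
            addr = parseaddr(msg.get("From", ""))[1]
            from_domain = addr.rpartition("@")[2].lower()
            host = (hop["rdns"] or hop["helo"]).lower()
            aligned = host == from_domain or host.endswith("." + from_domain)
            return {"ip": hop["ip"], "host": host,
                    "from_domain": from_domain, "from_matches_sender": aligned}
    return None  # our MX never stamped this message: treat all hops as untrusted

if __name__ == "__main__":
    print(handoff(SAMPLE, "mx.myhost.example"))
```
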



