Author Topic: DO NOT OPEN MY MAIL

Offline 2Slow

  • Nickel Member
  • ***
  • Posts: 720
DO NOT OPEN MY MAIL
« Reply #30 on: February 25, 2004, 05:31:27 PM »
Mdoomf was discovered on the 20th.  Symantec didn't have new virus definitions until the 23rd.  Got a small dose of Mdoom at work.  Took down one of our servers.  It deleted 11,000 user files off of it.

Mdoomf is one mean little sucker.
2Slow
Secundum mihi , urbanus resurrectio
TANSTAAFL

Offline Chairboy

  • Probation
  • Plutonium Member
  • *******
  • Posts: 8221
      • hallert.net
DO NOT OPEN MY MAIL
« Reply #31 on: February 25, 2004, 06:26:03 PM »
Send the following URL to your ISP:

http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.f@mm.html

Tell them to go to Section 19.  The pertinent point in bold below:
Quote
From:
The sender's name may be one of the following:

jerry
bill
smith
jim
sam
james
alex

with one of the following domains:

aol.com
msn.com
yahoo.com
hotmail.com

--------------------------------------------------------------------------------
Note: The worm may also use the email addresses it finds from the local files.
--------------------------------------------------------------------------------


If the From: line was your address, then it was culled from a file on an infected persons machine.  You most likely never had it, and your ISP is in serious need of gathering a clue.
« Last Edit: February 25, 2004, 06:30:16 PM by Chairboy »
"When fascism comes to America it will be wrapped in the flag and carrying a cross." - Sinclair Lewis

Offline Octavius

  • Skinner Team
  • Platinum Member
  • ******
  • Posts: 6651
DO NOT OPEN MY MAIL
« Reply #32 on: February 25, 2004, 06:33:22 PM »
Time Warner Cable - Road Runner.  I talked to the national help desk too.  

Thanks for the link.
octavius
Fat Drunk BasTards (forum)

"bastard coated bastards with bastard filling?  delicious!"
Guest of the ++Blue Knights++

Offline AKIron

  • Plutonium Member
  • *******
  • Posts: 13292
DO NOT OPEN MY MAIL
« Reply #33 on: February 25, 2004, 06:44:10 PM »
I'm assuming they detected the virus when you authenticated into their smtp server and then attempted to send the infected attachment. If that is what happened then it is likely you were infected.

I mean when the virus did this, not you personally.
Here we put salt on Margaritas, not sidewalks.

Offline Octavius

  • Skinner Team
  • Platinum Member
  • ******
  • Posts: 6651
DO NOT OPEN MY MAIL
« Reply #34 on: February 25, 2004, 06:47:25 PM »
Wouldn't the virus scanners have picked it up?  The logs don't show anything automatically deleted.  I would have seen the results of the several scans I've done.
octavius
Fat Drunk BasTards (forum)

"bastard coated bastards with bastard filling?  delicious!"
Guest of the ++Blue Knights++

Offline Shane

  • Platinum Member
  • ******
  • Posts: 7943
DO NOT OPEN MY MAIL
« Reply #35 on: February 25, 2004, 06:56:22 PM »
i dealt with this in the original mydoom episode.  i was getting back mailer daemons saying my emails were bouncing. since i'm pretty on the ball with virus crap (never been infected) after doing my legwork i knew it wasn't me.  the kicker was the returned mail (with text) showing what the message was.. it had included the name (and ssn) of someone i knew who had me in his book, so i gave him a heads up. after a few days it all went away.

so yeah, your isp is in serious need of a clue - or at least the people you spoke with. i have rr myself, but i didn't need them to resolve this.

good luck tracking down the person who has you in their addy book and is infected. all it takes is a little break to figure out who it might be.
Surrounded by suck and underwhelmed with mediocrity.
I'm always right, it just takes some people longer to come to that realization than others.
I'm not perfect, but I am closer to it than you are.
"...vox populi, vox dei..."  ~Alcuin ca. 798
Truth doesn't need exaggeration.

Offline 2Slow

  • Nickel Member
  • ***
  • Posts: 720
DO NOT OPEN MY MAIL
« Reply #36 on: February 25, 2004, 07:08:37 PM »
Quote
Originally posted by Octavius
I already did ^ up there a few posts.  "MyDoom.f"

I just got off the phone with my ISP and they say it's highly unlikely there to be any forgery.  They claim I probably had it and already cleaned it off (but somehow missed it in the process :rolleyes: ).  The messages  I'm getting are just residual bouncebacks from when it supposedly was on the system.


http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.f@mm.html

go to the above link, there is a link there for a removal tool.  If you have the latest definitions, dated 23rd or later, for symantec or mcafee then a scan will find it.
2Slow
Secundum mihi , urbanus resurrectio
TANSTAAFL

Offline Octavius

  • Skinner Team
  • Platinum Member
  • ******
  • Posts: 6651
DO NOT OPEN MY MAIL
« Reply #37 on: February 25, 2004, 07:12:33 PM »
I have the latest definitions for both.  They found nothing.

Shane, thats exactly what is happening.  If they keep coming in I'll look around for any information that I know.  I could post the text of one of them.  No important information beside my e-mail in there.
octavius
Fat Drunk BasTards (forum)

"bastard coated bastards with bastard filling?  delicious!"
Guest of the ++Blue Knights++

Offline AKIron

  • Plutonium Member
  • *******
  • Posts: 13292
DO NOT OPEN MY MAIL
« Reply #38 on: February 25, 2004, 07:32:55 PM »
If your isp was going by the "from address" to determine who sent the email then yeah, they are definitely clueless. However, no one can log into their smtp server as you without your user account and password, which of course your email client knows and a virus would use.
Here we put salt on Margaritas, not sidewalks.

Offline Chairboy

  • Probation
  • Plutonium Member
  • *******
  • Posts: 8221
      • hallert.net
DO NOT OPEN MY MAIL
« Reply #39 on: February 25, 2004, 08:03:54 PM »
Akiron, when sending SMTP mail, most ISPs don't require a login, they only require it for retrieving mail.  In either case, even if you DO log in, in an SMTP session you just send 'FROM: reagan@whitehouse.gov' and it accepts it, it has nothing to do with the login.
"When fascism comes to America it will be wrapped in the flag and carrying a cross." - Sinclair Lewis

Offline Eagler

  • Plutonium Member
  • *******
  • Posts: 18754
DO NOT OPEN MY MAIL
« Reply #40 on: February 25, 2004, 11:10:42 PM »
Oct
had the same thing here, at least one person with my address in their address book was infected and i kept getting the bounce/virus notifications back from various email servers. I have RR here also but even when I was getting 300 to 500 a day, they never contacted me about it. I sent an email describing the fix to the ppl i thought were the originators of the emails and it slowly went away..
"Masters of the Air" Scenario - JG27


Intel Core i7-13700KF | GIGABYTE Z790 AORUS Elite AX | 64GB G.Skill DDR5 | 16GB GIGABYTE RTX 4070 Ti Super | 850 watt ps | pimax Crystal Light | Warthog stick | TM1600 throttle | VKB Mk.V Rudder

Offline AKIron

  • Plutonium Member
  • *******
  • Posts: 13292
DO NOT OPEN MY MAIL
« Reply #41 on: February 25, 2004, 11:14:53 PM »
Quote
Originally posted by Chairboy
Akiron, when sending SMTP mail, most ISPs don't require a login, they only require it for retrieving mail.  In either case, even if you DO log in, in an SMTP session you just send 'FROM: reagan@whitehouse.gov' and it accepts it, it has nothing to do with the login.


I think you're wrong about that Chairboy. Most do require authentication to send mail. Some may use the connection authentication though or ip address. Without authentication their smtp server can be used by spammers. That's why so many are blocking ip's with open relay these days.
Here we put salt on Margaritas, not sidewalks.

Offline AKIron

  • Plutonium Member
  • *******
  • Posts: 13292
DO NOT OPEN MY MAIL
« Reply #42 on: February 25, 2004, 11:29:58 PM »
Quote
Originally posted by Chairboy
Akiron, when sending SMTP mail, most ISPs don't require a login, they only require it for retrieving mail.  In either case, even if you DO log in, in an SMTP session you just send 'FROM: reagan@whitehouse.gov' and it accepts it, it has nothing to do with the login.


Any smtp server will allow you to send mail to recipients on that server without authenticating. However, using that server to send mail to recipients in another domain will usually fail unless the server uses "open relay" or the user is authenticated.

As I mentioned in the previous post, authentication may be nothing more than allowing a block of ip addresses they assign to their network users to relay email. Still, they should have a log of what user or ip address attempted to send an infected attachment. If they don't and are going only by the "from", they are clueless.
Here we put salt on Margaritas, not sidewalks.
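The relay rules AKIron describes in the two posts above (local recipients accepted from anyone, off-domain recipients only for authenticated users or addresses inside the ISP's own customer block) can be written down as a small policy function. The code below is an added illustration for this thread, not anything posted by AKIron or taken from a real mail server; the domain, the customer network and the hypothetical `relay_decision` / `log_line` names are all constructed for the example. The point it makes is the one in the post: the record worth keeping is the connecting IP and the authenticated user, because the From: header says nothing about who actually connected.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional, Set

# Constructed configuration for a hypothetical ISP mail server.
# 203.0.113.0/24 is a documentation range (RFC 5737), not a real customer block.
LOCAL_DOMAINS: Set[str] = {"example.net"}
CUSTOMER_NETS = [ipaddress.ip_network("203.0.113.0/24")]


@dataclass
class Decision:
    accepted: bool
    reason: str


def relay_decision(client_ip: str, auth_user: Optional[str], rcpt: str,
                   local_domains: Set[str] = LOCAL_DOMAINS,
                   customer_nets: Iterable[ipaddress.IPv4Network] = CUSTOMER_NETS) -> Decision:
    """Decide whether an RCPT TO: is accepted for the given client.

    Order of checks mirrors the thread: mail for a domain this server hosts is
    always accepted; anything else is relay and needs either SMTP AUTH or a
    connecting address inside the ISP's own customer block. A server that
    skips both checks is an open relay.
    """
    domain = rcpt.rsplit("@", 1)[-1].lower()
    if domain in local_domains:
        return Decision(True, "local recipient")
    if auth_user:
        return Decision(True, f"relay for authenticated user {auth_user}")
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in customer_nets):
        return Decision(True, f"relay for customer address {client_ip}")
    return Decision(False, "relay denied: not local, not authenticated, not a customer address")


def log_line(client_ip: str, auth_user: Optional[str], mail_from: str,
             rcpt: str, decision: Decision) -> str:
    """The log record an ISP needs to attribute a bad attachment to a real sender.

    client= and auth= identify who connected; from= is only what the client
    claimed and is not trustworthy on its own.
    """
    status = "accepted" if decision.accepted else "rejected"
    return (f"client={client_ip} auth={auth_user or '-'} "
            f"from=<{mail_from}> to=<{rcpt}> status={status} ({decision.reason})")


if __name__ == "__main__":
    # Constructed sessions: a worm on a customer PC claiming a forged From:,
    # and an outside host trying to use the server as a relay.
    for client, user, sender, rcpt in [
        ("203.0.113.42", None, "octavius@example.com", "victim@example.org"),
        ("198.51.100.9", None, "jerry@aol.com", "victim@example.org"),
        ("198.51.100.9", None, "jerry@aol.com", "bob@example.net"),
        ("198.51.100.9", "alice", "alice@example.net", "victim@example.org"),
    ]:
        print(log_line(client, user, sender, rcpt, relay_decision(client, user, rcpt)))
```

In the first constructed session the server accepts the mail because the client sits in the customer block, and the log line records `client=203.0.113.42`; that address, not the forged `from=<octavius@example.com>`, is what the ISP should be reading before blaming a subscriber.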

Offline AKcurly

  • Silver Member
  • ****
  • Posts: 1509
DO NOT OPEN MY MAIL
« Reply #43 on: February 25, 2004, 11:38:00 PM »
Quote
Originally posted by AKIron
I think you're wrong about that Chairboy. Most do require authentication to send mail. Some may use the connection authentication though or ip address. Without authentication their smtp server can be used by spammers. That's why so many are blocking ip's with open relay these days.


Yep, open relays are a big no-no.  

curly

Offline MrsRoo

  • Zinc Member
  • *
  • Posts: 46
Oh quit making the poor man chase his tail!
« Reply #44 on: February 26, 2004, 01:04:53 AM »
Oct .... all you have to do is look at the message source of one of those infected emails that was sent back to you ... in the last received line of the message header it will have the IP of the originating computer ... if it's your IP you were, or are infected ... if it's another IP then it's not you. You can use that IP addy to try to track the person down ... you can at least get a fix on the city.
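MrsRoo's check above (read the bottom Received: line of the returned message and compare its IP with your own) can be automated with Python's standard `email` module. The script below is an added example for this thread, not code from any poster; the header block, host names and addresses are constructed from RFC 5737 documentation ranges, and the function names `originating_ip` and `sent_from_my_machine` are hypothetical. Received: headers are stacked newest-first, so the last one was written by the first mail server the message touched and its "from" clause names the machine that actually connected, whatever the From: header claims.

```python
import re
from email import message_from_string
from typing import List, Optional

# Connecting address as MTAs conventionally write it: "(hostname [1.2.3.4])".
IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample: the header block of a worm-sent message as a bounce
# returns it. The From: header is forged to the victim's own address.
SAMPLE_RETURNED_HEADERS = """\
Received: from mail.example.net (mail.example.net [192.0.2.10])
\tby mx.example.org (Postfix) with ESMTP id 1A2B3C;
\tWed, 25 Feb 2004 18:00:00 -0500
Received: from jerry (cpe-203-0-113-42.example.isp [203.0.113.42])
\tby mail.example.net with SMTP id 9Z8Y7X;
\tWed, 25 Feb 2004 17:59:58 -0500
From: octavius@example.com
To: victim@example.org
Subject: hi
"""


def received_chain(raw_headers: str) -> List[str]:
    """Received: headers in the order they appear (newest hop first)."""
    msg = message_from_string(raw_headers)
    return msg.get_all("Received") or []


def header_from(raw_headers: str) -> Optional[str]:
    """The claimed From: header, which the worm fills from a harvested address book."""
    return message_from_string(raw_headers).get("From")


def originating_ip(raw_headers: str) -> Optional[str]:
    """IP in the 'from' clause of the last (earliest) Received: header.

    Assumption: the connecting address is the first bracketed IPv4 in that
    header, which is how Postfix, Sendmail and most MTAs write it. Returns
    None when there is no Received: header or no bracketed address.
    """
    chain = received_chain(raw_headers)
    if not chain:
        return None
    match = IPV4_IN_BRACKETS.search(chain[-1])
    return match.group(1) if match else None


def sent_from_my_machine(raw_headers: str, my_ip: str) -> Optional[bool]:
    """True if the originating host is my own address, False if another host,
    None if the headers do not say."""
    ip = originating_ip(raw_headers)
    return None if ip is None else ip == my_ip


if __name__ == "__main__":
    my_ip = "198.51.100.7"  # constructed: the address of the machine reading the bounce
    print("From: header claims  :", header_from(SAMPLE_RETURNED_HEADERS))
    print("Actually connected   :", originating_ip(SAMPLE_RETURNED_HEADERS))
    print("Sent from my machine :", sent_from_my_machine(SAMPLE_RETURNED_HEADERS, my_ip))
```

One caveat when reading real bounces: an infected machine running its own SMTP engine can prepend Received: lines of its own, so trust the lowest line that was written by a mail server you recognise (here `mail.example.net`), and check that the host it names as the client matches what you expect from your own connection.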