Increased E-Mails With Viruses Attached
08-03-2004, 13:32
|
#1
|
|
cf.mega poster
Join Date: Jun 2003
Location: Manchester
Age: 61
Services: Virgin Media XL Telephone,XL TV & 20Mb Broadband via £85 VIP Package, Sky TV, IDTV Freeview
Posts: 1,289
|
Increased E-Mails With Viruses Attached
Has anyone else noticed that they have been receiving an increased number of e-mails with MyDoom or other viruses attached?
Fortunately, I have the AVG e-mail scanner which deals with most of them e.g. from "Elene" and others but now I'm getting others apparently from NTL subscribers e.g. john.simms@ntlworld.com. I'm not sure if these are from genuine NTL customers with infected machines, or whether they are being sent deliberately or what, but even using the scanner and the rules wizard it's becoming a pain. I know I'm not infected as I have two firewalls and run the MyDoom security checks to make certain I do not have it or other viruses.
I'm also getting viruses from yahoo and hotmail.com as well as from the Netherlands, Italy, France etc. Has anyone else had a similar experience?
PS. Just received this one now!!
Dear user of Ntlworld.com gateway e-mail server,
Our main mailing server will be temporary unavaible for next two days,
to continue receiving mail in these days you have to configure our free
auto-forwarding service.
For further details see the attach.
The Management,
The Ntlworld.com team
================================================== =======
Last edited by ntluser; 08-03-2004 at 13:36.
08-03-2004, 13:50
|
#2
|
|
Busy Admin
Join Date: Oct 2003
Location: Nottingham
Age: 45
Services: VM Phone : Sky+ Multiroom : VM Cable (20 Mbps)
Posts: 14,478
|
Re: Increased E-Mails With Viruses Attached
Yep - that's one of the Bagle variants you have received - discussed in various threads.
I too have noticed more of these about - I am getting two or three a day at the moment.
__________________
Click here for a real, interactive, tv guide.
08-03-2004, 13:52
|
#3
|
|
I am not a geek!
Join Date: Jul 2003
Posts: 1,395
|
Re: Increased E-Mails With Viruses Attached
I've only had one, but that's one more than usual. My gf is getting around 2 a day now though.
08-03-2004, 21:46
|
#4
|
|
Workaholic
Join Date: Dec 2003
Location: Leeds
Age: 28
Services: VM 4mb BB, VM L TV, Orange SPV M3100
Posts: 32
|
Re: Increased E-Mails With Viruses Attached
I've had some, plus emails from NTL's post system saying returned email due to user's allowance over limit (can't remember, and I just deleted the emails on sight).
09-03-2004, 18:10
|
#5
|
|
cf.muppet
Join Date: Jun 2003
Location: Oxford
Posts: 125
|
Re: Increased E-Mails With Viruses Attached
Quote:
|
Originally Posted by ntluser
Has anyone else noticed that they have been receiving an increased number of e-mails with MyDoom or other viruses attached?
Fortunately, I have the AVG e-mail scanner which deals with most of them e.g. from "Elene" and others but now I'm getting others apparently from NTL subscribers e.g. john.simms@ntlworld.com. I'm not sure if these are from genuine NTL customers with infected machines, or whether they are being sent deliberately or what, but even using the scanner and the rules wizard it's becoming a pain. I know I'm not infected as I have two firewalls and run the MyDoom security checks to make certain I do not have it or other viruses.
I'm also getting viruses from yahoo and hotmail.com as well as from the Netherlands, Italy, France etc. Has anyone else had a similar experience?
================================================== =======
|
Yup, I'm seeing a large amount of these to published e-mail addresses at work, probably ~30 a day. The to and from fields of these e-mails are spoofed, so your reference to john.simms@ntlworld.com, just means that the virus has chosen to use that as the "from" address. In the same sense, it's completely feasible to receive responses whereby a mail purporting to be from your own email address has been bounced from a destination mail server. The mail server may then return you a copy of the mail, advising that it has been quarantined. This doesn't mean that you've sent it and if you can read the mail headers, you'll see that you clearly didn't send it.
It was interesting to see that with MyDoom, the virus would not replicate to mail addresses belonging to domains containing certain strings - such as ripe, arin, iana, ietf, sopho, gov, google, mil etc... which seems quite bizarre.... almost as if there's some trace of conscience within the malicious little b*stard that wrote it after all.... although maybe it's just ass covering, to an extent. Also interesting to see with this one is that it also attempts a DoS attack on www.symantec.com...
Viruses like this tend to retrieve mail addresses from your Temp. Internet Files folder and also your Windows address book. Thus the mail may purport to originate from any address that it picks up along the way, whether it's via web pages browsed or within the mail client on the compromised system.
You may find the following link useful, as it explains the basics of valid mail headers, and thus provides some clue when determining the origin of e-mails:
http://pobox.com/valid1.html
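An added example (not part of the original post) of the header check described above: only the Received line written by your own mail server can be trusted, and everything below it, like the From field, is supplied by the sender. The message, host names and addresses are constructed, and `analyse` is a hypothetical helper.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the top Received line is the one our own server wrote.
RAW = """\
Return-Path: <john.simms@ntlworld.example>
Received: from ntlworld.example ([203.0.113.57])
    by mx.recipient.example with SMTP; Mon, 08 Mar 2004 13:30:02 +0000
Received: from mail.ntlworld.example (mail.ntlworld.example [198.51.100.9])
    by relay.ntlworld.example with ESMTP; Mon, 08 Mar 2004 13:29:40 +0000
From: john.simms@ntlworld.example
To: me@recipient.example
Subject: constructed sample

(body omitted)
"""

HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<info>[^)]*)\)\s+by\s+(?P<by>\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def analyse(raw, my_mta):
    """Split the Received chain at the first hop stamped by our own server."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(value)
        if m:
            ip = IP_RE.search(m["info"])
            hops.append((m["helo"], ip.group(1) if ip else None, m["by"].lower()))
    # Headers are prepended in transit, so index 0 is the newest hop.
    idx = next((i for i, h in enumerate(hops) if h[2] == my_mta.lower()), None)
    if idx is None:  # our server never stamped it: nothing here is verifiable
        return {"from_domain": from_domain, "handoff_ip": None,
                "claimed_helo": None, "unverifiable_hops": len(hops)}
    helo, ip, _ = hops[idx]
    # handoff_ip was recorded by our server; claimed_helo and every hop
    # below idx are whatever the connecting machine chose to say.
    return {"from_domain": from_domain, "handoff_ip": ip,
            "claimed_helo": helo, "unverifiable_hops": len(hops) - idx - 1}


if __name__ == "__main__":
    print(analyse(RAW, "mx.recipient.example"))
```

The `handoff_ip` is the address to look up or report; the From domain and the lower Received line say nothing reliable about where the mail came from.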
09-03-2004, 19:09
|
#6
|
|
cf.mega poster
Join Date: Jun 2003
Location: Manchester
Age: 61
Services: Virgin Media XL Telephone,XL TV & 20Mb Broadband via £85 VIP Package, Sky TV, IDTV Freeview
Posts: 1,289
|
Re: Increased E-Mails With Viruses Attached
Quote:
|
Originally Posted by El Diablo
Yup, I'm seeing a large amount of these to published e-mail addresses at work, probably ~30 a day. The to and from fields of these e-mails are spoofed, so your reference to john.simms@ntlworld.com, just means that the virus has chosen to use that as the "from" address. In the same sense, it's completely feasible to receive responses whereby a mail purporting to be from your own email address has been bounced from a destination mail server. The mail server may then return you a copy of the mail, advising that it has been quarantined. This doesn't mean that you've sent it and if you can read the mail headers, you'll see that you clearly didn't send it.
It was interesting to see that with MyDoom, the virus would not replicate to mail addresses belonging to domains containing certain strings - such as ripe, arin, iana, ietf, sopho, gov, google, mil etc... which seems quite bizarre.... almost as if there's some trace of conscience within the malicious little b*stard that wrote it after all.... although maybe it's just ass covering, to an extent. Also interesting to see with this one is that it also attempts a DoS attack on www.symantec.com...
Viruses like this tend to retrieve mail addresses from your Temp. Internet Files folder and also your Windows address book. Thus the mail may purport to originate from any address that it picks up along the way, whether it's via web pages browsed or within the mail client on the compromised system.
You may find the following link useful, as it explains the basics of valid mail headers, and thus provides some clue when determining the origin of e-mails:
http://pobox.com/valid1.html

|
I know it's possible to spoof addresses and to pretend to be someone else or even be a non-existent subscriber or fake a non-existent e-mail address. I just wondered if this was a virus or somebody just messing about or both.
Most of the e-mail viruses, as you say, grab your address book and send e-mails out to everybody in it. This snowballs as it takes over the address books of the unwary recipients and repeats the process on a massive scale. Fortunately, I have a great e-mail scanner, 2 firewalls and all the virus removal tools from Symantec. Having checked my system I know I'm clear.
I only used to receive a few e-mails with attached viruses but lately I've been getting 20 or more per day, which is most annoying.
I suppose I should be grateful that despite the viruses I am unaffected. I just wish there was some way to find the perpetrators and make them pay.
09-03-2004, 21:23
|
#7
|
|
Ring a ding a ding a ring
Join Date: Jun 2003
Location: Outer Space.
Services: Portable TV + Wet string =
vast improvement on what I got from NTL.
Posts: 3,672
|
Re: Increased E-Mails With Viruses Attached
I'm getting several, all of them are the BBmedic trial too!
__________________
Not really visiting CF much these days....
If you need me, PM me.
11-03-2004, 01:11
|
#8
|
|
cf.muppet
Join Date: Jun 2003
Location: Oxford
Posts: 125
|
Re: Increased E-Mails With Viruses Attached
Quote:
|
Originally Posted by ntluser
I know it's possible to spoof addresses and to pretend to be someone else or even be a non-existent subscriber or fake a non-existent e-mail address. I just wondered if this was a virus or somebody just messing about or both.
Most of the e-mail viruses, as you say, grab your address book and send e-mails out to everybody in it. This snowballs as it takes over the address books of the unwary recipients and repeats the process on a massive scale. Fortunately, I have a great e-mail scanner, 2 firewalls and all the virus removal tools from Symantec. Having checked my system I know I'm clear.
I only used to receive a few e-mails with attached viruses but lately I've been getting 20 or more per day, which is most annoying.
I suppose I should be grateful that despite the viruses I am unaffected. I just wish there was some way to find the perpetrators and make them pay.
|
Yup, and that's how most of us feel... It's the fact that it's reached the point where *anybody* that has your mail address and has been infected by such a virus can cause the virus to initiate replication purporting to originate from you. Your system may be as secure as you feel you need, but can you guarantee the same kind of commitment from *everyone* that knows *your* mail address?
The scope of this isn't completely limited to the *people* that have your mail address, as such. It may be recovered from an infected system that you have provided the details to, or a web page that details this information. It's difficult to get around this, although if you have your own domain name, things can become a little easier to manage. For instance, when subscribing to nthellworld.co.uk, you could use a mail address of nthellworld@yourdomain.com. If you have a reasonable domain management system in place and begin to receive spam to this address, you simply dev/null it so that the system reacts as though the address doesn't exist. You then *know* the source of the spam, as you wouldn't provide this unique address to anyone else.
Of course you may then wish to add a different address to the service so you're not completely blanked - but by this point you can seriously question the service providers as to how this address was 'leaked'. Do this for every online service that you subscribe to and things become a lot more manageable. Indeed, you don't necessarily need POP access to each address, manage it in a way that it's easy for you to retrieve - try forwarding mail for all such addresses to one manageable mailbox and manually keep an eye on what the destination of the mail is supposed to be and act accordingly when the integrity is breached. Combine this with the use of reasonable spam filters and Bob truly does become your auntie.
I don't think we're really going to find a 'cure' for this, just different ways of managing online personas to increase damage limitation.
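An added example (not part of the original post) of the per-service address scheme described above: each alias is handed to exactly one service, so mail arriving at it from anywhere else points at where the address leaked. The alias table, the `bookshop.example` entry, the sample mail and the threshold are constructed, and the sender domain is taken from the From field, which can itself be forged.

```python
from collections import Counter

MY_DOMAIN = "yourdomain.com"          # the post's example domain
ALIASES = {                           # alias local part -> the one service given it
    "nthellworld": "nthellworld.co.uk",
    "bookshop": "bookshop.example",   # constructed entry
}


def classify(rcpt, from_addr, retired=frozenset()):
    """Return (verdict, service) for one message sent to an alias."""
    local, _, domain = rcpt.lower().partition("@")
    if domain != MY_DOMAIN or local not in ALIASES:
        return "unknown", None
    service = ALIASES[local]
    if local in retired:              # the "dev/null" step: act as if it never existed
        return "reject", service
    sender = from_addr.lower().rpartition("@")[2]
    if sender == service or sender.endswith("." + service):
        return "deliver", service
    return "leak", service            # alias used by someone it was never given to


def leak_report(mail, threshold=2):
    """Count off-service hits per alias and list aliases worth retiring."""
    hits = Counter()
    for rcpt, from_addr in mail:
        verdict, service = classify(rcpt, from_addr)
        if verdict == "leak":
            hits[service] += 1
    to_retire = {a for a, svc in ALIASES.items() if hits[svc] >= threshold}
    return dict(hits), to_retire


# Constructed sample of (recipient, From address) pairs from one mailbox.
MAIL = [
    ("nthellworld@yourdomain.com", "news@nthellworld.co.uk"),
    ("nthellworld@yourdomain.com", "elene@mailer.example"),
    ("nthellworld@yourdomain.com", "someone@hotmail.example"),
    ("bookshop@yourdomain.com", "orders@mail.bookshop.example"),
    ("sales@yourdomain.com", "a@b.example"),
]

if __name__ == "__main__":
    print(leak_report(MAIL))
```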
11-03-2004, 01:14
|
#9
|
|
Guest
Location: Luton
Services: NTL Nafband
Posts: n/a
|
Re: Increased E-Mails With Viruses Attached
Quote:
|
Originally Posted by El Diablo
Yup, and that's how most of us feel... It's the fact that it's reached the point where *anybody* that has your mail address and has been infected by such a virus can cause the virus to initiate replication purporting to originate from you. Your system may be as secure as you feel you need, but can you guarantee the same kind of commitment from *everyone* that knows *your* mail address?
The scope of this isn't completely limited to the *people* that have your mail address, as such. It may be recovered from an infected system that you have provided the details to, or a web page that details this information. It's difficult to get around this, although if you have your own domain name, things can become a little easier to manage. For instance, when subscribing to nthellworld.co.uk, you could use a mail address of nthellworld@yourdomain.com. If you have a reasonable domain management system in place and begin to receive spam to this address, you simply dev/null it so that the system reacts as though the address doesn't exist. You then *know* the source of the spam, as you wouldn't provide this unique address to anyone else.
Of course you may then wish to add a different address to the service so you're not completely blanked - but by this point you can seriously question the service providers as to how this address was 'leaked'. Do this for every online service that you subscribe to and things become a lot more manageable. Indeed, you don't necessarily need POP access to each address, manage it in a way that it's easy for you to retrieve - try forwarding mail for all such addresses to one manageable mailbox and manually keep an eye on what the destination of the mail is supposed to be and act accordingly when the integrity is breached. Combine this with the use of reasonable spam filters and Bob truly does become your auntie.
I don't think we're really going to find a 'cure' for this, just different ways of managing online personas to increase damage limitation.

|
Good post! And very true - our mail servers at work have logged over 150000 in the last week.
11-03-2004, 01:22
|
#10
|
|
cf.muppet
Join Date: Jun 2003
Location: Oxford
Posts: 125
|
Re: Increased E-Mails With Viruses Attached
Quote:
|
Originally Posted by stuartbe
Good post! And very true - our mail servers at work have logged over 150000 in the last week.
|
Cheers. I guess you're in a good position to see this kind of effect. I would be too but as we don't actually manage the mail systems of our end user organisations [which essentially accounts for over 6 million users] it's often difficult to get a decent handle on the extent of the replication. Of course, there are still the ones reported, but due to the hierarchical nature of this, an estimated figure can be very hard to pluck.
All times are GMT +1. The time now is 02:23.
|