[Declude.Virus] RE Mass mailing maybe new virus

2004-05-11 Thread Email Admin




Hello
Our Mail server received a mass mailing earlier today.
The email is addressed to [EMAIL PROTECTED] and is coming from
[EMAIL PROTECTED]

Copy of headers:
Received: from mail.citravel.com [10.215.43.52] by citravel.com
  (SMTPD32-8.11) id A06E595011C; Tue, 11 May 2004 11:25:34 -0400
From: mail.citravel.com[EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: RE:
X-Mailer: Microsoft Outlook
Mime-Version: 1.0
Content-Type: text/html; charset=us-ascii
Message-Id: [EMAIL PROTECTED]
X-Declude-Sender: [EMAIL PROTECTED] [10.215.43.52]
X-Declude-Spoolname: Df06e0595011c829f.SMD
X-Note: This message was scanned for Spam
X-RBL-Warning: Total weight value: 0
X-Spam-Tests-Failed: Whitelisted [0]
X-Note: Recipient Host: citravel.com
X-Note: Sender Address: [EMAIL PROTECTED]
X-Note: Sender Host Name: (Private IP)
X-Note: Sender IP Address: 10.215.43.52
X-Note: Sender Country ID:
X-Note: This E-mail was sent from (Private IP) ([10.215.43.52])
Precedence: bulk
Sender: [EMAIL PROTECTED]
Date: Tue, 11 May 2004 11:32:11
X-RCPT-TO: citravel.com
Status: U
X-UIDL: 384277933

This person's email client does not show they sent this message, but the IP
of the sending host is the sender's system.
I have scanned this system and it is showing virus free. Using SOPHOS latest
defs as of 2pm EST 5/11/2004.
I am also sniffing the network now looking for other SMTP traffic.

Users who receive the email, which has a link of h t t p:// d r s . y a h o o . com / citravel.com/news,
get sent to a pornography site. After they close this site their system
keeps having pop-ups appearing regularly.
This link redirects to h t t p:// d r s . y a h o o . com / citravel.com/news*http://www.security-warning.biz/personal6/maljo24/www.yahoo.com/#http://drs.yahoo.com/citravel.com/news

I am not so much worried about the email but as to how it was sent.
This is where I think it might be a virus.

Currently I have a filter stopping emails with d r s . y a h o o . c o m
(space added). I am seeing several hundred an hour being stopped.

Any help, ideas, thoughts?
Or should I just go golfing and forget about it??? :)

~Paul~

~Paul~


Re: [Declude.Virus] RE Mass mailing maybe new virus

2004-05-11 Thread Greg Little




Looks like a match for this new worm
W32/Wallon.worm.a
http://vil.nai.com/vil/content/v_125096.htm

The message body
simply contains a hyperlink, which is designed to trick users into
thinking that they are going to a Yahoo News site, when in fact they
are redirected to a page on the www..security-warning..biz domain.
Extra "."s added to address.

Greg







---
[This E-mail scanned for viruses by Findlay Internet]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.


Re: [Declude.Virus] RE Mass mailing maybe new virus

2004-05-11 Thread Scott Fisher
I received a similar e-mail. Sent to a user who doesn't normally get spammed. Made to 
look like a Yahoo link to my company.


<HTML><HEAD></HEAD><BODY bgColor=#ff><DIV><FONT face=Arial size=2><BR><A
href="http://drs.yahoo.com/farmprogress.com/NEWS/*http://www.security-warning.biz/personal6/maljo24/www.YAHOO.com/#http://drs.yahoo.com/farmprogress.com/NEWS">http://drs.yahoo.com/farmprogress.com/NEWS/</A></FONT></DIV></BODY></HTML>

Headers:

Received: from imail.Farmprogress.com
by fpmain.farmprogress.com; Tue, 11 May 2004 10:04:20 -0500
Received: from webgate.bg [212.50.2.129] by imail.Farmprogress.com
  (SMTPD32-8.11) id AB5E15D70268; Tue, 11 May 2004 10:03:58 -0500
Received: (qmail 16825 invoked from network); 11 May 2004 15:17:58 -
Received: from voka-gw.customer.0rbitel.net (HELO [EMAIL PROTECTED]) (195.24.34.138)
  by lea.webgate.bg with SMTP; 11 May 2004 15:17:58 -
From: [EMAIL PROTECTED][EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [Possible SPAM] RE:
X-Mailer: Microsoft Outlook
Mime-Version: 1.0
Content-Type: text/html; charset=us-ascii
Message-Id: [EMAIL PROTECTED]
Declude JunkMail for spam.
X-Note: Reverse DNS lea.webgate.bg .
X-Country-Chain: BULGARIA-destination
Date: Tue, 11 May 2004 10:04:19 -0500

Scott Fisher
Director of IT
Farm Progress Companies



Re: [Declude.Virus] RE Mass mailing maybe new virus

2004-05-11 Thread Scott Fisher
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_WALLON.A

Scott Fisher
Director of IT
Farm Progress Companies



Re: [Declude.Virus] RE Mass mailing maybe new virus

2004-05-11 Thread Matt




This is likely just spam. The technique with the URL is someone
exploiting Yahoo's redirection scheme to land you on another site.
They do this to hide from URL parsers that don't recognize the exploit.

It is possible that the site tries to install an exploit such as Java
Byte Verify, which can be used to place just about anything on your
computer, but typically just drops browser helper objects
(adware/spyware) onto your system. Norton stops this stuff cold, and
it's been around for a while. Note that I didn't bother with the
payload link.

Anyway, it just looks like it's forging spam to me.

Your block of that address also isn't very wise because it is a
legitimate link that could stop valid E-mail from Yahoo and their
partners from getting through. If you are running JunkMail Pro, there
is a filter for this technique listed on my site (link in the sig)
called !YDIRECTED.

Matt
-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=
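Matt's point that the redirector hides the real destination from URL parsers that do not recognise it is the detection hook. The following is an added example, not code from the thread or from Declude: it resolves the drs.yahoo.com "*" redirect to the host the browser actually lands on and flags links whose visible host differs from it. The sample HTML body is constructed, modelled on the one Scott posted.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Redirector shape seen in this thread: http://drs.yahoo.com/<label>*<destination>
# The label is what a skim of the URL shows; the browser lands on <destination>.
_DRS_REDIRECT = re.compile(r"^https?://drs\.yahoo\.com/[^*]*\*(?P<dest>.+)$", re.IGNORECASE)


def resolve_redirect(url: str) -> str:
    """Return the landing URL behind a drs.yahoo.com redirect; other URLs come back unchanged."""
    m = _DRS_REDIRECT.match(url.strip())
    return m.group("dest") if m else url


def landing_host(url: str) -> str:
    """Hostname the browser actually reaches. The '#...' fragment (the decoy yahoo.com
    tail in these mails) is never sent to the server, and urlsplit() keeps it out
    of the hostname."""
    return (urlsplit(resolve_redirect(url)).hostname or "").lower()


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML mail body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list = []
        self._href = None
        self._text: list = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html: str) -> list:
    """Links whose shown host (the anchor text when it is a URL, otherwise the href's
    own host) differs from the host the link really lands on."""
    collector = _LinkCollector()
    collector.feed(html)
    hits = []
    for href, text in collector.links:
        real = landing_host(href)
        shown_source = text if "://" in text else href
        shown = (urlsplit(shown_source).hostname or "").lower()
        if real and shown and real != shown:
            hits.append({"href": href, "shown_host": shown, "landing_host": real})
    return hits


# Constructed sample body, modelled on the one Scott posted (tags restored, hosts as in the thread).
SAMPLE_BODY = (
    '<HTML><BODY><DIV><FONT face=Arial size=2><BR>'
    '<A href="http://drs.yahoo.com/farmprogress.com/NEWS/*http://www.security-warning.biz'
    '/personal6/maljo24/www.YAHOO.com/#http://drs.yahoo.com/farmprogress.com/NEWS">'
    'http://drs.yahoo.com/farmprogress.com/NEWS/</A></FONT></DIV></BODY></HTML>'
)

if __name__ == "__main__":
    for hit in suspicious_links(SAMPLE_BODY):
        print(f"shown as {hit['shown_host']}, lands on {hit['landing_host']}: {hit['href']}")
```

Unlike Paul's blanket block on the d r s . y a h o o string, this only fires when the redirect leaves the host the link claims, so legitimate Yahoo links pass.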












RE: [Declude.Virus] RE Mass mailing maybe new virus

2004-05-11 Thread Douglas Cohn



Thanks

I was thinking about adding the rule as well but also 
assumed that any legit mail to yahoo would be blocked and stopped 
myself.

Too bad the powers that be here are not buying JUNK 
Mail.

DC




Re: [Declude.Virus] RE Mass mailing maybe new virus

2004-05-11 Thread Matt




Take note that there was a virus payload at the link as Greg pointed
out, but it appears that Terra-Lycos has killed the domain in question.

It is too bad that the powers that be aren't buying JunkMail. I find it
to be a very effective last line of protection for viruses, as
virtually everything that slips through before definitions are updated
ends up getting caught by a good JunkMail config. It can be very time
consuming though, especially if you enjoy it too much :)

Matt








[Declude.Virus] .smd files in c:/

2004-05-11 Thread Tim Cook




Have a quick question for everyone. Recently we have been getting virus files
(.SMD) showing up in the root of our e-mail server (C:/). When we run a virus
scan on the drive, it picks them up as various viruses, such as the Netsky and
Beagle virus. We delete them, but they keep popping back up. I checked the
Declude virus.cfg file and nowhere in there does it talk about sticking these
files on the C:/ drive. I also couldn't find anything in I-mail admin. Any help
is appreciated.


Tim Cook
Varsity Contractors
IT Technical Support
(208) 232-8599 x335
[EMAIL PROTECTED]


Re: [Declude.Virus] RE Mass mailing maybe new virus

2004-05-11 Thread Scott Fisher
I've found Declude Junkmail to be almost an addiction.
Is there a 12 step program available?

Scott Fisher
Director of IT
Farm Progress Companies


Re: [Declude.Virus] .smd files in c:/

2004-05-11 Thread R. Scott Perry

Have a quick question for everyone. Recently we have been getting virus 
files (.SMD) showing up in our root of our e-mail server (C:/) When we run 
a virus scan on the drive, it picks it up as various virus's, such as the 
Netsky and Beagle virus. We delete them, but they keep popping back up. I 
checked the Declude virus.cfg file and nowhere in there does it talk about 
sticking these files on the C:/ drive. I also couldn't find anything on 
I-mail admin. Any help is appreciated.
What directory does the VIRDIR option in your \IMail\Declude\virus.cfg file 
point to?  Are any viruses getting sent to the \IMail\spool\virus directory 
(or whatever directory is in the VIRDIR option)?

Are you running a version of Declude before 1.75 (you can type 
\IMail\Declude -diag from a command prompt to see which version you are 
running)?

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.



RE: [Declude.Virus] .smd files in c:/

2004-05-11 Thread Tim Cook
In the Virus.cfg, it is pointing to the default, E:/IMail/Spool/Virus.  We
currently have it commented out (with a #), so nothing is getting sent to
that folder.  I'm assuming it is just deleting them.  Could that be the
problem?  Do we have to send them to that folder?

Tim Cook
Varsity Contractors
IT Technical Support
(208) 232-8599 x335
[EMAIL PROTECTED]



[AUTOMATED NOTE: Your mail server [63.230.118.52] is missing a reverse DNS entry. All 
Internet hosts are required to have a reverse DNS entry. The missing reverse DNS entry 
will cause your mail to be treated as spam on some servers, such as AOL.]



RE: [Declude.Virus] .smd files in c:/

2004-05-11 Thread R. Scott Perry

In the Virus.cfg, it is pointing to the default, E:/IMail/Spool/Virus.  We
currently have it commented out (with a #), so nothing is getting sent to
that folder.  I'm assuming it is just deleting them.  Could that be the
problem?
That is the problem.  Without letting Declude Virus know where to send the 
files, it has to send them somewhere, so it sends them to the root directory.

Do we have to send them to that folder?
No, you can send them to any directory that you want.  In your case, you 
may want to use the DELETEVIRUSES ON option, to automatically delete 
viruses.  However, vulnerabilities and banned E-mails will still be saved, 
just to be safe.

   -Scott



RE: [Declude.Virus] .smd files in c:/

2004-05-11 Thread Tim Cook
K, thanks Scott, we'll change that and give that a try.

Tim Cook
Varsity Contractors
IT Technical Support
(208) 232-8599 x335
[EMAIL PROTECTED]



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of R. Scott Perry
Sent: Tuesday, May 11, 2004 4:55 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] .smd files in c:/



In the Virus.cfg, it is pointing to the default, E:/IMail/Spool/Virus.  We
currently have it commented out (with a #), so nothing is getting sent to
that folder.  I'm assuming it is just deleting them.  Could that be the
problem?

That is the problem.  Without letting Declude Virus know where to send the
files, it has to send them somewhere, so it sends them to the root directory.

Do we have to send them to that folder?

No, you can send them to any directory that you want.  In your case, you
may want to use the DELETEVIRUSES ON option, to automatically delete
viruses.  However, vulnerabilities and banned E-mails will still be saved,
just to be safe.

-Scott

[AUTOMATED NOTE: Your mail server [63.230.118.50] is missing a reverse DNS entry. All 
Internet hosts are required to have a reverse DNS entry. The missing reverse DNS entry 
will cause your mail to be treated as spam on some servers, such as AOL.]



RE: [Declude.Virus] RE Mass mailing maybe new virus

2004-05-11 Thread Douglas Cohn



I love Declude JunkMail as I have it on my personal domain on a shared mail
server that an ISP friend/client allows me to use.

I must now use a local spam product on my personal mail and everyone else
fends for themselves on the company domain, which works for some, but it is
still local, meaning everything already made it through the network. So you
lost half the battle before you start, basically.

Eventually I am hoping to convince them to go with Declude but they are
pestering me for an Exchange 2003 server. I was thinking of using GFI for
that unless Declude releases something for Exchange by then...

Anything in the works, Scott?




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Tuesday, May 11, 2004 5:43 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] RE Mass mailing maybe new virus

Take note that there was a virus payload at the link as Greg pointed out,
but it appears that Terra-Lycos has killed the domain in question.

It is too bad that the powers that be aren't buying JunkMail. I find it to
be a very effective last line of protection for viruses, as virtually
everything that slips through before definitions are updated ends up getting
caught by a good JunkMail config. It can be very time consuming though,
especially if you enjoy it too much :)

Matt

Douglas Cohn wrote:

  
  Thanks
  
  I was thinking about adding the rule as well but also 
  assumed that any legit mail to yahoo would be blocked and stopped 
  myself.
  
  Too bad the powers that be here are not buying JUNK 
  Mail.
  
  DC
  
  
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
  Sent: Tuesday, May 11, 2004 4:57 PM
  To: [EMAIL PROTECTED]
  Subject: Re: [Declude.Virus] RE Mass mailing maybe new virus

  This is likely just spam. The technique with the URL is someone exploiting
  Yahoo's redirection scheme to land you on another site. They do this to
  hide from URL parsers that don't recognize the exploit.

  It is possible that the site tries to install an exploit such as Java Byte
  Verify, which can be used to place just about anything on your computer,
  but typically just drops browser helper objects (adware/spyware) onto your
  system. Norton stops this stuff cold, and it's been around for a while.
  Note that I didn't bother with the payload link.

  Anyway, it just looks like it's forging spam to me.

  Your block of that address also isn't very wise because it is a legitimate
  link that could stop valid E-mail from Yahoo and their partners from
  getting through. If you are running JunkMail Pro, there is a filter for
  this technique listed on my site (link in the sig) called !YDIRECTED.

  Matt

  -- 
  =
  MailPure custom filters for Declude JunkMail Pro.
  http://www.mailpure.com/software/
  =

  Email Admin wrote:
  




Hello

Our Mail server received a mass mailing earlier today. The email is
addressed to [EMAIL PROTECTED] and is coming from [EMAIL PROTECTED]

Copy of headers:

Received: from mail.citravel.com [10.215.43.52] by citravel.com (SMTPD32-8.11) id A06E595011C; Tue, 11 May 2004 11:25:34 -0400
From: mail.citravel.com[EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: RE:
X-Mailer: Microsoft Outlook
Mime-Version: 1.0
Content-Type: text/html; charset=us-ascii
Message-Id: [EMAIL PROTECTED]
X-Declude-Sender: [EMAIL PROTECTED] [10.215.43.52]
X-Declude-Spoolname: Df06e0595011c829f.SMD
X-Note: This message was scanned for Spam
X-RBL-Warning: Total weight value: 0
X-Spam-Tests-Failed: Whitelisted [0]
X-Note: Recipient Host: citravel.com
X-Note: Sender Address: [EMAIL PROTECTED]
X-Note: Sender Host Name: (Private IP)
X-Note: Sender IP Address: 10.215.43.52
X-Note: Sender Country ID:
X-Note: This E-mail was sent from (Private IP) ([10.215.43.52])
Precedence: bulk
Sender: [EMAIL PROTECTED]
Date: Tue, 11 May 2004 11:32:11
X-RCPT-TO: citravel.com
Status: U
X-UIDL: 384277933

This person's email client does not show they sent this message, but the IP
of the sending host is the sender's system. I have scanned this system and it
is showing virus free, using SOPHOS latest defs as of 2pm EST 5/11/2004.

I am also sniffing the network now looking for other SMTP traffic. Users who
receive the email, which has a link of h t t p:// d r s . y a h o o . com /
citravel.com/news, get sent to a pornography site. After they close this
site their system keeps having pop-ups appearing regularly.

This link redirects to h t t p:// d r s . y a h o o . com /
citravel.com/news*http://www.security-warning.biz/personal6/maljo24/www.yahoo.com/#http://drs.yahoo.com/citravel.com/news

I am not so much worried about the email but as to how it was sent.
This is where I think it might be a virus.
Currently I have a filter stopping emails with d r s . y a h o o .
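Matt's point in the thread above, that the drs.yahoo.com link is a redirector abused to hide the real destination from URL parsers, and his caveat that blocking the redirector host outright would also stop legitimate Yahoo mail, as an added example that is not part of the original thread and is not Declude's or MailPure's filter code: a small Python check that follows the `*`-style embedded target in the quoted link and flags only links whose visible host is a redirector while the real destination is somewhere else. The sample message body, the list of redirector hosts and the decision rule are assumptions of this example; the URL shape is the one quoted in the thread, including the decoy `www.yahoo.com/` path segment before the real target.

```python
"""Added example (not from the Declude thread): flag mail-body links that use
a redirector such as drs.yahoo.com to conceal where the browser really lands.

Assumptions of this example: the redirector host list, the rule that the
real target follows the first '*', and the constructed SAMPLE_BODY below.
"""
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)

# Hosts that act as open redirectors for links shaped like
#   http://<redirector>/<decoy path>*http://<real target>
# (assumed list for this example)
REDIRECTOR_HOSTS = {"drs.yahoo.com", "rd.yahoo.com"}

# Constructed message body: the first link is the shape quoted in the thread,
# the second is a redirector link with no hidden target, the third is plain.
SAMPLE_BODY = """\
Subject: RE:

Check our news: http://drs.yahoo.com/citravel.com/news*http://www.security-warning.biz/personal6/maljo24/www.yahoo.com/#http://drs.yahoo.com/citravel.com/news
Legit partner link: http://drs.yahoo.com/partner/offer
Plain link: http://www.example.com/page
"""


def final_destination(url):
    """Return the host the browser ultimately lands on.

    For a redirector link, the real target is everything after the first '*'.
    If that target is itself a redirector link, keep following the chain.
    A host seen twice ends the walk so a self-referencing chain cannot loop.
    A link with no embedded target resolves to its own host.
    """
    seen = set()
    while True:
        host = (urlsplit(url).hostname or "").lower()
        if host in seen or host not in REDIRECTOR_HOSTS or "*" not in url:
            return host
        seen.add(host)
        target = url.split("*", 1)[1]
        if not target.lower().startswith(("http://", "https://")):
            target = "http://" + target
        url = target


def suspicious_links(body):
    """Return [(url, visible_host, real_host)] for every link in the body whose
    visible host is a redirector but whose real destination is a different host.

    Redirector links with no hidden target (ordinary Yahoo partner links) are
    left alone, which is the point of not blocking the host wholesale.
    """
    hits = []
    for url in URL_RE.findall(body):
        visible = (urlsplit(url).hostname or "").lower()
        real = final_destination(url)
        if visible in REDIRECTOR_HOSTS and real != visible:
            hits.append((url, visible, real))
    return hits


if __name__ == "__main__":
    for url, visible, real in suspicious_links(SAMPLE_BODY):
        print(f"redirector {visible} really sends the reader to {real}\n  {url}")
```

The check keys on the visible host being a known redirector and the embedded target resolving elsewhere, so the thread's own example is flagged while a plain drs.yahoo.com link without a `*` target passes. A production filter would also want to canonicalise percent-encoding and handle redirectors that carry the target in a query parameter rather than after `*`; neither is shown here.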