Re: [SLUG] targeted virus or paranoia central ?

2003-08-29 Thread Tony Green
7!!! levels of quoting

8< 8< 8< SNIP!

On Fri, 2003-08-29 at 10:49, Anthony Wood wrote:
> On Thu, Aug 28, 2003 at 08:17:18PM -0400, Bret Comstock Waldow wrote:
> > On Thu, 2003-08-28 at 19:05, Anthony Wood wrote:
> > >  On Fri, Aug 29, 2003 at 08:59:30AM +1000, Anthony Wood wrote:
> > > > On Thu, Aug 28, 2003 at 10:49:51AM -0400, Bret Comstock Waldow wrote:
> > > > > On Thu, 2003-08-28 at 02:36, Del wrote:
> > > > > >  [EMAIL PROTECTED] wrote:
> > > > > > > during last weekend, I received several hundred of the latest ms

-- 
Tony Green <[EMAIL PROTECTED]>

-- 
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug


Re: [SLUG] targeted virus or paranoia central ?

2003-08-29 Thread Anthony Wood
On Thu, Aug 28, 2003 at 08:17:18PM -0400, Bret Comstock Waldow wrote:
> On Thu, 2003-08-28 at 19:05, Anthony Wood wrote:
> >  On Fri, Aug 29, 2003 at 08:59:30AM +1000, Anthony Wood wrote:
> > > On Thu, Aug 28, 2003 at 10:49:51AM -0400, Bret Comstock Waldow wrote:
> > > > On Thu, 2003-08-28 at 02:36, Del wrote:
> > > > >  [EMAIL PROTECTED] wrote:
> > > > > > during last weekend, I received several hundred of the latest ms
> > > > > > 'virus' emails, all about 100k, with about 7 different subjects. on Monday,
> > > > > > the flow slowed down, just maybe a hundred or so all day, and, I assumed
> > > > > > the worst was over, so to speak.
> > > > > > 
> > > > > > However, between Tuesday and Wed this week, I received in excess of 1,000
> > > > > > emails in say 12 hours, and, when I looked at it in the afternoon, I was
> > > > > > getting one new mssg every minute.
> > > > > 
> > > > > I had the same problem.  It was all coming from one machine at
> > > > > cornell.edu so I put in a .procmail rule to redirect all mail
> > > > > with a header "Received: (from that machine)" line in it back
> > > > > to the complaints address I found on their web site (which
> > > > > otherwise wasn't responding when I sent them mail asking them
> > > > > to fix it).
> > > > > 
> > > > > After that the flood lasted another 2-3 hours then stopped,
> > > > > all by magick.
> > > > 
> > > > Newbie question here.  Is this definitive?
> > > > 
> > > > I've read that this virus spoofs the return address, which I understand
> > > > to mean the text, but what about the IP chain?
> > > > 
> > > > I've read in separate articles about "untraceable" spam.  Is this
> > > > happening here?
> > > > 
> > > > If there's a definitive way to be sure of the origin of an email, I'd
> > > > like to know that's so, and how to determine it.
> > > 
> > > When a mail comes into a server, they usually put in a "received"
> > > line which nowadays usually reports the IP address of the
> > > connecting server and what it says its hostname is.
> > > 
> > > You can send a mail message with a few received messages of your own like I've 
> > > done with this one.
> > 
> > Sorry, looks like postfix and/or mutt strips it out.  What a responsible program.
> > 
> > This is what I had:
> > 
> > > Received: from momandpop.com (cia.whitehouse.gov [4.3.2.1]) by 
> > > beast.switchonline.com.au (Postfix) with ESMTP id C08CC53B for
> > +<[EMAIL PROTECTED]>; Fri, 29 Aug 2003 08:57:54 +1000 (EST)
> > 
> > 
> > > momandpop.com is what the server said it was, cia.whitehouse.gov is the reverse
> > > lookup of the actual ip address sent from (4.3.2.1)
> 
> Here's one of mine:
> 
> Sender:  [EMAIL PROTECTED]
> Received:  from LUCKYLZ ([211.154.93.35]) by siaag1af.compuserve.com
> (8.12.9/8.12.7/SUN-2.7) with ESMTP id h7SCxV7X003565 for
> <[EMAIL PROTECTED]>; Thu, 28 Aug 2003 08:59:39 -0400 (EDT)
> 
> So, [EMAIL PROTECTED] is spoofed, but the originating IP is correct?  Or

I guess that IP could be spoofed too. I'm a bit hazy on the black (hat) arts.

Spam.pl, a common complaints script, uses whois to check the abuse email address
for the IP addresses and sends a complaint to them.

Make sure you list mailservers of any lists you are on (e.g. slug)
as "friends".

> just the reporting server siaag1af.compuserve.com?  Does compuserve take
> any steps to verify the included sender IP?

Dunno.

Woody



Re: [SLUG] targeted virus or paranoia central ?

2003-08-29 Thread Andrew McNaughton
On Fri, 28 Aug 2003, Bret Comstock Waldow wrote:

> If there's a definitive way to be sure of the origin of an email, I'd
> like to know that's so, and how to determine it.

Try a little test.

Mail yourself an absolutely minimal message by doing an smtp session
manually and see what arrives.  eg:


[EMAIL PROTECTED] telnet a2.scoop.co.nz 25
Trying 203.96.152.68...
Connected to a2.scoop.co.nz.
Escape character is '^]'.
220 a2.scoop.co.nz ESMTP Sendmail; Fri, 29 Aug 2003 12:11:54 +1200 (NZST)
helo foobar
250 a2.scoop.co.nz Hello eth1383.nsw.adsl.internode.on.net [150.101.203.102], pleased to meet you
mail from: 
553 5.5.4 ... Domain name required for sender address andrew
mail from: <[EMAIL PROTECTED]>
250 2.1.0 <[EMAIL PROTECTED]>... Sender ok
rcpt to: <[EMAIL PROTECTED]>
250 2.1.5 <[EMAIL PROTECTED]>... Recipient ok
data
354 Enter mail, end with "." on a line by itself
.
250 2.0.0 h7T0BsgV076791 Message accepted for delivery
quit
221 2.0.0 a2.scoop.co.nz closing connection
Connection closed by foreign host.



I then receive the following.  Exactly what you receive will depend
somewhat on which mail software you run.



Return-Path: <[EMAIL PROTECTED]>
Received: from foobar (eth1383.nsw.adsl.internode.on.net [150.101.203.102])
by a2.scoop.co.nz (8.12.9/8.12.9) with SMTP id h7T0BsgV076791
for <[EMAIL PROTECTED]>; Fri, 29 Aug 2003 12:12:30 +1200 (NZST)
(envelope-from [EMAIL PROTECTED])
Date: Fri, 29 Aug 2003 12:11:54 +1200 (NZST)
From: [EMAIL PROTECTED]
Message-Id: <[EMAIL PROTECTED]>
To: undisclosed-recipients:;
X-Loop: [EMAIL PROTECTED]
X-Spam: unknown; 0.00; foobar:01 example:12 com:30
X-Bogosity: No, tests=bogofilter, spamicity=0.025957, version=0.13.7.2
X-DCC-SdV-Metrics: a2.scoop.co.nz 1179; Body=0



Looking at the Received header (the top one if there's more than one), you
can tell which machine delivered it to your server (150.101.203.102).
The name it reports for itself (foobar) might as well not be displayed,
and the name found by DNS lookup (eth1383.nsw.adsl.internode.on.net) may
not be reliable if the spammer has control over the appropriate DNS PTR
record.

The Date, From, To and Message-ID headers here have been added by my
system, but if they were present in the original, then they would have
been passed through un-modified.  They should not be relied upon.
Message-ID used to be a surprisingly good way to catch spammers out, but
that's a long time ago now.

All those X-* headers are added by my procmail rules or things added from
there.  Everything else is generated by my mail daemon based on the
limited info it received from the SMTP session.

This is the most important bit: *any* other header that might appear in
another received message was part of the body of the delivered message and
cannot be trusted.  It might be that the message has been relayed through
a basically trustworthy server whose headers you can trust, but then again
those headers might be spoofed.

You really don't have much you can rely on besides the IP of the machine
(from the Received header) which sent the email to your server.  In the
case of Sobig.F however, this is the IP of the infected machine.  That's
good information, but you still don't have a contact address for the user.
Supposing you want to chase this up, the only thing you can really do is
to chase down the owner of that block of IP addresses and ask them to pass
on the message.  They'll need the IP and the time when it happened (for
dynamic IPs).  They probably won't bother with it unless you send full
headers, and even then they get so many of these they may not bother
anyway.  Don't expect them to tell you what they do or don't do.

Andrew McNaughton




--

No added Sugar.  Not tested on animals.  May contain traces of Nuts.  If
irritation occurs, discontinue use.

---
Andrew McNaughton   In Sydney
Working on a Product Recommender System
[EMAIL PROTECTED]
Mobile: +61 422 753 792 http://staff.scoop.co.nz/andrew/cv.doc



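Added example, not code from Andrew's or Woody's posts: a small Python parser for the Received lines quoted in this thread (the Sendmail, Postfix and CompuServe shapes). It finds the topmost Received header written by your own MTA, pulls out the connecting IP, and treats every header below that line as body content, which is the trust boundary both posts describe. The sample headers, the forged second Received line and the example.com addresses are constructed; `a2.scoop.co.nz` is assumed to be the receiving MTA.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

class Hop(NamedTuple):
    helo: str            # name the client claimed in HELO/EHLO: meaningless
    rdns: Optional[str]  # reverse-DNS name the MTA looked up: weak, PTR is sender-controlled
    ip: str              # IPv4 address the MTA actually saw connecting: the one usable fact
    by: str              # MTA that wrote this header

# Matches the three Received shapes seen in the thread (Sendmail, Postfix, CompuServe):
#   from HELO (RDNS [IP]) by HOST ...    and    from HELO ([IP]) by HOST ...
# IPv4 only, as in the 2003 examples.
_RECEIVED = re.compile(
    r"from\s+(?P<helo>\S+)\s*\(\s*(?:(?P<rdns>[^\s\[\]]+)\s+)?"
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\s*\)\s*by\s+(?P<by>[^\s;()]+)",
    re.IGNORECASE,
)

def unfold(raw: str) -> List[Tuple[str, str]]:
    """Return (name, value) pairs for the header block, joining folded continuation lines."""
    headers: List[Tuple[str, str]] = []
    for line in raw.splitlines():
        if not line.strip():
            break                      # blank line ends the headers; the rest is body
        if line[0] in " \t" and headers:
            name, value = headers[-1]  # continuation of the previous header
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip().lower(), value.strip()))
    return headers

def parse_received(value: str) -> Optional[Hop]:
    """Extract HELO name, reverse-DNS name, connecting IP and receiving host from one Received value."""
    m = _RECEIVED.search(value)
    return Hop(m["helo"], m["rdns"], m["ip"], m["by"]) if m else None

def analyse(raw: str, my_host: str) -> Tuple[Optional[Hop], List[Tuple[str, str]]]:
    """Find the topmost Received header written by my_host. Our own MTA prepends it, so it sits
    above everything that arrived inside SMTP DATA. Returns that hop plus every header below
    it; those lower headers were part of the delivered message and cannot be trusted."""
    headers = unfold(raw)
    for i, (name, value) in enumerate(headers):
        if name != "received":
            continue
        hop = parse_received(value)
        if hop and hop.by.lower() == my_host.lower():
            return hop, headers[i + 1:]
    return None, headers               # nothing we wrote: nothing to trust

# Constructed sample, modelled on the headers quoted in the thread. The second Received
# line is a forgery the sender put inside the message; it also claims "by a2.scoop.co.nz"
# but sits below the genuine one, so it is reported as untrusted.
SAMPLE = (
    "Return-Path: <sender@example.com>\n"
    "Received: from foobar (eth1383.nsw.adsl.internode.on.net [150.101.203.102])\n"
    "\tby a2.scoop.co.nz (8.12.9/8.12.9) with SMTP id h7T0BsgV076791\n"
    "\tfor <user@example.com>; Fri, 29 Aug 2003 12:12:30 +1200 (NZST)\n"
    "Received: from mx.example.net (mx.example.net [192.0.2.9])\n"
    "\tby a2.scoop.co.nz (8.12.9/8.12.9) with ESMTP id FORGED0001\n"
    "From: ceo@example.com\n"
    "Date: Fri, 29 Aug 2003 12:11:54 +1200 (NZST)\n"
    "Message-Id: <forged@example.com>\n"
    "\n"
    "body text\n"
)

if __name__ == "__main__":
    hop, untrusted = analyse(SAMPLE, "a2.scoop.co.nz")
    print("connecting IP:", hop.ip, "| HELO (ignore):", hop.helo, "| rDNS (weak):", hop.rdns)
    print("untrusted headers:", [name for name, _ in untrusted])
```

For a message that was relayed through a second server you control, run `analyse` with the host that first accepted it from outside; the rule is the same, only the first hop you wrote is evidence.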


Re: [SLUG] targeted virus or paranoia central ?

2003-08-29 Thread Bret Comstock Waldow
On Thu, 2003-08-28 at 19:05, Anthony Wood wrote:
>  On Fri, Aug 29, 2003 at 08:59:30AM +1000, Anthony Wood wrote:
> > On Thu, Aug 28, 2003 at 10:49:51AM -0400, Bret Comstock Waldow wrote:
> > > On Thu, 2003-08-28 at 02:36, Del wrote:
> > > >  [EMAIL PROTECTED] wrote:
> > > > > during last weekend, I received several hundred of the latest ms
> > > > > 'virus' emails, all about 100k, with about 7 different subjects. on Monday,
> > > > > the flow slowed down, just maybe a hundred or so all day, and, I assumed
> > > > > the worst was over, so to speak.
> > > > > 
> > > > > However, between Tuesday and Wed this week, I received in excess of 1,000
> > > > > emails in say 12 hours, and, when I looked at it in the afternoon, I was
> > > > > getting one new mssg every minute.
> > > > 
> > > > I had the same problem.  It was all coming from one machine at
> > > > cornell.edu so I put in a .procmail rule to redirect all mail
> > > > with a header "Received: (from that machine)" line in it back
> > > > to the complaints address I found on their web site (which
> > > > otherwise wasn't responding when I sent them mail asking them
> > > > to fix it).
> > > > 
> > > > After that the flood lasted another 2-3 hours then stopped,
> > > > all by magick.
> > > 
> > > Newbie question here.  Is this definitive?
> > > 
> > > I've read that this virus spoofs the return address, which I understand
> > > to mean the text, but what about the IP chain?
> > > 
> > > I've read in separate articles about "untraceable" spam.  Is this
> > > happening here?
> > > 
> > > If there's a definitive way to be sure of the origin of an email, I'd
> > > like to know that's so, and how to determine it.
> > 
> > When a mail comes into a server, they usually put in a "received"
> > line which nowadays usually reports the IP address of the
> > connecting server and what it says its hostname is.
> > 
> > You can send a mail message with a few received messages of your own like I've 
> > done with this one.
> 
> Sorry, looks like postfix and/or mutt strips it out.  What a responsible program.
> 
> This is what I had:
> 
> > Received: from momandpop.com (cia.whitehouse.gov [4.3.2.1]) by 
> > beast.switchonline.com.au (Postfix) with ESMTP id C08CC53B for
> +<[EMAIL PROTECTED]>; Fri, 29 Aug 2003 08:57:54 +1000 (EST)
> 
> 
> > momandpop.com is what the server said it was, cia.whitehouse.gov is the reverse
> > lookup of the actual ip address sent from (4.3.2.1)

Here's one of mine:

Sender:  [EMAIL PROTECTED]
Received:  from LUCKYLZ ([211.154.93.35]) by siaag1af.compuserve.com
(8.12.9/8.12.7/SUN-2.7) with ESMTP id h7SCxV7X003565 for
<[EMAIL PROTECTED]>; Thu, 28 Aug 2003 08:59:39 -0400 (EDT)

So, [EMAIL PROTECTED] is spoofed, but the originating IP is correct?  Or
just the reporting server siaag1af.compuserve.com?  Does compuserve take
any steps to verify the included sender IP?

Bret

-- 
bwaldow at alum dot mit dot edu



Re: [SLUG] targeted virus or paranoia central ?

2003-08-28 Thread Anthony Wood
On Fri, Aug 29, 2003 at 08:59:30AM +1000, Anthony Wood wrote:
> On Thu, Aug 28, 2003 at 10:49:51AM -0400, Bret Comstock Waldow wrote:
> > On Thu, 2003-08-28 at 02:36, Del wrote:
> > >  [EMAIL PROTECTED] wrote:
> > > > during last weekend, I received several hundred of the latest ms
> > > > 'virus' emails, all about 100k, with about 7 different subjects. on Monday,
> > > > the flow slowed down, just maybe a hundred or so all day, and, I assumed
> > > > the worst was over, so to speak.
> > > > 
> > > > However, between Tuesday and Wed this week, I received in excess of 1,000
> > > > emails in say 12 hours, and, when I looked at it in the afternoon, I was
> > > > getting one new mssg every minute.
> > > 
> > > I had the same problem.  It was all coming from one machine at
> > > cornell.edu so I put in a .procmail rule to redirect all mail
> > > with a header "Received: (from that machine)" line in it back
> > > to the complaints address I found on their web site (which
> > > otherwise wasn't responding when I sent them mail asking them
> > > to fix it).
> > > 
> > > After that the flood lasted another 2-3 hours then stopped,
> > > all by magick.
> > 
> > Newbie question here.  Is this definitive?
> > 
> > I've read that this virus spoofs the return address, which I understand
> > to mean the text, but what about the IP chain?
> > 
> > I've read in separate articles about "untraceable" spam.  Is this
> > happening here?
> > 
> > If there's a definitive way to be sure of the origin of an email, I'd
> > like to know that's so, and how to determine it.
> 
> When a mail comes into a server, they usually put in a "received"
> line which nowadays usually reports the IP address of the
> connecting server and what it says its hostname is.
> 
> You can send a mail message with a few received messages of your own like I've done 
> with this one.

Sorry, looks like postfix and/or mutt strips it out.  What a responsible program.

This is what I had:

> Received: from momandpop.com (cia.whitehouse.gov [4.3.2.1]) by 
> beast.switchonline.com.au (Postfix) with ESMTP id C08CC53B for
+<[EMAIL PROTECTED]>; Fri, 29 Aug 2003 08:57:54 +1000 (EST)


> momandpop.com is what the server said it was, cia.whitehouse.gov is the reverse
> lookup of the actual ip address sent from (4.3.2.1)
> 
> cheers,
> Woody

-- 
Woody


Re: [SLUG] targeted virus or paranoia central ?

2003-08-28 Thread Anthony Wood
On Thu, Aug 28, 2003 at 10:49:51AM -0400, Bret Comstock Waldow wrote:
> On Thu, 2003-08-28 at 02:36, Del wrote:
> >  [EMAIL PROTECTED] wrote:
> > > during last weekend, I received several hundred of the latest ms
> > > 'virus' emails, all about 100k, with about 7 different subjects. on Monday,
> > > the flow slowed down, just maybe a hundred or so all day, and, I assumed
> > > the worst was over, so to speak.
> > > 
> > > However, between Tuesday and Wed this week, I received in excess of 1,000
> > > emails in say 12 hours, and, when I looked at it in the afternoon, I was
> > > getting one new mssg every minute.
> > 
> > I had the same problem.  It was all coming from one machine at
> > cornell.edu so I put in a .procmail rule to redirect all mail
> > with a header "Received: (from that machine)" line in it back
> > to the complaints address I found on their web site (which
> > otherwise wasn't responding when I sent them mail asking them
> > to fix it).
> > 
> > After that the flood lasted another 2-3 hours then stopped,
> > all by magick.
> 
> Newbie question here.  Is this definitive?
> 
> I've read that this virus spoofs the return address, which I understand
> to mean the text, but what about the IP chain?
> 
> I've read in separate articles about "untraceable" spam.  Is this
> happening here?
> 
> If there's a definitive way to be sure of the origin of an email, I'd
> like to know that's so, and how to determine it.

When a mail comes into a server, they usually put in a "received"
line which nowadays usually reports the IP address of the
connecting server and what it says its hostname is.

You can send a mail message with a few received messages of your own like I've done 
with this one.
momandpop.com is what the server said it was, cia.whitehouse.gov is the reverse
lookup of the actual ip address sent from (4.3.2.1)

cheers,
Woody


Re: [SLUG] targeted virus or paranoia central ?

2003-08-28 Thread Bret Comstock Waldow
On Thu, 2003-08-28 at 02:36, Del wrote:
>  [EMAIL PROTECTED] wrote:
> > during last weekend, I received several hundred of the latest ms
> > 'virus' emails, all about 100k, with about 7 different subjects. on Monday,
> > the flow slowed down, just maybe a hundred or so all day, and, I assumed
> > the worst was over, so to speak.
> > 
> > However, between Tuesday and Wed this week, I received in excess of 1,000
> > emails in say 12 hours, and, when I looked at it in the afternoon, I was
> > getting one new mssg every minute.
> 
> I had the same problem.  It was all coming from one machine at
> cornell.edu so I put in a .procmail rule to redirect all mail
> with a header "Received: (from that machine)" line in it back
> to the complaints address I found on their web site (which
> otherwise wasn't responding when I sent them mail asking them
> to fix it).
> 
> After that the flood lasted another 2-3 hours then stopped,
> all by magick.

Newbie question here.  Is this definitive?

I've read that this virus spoofs the return address, which I understand
to mean the text, but what about the IP chain?

I've read in separate articles about "untraceable" spam.  Is this
happening here?

If there's a definitive way to be sure of the origin of an email, I'd
like to know that's so, and how to determine it.

Thanks,
Bret

-- 
bwaldow at alum dot mit dot edu



Re: [SLUG] targeted virus or paranoia central ?

2003-08-28 Thread Voytek
** Reply to note from Andrew McNaughton <[EMAIL PROTECTED]> Thu, 28 Aug 2003 16:37:41 +1200 (NZST)


> We've got a bunch of accounts on our server, but it's only really two 
> addresses that are getting hit particularly hard (down to about 400K/min now). 
> Those accounts are very publicly known.  They're widely publicised contact 
> addresses. 
>  
> My guess is that the reason you're being hit hard is because you send your 
> mail address to lots of list subscribers?

Andrew,

that's what I was guessing. I can't say I'm on that many lists, probably
only about 10, BUT, a number of them have web archives with full
addresses

I think I'll wait till tomorrow before I cautiously re-enable my address 



Voytek Eymont


Re: [SLUG] targeted virus or paranoia central ?

2003-08-28 Thread Del
[EMAIL PROTECTED] wrote:
> during last weekend, I received several hundred of the latest ms
> 'virus' emails, all about 100k, with about 7 different subjects. on Monday,
> the flow slowed down, just maybe a hundred or so all day, and, I assumed
> the worst was over, so to speak.
> 
> However, between Tuesday and Wed this week, I received in excess of 1,000
> emails in say 12 hours, and, when I looked at it in the afternoon, I was
> getting one new mssg every minute.

I had the same problem.  It was all coming from one machine at
cornell.edu so I put in a .procmail rule to redirect all mail
with a header "Received: (from that machine)" line in it back
to the complaints address I found on their web site (which
otherwise wasn't responding when I sent them mail asking them
to fix it).

After that the flood lasted another 2-3 hours then stopped,
all by magick.

I did get whacked with several GB of mail in that time
however, most annoying.
--
Del


Re: [SLUG] targeted virus or paranoia central ?

2003-08-28 Thread David Kempe
It's all sobig.f stuff.
Your experience is similar to mine. Not that I have had my turn in
receiving it, but some customers are getting shiteloads of sobig.f and
others are getting none.
It's all part of the virus's master plan - check a recent slashdot article
on some of the nasty implications. Anyway, it's all going to go away soon
as sobig.f will expire. Probably to be replaced by a worse sobig.g.

dave

[EMAIL PROTECTED] said:
>
> Suggestions were made to me that perhaps I was 'targeted' with it ?
>
> - how much of the crap are others getting ?
>
> the actual payload doesn't worry me, but, I don't want to pay for the
> traffic, so, in the end, as an interim measure, I've deleted my own email
> address (as to refuse this crap at smtp server)
>
> I suppose the only way to stop it, traffic-wise, would be to filter
> upstream ?
>
> I thought ms tax only applied when you bought a new PC, seems, ms tax is a
> lot broader
>
>
>
> Voytek Eymont



[SLUG] targeted virus or paranoia central ?

2003-08-28 Thread voyteke
during last weekend, I received several hundred of the latest ms
'virus' emails, all about 100k, with about 7 different subjects. on Monday,
the flow slowed down, just maybe a hundred or so all day, and, I assumed
the worst was over, so to speak.

However, between Tuesday and Wed this week, I received in excess of 1,000
emails in say 12 hours, and, when I looked at it in the afternoon, I was
getting one new mssg every minute.

looking at mailboxes of several hundred users, it was only my own email
that was being hit so much, likewise, the admin of email on other servers
where my server is hosted doesn't see *that many* virus hits across his
servers.

Suggestions were made to me that perhaps I was 'targeted' with it ?

- how much of the crap are others getting ?

the actual payload doesn't worry me, but, I don't want to pay for the
traffic, so, in the end, as an interim measure, I've deleted my own email
address (as to refuse this crap at smtp server)

I suppose the only way to stop it, traffic-wise, would be to filter
upstream ?

I thought ms tax only applied when you bought a new PC, seems, ms tax is a
lot broader



Voytek Eymont