[Dshield] Swen related 'qmail' question

Doug White doug at clickdoug.com
Wed Oct 1 02:53:18 GMT 2003

The ones that are crafted as bounces or returned mail actually contain Iframe
code which will infect a windows machine when the mail is previewed.   They were
specially added to the virus signature files.  While it contains no attachment,
it will infect an unprotected windows box when security is set low enough to
allow execution of the Iframe script.

Stop spam on your domain, use our gateway!
For hosting solutions http://www.clickdoug.com
Featuring Win2003 Enterprise, RedHat Linux, CFMX 6.1 and all databases.
ISP rated: http://www.forta.com/cf/isp/isp.cfm?isp_id=772
Suggested corporate Anti-virus policy: http://www.dshield.org/antivirus.pdf
If you are not satisfied with my service, my job isn't done!

----- Original Message ----- 
From: "Guy Barnum" <GuyBarnum at Armscole.com>
To: "General DShield Discussion List" <list at dshield.org>
Sent: Tuesday, September 30, 2003 2:19 PM
Subject: [Dshield] Swen related 'qmail' question

| Question regarding a flood of fake failed emails since Swen has been breeding
in the wild:  I have recently been flooded with the fake microsoft support
swen-attached emails (getting this one under control) but now I'm flooded with
fake failed emails, some of which (%25 or less?) claim to be an undeliverable
qmail message.  You can tell the messages that don't mention qmail are still
from the same general source, they all look the same with 3 or 4 lines in the
subject regarding a failed email message with the same text in the email bolded
or not bolded in all of them.
| I know this has been reported as one of the emails sent by the swen virus
strain but ALL of these messages piling up on my system have no attachments and
are not html emails with any macros or malicious code.
| My system in question passes the latest virus scans per norton corporate and
all of the to and from addresses in these messages are fake so they aren't being
pulled from my address book.  So where are they coming from and how-why are they
getting delivered to my address?  Is this just a symptom of infected machines
out there on the net which my email address has ended up on somehow and is being
flooded until they clean their system?
| Also with no infected or 'bad' file attachments and with the faked to & from
info how can you block these emails?
| I'm looking into the email headers of these msgs and even though the fake from
address doesn't match the sending email host can I assume they were sent from a
real email server?  If so then they could be informed of infected machines on
their network to clean up and stop flooding me right?
| Any advice or explanations of how this all works is greatly appreciated, or
pointing me to where this has already been covered of course.  I would be happy
to post up a header or two from these emails, if you want to see one just ask on
or off list.
| Guy
| _______________________________________________
| list mailing list
| list at dshield.org
| To change your subscription options (or unsubscribe), see:

More information about the list mailing list