[Dshield] Re: list Digest, Vol 10, Issue 1
superc at visuallink.com
Wed Oct 1 16:32:36 GMT 2003
Most of the newer viruses create a mail server in the infected machine.
Initially, they use the infected machine's address list, not yours. Likewise
some of them also make reports confirming their existence and location, at
least once, to a predetermined IP address and then await further
instructions while replicating through email. It is not improbable that
received instructions can include new email addresses and spoofed IP
numbers to use for email sources. Some ISPs are now filtering outgoing
mail for viruses from the infected machines. This results in emasculated
emails (i.e., stripped of harmful instructions) arriving at your machine.
If you are paranoid, consider that someone somewhere wants your IP added to
his list of slaves, so the attempts at infecting you continue. :)
Subject: [Dshield] Swen related 'qmail' question
From: "Guy Barnum" <GuyBarnum at Armscole.com>
Date: Tue, 30 Sep 2003 15:19:56 -0400
To: "General DShield Discussion List" <list at dshield.org>
Question regarding a flood of fake failed emails since Swen has been
breeding in the wild: I have recently been flooded with the fake Microsoft
support Swen-attached emails (getting this one under control) but now I'm
flooded with fake failed emails, some of which (25% or less?) claim to be
an undeliverable qmail message. You can tell the messages that don't
mention qmail are still from the same general source, they all look the
same with 3 or 4 lines in the subject regarding a failed email message with
the same text in the email bolded or not bolded in all of them.
I know this has been reported as one of the emails sent by the swen virus
strain but ALL of these messages piling up on my system have no attachments
and are not html emails with any macros or malicious code.
My system in question passes the latest virus scans per Norton Corporate
and all of the to and from addresses in these messages are fake so they
aren't being pulled from my address book. So where are they coming from
and how-why are they getting delivered to my address? Is this just a
symptom of infected machines out there on the net which my email address
has ended up on somehow and is being flooded until they clean their system?
Also with no infected or 'bad' file attachments and with the faked to &
from info how can you block these emails?
I'm looking into the email headers of these msgs and even though the fake
from address doesn't match the sending email host can I assume they were
sent from a real email server? If so then they could be informed of
infected machines on their network to clean up and stop flooding me right?
Any advice or explanations of how this all works is greatly appreciated, or
pointing me to where this has already been covered of course. I would be
happy to post up a header or two from these emails, if you want to see one
just ask on or off list.
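The header question in the post above (does the forged From: tell you anything, and which host can actually be reported?) comes down to reading the Received: chain. The script below is an added example for this thread, not code posted by either list member; it uses only the Python standard library, and the message it parses is constructed, with every hostname, IP address and mailbox in it invented. The key point it encodes: only the topmost Received: header, written by your own mail exchanger, is trustworthy, and the bracketed IP there is the host that really connected to you. Everything below it, and the From: line, can be written by the sending program, so a worm with its own SMTP engine can forge them freely.

```python
"""Triage a suspected fake bounce by inspecting its Received: chain.

Added example for this mailing-list thread, not code from the list or its
posters. Standard library only; the sample message and all names in it are
constructed.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Constructed sample: a fake "undeliverable" notice with no attachment, a
# forged From:, and two Received: hops. The top hop was added by our MX
# (mx.ourdomain.test); the lower one may have been written by the sender.
SAMPLE_BOUNCE = """\
Return-Path: <postmaster@example.org>
Received: from mail.isp-a.test (mail.isp-a.test [192.0.2.10])
\tby mx.ourdomain.test with ESMTP id ABC123
\tfor <victim@ourdomain.test>; Tue, 30 Sep 2003 15:19:56 -0400
Received: from dialup-42.isp-a.test (dialup-42.isp-a.test [198.51.100.42])
\tby mail.isp-a.test with SMTP id DEF456; Tue, 30 Sep 2003 15:19:50 -0400
From: "Mail Delivery System" <postmaster@example.org>
To: victim@ourdomain.test
Subject: Undeliverable Mail
Content-Type: text/plain; charset=us-ascii

Hi. This is the qmail-send program at example.org.
I'm afraid I wasn't able to deliver your message to the following addresses.
"""

# "from <helo-name> (<reverse-dns> [<ip>]) by <server> ..." as MTAs write it.
_HOP_RE = re.compile(r"from\s+(?P<helo>\S+)(?:\s*\((?P<comment>[^)]*)\))?", re.I)
_BY_RE = re.compile(r"\bby\s+(?P<by>\S+)", re.I)
_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(msg: Message) -> list:
    """One dict per Received: header, in header order.

    Header order is newest first: index 0 was written by the last server
    (ours), the last index by whichever host first accepted the message.
    """
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        m = _HOP_RE.search(flat)
        if not m:
            continue
        comment = m.group("comment") or ""
        ip = _IP_RE.search(comment)
        by = _BY_RE.search(flat)
        hops.append({
            "helo": m.group("helo"),
            "ip": ip.group(1) if ip else None,
            "by": by.group("by") if by else None,
        })
    return hops


def sender_domain(msg: Message) -> str:
    """Domain of the From: header, lower-cased ('' if unparsable)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def triage(raw: str) -> dict:
    """Collect the indicators the thread talks about for one raw message."""
    msg = message_from_string(raw)
    hops = parse_received(msg)
    from_dom = sender_domain(msg)
    # Only the hop our own MX wrote (index 0) is trustworthy; its bracketed
    # IP is the host that actually connected to us and the one whose network
    # can be told about an infected machine. Lower hops may be forged.
    trusted = hops[0] if hops else {"helo": None, "ip": None, "by": None}
    trusted_host = (trusted["helo"] or "").lower()
    return_path = msg.get("Return-Path", "").strip()
    body = msg.get_payload() if not msg.is_multipart() else ""
    has_attachment = bool(msg.get_filename()) if not msg.is_multipart() else any(
        part.get_filename() for part in msg.walk())
    return {
        "hop_count": len(hops),
        "from_domain": from_dom,
        "connecting_host": trusted["helo"],
        "connecting_ip": trusted["ip"],
        "claimed_origin_ip": hops[-1]["ip"] if hops else None,
        # The mismatch the poster noticed: From: domain vs. the relay that
        # really handed us the message.
        "from_matches_relay": bool(from_dom) and trusted_host.endswith(from_dom),
        # Genuine delivery-status notifications are sent with a null envelope
        # sender, so Return-Path should be "<>" on a real bounce.
        "null_return_path": return_path == "<>",
        "has_attachment": has_attachment,
        "mentions_qmail": "qmail" in body.lower(),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_BOUNCE).items():
        print(f"{key:>20}: {value}")
```

Run against a real message, the two values worth acting on are `connecting_ip` (the host whose operator can be notified, since it is the one that connected to your server regardless of what the From: line says) and `null_return_path` (a bounce that arrives with a non-empty Return-Path did not come from a mail server's bounce generator). `claimed_origin_ip` is reported for completeness but should be treated as unverified, because every hop below the first is under the sender's control.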