[Dshield] Re: list Digest, Vol 10, Issue 1

Kenneth Coney superc at visuallink.com
Wed Oct 1 16:32:36 GMT 2003


Most of the newer viruses create a mail server in the infected machine. 
Initially, they use the infected machines address list not yours.  Likewise 
some of them also make reports confirming their existence and location, at 
least once, to a pre determined IP address and then await further 
instructions while replicating through email.  It is not improbable that 
received instructions can include new email addresses and spoofed IP 
numbers to use for email sources.  Some ISP's are now filtering outgoing 
mail for viruses from the infected machines.  This results in emasculated 
emails (i.e., stripped of harmful instructions) arriving at your machine. 
If you are paranoid, consider that someone somewhere wants your IP added to 
his list of slaves, so the attempts at infecting you continue.  :)



Subject: [Dshield] Swen related 'qmail' question
From: "Guy Barnum" <GuyBarnum at Armscole.com>
Date: Tue, 30 Sep 2003 15:19:56 -0400
To: "General DShield Discussion List" <list at dshield.org>

Question regarding a flood of fake failed emails since Swen has been 
breeding in the wild:  I have recently been flooded with the fake microsoft 
support swen-attached emails (getting this one under control) but now I'm 
flooded with fake failed emails, some of which (%25 or less?) claim to be 
an undeliverable qmail message.  You can tell the messages that don't 
mention qmail are still from the same general source, they all look the 
same with 3 or 4 lines in the subject regarding a failed email message with 
the same text in the email bolded or not bolded in all of them.

I know this has been reported as one of the emails sent by the swen virus 
strain but ALL of these messages piling up on my system have no attachments 
and are not html emails with any macros or malicious code.

My system in question passes the latest virus scans per norton corporate 
and all of the to and from addresses in these messages are fake so they 
aren't being pulled from my address book.  So where are they coming from 
and how-why are they getting delivered to my address?  Is this just a 
symptom of infected machines out there on the net which my email address 
has ended up on somehow and is being flooded until they clean their system?

Also with no infected or 'bad' file attachments and with the faked to & 
from info how can you block these emails?

I'm looking into the email headers of these msgs and even though the fake 
from address doesn't match the sending email host can I assume they were 
sent from a real email server?  If so then they could be informed of 
infected machines on their network to clean up and stop flooding me right?

Any advice or explanations of how this all works is greatly appreciated, or 
pointing me to where this has already been covered of course.  I would be 
happy to post up a header or two from these emails, if you want to see one 
just ask on or off list.

Guy







More information about the list mailing list