Virus Question...

LawnMM, Colorado
edited August 2003 in Science & Tech
How hard would it be to send out email so it would appear to the recipients that it was from somebody other than yourself?

I got two auto return emails from mail servers that were undeliverable because the emails were apparently infected. I also got one back from a system administrator at some university saying the same thing.

Here's the catch...I don't have the damn Sobig virus. I've kept my definitions updated. Scanned for it several times. Checked for the registry entries and locations it supposedly copies itself to...no sign of it on my system now or ever.

I'm open to suggestions and ideas, but this one has me pretty frickin perplexed...

Comments

  • primesuspect, Beepin n' Boopin, Detroit, MI, Icrontian
    edited August 2003
    That's what SoBig does - it spoofs the headers so it appears that it comes from someone else. That's why it's so damn annoying.

    If you don't have it, you're getting rejects because someone has it and they have your email addy in their address book, so rejects are getting sent back to you.

    Suck it up, and join the club of "I get 400 mails a day from SoBig and I'm not infected"
  • LawnMM, Colorado
    edited August 2003
    That's what I figured :(

    Least it's a short list of people to notify!
  • Straight_Man, Geeky, in my own way, Naples, FL, Icrontian
    edited August 2003
    I got 16 returns from one email server in 24 hours. I sent the header to Comcast's abuse address, 2 hours later no more SoBig.f. My GeCAD AV software (RavAntiVirus Desktop) ID'd them and I knew it was SoBig.f from the subject lines combined with attachment names. At this point the FBI has tracked to one ISP for start point and is narrowing the focus with that ISP's help.

    So, if you get a bunch, send everything above the lines that make no sense down near the bottom under the attachment name to your ISP's abuse address, and the ISPs can and will use IPs and email server names and possibly Mail Transfer Agent names (in this case the MTA alias was MERRIHEW in all copies of Blaster I got, including the rejects; I got 9 "real" ones first).

    The IPs all traced to one server name and one class C subnetwork within one ISP and the understanding now is that one mass-mailer helped spread them first. Anything from xterra.ediets1.com now gets trashed here, that is the email server name. Good thing is one more SPAMMER will be out to lunch for years now.

    The FBI now has a subsection of its Computer Crimes division working on virus backtracking and the US Government is treating it as a prosecutable Crime to distribute malware on public communications nets -- Felony type, AFAIK. Also, if tracked down the writer will get many very big bandwidth bills.

    Since Microsoft is discontinuing separate IE after IE 6.0 SP1, I went looking and here is a tip for admins:

    IEAK (Internet Explorer Administrator Kit) is a full install of IE 6.0 SP1 which is what the new security patches for IE are mostly going to look for as a prerequisite now that IE is going to become fully integrated and not be called IE separately as such in Longhorn and up. Microsoft will burn up to 25 copies of the IEAK per order and charges a flat $10.00 for burn and package and about 10.40 shipping for units of 10. I and the company I work for will need them for installs on machines that should not go on the web except to patch with known patches and get AV updates before surfing again, and the default for 2000 and back is well before IE.

    So if you order one, might as well get 10 and not resell them but have a guaranteed good one for a long time, unless you want to shift your Windows boxes to Mozilla or possibly, for a fee, an ad-free Opera. This will let you recover install as needed also, and then fit a pack to needs, as you can even customize a company name into the install and make a standard install set with customizations that make one company-only browser install set, and then almost all have the same browser and both intranet and web support in-house gets easier.

    About SoBig, if the FBI does not move fast, they have been released about once a month, so if the author(s) is/are uncaught there could well be a SoBig.g in late September. At this point I would say be cautious about having very up to date AV very often, unlike a neighbor who thought he had updated his and discovered it was not last week but last month he did, and that since he was on dialup the only time it had actually updated itself was when I installed a legal Norton AV on this machine. Check by date please if you own Norton AV, and expect new ones at least weekly for viruses as a whole, and expect viruses to be more sophisticated variants of older ones reworked more often than in the past.

    If you hear of w32.Melchia, this was also called Blaster.D and was the "fixer" Blaster variant that someone sent.
  • Slick, Upstate New York
    edited August 2003
    I never got any e-mails like that. I have however gotten the virus from an e-mail that said it was from 'Support@Microsoft.com'.
  • Enverex, Worcester, UK, Icrontian
    edited August 2003
    You can change the header yourself with Outlook very easily, scared the crap out of some (not so bright) friends when they received an e-mail from "Piracy@microsoft.com".

    NS
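As an added illustration of what primesuspect and Straight_Man describe above (the From: line is free text that the worm fills in, while the Received: lines added by each relay are what an abuse desk actually traces), here is a small Python header-triage script. It is not from any poster or from this forum; the sample message, host names and IP addresses in it are constructed, and the regex assumes the usual "from X (rdns [ip]) by Y" Received: layout.

```python
import email
import email.utils
import re

# Constructed sample: a message as it arrives at the recipient's server. A worm on
# a dial-up host (198.51.100.77, made up) wrote someone else's address into From:,
# which is why that person, not the infected machine's owner, receives the bounces.
SAMPLE_MESSAGE = """Received: from mx.example-isp.net (mx.example-isp.net [203.0.113.10])
    by mail.recipient.example (Postfix) with ESMTP id ABC123
    for <victim@recipient.example>; Fri, 22 Aug 2003 10:15:02 -0600
Received: from dialup-77.example-isp.net (unknown [198.51.100.77])
    by mx.example-isp.net with SMTP id XYZ789; Fri, 22 Aug 2003 10:14:58 -0600
From: "LawnMM" <lawnmm@example.org>
To: victim@recipient.example
Subject: Re: Details

See the attached file for details.
"""

# "from <helo> (<reverse-dns> [<ip>]) by <relay>" as most MTAs write it (assumed layout).
RECEIVED_RE = re.compile(r"from\s+(?P<helo>\S+)\s*(?:\((?P<paren>[^)]*)\))?\s*by\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def parse_received(value):
    """Pull the claimed sender host, its connecting IP and the relay out of one Received: line."""
    m = RECEIVED_RE.search(re.sub(r"\s+", " ", value))  # unfold continuation lines
    if not m:
        return None
    ip = IP_RE.search(m.group("paren") or "")
    return {"helo": m.group("helo"), "ip": ip.group(1) if ip else None, "by": m.group("by")}

def trace_origin(raw):
    """Return the (unverified) From: address and the relay chain in delivery order."""
    msg = email.message_from_string(raw)
    # Each relay prepends its own Received: line, so the bottom one is the first hop.
    hops = [h for h in (parse_received(v) for v in reversed(msg.get_all("Received", []))) if h]
    return {
        "from_addr": email.utils.parseaddr(msg.get("From", ""))[1],
        "hops": hops,
        "origin_ip": hops[0]["ip"] if hops else None,  # the IP worth sending to the abuse desk
    }

def abuse_report_headers(raw):
    """Everything above the first blank line: the headers an abuse desk needs, minus the attachment."""
    return raw.split("\n\n", 1)[0]

if __name__ == "__main__":
    info = trace_origin(SAMPLE_MESSAGE)
    print("From: header claims", info["from_addr"])
    print("first relay saw the connection come from", info["origin_ip"])
```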