Thanks
 
I was thinking about adding the rule as well but also assumed that any legit mail to yahoo would be blocked and stopped myself.
 
Too bad the powers that be here are not buying JUNK Mail.
 
DC


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Tuesday, May 11, 2004 4:57 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] RE Mass mailing maybe new virus

This is likely just spam.  The technique with the URL is someone exploiting Yahoo's redirection scheme to land you on another site.  They do this to hide from URL parsers that don't recognize the exploit.

It is possible that the site tries to install an exploit such as Java Byte Verify, which can be used to place just about anything on your computer, but typically just drops browser helper objects (adware/spyware) onto your system.  Norton stops this stuff cold, and it's been around for a while.  Note that I didn't bother with the payload link.

Anyway, it just looks like it's forging spam to me.

Your block of that address also isn't very wise because it is a legitimate link that could stop valid E-mail from Yahoo and their partners from getting through.  If you are running JunkMail Pro, there is a filter for this technique listed on my site (link in the sig) called !YDIRECTED.

Matt
-- 
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================




Email Admin wrote:
Hello
Our mail server received a mass mailing earlier today.
The email is addressed to [EMAIL PROTECTED] and is coming from
[EMAIL PROTECTED]

Copy of headers:
Received: from mail.citravel.com [10.215.43.52] by citravel.com
  (SMTPD32-8.11) id A06E595011C; Tue, 11 May 2004 11:25:34 -0400
From: mail.citravel.com<[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: RE:
X-Mailer: Microsoft Outlook
Mime-Version: 1.0
Content-Type: text/html; charset=us-ascii
Message-Id: <[EMAIL PROTECTED]>
X-Declude-Sender: [EMAIL PROTECTED] [10.215.43.52]
X-Declude-Spoolname: Df06e0595011c829f.SMD
X-Note: This message was scanned for Spam
X-RBL-Warning: Total weight value: 0
X-Spam-Tests-Failed: Whitelisted [0]
X-Note: Recipient Host:    citravel.com
X-Note: Sender Address:    [EMAIL PROTECTED]
X-Note: Sender Host Name:  (Private IP)
X-Note: Sender IP Address: 10.215.43.52
X-Note: Sender Country ID:
X-Note: This E-mail was sent from (Private IP) ([10.215.43.52])
Precedence: bulk
Sender: [EMAIL PROTECTED]
Date: Tue, 11 May 2004 11:32:11
X-RCPT-TO: citravel.com
Status: U
X-UIDL: 384277933

This person's email client does not show they sent this message, but the IP
of the sending host is the sender's system.
I have scanned this system and it is showing virus free, using SOPHOS latest defs as of 2pm EST 5/11/2004.
I am also sniffing the network now looking for other SMTP Traffic.

Users who receive the email, which has a link of h t t p:// d r s . y a h o o . com / citravel.com/news,
get sent to a pornography site.  After they close this site, their system
keeps having pop-ups appearing regularly.
This link redirects to h t t p:// d r s . y a h o o . com / citravel.com/news*http://www.security-warning.biz/personal6/maljo24/www.yahoo.com/#http://drs.yahoo.com/citravel.com/news



I am not so much worried about the email but as to how it was sent.
This is where I think it might be a virus.

Currently I have a filter stopping emails with d r s . y a h o o . c o m
(space added)
I am seeing several hundred an hour being stopped.
 
Any help, ideas, thoughts?
Or should I just go golfing and forget about it??? :)
 
~Paul~
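Matt's objection is that a blanket filter on drs.yahoo.com also stops legitimate Yahoo links, while the trick being abused is that the redirector carries the real destination after a `*` in its path, with a `#...yahoo.com` fragment tacked on so the link reads as if it ends on Yahoo. The example below is added here and is not code from the thread, from Declude, or from MailPure: it decodes a redirector link, finds where it actually lands, and flags only links that leave the Yahoo domain. The `REDIRECTOR_HOSTS` set, the `*` convention, and the two extra sample links are assumptions; the first sample is the link quoted in Paul's message with the spaces removed.

```python
"""Flag Yahoo-redirector links only when the embedded target leaves Yahoo.

Added example (not from the thread). Assumption: the redirector puts the real
destination after a '*' in its path, as in the link quoted in the message.
"""
from urllib.parse import urlsplit, unquote

# Hosts treated as redirectors (assumption based on the link in the thread).
REDIRECTOR_HOSTS = {"drs.yahoo.com"}
# Destinations considered legitimate for such a redirector.
TRUSTED_SUFFIXES = ("yahoo.com",)

# Constructed samples: "thread" is the quoted link with the poster's spaces
# removed; the other two are hypothetical links for comparison.
SAMPLES = {
    "thread": "http://drs.yahoo.com/citravel.com/news*http://www.security-warning.biz"
              "/personal6/maljo24/www.yahoo.com/#http://drs.yahoo.com/citravel.com/news",
    "legit_redirect": "http://drs.yahoo.com/citravel.com/news*http://mail.yahoo.com/",
    "plain": "http://www.example.com/news",
}


def host_of(url):
    """Lower-cased host part of a URL, or '' if there is none."""
    return urlsplit(url).hostname or ""


def is_trusted(host):
    """True when host is one of TRUSTED_SUFFIXES or a subdomain of one."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def redirect_target(url):
    """Return the destination embedded in a redirector link, or None.

    Only links whose host is in REDIRECTOR_HOSTS are examined. The fragment is
    dropped first because browsers never send it, so a trailing
    '#http://drs.yahoo.com/...' only changes how the link looks in mail.
    """
    if host_of(url) not in REDIRECTOR_HOSTS:
        return None
    base = url.split("#", 1)[0]
    # Decode once so a percent-encoded '*' (%2A) cannot hide the split point.
    base = unquote(base)
    _, star, target = base.partition("*")
    if not star or not target.lower().startswith(("http://", "https://")):
        return None
    return target


def classify(url):
    """Classify one link: allow plain links and redirects that stay on Yahoo,
    flag redirects whose real destination is elsewhere."""
    target = redirect_target(url)
    if target is None:
        return {"verdict": "allow", "redirector": False, "target_host": host_of(url)}
    thost = host_of(target)
    verdict = "allow" if is_trusted(thost) else "flag"
    return {"verdict": verdict, "redirector": True, "target_host": thost}


if __name__ == "__main__":
    for name, link in SAMPLES.items():
        result = classify(link)
        print(f"{name:15s} {result['verdict']:5s} -> {result['target_host']}")
```

Run stand-alone it prints one line per sample; the thread's link is flagged with its real destination host, the constructed Yahoo-to-Yahoo redirect and the plain link are allowed. The same `classify` call can be applied to every URL extracted from a message body, which gives the admin a filter that catches this redirect abuse without blocking all mail that mentions drs.yahoo.com.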

