RE: [Declude.Virus] RE Mass mailing maybe new virus
I love Declude Junkmail as I have it on my personal domain on a shared mail server that an ISP friend/client allows me to use. I must now use a local spam product on my personal mail, and everyone else fends for themselves on the company domain, which works for some, but it is still local, meaning everything already made it through the network. So you lost half the battle before you start, basically. Eventually I am hoping to convince them to go with Declude, but they are pestering me for an Exchange 2003 server. I was thinking of using GFI for that unless Declude releases something for Exchange by then... Anything in the works, Scott?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Tuesday, May 11, 2004 5:43 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] RE Mass mailing maybe new virus

> Take note that there was a virus payload at the link as Greg pointed out, but it appears that Terra-Lycos has killed the domain in question.
>
> It is too bad that the powers that be aren't buying JunkMail. I find it to be a very effective last line of protection for viruses, as virtually everything that slips through before definitions are updated ends up getting caught by a good JunkMail config. It can be very time consuming though, especially if you enjoy it too much :)
>
> Matt
>
> Douglas Cohn wrote:
>> Thanks
>>
>> I was thinking about adding the rule as well but also assumed that any legit mail to yahoo would be blocked and stopped myself.
>>
>> Too bad the powers that be here are not buying JUNK Mail.
>>
>> DC
>>
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
>> Sent: Tuesday, May 11, 2004 4:57 PM
>> To: [EMAIL PROTECTED]
>> Subject: Re: [Declude.Virus] RE Mass mailing maybe new virus
>>
>>> This is likely just spam. The technique with the URL is someone exploiting Yahoo's redirection scheme to land you on another site. They do this to hide from URL parsers that don't recognize the exploit.
>>>
>>> It is possible that the site tries to install an exploit such as Java Byte Verify, which can be used to place just about anything on your computer, but typically just drops browser helper objects (adware/spyware) onto your system. Norton stops this stuff cold, and it's been around for a while. Note that I didn't bother with the payload link.
>>>
>>> Anyway, it just looks like it's forging spam to me.
>>>
>>> Your block of that address also isn't very wise because it is a legitimate link that could stop valid E-mail from Yahoo and their partners from getting through. If you are running JunkMail Pro, there is a filter for this technique listed on my site (link in the sig) called !YDIRECTED.
>>>
>>> Matt
>>>
>>> --
>>> =
>>> MailPure custom filters for Declude JunkMail Pro.
>>> http://www.mailpure.com/software/
>>> =
>>>
>>> Email Admin wrote:
>>>> Hello
>>>> Our Mail server received a mass mailing earlier today.
>>>> The email is addressed to [EMAIL PROTECTED] and is coming from [EMAIL PROTECTED]
>>>>
>>>> Copy of headers:
>>>> Received: from mail.citravel.com [10.215.43.52] by citravel.com (SMTPD32-8.11) id A06E595011C; Tue, 11 May 2004 11:25:34 -0400
>>>> From: mail.citravel.com<[EMAIL PROTECTED]>
>>>> To: [EMAIL PROTECTED]
>>>> Subject: RE:
>>>> X-Mailer: Microsoft Outlook
>>>> Mime-Version: 1.0
>>>> Content-Type: text/html; charset=us-ascii
>>>> Message-Id: <[EMAIL PROTECTED]>
>>>> X-Declude-Sender: [EMAIL PROTECTED] [10.215.43.52]
>>>> X-Declude-Spoolname: Df06e0595011c829f.SMD
>>>> X-Note: This message was scanned for Spam
>>>> X-RBL-Warning: Total weight value: 0
>>>> X-Spam-Tests-Failed: Whitelisted [0]
>>>> X-Note: Recipient Host: citravel.com
>>>> X-Note: Sender Address: [EMAIL PROTECTED]
>>>> X-Note: Sender Host Name: (Private IP)
>>>> X-Note: Sender IP Address: 10.215.43.52
>>>> X-Note: Sender Country ID:
>>>> X-Note: This E-mail was sent from (Private IP) ([10.215.43.52])
>>>> Precedence: bulk
>>>> Sender: [EMAIL PROTECTED]
>>>> Date: Tue, 11 May 2004 11:32:11
>>>> X-RCPT-TO: citravel.com
>>>> Status: U
>>>> X-UIDL: 384277933
>>>>
>>>> This person's email client does not show they sent this message but the IP of the sending host is the sender's system.
>>>> I have scanned this system and it is showing virus free. Using SOPHOS latest defs as of 2pm est 5/11/2004
>>>> I am also sniffing the network now looking for other SMTP Traffic.
>>>>
>>>> Users who receive the email, which has a link of h t t p:// d r s . y a h o o . com / citravel.com/news, get sent to a pornography site. After they close this site their system keeps having pop ups appearing regularly.
>>>> This link redirects to h t t p:// d r s . y a h o o . com / citravel.com/news*http://www.security-warning.biz/personal6/maljo24/www.yahoo.com/#http://drs.yahoo.com/citravel.com/news
>>>>
>>>> I am not so much worried about the email but as to how it was sent. This is where I thin
Re: [Declude.Virus] RE Mass mailing maybe new virus
I've found Declude Junkmail to be almost an addiction. Is there a 12 step program available?

Scott Fisher
Director of IT
Farm Progress Companies

>>> [EMAIL PROTECTED] 05/11/04 04:42PM >>>
Take note that there was a virus payload at the link as Greg pointed out, but it appears that Terra-Lycos has killed the domain in question.

It is too bad that the powers that be aren't buying JunkMail. I find it to be a very effective last line of protection for viruses, as virtually everything that slips through before definitions are updated ends up getting caught by a good JunkMail config. It can be very time consuming though, especially if you enjoy it too much :)

Matt

Douglas Cohn wrote:
> Thanks
>
> I was thinking about adding the rule as well but also assumed that any legit mail to yahoo would be blocked and stopped myself.
>
> Too bad the powers that be here are not buying JUNK Mail.
>
> DC
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
> Sent: Tuesday, May 11, 2004 4:57 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.Virus] RE Mass mailing maybe new virus
>
> This is likely just spam. The technique with the URL is someone exploiting Yahoo's redirection scheme to land you on another site. They do this to hide from URL parsers that don't recognize the exploit.
>
> It is possible that the site tries to install an exploit such as Java Byte Verify, which can be used to place just about anything on your computer, but typically just drops browser helper objects (adware/spyware) onto your system. Norton stops this stuff cold, and it's been around for a while. Note that I didn't bother with the payload link.
>
> Anyway, it just looks like it's forging spam to me.
>
> Your block of that address also isn't very wise because it is a legitimate link that could stop valid E-mail from Yahoo and their partners from getting through. If you are running JunkMail Pro, there is a filter for this technique listed on my site (link in the sig) called !YDIRECTED.
>
> Matt
>
> --
> =
> MailPure custom filters for Declude JunkMail Pro.
> http://www.mailpure.com/software/
> =
>
> Email Admin wrote:
>> Hello
>> Our Mail server received a mass mailing earlier today.
>> The email is addressed to [EMAIL PROTECTED] and is coming from [EMAIL PROTECTED]
>>
>> Copy of headers:
>> Received: from mail.citravel.com [10.215.43.52] by citravel.com (SMTPD32-8.11) id A06E595011C; Tue, 11 May 2004 11:25:34 -0400
>> From: mail.citravel.com<[EMAIL PROTECTED]>
>> To: [EMAIL PROTECTED]
>> Subject: RE:
>> X-Mailer: Microsoft Outlook
>> Mime-Version: 1.0
>> Content-Type: text/html; charset=us-ascii
>> Message-Id: <[EMAIL PROTECTED]>
>> X-Declude-Sender: [EMAIL PROTECTED] [10.215.43.52]
>> X-Declude-Spoolname: Df06e0595011c829f.SMD
>> X-Note: This message was scanned for Spam
>> X-RBL-Warning: Total weight value: 0
>> X-Spam-Tests-Failed: Whitelisted [0]
>> X-Note: Recipient Host: citravel.com
>> X-Note: Sender Address: [EMAIL PROTECTED]
>> X-Note: Sender Host Name: (Private IP)
>> X-Note: Sender IP Address: 10.215.43.52
>> X-Note: Sender Country ID:
>> X-Note: This E-mail was sent from (Private IP) ([10.215.43.52])
>> Precedence: bulk
>> Sender: [EMAIL PROTECTED]
>> Date: Tue, 11 May 2004 11:32:11
>> X-RCPT-TO: citravel.com
>> Status: U
>> X-UIDL: 384277933
>>
>> This person's email client does not show they sent this message but the IP of the sending host is the sender's system.
>> I have scanned this system and it is showing virus free. Using SOPHOS latest defs as of 2pm est 5/11/2004
>> I am also sniffing the network now looking for other SMTP Traffic.
>>
>> Users who receive the email, which has a link of h t t p:// d r s . y a h o o . com / citravel.com/news, get sent to a pornography site. After they close this site their system keeps having pop ups appearing regularly.
>> This link redirects to h t t p:// d r s . y a h o o . com / citravel.
Re: [Declude.Virus] RE Mass mailing maybe new virus
Take note that there was a virus payload at the link as Greg pointed out, but it appears that Terra-Lycos has killed the domain in question.

It is too bad that the powers that be aren't buying JunkMail. I find it to be a very effective last line of protection for viruses, as virtually everything that slips through before definitions are updated ends up getting caught by a good JunkMail config. It can be very time consuming though, especially if you enjoy it too much :)

Matt

Douglas Cohn wrote:
> Thanks
>
> I was thinking about adding the rule as well but also assumed that any legit mail to yahoo would be blocked and stopped myself.
>
> Too bad the powers that be here are not buying JUNK Mail.
>
> DC
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
> Sent: Tuesday, May 11, 2004 4:57 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.Virus] RE Mass mailing maybe new virus
>
>> This is likely just spam. The technique with the URL is someone exploiting Yahoo's redirection scheme to land you on another site. They do this to hide from URL parsers that don't recognize the exploit.
>>
>> It is possible that the site tries to install an exploit such as Java Byte Verify, which can be used to place just about anything on your computer, but typically just drops browser helper objects (adware/spyware) onto your system. Norton stops this stuff cold, and it's been around for a while. Note that I didn't bother with the payload link.
>>
>> Anyway, it just looks like it's forging spam to me.
>>
>> Your block of that address also isn't very wise because it is a legitimate link that could stop valid E-mail from Yahoo and their partners from getting through. If you are running JunkMail Pro, there is a filter for this technique listed on my site (link in the sig) called !YDIRECTED.
>>
>> Matt
>>
>> --
>> =
>> MailPure custom filters for Declude JunkMail Pro.
>> http://www.mailpure.com/software/
>> =
>>
>> Email Admin wrote:
>>> Hello
>>> Our Mail server received a mass mailing earlier today.
>>> The email is addressed to [EMAIL PROTECTED] and is coming from [EMAIL PROTECTED]
>>>
>>> Copy of headers:
>>> Received: from mail.citravel.com [10.215.43.52] by citravel.com (SMTPD32-8.11) id A06E595011C; Tue, 11 May 2004 11:25:34 -0400
>>> From: mail.citravel.com<[EMAIL PROTECTED]>
>>> To: [EMAIL PROTECTED]
>>> Subject: RE:
>>> X-Mailer: Microsoft Outlook
>>> Mime-Version: 1.0
>>> Content-Type: text/html; charset=us-ascii
>>> Message-Id: <[EMAIL PROTECTED]>
>>> X-Declude-Sender: [EMAIL PROTECTED] [10.215.43.52]
>>> X-Declude-Spoolname: Df06e0595011c829f.SMD
>>> X-Note: This message was scanned for Spam
>>> X-RBL-Warning: Total weight value: 0
>>> X-Spam-Tests-Failed: Whitelisted [0]
>>> X-Note: Recipient Host: citravel.com
>>> X-Note: Sender Address: [EMAIL PROTECTED]
>>> X-Note: Sender Host Name: (Private IP)
>>> X-Note: Sender IP Address: 10.215.43.52
>>> X-Note: Sender Country ID:
>>> X-Note: This E-mail was sent from (Private IP) ([10.215.43.52])
>>> Precedence: bulk
>>> Sender: [EMAIL PROTECTED]
>>> Date: Tue, 11 May 2004 11:32:11
>>> X-RCPT-TO: citravel.com
>>> Status: U
>>> X-UIDL: 384277933
>>>
>>> This person's email client does not show they sent this message but the IP of the sending host is the sender's system.
>>> I have scanned this system and it is showing virus free. Using SOPHOS latest defs as of 2pm est 5/11/2004
>>> I am also sniffing the network now looking for other SMTP Traffic.
>>>
>>> Users who receive the email, which has a link of h t t p:// d r s . y a h o o . com / citravel.com/news, get sent to a pornography site. After they close this site their system keeps having pop ups appearing regularly.
>>> This link redirects to h t t p:// d r s . y a h o o . com / citravel.com/news*http://www.security-warning.biz/personal6/maljo24/www.yahoo.com/#http://drs.yahoo.com/citravel.com/news
>>>
>>> I am not so much worried about the email but as to how it was sent. This is where I think it might be a virus.
>>> Currently I have a filter stopping emails with d r s . y a h o o . c o m (space added). I am seeing several hundred an hour being stopped.
>>> Any help, ideas, thoughts? Or should I just go golfing and forget about it??? :)
>>> ~Paul~

--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=
RE: [Declude.Virus] RE Mass mailing maybe new virus
Thanks

I was thinking about adding the rule as well but also assumed that any legit mail to yahoo would be blocked and stopped myself.

Too bad the powers that be here are not buying JUNK Mail.

DC

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Tuesday, May 11, 2004 4:57 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] RE Mass mailing maybe new virus

> This is likely just spam. The technique with the URL is someone exploiting Yahoo's redirection scheme to land you on another site. They do this to hide from URL parsers that don't recognize the exploit.
>
> It is possible that the site tries to install an exploit such as Java Byte Verify, which can be used to place just about anything on your computer, but typically just drops browser helper objects (adware/spyware) onto your system. Norton stops this stuff cold, and it's been around for a while. Note that I didn't bother with the payload link.
>
> Anyway, it just looks like it's forging spam to me.
>
> Your block of that address also isn't very wise because it is a legitimate link that could stop valid E-mail from Yahoo and their partners from getting through. If you are running JunkMail Pro, there is a filter for this technique listed on my site (link in the sig) called !YDIRECTED.
>
> Matt
>
> --
> =
> MailPure custom filters for Declude JunkMail Pro.
> http://www.mailpure.com/software/
> =
>
> Email Admin wrote:
>> Hello
>> Our Mail server received a mass mailing earlier today.
>> The email is addressed to [EMAIL PROTECTED] and is coming from [EMAIL PROTECTED]
>>
>> Copy of headers:
>> Received: from mail.citravel.com [10.215.43.52] by citravel.com (SMTPD32-8.11) id A06E595011C; Tue, 11 May 2004 11:25:34 -0400
>> From: mail.citravel.com<[EMAIL PROTECTED]>
>> To: [EMAIL PROTECTED]
>> Subject: RE:
>> X-Mailer: Microsoft Outlook
>> Mime-Version: 1.0
>> Content-Type: text/html; charset=us-ascii
>> Message-Id: <[EMAIL PROTECTED]>
>> X-Declude-Sender: [EMAIL PROTECTED] [10.215.43.52]
>> X-Declude-Spoolname: Df06e0595011c829f.SMD
>> X-Note: This message was scanned for Spam
>> X-RBL-Warning: Total weight value: 0
>> X-Spam-Tests-Failed: Whitelisted [0]
>> X-Note: Recipient Host: citravel.com
>> X-Note: Sender Address: [EMAIL PROTECTED]
>> X-Note: Sender Host Name: (Private IP)
>> X-Note: Sender IP Address: 10.215.43.52
>> X-Note: Sender Country ID:
>> X-Note: This E-mail was sent from (Private IP) ([10.215.43.52])
>> Precedence: bulk
>> Sender: [EMAIL PROTECTED]
>> Date: Tue, 11 May 2004 11:32:11
>> X-RCPT-TO: citravel.com
>> Status: U
>> X-UIDL: 384277933
>>
>> This person's email client does not show they sent this message but the IP of the sending host is the sender's system.
>> I have scanned this system and it is showing virus free. Using SOPHOS latest defs as of 2pm est 5/11/2004
>> I am also sniffing the network now looking for other SMTP Traffic.
>>
>> Users who receive the email, which has a link of h t t p:// d r s . y a h o o . com / citravel.com/news, get sent to a pornography site. After they close this site their system keeps having pop ups appearing regularly.
>> This link redirects to h t t p:// d r s . y a h o o . com / citravel.com/news*http://www.security-warning.biz/personal6/maljo24/www.yahoo.com/#http://drs.yahoo.com/citravel.com/news
>>
>> I am not so much worried about the email but as to how it was sent. This is where I think it might be a virus.
>> Currently I have a filter stopping emails with d r s . y a h o o . c o m (space added). I am seeing several hundred an hour being stopped.
>> Any help, ideas, thoughts? Or should I just go golfing and forget about it??? :)
>> ~Paul~
Re: [Declude.Virus] RE Mass mailing maybe new virus
This is likely just spam. The technique with the URL is someone exploiting Yahoo's redirection scheme to land you on another site. They do this to hide from URL parsers that don't recognize the exploit.

It is possible that the site tries to install an exploit such as Java Byte Verify, which can be used to place just about anything on your computer, but typically just drops browser helper objects (adware/spyware) onto your system. Norton stops this stuff cold, and it's been around for a while. Note that I didn't bother with the payload link.

Anyway, it just looks like it's forging spam to me.

Your block of that address also isn't very wise because it is a legitimate link that could stop valid E-mail from Yahoo and their partners from getting through. If you are running JunkMail Pro, there is a filter for this technique listed on my site (link in the sig) called !YDIRECTED.

Matt

--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=

Email Admin wrote:
> Hello
> Our Mail server received a mass mailing earlier today.
> The email is addressed to [EMAIL PROTECTED] and is coming from [EMAIL PROTECTED]
>
> Copy of headers:
> Received: from mail.citravel.com [10.215.43.52] by citravel.com (SMTPD32-8.11) id A06E595011C; Tue, 11 May 2004 11:25:34 -0400
> From: mail.citravel.com<[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: RE:
> X-Mailer: Microsoft Outlook
> Mime-Version: 1.0
> Content-Type: text/html; charset=us-ascii
> Message-Id: <[EMAIL PROTECTED]>
> X-Declude-Sender: [EMAIL PROTECTED] [10.215.43.52]
> X-Declude-Spoolname: Df06e0595011c829f.SMD
> X-Note: This message was scanned for Spam
> X-RBL-Warning: Total weight value: 0
> X-Spam-Tests-Failed: Whitelisted [0]
> X-Note: Recipient Host: citravel.com
> X-Note: Sender Address: [EMAIL PROTECTED]
> X-Note: Sender Host Name: (Private IP)
> X-Note: Sender IP Address: 10.215.43.52
> X-Note: Sender Country ID:
> X-Note: This E-mail was sent from (Private IP) ([10.215.43.52])
> Precedence: bulk
> Sender: [EMAIL PROTECTED]
> Date: Tue, 11 May 2004 11:32:11
> X-RCPT-TO: citravel.com
> Status: U
> X-UIDL: 384277933
>
> This person's email client does not show they sent this message but the IP of the sending host is the sender's system.
> I have scanned this system and it is showing virus free. Using SOPHOS latest defs as of 2pm est 5/11/2004
> I am also sniffing the network now looking for other SMTP Traffic.
>
> Users who receive the email, which has a link of h t t p:// d r s . y a h o o . com / citravel.com/news, get sent to a pornography site. After they close this site their system keeps having pop ups appearing regularly.
> This link redirects to h t t p:// d r s . y a h o o . com / citravel.com/news*http://www.security-warning.biz/personal6/maljo24/www.yahoo.com/#http://drs.yahoo.com/citravel.com/news
>
> I am not so much worried about the email but as to how it was sent. This is where I think it might be a virus.
> Currently I have a filter stopping emails with d r s . y a h o o . c o m (space added). I am seeing several hundred an hour being stopped.
> Any help, ideas, thoughts? Or should I just go golfing and forget about it??? :)
> ~Paul~
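The redirect trick Matt describes in the message above, worked through as an added Python example (this is not code from the thread, from Declude, or from the MailPure !YDIRECTED filter): a drs.yahoo.com link is split into the label the reader sees and the destination the browser actually follows, and only links whose real destination leaves yahoo.com are reported, which is the narrower check Matt recommends over blocking the whole address. The two sample bodies are constructed; the first embeds the URL quoted in the thread inside an HTML anchor, the second is a made-up redirect that stays on Yahoo. The function names and the regular expression are the example's own assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample bodies. The first carries the drs.yahoo.com link quoted in the
# thread, as it would sit inside an HTML anchor; the second is a made-up redirect
# whose real destination stays on yahoo.com and should not be flagged.
SAMPLE_WORM_BODY = (
    '<a href="http://drs.yahoo.com/citravel.com/news*'
    'http://www.security-warning.biz/personal6/maljo24/www.yahoo.com/'
    '#http://drs.yahoo.com/citravel.com/news">'
    'http://drs.yahoo.com/citravel.com/news</a>'
)
SAMPLE_BENIGN_BODY = 'Story: http://drs.yahoo.com/example.org/news*http://news.yahoo.com/s/12345'

# drs.yahoo.com redirect layout: "<label>*<target>". The label is what the reader
# sees in the path; the target is where the browser actually goes. A "#..." tail
# on the target is a fragment the web server never sees, so it can be padded with
# a second copy of the label to make the raw URL end in yahoo.com as well.
YAHOO_REDIRECT_RE = re.compile(
    r'https?://drs\.yahoo\.com/(?P<label>[^*\s<>"]+)\*(?P<target>[^\s<>"]+)',
    re.IGNORECASE,
)


def decode_yahoo_redirect(match):
    """Split one redirect match into (label, real target with the fragment removed)."""
    target = match.group("target").split("#", 1)[0]
    return match.group("label"), target


def is_yahoo_host(host):
    host = (host or "").lower().rstrip(".")
    return host == "yahoo.com" or host.endswith(".yahoo.com")


def find_suspicious_redirects(body):
    """Return [(label, real_target, reason)] for redirects whose real destination
    is not a yahoo.com host. Redirects that stay on Yahoo are left alone, so the
    check does not stop legitimate Yahoo mail the way a blanket block would."""
    findings = []
    for m in YAHOO_REDIRECT_RE.finditer(body):
        label, target = decode_yahoo_redirect(m)
        host = urlsplit(target).hostname
        if is_yahoo_host(host):
            continue
        reason = "real target host %s is outside yahoo.com" % host
        if "yahoo.com" in target.lower():
            reason += "; target path is dressed up to look like Yahoo"
        findings.append((label, target, reason))
    return findings


if __name__ == "__main__":
    for label, target, reason in find_suspicious_redirects(SAMPLE_WORM_BODY):
        print("shown as %s -> goes to %s (%s)" % (label, target, reason))
    print("benign findings:", find_suspicious_redirects(SAMPLE_BENIGN_BODY))
```

The check keys on where the browser ends up rather than on the string "drs.yahoo.com", so Paul's several hundred blocked messages an hour would still be caught while ordinary Yahoo redirects pass.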
Re: [Declude.Virus] RE Mass mailing maybe new virus
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_WALLON.A

Scott Fisher
Director of IT
Farm Progress Companies

>>> [EMAIL PROTECTED] 05/11/04 03:23PM >>>
> Hello
> Our Mail server received a mass mailing earlier today.
> The email is addressed to [EMAIL PROTECTED] and is coming from [EMAIL PROTECTED]
>
> Copy of headers:
> Received: from mail.citravel.com [10.215.43.52] by citravel.com (SMTPD32-8.11) id A06E595011C; Tue, 11 May 2004 11:25:34 -0400
> From: mail.citravel.com<[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: RE:
> X-Mailer: Microsoft Outlook
> Mime-Version: 1.0
> Content-Type: text/html; charset=us-ascii
> Message-Id: <[EMAIL PROTECTED]>
> X-Declude-Sender: [EMAIL PROTECTED] [10.215.43.52]
> X-Declude-Spoolname: Df06e0595011c829f.SMD
> X-Note: This message was scanned for Spam
> X-RBL-Warning: Total weight value: 0
> X-Spam-Tests-Failed: Whitelisted [0]
> X-Note: Recipient Host: citravel.com
> X-Note: Sender Address: [EMAIL PROTECTED]
> X-Note: Sender Host Name: (Private IP)
> X-Note: Sender IP Address: 10.215.43.52
> X-Note: Sender Country ID:
> X-Note: This E-mail was sent from (Private IP) ([10.215.43.52])
> Precedence: bulk
> Sender: [EMAIL PROTECTED]
> Date: Tue, 11 May 2004 11:32:11
> X-RCPT-TO: citravel.com
> Status: U
> X-UIDL: 384277933
>
> This person's email client does not show they sent this message but the IP of the sending host is the sender's system.
> I have scanned this system and it is showing virus free. Using SOPHOS latest defs as of 2pm est 5/11/2004
> I am also sniffing the network now looking for other SMTP Traffic.
>
> Users who receive the email, which has a link of h t t p:// d r s . y a h o o . com / citravel.com/news, get sent to a pornography site. After they close this site their system keeps having pop ups appearing regularly.
> This link redirects to h t t p:// d r s . y a h o o . com / citravel.com/news*http://www.security-warning.biz/personal6/maljo24/www.yahoo.com/#http://drs.yahoo.com/citravel.com/news
>
> I am not so much worried about the email but as to how it was sent. This is where I think it might be a virus.
> Currently I have a filter stopping emails with d r s . y a h o o . c o m (space added). I am seeing several hundred an hour being stopped.
> Any help, ideas, thoughts? Or should I just go golfing and forget about it??? :)
> ~Paul~

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] RE Mass mailing maybe new virus
I received a similar e-mail. Sent to a user who doesn't normally get spammed. Made to look like a Yahoo link to my company.

http://drs.yahoo.com/farmprogress.com/NEWS/*http://www.security-warning.biz/personal6/maljo24/www.YAHOO.com/#http://drs.yahoo.com/farmprogress.com/NEWS
http://drs.yahoo.com/farmprogress.com/NEWS

Headers:
Received: from imail.Farmprogress.com by fpmain.farmprogress.com; Tue, 11 May 2004 10:04:20 -0500
Received: from webgate.bg [212.50.2.129] by imail.Farmprogress.com (SMTPD32-8.11) id AB5E15D70268; Tue, 11 May 2004 10:03:58 -0500
Received: (qmail 16825 invoked from network); 11 May 2004 15:17:58 -
Received: from voka-gw.customer.0rbitel.net (HELO [EMAIL PROTECTED]) (195.24.34.138) by lea.webgate.bg with SMTP; 11 May 2004 15:17:58 -
From: [EMAIL PROTECTED]<[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: [Possible SPAM] RE:
X-Mailer: Microsoft Outlook
Mime-Version: 1.0
Content-Type: text/html; charset=us-ascii
Message-Id: <[EMAIL PROTECTED]>
Declude JunkMail for spam.
X-Note: Reverse DNS lea.webgate.bg .
X-Country-Chain: BULGARIA->destination
Date: Tue, 11 May 2004 10:04:19 -0500

Scott Fisher
Director of IT
Farm Progress Companies

>>> [EMAIL PROTECTED] 05/11/04 03:23PM >>>
> Hello
> Our Mail server received a mass mailing earlier today.
> The email is addressed to [EMAIL PROTECTED] and is coming from [EMAIL PROTECTED]
>
> Copy of headers:
> Received: from mail.citravel.com [10.215.43.52] by citravel.com (SMTPD32-8.11) id A06E595011C; Tue, 11 May 2004 11:25:34 -0400
> From: mail.citravel.com<[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: RE:
> X-Mailer: Microsoft Outlook
> Mime-Version: 1.0
> Content-Type: text/html; charset=us-ascii
> Message-Id: <[EMAIL PROTECTED]>
> X-Declude-Sender: [EMAIL PROTECTED] [10.215.43.52]
> X-Declude-Spoolname: Df06e0595011c829f.SMD
> X-Note: This message was scanned for Spam
> X-RBL-Warning: Total weight value: 0
> X-Spam-Tests-Failed: Whitelisted [0]
> X-Note: Recipient Host: citravel.com
> X-Note: Sender Address: [EMAIL PROTECTED]
> X-Note: Sender Host Name: (Private IP)
> X-Note: Sender IP Address: 10.215.43.52
> X-Note: Sender Country ID:
> X-Note: This E-mail was sent from (Private IP) ([10.215.43.52])
> Precedence: bulk
> Sender: [EMAIL PROTECTED]
> Date: Tue, 11 May 2004 11:32:11
> X-RCPT-TO: citravel.com
> Status: U
> X-UIDL: 384277933
>
> This person's email client does not show they sent this message but the IP of the sending host is the sender's system.
> I have scanned this system and it is showing virus free. Using SOPHOS latest defs as of 2pm est 5/11/2004
> I am also sniffing the network now looking for other SMTP Traffic.
>
> Users who receive the email, which has a link of h t t p:// d r s . y a h o o . com / citravel.com/news, get sent to a pornography site. After they close this site their system keeps having pop ups appearing regularly.
> This link redirects to h t t p:// d r s . y a h o o . com / citravel.com/news*http://www.security-warning.biz/personal6/maljo24/www.yahoo.com/#http://drs.yahoo.com/citravel.com/news
>
> I am not so much worried about the email but as to how it was sent. This is where I think it might be a virus.
> Currently I have a filter stopping emails with d r s . y a h o o . c o m (space added). I am seeing several hundred an hour being stopped.
> Any help, ideas, thoughts? Or should I just go golfing and forget about it??? :)
> ~Paul~
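Paul's question was how the message was sent, and the two header blocks in this thread answer it differently: Scott's copy entered Farm Progress from a public address in Bulgaria (webgate.bg, 212.50.2.129), while Paul's copy has a single Received line from a private 10.x address, so it was handed to his server from inside his own network. As an added example that is not part of the thread, the following Python walks a Received chain the way an admin does by hand, from the local server's own Received line downward, and reports the first hop that carries a public address, which is the point where the message entered the network; everything below that line was written by other parties and can be forged. The two sample header blocks are constructed from the headers quoted in the thread (the archive's [EMAIL PROTECTED] masking is kept as-is); the function names are the example's own.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample 1: the header block Scott posted for the Farm Progress copy,
# reproduced with the list archive's [EMAIL PROTECTED] masking. Received lines are
# newest-first, as each relay prepends its own.
SAMPLE_EXTERNAL = """\
Received: from imail.Farmprogress.com by fpmain.farmprogress.com; Tue, 11 May 2004 10:04:20 -0500
Received: from webgate.bg [212.50.2.129] by imail.Farmprogress.com (SMTPD32-8.11) id AB5E15D70268; Tue, 11 May 2004 10:03:58 -0500
Received: (qmail 16825 invoked from network); 11 May 2004 15:17:58 -
Received: from voka-gw.customer.0rbitel.net (HELO [EMAIL PROTECTED]) (195.24.34.138) by lea.webgate.bg with SMTP; 11 May 2004 15:17:58 -
From: [EMAIL PROTECTED]<[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: [Possible SPAM] RE:
X-Mailer: Microsoft Outlook
Date: Tue, 11 May 2004 10:04:19 -0500
"""

# Constructed sample 2: the single Received line from Paul's citravel.com copy,
# where the only hop is a private (RFC 1918) address inside his own network.
SAMPLE_INTERNAL = """\
Received: from mail.citravel.com [10.215.43.52] by citravel.com (SMTPD32-8.11) id A06E595011C; Tue, 11 May 2004 11:25:34 -0400
From: mail.citravel.com<[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: RE:
X-Mailer: Microsoft Outlook
X-Declude-Sender: [EMAIL PROTECTED] [10.215.43.52]
"""

# "from <host>" only counts when it opens the Received value; qmail's
# "(qmail ... invoked from network)" form names no host at all.
FROM_HOST_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def _ipv4_or_none(text):
    try:
        return ipaddress.IPv4Address(text)
    except ipaddress.AddressValueError:
        return None


def parse_received_chain(raw_headers):
    """Return one dict per Received header, in header order (newest first)."""
    msg = message_from_string(raw_headers)
    hops = []
    for index, value in enumerate(msg.get_all("Received", [])):
        value = " ".join(value.split())  # unfold continuation lines
        m = FROM_HOST_RE.match(value)
        ips = [ip for ip in IPV4_RE.findall(value) if _ipv4_or_none(ip) is not None]
        hops.append({
            "index": index,
            "from_host": m.group(1) if m else None,
            "ips": ips,
            "public_ips": [ip for ip in ips if not _ipv4_or_none(ip).is_private],
            "raw": value,
        })
    return hops


def first_external_hop(hops):
    """Walk from our own server's Received line downward and return the first hop
    that carries a public address: that is where the message entered the network.
    Hops below it were written by other parties and may be forged."""
    for hop in hops:
        if hop["public_ips"]:
            return hop
    return None


def origin_hop(hops):
    """The bottom-most Received line, i.e. the claimed origin."""
    return hops[-1] if hops else None


def summarize(raw_headers):
    hops = parse_received_chain(raw_headers)
    entry = first_external_hop(hops)
    return {
        "hops": len(hops),
        "entered_from": "external" if entry else "internal",
        "entry_host": entry["from_host"] if entry else None,
        "entry_ip": entry["public_ips"][0] if entry else None,
        "claimed_origin_ips": origin_hop(hops)["ips"] if hops else [],
    }


if __name__ == "__main__":
    for name, raw in (("farmprogress", SAMPLE_EXTERNAL), ("citravel", SAMPLE_INTERNAL)):
        print(name, summarize(raw))
```

An "internal" result on a message that claims an outside sender is the header-level version of what Paul saw: the sending host is a machine on his own LAN, which is a reason to look at that host rather than at the From: line.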
Re: [Declude.Virus] RE Mass mailing maybe new virus
Looks like a match for this new worm W32/Wallon.worm.a
http://vil.nai.com/vil/content/v_125096.htm

The message body simply contains a hyperlink, which is designed to trick users into thinking that they are going to a Yahoo News site, when in fact they are redirected to a page on the www..security-warning..biz domain. Extra "."s added to address.

Greg

Email Admin wrote:
> Hello
> Our Mail server received a mass mailing earlier today.
> The email is addressed to [EMAIL PROTECTED] and is coming from [EMAIL PROTECTED]
>
> Copy of headers:
> Received: from mail.citravel.com [10.215.43.52] by citravel.com (SMTPD32-8.11) id A06E595011C; Tue, 11 May 2004 11:25:34 -0400
> From: mail.citravel.com<[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: RE:
> X-Mailer: Microsoft Outlook
> Mime-Version: 1.0
> Content-Type: text/html; charset=us-ascii
> Message-Id: <[EMAIL PROTECTED]>
> X-Declude-Sender: [EMAIL PROTECTED] [10.215.43.52]
> X-Declude-Spoolname: Df06e0595011c829f.SMD
> X-Note: This message was scanned for Spam
> X-RBL-Warning: Total weight value: 0
> X-Spam-Tests-Failed: Whitelisted [0]
> X-Note: Recipient Host: citravel.com
> X-Note: Sender Address: [EMAIL PROTECTED]
> X-Note: Sender Host Name: (Private IP)
> X-Note: Sender IP Address: 10.215.43.52
> X-Note: Sender Country ID:
> X-Note: This E-mail was sent from (Private IP) ([10.215.43.52])
> Precedence: bulk
> Sender: [EMAIL PROTECTED]
> Date: Tue, 11 May 2004 11:32:11
> X-RCPT-TO: citravel.com
> Status: U
> X-UIDL: 384277933
>
> This person's email client does not show they sent this message but the IP of the sending host is the sender's system.
> I have scanned this system and it is showing virus free. Using SOPHOS latest defs as of 2pm est 5/11/2004
> I am also sniffing the network now looking for other SMTP Traffic.
>
> Users who receive the email, which has a link of h t t p:// d r s . y a h o o . com / citravel.com/news, get sent to a pornography site. After they close this site their system keeps having pop ups appearing regularly.
> This link redirects to h t t p:// d r s . y a h o o . com / citravel.com/news*http://www.security-warning.biz/personal6/maljo24/www.yahoo.com/#http://drs.yahoo.com/citravel.com/news
>
> I am not so much worried about the email but as to how it was sent. This is where I think it might be a virus.
> Currently I have a filter stopping emails with d r s . y a h o o . c o m (space added). I am seeing several hundred an hour being stopped.
> Any help, ideas, thoughts? Or should I just go golfing and forget about it??? :)
> ~Paul~

---
[This E-mail scanned for viruses by Findlay Internet]
---