SPAM News
6-Oct-2003
28-Jul-2002 "Your email address was automatically inserted into the To and From
8-Jul-2002 A Warning about Matt's Scripts: Do you use a formmailer on your website to let visitors send email to you? Some websites have been hacked, and your site could be used to send out millions of spams. We warn all who still use one of the very popular free 'Matt's Scripts', in this case 'formmail.pl', from the Internet: http://nms-cgi.sourceforge.net/scripts.shtml You should be aware that even Matt's patched formmail script is vulnerable.
A much better, secure script is available. Info at http://www.monkeys.com/anti-spam/formmail-advisory.pdf
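The reason a form-to-mail script can be turned into a spam engine is that it accepts a visitor-controlled destination and visitor-controlled header fields. The following is an added example, written for this page and not taken from Matt's Scripts, the nms-cgi project or the monkeys.com advisory, of the two checks a hardened handler needs: the recipient is matched exactly against a server-side allowlist, and every value that ends up in a header is refused if it carries CR/LF (which would let a submitter append their own To: or Bcc: lines). The allowlist, the fixed From: identity and the field-length limit are assumed values.

```python
import re
from email.message import EmailMessage

# Constructed allowlist: the only mailboxes this site's form is permitted to
# deliver to. The destination is decided here, on the server, and never taken
# from a hidden form field that a visitor can rewrite.
ALLOWED_RECIPIENTS = {"sales@example.com", "support@example.com"}
SITE_SENDER = "formmail@example.com"   # fixed From: identity (assumed value)
MAX_HEADER_FIELD = 200                 # assumed limit for any header field

ADDRESS_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


class FormMailError(ValueError):
    """Raised when a submission must be refused rather than mailed."""


def header_safe(value: str) -> str:
    """Reject values that could smuggle extra header lines into the message.

    A CR or LF inside a field such as Subject: would terminate that header
    and let the submitter append To:/Bcc: lines of their own, which is what
    turns a contact form into an open relay.
    """
    if any(ch in value for ch in "\r\n\x00"):
        raise FormMailError("control character in header field")
    if len(value) > MAX_HEADER_FIELD:
        raise FormMailError("header field too long")
    return value


def build_message(form: dict) -> EmailMessage:
    """Turn a validated form submission into a message; raise on anything else."""
    recipient = form.get("recipient", "")
    # Exact membership, not a substring or "ends with our domain" test:
    # "sales@example.com.evil.net" must not pass.
    if recipient not in ALLOWED_RECIPIENTS:
        raise FormMailError("recipient not in allowlist")

    reply_to = header_safe(form.get("email", ""))
    if not ADDRESS_RE.match(reply_to):
        raise FormMailError("malformed reply address")

    msg = EmailMessage()
    msg["From"] = SITE_SENDER
    msg["To"] = recipient
    msg["Reply-To"] = reply_to
    msg["Subject"] = "[web form] " + header_safe(form.get("subject", "(no subject)"))
    # The body is free text; once the headers above are sealed it cannot add to them.
    msg.set_content(form.get("message", ""))
    return msg


def handle_submission(form: dict):
    """Return (True, message) for a deliverable submission, else (False, reason)."""
    try:
        return True, build_message(form)
    except FormMailError as exc:
        return False, str(exc)
```

The handler returns the reason for every refusal so the web server can log it; a burst of "recipient not in allowlist" refusals from one client is exactly the relay probing the page warns about, and is worth alerting on.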
3-Jul-2002 SpamCop: Dropped the use of Spamcop completely. Not a mature program. Far too much down time. My Mailwasher.net front end is now modified to pick up and isolate viruses such as KLEZ. However, I don't mind looking at the $30USD I paid to Spamcop as a donation towards fighting Spam, but it simply didn't work for me. I have far too much email to have to go through it manually. I now reject many free email addresses completely. See: contact.html#bounce

10-Jun-2002 I have decided that Spamcop is only complicating my life unnecessarily, so I'll use it as a virus catcher for the next 50-odd weeks, as it deletes half my viruses. It has a nice spam reporting system, but as it requires me to manually sort through my good mail and spam mail via a web page, I'll let my mailwasher.net do this for me, and drop all the Spamcop black lists.

22-May-2002 I got damn sick of all these viruses and spam being delivered to me, and decided to join Spamcop.net. Spamcop's report on May 7, 2002: The virus filters are stopping a copy of the Klez virus every 40 seconds.

13-Jun-2002 A very interesting Spam Fighter Contest. The public record of the T3 Direct versus Joseph McNicol case.
KLEZ Virus. Reported by me in the Newsgroups 21-Apr-2002, but not too many want to stop long enough to read the true ramifications of this virus. Only about 25% of people understand what is really going on. I simply can't understand why this one hasn't been reported in the press, as it has done more damage than any other virus to date, and you can be running Linux and still be affected by it. This virus randomly grabs two email addresses out of the infected computer's address book, sends the virus to one of them, and reports the virus as being sent from the other. This means that the person reported to have sent the virus never did, which ends up in abusive emails and phone calls to the "reported sender". The more popular a business is on the internet, the more it is affected. Some businesses have received this virus, and it appears as if they sent it to themselves.
There is a virus currently doing the rounds: W32/Klez.e@MM. This explains it in full.
Of course we constantly run a virus checker.
We have had reports of other business associates with the same problem. This means that the infected computer randomly selects a sender and a recipient from its address book or any email address on its system, and sends a virus in the name of the sender to the recipient. If you get the virus sent to you, then it also means you are in this address book or listed on that system, and the sender isn't actually the sender. They are simply in the infected computer's address book or somewhere on its system as well. There is no need to panic. If you have a good virus checker, then you won't be infected, but you need to recognize that it is the W32/Klez.e@MM virus, as your email address may be in the infected computer's address book or on its system somewhere. Again we repeat, it isn't coming from Dontronics. The SimmStick Group appears to be on this list also, as requests are now going out for individuals to join the group. This could also mean that your name is on the list if you get this bogus request. The message that is auto-generated from our SimmStick group looks like this:
> Hello support@company.com,
This is a group run by us, but we are getting similar emails from groups we know, as auto-responders are being set off. NOTE **** This is a standard auto-response that is kicked off simply by receiving an email. It doesn't contain a virus; it is just a standard Yahoo Group response to a message received, and the FROM: field isn't forged. The only way to combat this virus (apart from your virus checker) appears to be by contacting the real sender of the email, not the forged FROM: field. To do this, you must be able to read and understand the header information in the offending email. Quoting from the above linked page:
Here is an example of one of these messages showing the headers in full. This one was generated in Poland, and appears to be sent from mcselec.com to dontronics.com. It certainly wasn't; it is a forged email.
To: Don McKenzie <dontronics.com>
-----------------------------------------------
Chasing up via Neotrace gives 194.204.131.22 as:
Name: ppp-cst22.warszawa.tpnet.pl
Registrant contact information is not available.
And a running list of infected computers:

21-Apr-2002
Received: from Zywth (ppp-cst22.warszawa.tpnet.pl [194.204.131.22]) by mtp2.netservers.net

Return-Path: <gentec@cablenet.com.ar>
Received: from overnight.request.net (somehost.affinity.com [207.150.192.30] (may be forged)) by mail015.syd.optusnet.com.au (8.11.1/8.11.1) with ESMTP id g3L029011124 for <donmck@optushome.com.au>; Sun, 21 Apr 2002 10:02:15 +1000
Received: from furina.request.net ([207.150.192.11]) by overnight.request.net with ESMTP id <138571-17874>; Sat, 20 Apr 2002 18:58:37 -0400
Received: by furina.request.net id <157773036-106501341>; Sat, 20 Apr 2002 19:53:34 -0400
Received: from coquito.cablenet.net.ar ([200.50.161.2]) by furina.request.net with ESMTP id <157774328-112760458>; Sat, 20 Apr 2002 19:53:19 -0400
Received: from Zpecuh (host-162-154.cablenet.net.ar [200.50.162.154]) by coquito.cablenet.net.ar (8.9.3/8.9.3) with SMTP id UAA06139 for <dontronics.com>; Sat, 20 Apr 2002 20:50:51 -0300
Date: Sat, 20 Apr 2002 20:50:51 -0300
Message-ID: <200204202350.UAA06139@coquito.cablenet.net.ar>
From: j_kattilakoski <j_kattilakoski@yahoo.com>
To: dontronics.com
Subject: Honey

21-Apr-2002 and we are getting results coming in now. I have spam-suppressed the full user's email.

Lionel <spam-suppressed@big.net.au>
> Hi Don,
> Thanks. Yes I know. I got sent a message with the virus the day before
25-Apr-2002 Don, my thanks to you for the postings. For some reason, for the past week, I have been receiving a rash of viruses via e-mail attachments - one was the W32/Sir.Cam worm coming in every half hour from the same address - a hotel in Quebec [???]. Turns out this particular address was a real place, and not a
- dan michaels
25-Apr-2002 Hi Don, I know what you mean. I receive email virus sent from myself [to myself]. Too bad these programmers have nothing better to do with their time. I would bet if they chose to, they could actually be doing something useful. Regards, -Bruce http://rentron.com/
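The Klez notes above make the point that the From: field is worthless and that the real origin has to be read out of the Received: chain. The following is an added example, written for this page and not part of the original site or of any tool it mentions, that walks that chain mechanically: it takes the header set reproduced above as sample input, treats the oldest Received: line as the first relay to see the message, and reports whether the From: domain is corroborated by any relay on the path. The field names in the result dictionary and the heuristic that a dotless HELO name is typical of an infected desktop are this example's own choices.

```python
import re

# Header set reproduced from the Klez example on this page (each Received:
# line flattened to one physical line), used here as sample input.
SAMPLE_HEADERS = """\
Return-Path: <gentec@cablenet.com.ar>
Received: from overnight.request.net (somehost.affinity.com [207.150.192.30] (may be forged)) by mail015.syd.optusnet.com.au (8.11.1/8.11.1) with ESMTP id g3L029011124 for <donmck@optushome.com.au>; Sun, 21 Apr 2002 10:02:15 +1000
Received: from furina.request.net ([207.150.192.11]) by overnight.request.net with ESMTP id <138571-17874>; Sat, 20 Apr 2002 18:58:37 -0400
Received: by furina.request.net id <157773036-106501341>; Sat, 20 Apr 2002 19:53:34 -0400
Received: from coquito.cablenet.net.ar ([200.50.161.2]) by furina.request.net with ESMTP id <157774328-112760458>; Sat, 20 Apr 2002 19:53:19 -0400
Received: from Zpecuh (host-162-154.cablenet.net.ar [200.50.162.154]) by coquito.cablenet.net.ar (8.9.3/8.9.3) with SMTP id UAA06139 for <dontronics.com>; Sat, 20 Apr 2002 20:50:51 -0300
Date: Sat, 20 Apr 2002 20:50:51 -0300
Message-ID: <200204202350.UAA06139@coquito.cablenet.net.ar>
From: j_kattilakoski <j_kattilakoski@yahoo.com>
To: dontronics.com
Subject: Honey
"""

# "from <helo> (<reverse-dns> [<ip>])": the bracketed address is what the
# receiving relay observed on the wire; the HELO name and the From: header
# are whatever the sending machine chose to claim.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]"
)
BY_RE = re.compile(r"\bby\s+(?P<by>\S+)")


def unfold_headers(raw: str) -> list:
    """Return (name, value) pairs, joining continuation lines; stops at the blank line before the body."""
    fields = []
    for line in raw.splitlines():
        if not line.strip():
            break
        if line[0] in " \t" and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            fields.append((name.strip().lower(), value.strip()))
    return fields


def parse_hops(fields: list) -> list:
    """Received: lines, newest first, keeping only hops that record a peer address."""
    hops = []
    for name, value in fields:
        if name != "received":
            continue
        m = HOP_RE.search(value)
        if m is None:
            continue   # "Received: by host ..." internal handoffs carry no peer IP
        by = BY_RE.search(value)
        hops.append({
            "helo": m["helo"], "rdns": m["rdns"], "ip": m["ip"],
            "by": by["by"] if by else None,
            "may_be_forged": "(may be forged)" in value,   # relay could not confirm the reverse DNS
        })
    return hops


def _domain_seen_in_path(domain: str, hops: list) -> bool:
    names = [h[k] for h in hops for k in ("helo", "rdns", "by") if h[k]]
    return any(n.lower() == domain or n.lower().endswith("." + domain) for n in names)


def trace_origin(raw: str) -> dict:
    """Summarise where a message really entered the mail system versus what From: claims."""
    fields = unfold_headers(raw)
    hops = parse_hops(fields)
    from_hdr = next((v for n, v in fields if n == "from"), "")
    m = re.search(r"@([\w.-]+)", from_hdr)
    from_domain = m.group(1).lower() if m else None
    origin = hops[-1] if hops else {}   # oldest hop: the first relay that saw the message
    return {
        "from_domain": from_domain,
        "origin_ip": origin.get("ip"),
        "origin_rdns": origin.get("rdns"),
        "origin_helo": origin.get("helo"),
        # A bare, dotless HELO such as "Zpecuh" is typical of an infected desktop, not a mail server.
        "origin_helo_is_bare": bool(origin) and "." not in origin["helo"],
        "from_corroborated": bool(from_domain) and _domain_seen_in_path(from_domain, hops),
        "unverified_hops": [h["ip"] for h in hops if h["may_be_forged"]],
        "hop_count": len(hops),
    }
```

On the page's sample the result names 200.50.162.154 (host-162-154.cablenet.net.ar) as the origin and shows that nothing on the path belongs to yahoo.com, which is why the abuse report belongs with the cablenet.net.ar operator and not with the person named in From:. The same walk flags the top hop's "(may be forged)" annotation, which is the receiving relay's own note that the reverse DNS did not match.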
Canning spam without eating up real mail By Stefanie Olsen
Like a growing number of Web surfers, Audrie Krause faces a new uncertainty when she hits the send button on her e-mail these days: Will the message get through? As the head of a political action group, Krause uses members-only e-mail lists to help educate and organize fellow activists. So she was jarred recently when one message bounced back with a note accusing her of spreading unsolicited junk e-mail, or spam. Without warning, Krause's NetAction site had been blacklisted--an increasingly common occurrence as companies seek to block crushing loads of unwanted e-mail by any means necessary.

"It's ironic because the work we do as an organization includes helping get the message out to other activists and nonprofits about how to use e-mail and the Net for outreach...without spamming," Krause said. "I'm sure it was a mistake."

The incident, which was fixed within a day, highlights a growing problem for ordinary e-mail users now that sometimes-indiscriminate blacklists have become a key weapon in the war against unsolicited bulk e-mail. Blacklists--also known as blocklists--keep tabs on sites and numeric IP (Internet Protocol) addresses suspected of sending spam. Internet service providers, companies and individual Web site operators subscribe to the lists, bouncing any traffic directed to their servers that originates from those addresses. The result is that all blacklisted e-mail--legitimate or not--is returned to the sender.

Blacklists are as old as the Internet, but their number has multiplied in recent years. Many on the receiving end are now adopting tougher policies as spam has grown to epidemic proportions. At the same time, more companies and Web site operators are using blocklists as a mainline defense against vast volumes of spam that can cripple their systems if left unchecked. The need is so great that some companies now are turning a blind eye toward militant tactics that may do too little to sort legitimate from illegitimate sites.
"Almost every company now is looking at using blocklists because there's no choice--there's too much spam coming in," said Steve Linford, who maintains a London-based blacklist of mass e-mailers called the Spamhaus Block List. "The blocklists need to be run with an amount of responsibility and ensure that if any innocent user is caught on a blocklist there's a means to get off quickly."

Spam invasion

Part of the problem stems from the economics of e-mail, which provides no incentive for marketers to cap the volume of messages they attempt to deliver. Blocklists such as Spamhaus, the Realtime Blackhole List, SPEWS and SpamCop.net have grown as a response to the resulting flood. But they are increasingly coming under fire for high incidents of "false positives," in which non-spammers are added to the lists.
Recent complaints about blocklists have come from companies and organizations, including British Telecom, the Libertarian Party and News.com publisher CNET Networks, among others. In general, blocklists are simple databases of spam-generating IP addresses. Most use the DNS (domain name system) protocol to block an IP address in real time, so that if a number is added it will have an immediate effect on spam delivery. The blocklists rely heavily on each other to locate spammers and create their lists. Many lists go to SpamCop to see if a piece of e-mail has been reported and to determine the offending IP address. Others use a Usenet
While the blocklists target spammers, legitimate sites such as NetAction.org can easily be caught in the net. Sites may find themselves on blocklists because of e-mail viruses or other tricks that spammers use to "spoof" or mimic addresses. The Klez virus, for example, caused at least one site to be listed by mistake on Relays.osirusoft.com, according to Joe Jared, who runs that list. Jared operates a blocklist database that carries SPEWS and other spam listings. Organizations running the blocklists have different policies for adding an IP address to the list. But many are now adopting an attitude of list-first-ask-questions-later, capturing an ever-widening circle of suspected offenders, guilty or not. Jared, for one, downplayed concerns about catching legitimate e-mail, saying that if an e-mail "looks like spam and it smells like spam, then it will get listed."

Room for mistakes
"Every form of filtering has false positives. As soon as you start to use filtering, you accept that you're going to block some legitimate e-mail; it's just a question of how much," Haight said, who advises site operators
"People in the past were opposed to filtering at all, but more and more system administrators have to be aggressive because they have no choice." He said that if innocents are listed, it takes a week to become automatically de-listed.

One of the most controversial tactics involves adding entire ranges of IP addresses to a database, even when it's clear that some legitimate Web sites may be affected--an outcome dismissed as "collateral damage" in the trade. Some militant blocklists have been accused of actively using collateral damage as a tool to spur legitimate sites into the battle against spam. Magdalena Donea, a system administrator at Web hosting company KIA Internet Solutions, found a set of her company's IP addresses blacklisted recently on SPEWS. She successfully lobbied to get the listing removed, but it was relisted a second time with additional IP addresses, a move that also affected a company client, the Libertarian Party.

"The SPEWS system is unapologetic about false positives and even regards them as a plus. They've taken the 'ends justify the means' argument way farther than I've seen anyone else take it," Donea said. "Their philosophy appears to be that if innocent businesses and individuals on the periphery of spam-house blocklists are affected, then those innocents will have no other choice but to pressure their upstream provider to remove the spammers from their blocks, thereby solving the spam problem bit by bit. Draconian, yes. Effective? Sure."

The people who run SPEWS are anonymous and could not be reached for comment. Many blocklist operators seek the shadows because they are constantly slammed with complaints and requests for addresses to be removed. "We get harassed all the time," said Relays' Jared. But he added that blocklists are winning more converts every day. "There are lists that are very hard core and lists that are very liberal," he said. "But basically the tolerance for spam is decreasing in direct proportion to the increase in spam."
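The article says most blocklists are served over DNS and that range listings produce "collateral damage" for neighbours of a spammer. The following is an added example, written for this page and not code from CNET, Spamhaus, SPEWS, SpamCop or any other list it names, that shows the mechanism a mail server uses: the connecting IP's octets are reversed and prefixed to the list's zone, an A record in 127.0.0.0/8 means "listed", and no answer means "not listed". The zone name bl.example, the listing data and the offline stand-in resolver are all constructed; the data deliberately lists one whole /24 so that the collateral-damage case and the local allowlist that mitigates it are both exercised.

```python
import ipaddress
from typing import Callable, Optional

ZONE = "bl.example"   # assumed zone name; real blocklists publish their own

# Constructed zone data (not real listings). A DNSBL answers an A query for
# <reversed-octets>.<zone> with an address in 127.0.0.0/8 when the IP is listed.
SAMPLE_EXACT_LISTINGS = {
    "22.131.204.194." + ZONE: "127.0.0.2",   # the dial-up host from the Klez headers on this page
}
# A range listing: the whole /24 is blocked although only one host was seen
# sending. Every neighbour in that block is the "collateral damage" the article describes.
SAMPLE_RANGE_LISTINGS = [ipaddress.ip_network("200.50.162.0/24")]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Octets reversed, zone appended: 194.204.131.22 -> 22.131.204.194.<zone>."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def ip_from_query_name(qname: str, zone: str) -> ipaddress.IPv4Address:
    """Inverse of dnsbl_query_name, used only by the offline resolver below."""
    rev = qname[: -len(zone) - 1]
    return ipaddress.IPv4Address(".".join(reversed(rev.split("."))))


def fake_resolve(qname: str) -> Optional[str]:
    """Offline stand-in for an A lookup against the constructed zone (None = NXDOMAIN)."""
    if qname in SAMPLE_EXACT_LISTINGS:
        return SAMPLE_EXACT_LISTINGS[qname]
    if not qname.endswith("." + ZONE):
        return None
    ip = ip_from_query_name(qname, ZONE)
    if any(ip in net for net in SAMPLE_RANGE_LISTINGS):
        return "127.0.0.2"
    return None


def check_sender(ip: str, zone: str, resolve: Callable[[str], Optional[str]],
                 allowlist=()) -> tuple:
    """Classify a connecting IP as ('allowlisted'|'listed'|'clean'|'unusable', detail).

    The local allowlist (CIDR strings) is consulted before the lookup so that a
    known-good correspondent swept up in a range listing is still accepted; this
    is the operator-side answer to the false positives the article complains about.
    """
    addr = ipaddress.IPv4Address(ip)
    for cidr in allowlist:
        net = ipaddress.ip_network(cidr)
        if addr in net:
            return ("allowlisted", str(net))
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return ("clean", None)
    if ipaddress.IPv4Address(answer) not in ipaddress.ip_network("127.0.0.0/8"):
        # An answer outside 127/8 is not a listing code (a wildcard, a parked or
        # dead zone); fail open as "unusable" rather than rejecting mail on it.
        return ("unusable", answer)
    return ("listed", answer)
```

Swapping fake_resolve for a real A lookup is the only change needed to run this against a live list; keeping the resolver injectable also makes the classification logic testable without network access, and the "unusable" branch is what stops a list that has gone dark or been withdrawn from silently turning into a block-everything rule.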