Author Topic: OT: new type of e-mail SPAM?  (Read 4326 times)

Offline Xairbusdriver

« on: January 26, 2004, 06:07:41 PM »
I noticed about a week ago that my wife was getting a lot of "Admin..." messages about bounced mailings. I assumed she must have inadvertently replied to some SPAM, but she assured me she knew better and I couldn't believe she would do that almost a dozen times!

I dutifully made filters for them in POPMonitor, but I soon realized that the trick was to have the filter look at the Body of the message. The 'message' is mostly a copy of garbage that is sometimes included with the 'bounced' warnings. But filtering for words/text in the 'Subject:, From:, To:' parts would not really work because they are actually just part of the 'Body' now. Of course, the real domains were valid, even if the name part is not, so you can't delete all messages from '...@mindspring.com' for instance. And the name part is probably bogus, randomly generated also, may never show up again. And the real subject is pretty standard 'mailer daemon' stuff, so you need to watch for real bounce problems.

But I have not seen this thing in such quantity until the last few weeks. I had never seen one on my accounts until today after my recent purchase of the new iMac and its registration with Apple. And I have a temporary .Mac account now, too. But I'm sure Apple wouldn't have any holes in their servers, right?! Still, makes one wonder...

So, has anyone else seen this kind of SPAM? Certainly another devious way to get people to open a message, many of which had images!
THERE ARE TWO TYPES OF COUNTRIES
Those that use metric = #1 Measurement system
And the United States = The Banana system
CAUTION! Childhood vaccinations cause adults! :yes:

Offline Paddy

« Reply #1 on: January 26, 2004, 07:29:18 PM »
Haven't seen that one yet, Jim. I've been getting some from Australia - offering me mortgages. GRRRR...not sure where those are coming from, since I guard my email so carefully. What did I inadvertently register for???? Most of 'em land in my "Spamcheck" folder, since I have filters for "mortgage", "rate" etc. set. Not all though. Sent the latest off to SpamCop. They're being sent through open relays in China and actually may originate with a Comcast subscriber (according to SpamCop...)

The web site that one is directed to in the body of the email is registered to someone in Australia (New South Wales, NOT Queensland, as is listed for the snail mail address) and the "remove" link takes you to a domain registered to someone in Rio de Janeiro. The remove bit references S. 877 (the US "CanSpam" law) but of course, they're breaking the law in several ways with sending the email in the first place!

A regular melting pot of nasties!
"If computers get too powerful, we can organize them into committees. That'll do them in." ~Author unknown •iMac 5K, 27" 3.6Ghz i9 (2019) • 16" M1 MBP(2021) • 9.7" iPad Pro • iPhone 13

Offline gmann

« Reply #2 on: January 26, 2004, 07:38:15 PM »
Since I deleted Mac mail from my computer I no longer get spam. I use .com websites for my mail. Sure is peaceful now.
Gary M
933 Mhz, 10.4.7, 1.25 Gig ram
2 Ghz, XP Pro, 2 Gig ram

Offline Diana

« Reply #3 on: January 26, 2004, 08:10:34 PM »
Hey,

I'm getting those. Mine just started in the last few days. The first few fooled me enough that I had to look at them because as server admin, I have to accept mail sent to Postmaster/Mailer-Daemon type mail.

You're right, those are usually bounces so I'm unsure why spammers would send what appears to be a bounce except that most people don't see them addressed to postmaster that way. Maybe they figured they'd get a few read. Note, they aren't really bounces at all.

My real curiosity though is why in the heck would these spammers send mail that almost surely gets read or at least noticed by the system admins...the very people who can make sure the spammer is blacklisted. I guess they aren't concerned about blacklists anymore since they have thousands..(dare I say hundreds of thousands) of zombie machines on broadband and even dialup accounts and we just can't block them all. I figure the spammers are waging a war...one that they're winning at the moment...against the system admins. I hate to think I have to start taking this as personal, but I'm beginning to feel a bit "targeted"..and it makes me mad.

But, I have faith, we will win this war eventually. Not by any method Bill Gates dreams up, but somehow...

To ARMS! guys...educate, educate, educate everyone you know.

see ya,
Diana
Sysadmin Rule #14: If it's not on fire, it's a software issue.

Registered Linux user 290473
http://counter.li.org/
http://www.crestcomm.com/diana/gnupg.txt for GnuPG public key  

Offline Xairbusdriver

« Reply #4 on: January 26, 2004, 10:16:46 PM »
Don't take it personal, diana! I think they are just too stupid, immature or both to know what they are doing! OTOH, it's a pretty clever idea to use this format, as most people would just about automatically open it to see who didn't get the latest epistle!

About every 3 months my wife sends around 125 e-mails to a group. She had done that just a few weeks ago and, as usual, there were a dozen or so bounces. She just assumed these were from that batch.

[rant]
As an aside, I just love to get bounces saying that a person's mail box is over quota! That's like taking the phone off the hook randomly and without telling anyone, of course! And then there are the ones which require you to send a request to have your address added to the recipients list of approved senders! Come on, if you're going to use an address for contact by a national list, at least have the courtesy of adding the people you know will be contacting you! And when you do change addresses, don't ever tell anyone! [/rant]

Offline jepinto

« Reply #5 on: January 27, 2004, 07:27:16 AM »
Was watching the morning news (instead of my usual cartoons-much nicer way to start the day) and heard of the W32.Novarg.A@mm

Think that's what is doing it?
Do not fear your enemies.  The worse they can do is kill you.  Do not fear friends.  At worst, they may betray you.
Fear those who do not care; they neither kill nor betray, but betrayal and murder exist because of their silent consent.
~Bruno Jasienski~

Offline Dreambird

« Reply #6 on: January 27, 2004, 09:12:01 AM »
This reminds me of two I got this morning... already trashed... one was a "failure of delivery" message with zipped archive I supposedly sent to "ulead.com" but I didn't and one was a test with a shaw.ca address with a zipped archive attached... I didn't recognize the person, no idea why someone would send me a zipped archive so... file 13.
******
On permanent walk-about... ;)
MacBook Pro Retina, mid-2012, SSD 500GB, 16GB RAM, High Sierra 10.13.6, iPad Air 2, iOS 11.4.1

Offline Paddy

« Reply #7 on: January 27, 2004, 09:15:11 AM »
Hi Jennie - yup, that's what's doing it all right. A royal mess it's causing too - Peter Cohen at MacCentral got 600 of them in his inbox! Some companies are shutting down their email until they can secure everything. As usual, Macs are not affected - other than by receiving all the nuisance virus-laden email from Windoze-using friends and relations.

More info:

http://securityresponse.symantec.com/avcen...ovarg.a@mm.html

Updated virus definitions are available for download - so if you have a PeeCee that you use for email, get right on it.

Offline Highmac

« Reply #8 on: January 27, 2004, 11:58:39 AM »
At the risk of sounding naive:
We have VPC3 (Win98) on our iMac (OS9.1), but set up through Extensions Manager so that we cannot access the net while it is running (long story to do with a clash between a USB-serial connector and the internal modem which we blame for killing a motherboard). We use Outlook Express 4.5.

Could viruses that come in with emails find their way through the shared folder into VPC files and, if so, what should I be watching out for?

Thanks in advance.
Neil
MacMini (2018) OS10.14.6 (Mojave). Monitor: LG 27in 4K Ultra HD LED.
15in MacBook Pro (Mid 2014) OS10.13.4 (High Sierra);
15in MacBook Pro (2010), (ex-Snow Leopard); now OS10.13.6 (High Sierra); 500GB Solid-State SATA drive; 4GB memory.

Offline Xairbusdriver

« Reply #9 on: January 27, 2004, 12:19:24 PM »
I'm not sure the 'bounced' messages are related to the latest PC virus. The ones I've seen started early last week. From what I've heard from the media, this latest PC bug just started. But what do they (or I) know!

As for getting infected while using a PC emulator, I don't think you'll have any problem, if you are not accessing e-mail with it. But that's just my opinion...

Offline Diana

« Reply #10 on: January 27, 2004, 12:22:05 PM »
Hey,

You're safe enough. If you're using the Mac side and collect a virus, it is harmless until activated by a click on the file. Clicking that file on a Mac won't do anything because it can't be activated on a Mac. Even on a PC, the attachment can't do anything until it's clicked...(*shakes head that there still appear to be hundreds of thousands of people who click those things).

Now, if you did work in the Win98 emulator and _could_ access the internet, and _did_ click that file, you could really mess up your installation of Win98 and possibly propagate the virus back out. Since you're not doing any of those things, you're safe enough.

see ya
Diana

Offline Highmac

« Reply #11 on: January 27, 2004, 01:49:09 PM »
Thanks Diana - you gave me just the answer I was hoping for
Neil

Offline tacit

« Reply #12 on: January 27, 2004, 02:40:14 PM »
QUOTE(airbusdriver @ Jan 27 2004, 6:19 PM)
I'm not sure the 'bounced' messages are related to the latest PC virus.

 That's exactly what they are--they are indeed related to viruses.

There are two kinds of bounce messages you will receive.

The first kind looks exactly like a bounce message, but isn't. It is a message from the virus designed to trick you into believing it is a bounce. The idea is that people are more likely to look at bounces. GIBE-F and SWEN/A are two viruses that send out messages disguised to look like bounces.

The second type is a real bounce, but going to the wrong place. Most mass-mailing viruses, including Gibe, Swen, Mimail, and so on, also send out email with a forged From: address. Here's how it works:

Say Joe is infected. Joe's computers send out infected emails. But the emails don't have Joe's name in the From: field. The From: field is forged with Bob's name. That way, if a mail server bounces the message, the bounce goes to Bob, not Joe. It's easy to fake a From: address; I can send emails that seem to come From: your email address if I want to. If the email bounces, I don't get the bounce--you do.
A whole lot about me: www.xeromag.com/franklin.html
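
Added example (not part of tacit's post or of the thread): a Python triage of the two bounce kinds described above, separating a real delivery report for mail you sent, a real report for mail sent under a forged From:, and a message that only imitates a bounce. It assumes bounces follow the RFC 3464 multipart/report layout and that you keep a set of Message-IDs your own server sent; the function names and sample messages are constructed for illustration.

```python
import email

def returned_message_id(msg):
    """Message-ID of the original mail that the bounce carries back, if any."""
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822" and part.is_multipart():  # full original attached
            return part.get_payload(0)["Message-ID"]
        if ctype == "text/rfc822-headers":                     # headers-only copy
            return email.message_from_string(part.get_payload())["Message-ID"]
    return None

def classify_bounce(raw, sent_ids):
    """Return 'genuine', 'misdirected' (forged From:) or 'not-a-dsn' (look-alike)."""
    msg = email.message_from_string(raw)
    is_dsn = (msg.get_content_type() == "multipart/report"
              and str(msg.get_param("report-type", "")).lower() == "delivery-status"
              and any(p.get_content_type() == "message/delivery-status"
                      for p in msg.walk()))
    if not is_dsn:
        return "not-a-dsn"
    mid = returned_message_id(msg)
    return "genuine" if mid and mid.strip() in sent_ids else "misdirected"

def sample_dsn(message_id):
    """Constructed RFC 3464 bounce returning a mail with the given Message-ID."""
    return (
        "From: MAILER-DAEMON@mx.example.net\nTo: bob@example.org\n"
        "Subject: Undelivered Mail Returned to Sender\nMIME-Version: 1.0\n"
        'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"\n\n'
        "--b1\nContent-Type: text/plain\n\nDelivery to nobody@example.net failed.\n"
        "--b1\nContent-Type: message/delivery-status\n\n"
        "Reporting-MTA: dns; mx.example.net\n\n"
        "Final-Recipient: rfc822; nobody@example.net\nAction: failed\nStatus: 5.1.1\n\n"
        "--b1\nContent-Type: message/rfc822\n\n"
        f"Message-ID: {message_id}\nFrom: bob@example.org\n"
        "To: nobody@example.net\nSubject: hello\n\nbody\n--b1--\n")

# Constructed look-alike: bounce wording, but no delivery-status report inside.
LOOKALIKE = ("From: postmaster@example.net\nTo: bob@example.org\n"
             "Subject: Mail Delivery System\nContent-Type: text/plain\n\n"
             "Your message could not be delivered. See the attached file.\n")

SENT = {"<a1@example.org>"}  # Message-IDs from our own outbound log (constructed)

if __name__ == "__main__":
    for raw in (sample_dsn("<a1@example.org>"), sample_dsn("<x9@pc.example>"), LOOKALIKE):
        print(classify_bounce(raw, SENT))
```

Plain-text bounces from mail servers that do not emit RFC 3464 reports also land in `not-a-dsn`, so that label means "review by hand", not "malicious".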

Offline jepinto

« Reply #13 on: January 27, 2004, 04:27:27 PM »
Now I don't feel left out.  I got my first one.

Offline sandbox

« Reply #14 on: January 27, 2004, 11:11:18 PM »
http://start.earthlink.net/newsarticle?cat...D80B3LVO1_story
"This has all the characteristics of being the next big one," said Steven Sundermeier, Central Command's vice president of products and services.
.
.
.
Symantec also found code that would flood The SCO Group Inc.'s Web site with requests in an attempt to crash its server, starting Feb. 1. SCO's site has been targeted in other recent attacks because of its threats to sue users of the Linux operating system in an intellectual property dispute.

http://ir.sco.com/ReleaseDetail.cfm?ReleaseID=127545
 SCO announced that it is offering a reward of up to a total of $250,000 for information leading to the arrest and conviction of the individual or individuals responsible for creating the Mydoom virus.