The Old Joel on Software Forum: Part 3 (of 5)

Some questions about spam

Okay so I am playing the budding detective at the moment. But just recently (actually yesterday) we became indundanted with spam of two types:
1) spam directly to our domain name (sometimes with correct staff names, sometimes with random names) containing a ‘test.zip’ etc attachment.
2) ‘return to sender’ type spam that is a response from another valid company who believes we have sent them the nasty stuff.

It is interesting that all of the ‘return to sender’ stuff is local (ie the local university, the local electricity supplier, ie all firms within a 200km radius).

I had a look at the ‘properties’ of the emails, and each piece of spam has one ‘received from’ address in common, this being:
Received: from CPE-203-51-193-3.qld.bigpond.net.au (203.51.193.3)

Now my interpretation of this would be that the nasty things are coming from 203.51.193.3, not that I really have any course of action if this is the case, but is it?

Sincerely,
The Detective Chick

Aussie Chick
Wednesday, January 28, 2004

The Received: headers will tell you where they're coming from. The reality is, they're coming from someone who got duped, and has you (and others) in their address book. It fakes the from address on the messages, using people out of the infected person's address book, in the hopes of gulling more people into opening the virus (and spreading it farther).

Clearly, the world is packed with naive people, because these things spread like wildfire. :-p

Brad Wilson (dotnetguy.techieswithcats.com)
Wednesday, January 28, 2004

This sounds like the latest email virus, called "Novarg" or "MyDoom."

http://enterprisesecurity.symantec.com/article.cfm?articleid=2420

It sends itself to addresses in the infected computer's address book, which would explain why you're getting emails from other companies in your area.

FWIW, you can look up this IP address first by searching here,

http://www.arin.net/whois/

This tells you that the IP address is registered to "Telstra Internet," which probably won't help you.

Robert Jacobson
Wednesday, January 28, 2004

Yes, but a lot of the addresses are fake.

Eg. There is no bob@fb.com.au and although there is a kspringolo@fb.com.au, I can tell you for a fact she does not know this email address is useful, she tells all her clients to send data to mail@fb.com.au, the only place this address could be obtained is from the website www.fb.com.au (okay so fb is not our real name, but you get the picture).

So although the emails seem to contain viruses, they all have this once address in common, and rather then getting spammed from some poor sod who opened a virus in their inbox, it seems that this spam is being generated from someone who has harvested our email addresses.

Okay, I know I am making a big deal out of nothing.

Well yes spam is incredibly annoying, but what can really be done??? Very little apparently…

Aussie Chick
Wednesday, January 28, 2004

It's the current email virus. Haven't you watched the news ? Read any IT websites ?

Damian
Wednesday, January 28, 2004

Modern viruses don't only send themselves to the addresses found in the address book. They also go through the browser cache and find email addresses there. Next thing it does is send itself to all those addresses and use others to set a spoofed FROM field. And sometimes they play a bit more with the addresses like sending it to common_name@yourdomain.com.

Anyway you have received the emails from people that are infected and visited your website. The bounces are from non existing addresses where a virus was sent with your domain in the FROM field. Or from a company that checks for viruses but is too brainless to understand that some viruses spoof the FROM field.

Just delete the buggers.

Jan Derk
Wednesday, January 28, 2004

Jan Derk,

Ah I see now. Thanks for the explanation.

I probably should pay more attention to the IT news...

Aussie Chick
Wednesday, January 28, 2004

Aussie Chick - That IP addres is a Brisbane based Bigpond Cable or ADSL customer who has an open SMTP relay - its actually an Exchange server I see by connecting to the IP on port 25 - the domain is leaselink.com.au

Give Bigpond a bell , abuse@bigpond.com.au

They HATE open SMTP relays and will shut the customer down

Dan G
Wednesday, January 28, 2004

Just had a look on wired.com for a good article to read.

Saw all the articles about myDoom etc.

Now I feel like a goose for even asking the above question.
I really need to get out more, read some techie articles etc…

Thanks for being nice to me anyhow.

Aussie Chick
Thursday, January 29, 2004

Just a suggestion: Don't post valid email addresses into forum posts.

If kspringolo isn't getting any email at that address at the moment, they could be looking at a mountain of spam a year from now. Basically, if the address gets picked up by a webcrawler looking for email addresses, and ends up in 1 (most likely more) spam databases, kspringolo will be getting offered viaga, banned cd's and a whole lot more...

(I think this is the main reason why Joel built the reply through website option in, rather than post email addresses in forums posts).

Gordon Hartley
Thursday, January 29, 2004

(Makes note to self to read the stuff in ()'s next time). Oh well.

Gordon Hartley
Thursday, January 29, 2004

Interestingly (at least to me ;-) I've been getting a lot of copies sent to me at an alias I didn't even know I had and have *never* used. I figured the virus was combining known domains with randomised names in the hope of getting hits. Anyone know if there's any truth to this or have I just invented it?
Sadly I'm getting as many anti-virus spams (from mail servers that mistakenly believe i sent them the virus) as I am copies of the virus itself. Ho hum

SteveM
Thursday, January 29, 2004