  wolfox Gentle Wolfox
join:2002-11-27 Dunnellon, FL
Bogus Admin Message Circulating:
There is a bogus e-mail circulating that looks like it is from SBC support. Attached is a copy of "Mydoom" virus. Be careful folks, and keep your AV up to date! The message body looks as such:
From: SBC Yahoo! Mail Virus Protection
To: xxxxxxxx@sbcglobal.net
Date: Fri, 16 Dec 2005 19:28:55 -0500
Subject: Alert: Virus Detected but not Cleaned - Attachment Removed [Returned mail: see transcript for details]
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="0-856137568-1134957276-87652"
Dear user xxxxxxxx@sbcglobal.net,
Your account has been used to send a large amount of spam messages during this week. Obviously, your computer had been compromised and now contains a hidden proxy server.
We recommend you to follow our instruction in order to keep your computer safe.
Have a nice day, The sbcglobal.net support team.
-- Northwest Arkansas' ONLY all Techno Radio Webcast, powered by SBC DSL!
Corona It's cool, I'm takin it back Premium join:2000-03-14 Aubrey, TX
LOL - if you fall for this, you deserve what you get.
 NormanS Premium,MVM join:2001-02-14 San Jose, CA
·Pacific Bell - SBC
1 edit | reply to wolfox
Is there more to that message than you showed us? My last legitimate message from SBC Yahoo! about a virus laden email:
From: "SBC Yahoo! Mail Virus Protection <mail-antivirus@yahoo-inc.com>"
To: ******@pacbell.net
Date: Thu, 3 Mar 2005 22:39:48 -0800
Subject: "Alert: Virus Detected but not Cleaned - Attachment Removed" [Your day]
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="0-2072999201-1109925880-75257"
--0-2072999201-1109925880-75257
Content-Type: text/plain; charset=us-ascii
Content-Id:
Content-Disposition: inline
"Your SBC Yahoo! Mail Virus Protection detected the virus '"W32.Netsky.P@mm"' in the file '"letter.scr"', attached to the enclosed email message. We scanned the file using Norton AntiVirus but were unable to clean it. Therefore, we removed the content of the attachment from the message. Please contact the message sender if you want to receive the attachment. They must clean the file and resend it before we can deliver it to you safely."
"SBC Yahoo! Mail successfully cleans most infected attachments, which protects you from viruses."
--0-2072999201-1109925880-75257
Content-Type: message/rfc822
X-Apparently-To: ******@pacbell.net via 206.190.37.77; Thu, 03 Mar 2005 22:40:03 -0800
X-YahooFilteredBulk: 66.81.31.54
Authentication-Results: mta800.mail.scd.yahoo.com from=aol.com; domainkeys=neutral (no sig)
X-Originating-IP: [66.81.31.54]
Return-Path: <15f.1e950c13.2bc3ce0c@aol.com>
Received: from 207.115.57.81 (EHLO ylpvm50.prodigy.net) (207.115.57.81) by mta800.mail.scd.yahoo.com with SMTP; Thu, 03 Mar 2005 22:40:03 -0800
X-Header-Maps: tagged.as.spam.by.relays.prodigy.net.list.66.81.31.54
X-Originating-IP: [66.81.31.54]
Received: from pacbell.net (host-66-81-31-54.rev.o1.com [66.81.31.54]) by ylpvm50.prodigy.net (8.12.10 083104/8.12.10) with ESMTP id j246dfi7011125 for <******@pacbell.net>; Fri, 4 Mar 2005 01:39:47 -0500
Message-Id: <200503040639.j246dfi7011125@ylpvm50.prodigy.net>
From: 15f.1e950c13.2bc3ce0c@aol.com
To: ******@pacbell.net
Subject: Your day
Date: Thu, 3 Mar 2005 22:39:48 -0800
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0016----=_NextPart_000_0016"
X-Priority: 3
X-MSMail-Priority: Normal
This is a multi-part message in MIME format.
------=_NextPart_000_0016----=_NextPart_000_0016
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: 7bit
Best wishes,
your friend.
------=_NextPart_000_0016----=_NextPart_000_0016
Content-Type: application/octet-stream; name="letter.scr"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="letter.scr"
------=_NextPart_000_0016----=_NextPart_000_0016--
--0-2072999201-1109925880-75257
What is interesting is that the putative sending email address isn't an email address, but a message ID string. It doesn't show up in a Google Groups search, so it most likely is in some AOL member's email message. Filched from the message store of one of their friends with an infected computer on the 01.com ISP.
-- Norman ~Oh Lord, why have you come ~To Konnyu, with the Lion and the Drum
 etaadmin
join:2002-01-17 Dallas, TX
reply to wolfox
Those are legitimate emails from yahoo AV. Post the full headers and you'll see.
I get two or three a day from the same IP address, an infected computer in the comcast.com domain.
 NormanS Premium,MVM join:2001-02-14 San Jose, CA
·Pacific Bell - SBC
reply to wolfox
said by wolfox: Dear user xxxxxxxx@sbcglobal.net, Your account has been used to send a large amount of spam messages during this week. Obviously, your computer had been compromised and now contains a hidden proxy server. We recommend you to follow our instruction in order to keep your computer safe. Have a nice day, The sbcglobal.net support team.
I should have paid more attention. Could this be your IP address?
T 20051218 073903 43a29052 Connection from 70.136.59.26
T 20051218 073905 43a29052 HELO adsl-70-136-59-26.dsl.pltn13.sbcglobal.net
T 20051218 073905 43a29052 MAIL FROM: <nxwczlbrqk@btcc.org>
E 20051218 073905 43a29052 Host 70.136.59.26 blocked by Spamhaus - message rejected.
T 20051218 073905 43a29052 QUIT
T 20051218 073905 43a29052 Connection closed with 70.136.59.26, 2 sec. elapsed.
I guess not; if you are in Arkansas. But that is a spamming proxy which has infected an SBC DSL customer in the S.F. Bay Area of California, trying, unsuccessfully, to deliver a spam message to my MX server. OK; how about this one:
»www.spamcop.net/sc?id=z840907266···88734ccz
That links to a SpamCop report I filed where the message did originate from a computer on an swbell.net PPPoX connection. Well, OK again; that seems to be a Richardson, Texas connection. Even so...
The verbose part of your message, which I overlooked, suggests that you have become some spammer's "Pea"; spammer speak for an open proxy running on an HSI connected computer, and remotely accessed by the spammer through which he sends high volumes of email.
Take the suggestion of the message to heart, and check your computer for malware.
-- Norman ~Oh Lord, why have you come ~To Konnyu, with the Lion and the Drum
  Flippant So Much For Subtlety Premium,Mod join:2000-06-04 Katy, TX
Host: Filesharing Software Earthlink Cable Texas Gulf Coast AT&T U-verse AT&T Southwest
reply to Corona
said by Corona: LOL - if you fall for this, you deserve what you get.
My parents would fall for it in a heartbeat. I hope they would call me before they did anything about it, but something official and dire looking like that could cause them to panic and do something stupid. I can see it is time to give them a call and refresh them about discounting all email unless expected. I bet a lot of people would fall for that.
 GB34
join:2004-12-08 Adrian, MO
reply to wolfox
That is why I use a program called 'MailWasher' by Firetrust »www.firetrust.com
It allows you to look at your e-mail while it is still on the ISP server. If you are suspicious of it you can delete on the spot without ever downloading it to your computer.
All e-mail that I do not trust gets deleted this way.
  owlhooter Premium,VIP join:2002-01-19 Wylie, TX
reply to NormanS
Actually, more than likely, this is the way the virus is trying to infect the customer. Pretending to be coming from the SBC support team, you can tell because if SBC was really going to send a message they would include more than just
quote: Your account has been used to send a large amount of spam messages during this week. Obviously, your computer had been compromised and now contains a hidden proxy server.
So, it looks like the antivirus did its job and found the virus. But the virus itself tries to make it sound like you have been compromised and running the attachment will most likely fix it, thereby infecting you with said virus.
 NormanS Premium,MVM join:2001-02-14 San Jose, CA
·Pacific Bell - SBC
Except that the message should have had more to the headers. The virus would have been external to the SBC Yahoo! system, and there would have been some "Received: * from * by" headers. Unless wolfox omitted part of the message, the headers he posted look very much like the headers of the raw code of the legitimate virus notice which I received.
I really suspect that the message, as presented, has been edited, though, so there is no telling what it is about.
-- Norman ~Oh Lord, why have you come ~To Konnyu, with the Lion and the Drum
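NormanS's point above is the one worth automating: a genuine scanner notice arrives through relays that each add a Received: header, and it encloses the scanned message as a message/rfc822 part, while the excerpt wolfox posted shows neither, so its origin cannot be judged from what was shown. The following Python is an added example, not code from any poster in this thread. It parses raw message text with the standard library, counts Received: hops, takes the connecting-host IP the first relay recorded (the bracketed address, not the sender-controlled HELO name), and lists attachments with executable-style names. Both sample messages are constructed: the first is modelled on the legitimate notice NormanS quoted, with a placeholder relay name mailbox.example.net, placeholder user@ addresses and a harmless base64 blob in place of the original attachment; the second is modelled on the abridged text wolfox posted. The function names and the RISKY_EXT list are my own choices.

```python
import os
import re
from email import policy
from email.parser import BytesParser

# Constructed sample modelled on the legitimate notice quoted in this thread.
# The notice's own Received: line and the relay name mailbox.example.net are
# placeholders; the enclosed message's headers follow the quoted ones.
SAMPLE_NOTICE = b"""From: "SBC Yahoo! Mail Virus Protection" <mail-antivirus@yahoo-inc.com>
To: user@pacbell.net
Received: from mta800.mail.scd.yahoo.com ([206.190.37.77]) by mailbox.example.net with SMTP; Thu, 03 Mar 2005 22:40:05 -0800
Subject: Alert: Virus Detected but not Cleaned - Attachment Removed [Your day]
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="0-2072999201-1109925880-75257"

--0-2072999201-1109925880-75257
Content-Type: message/rfc822

X-Originating-IP: [66.81.31.54]
Received: from 207.115.57.81 (EHLO ylpvm50.prodigy.net) (207.115.57.81) by mta800.mail.scd.yahoo.com with SMTP; Thu, 03 Mar 2005 22:40:03 -0800
Received: from pacbell.net (host-66-81-31-54.rev.o1.com [66.81.31.54]) by ylpvm50.prodigy.net (8.12.10 083104/8.12.10) with ESMTP id j246dfi7011125 for <user@pacbell.net>; Fri, 4 Mar 2005 01:39:47 -0500
From: 15f.1e950c13.2bc3ce0c@aol.com
To: user@pacbell.net
Subject: Your day
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0016"

------=_NextPart_000_0016
Content-Type: application/octet-stream; name="letter.scr"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="letter.scr"

bm90IGEgcmVhbCBmaWxl
------=_NextPart_000_0016--

--0-2072999201-1109925880-75257--
"""

# Constructed sample modelled on the abridged text wolfox posted: no Received:
# chain and no enclosed message, just an alarming body.
SAMPLE_BARE = b"""From: SBC Yahoo! Mail Virus Protection
To: user@sbcglobal.net
Subject: Alert: Virus Detected but not Cleaned - Attachment Removed
Content-Type: text/plain

Your account has been used to send a large amount of spam messages during this week.
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HOP = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.S)
RISKY_EXT = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".vbs"}  # my own list


def parse(raw: bytes):
    # policy.default gives the modern EmailMessage API with unfolded headers
    return BytesParser(policy=policy.default).parsebytes(raw)


def received_hops(msg):
    # (from, by) pairs, earliest hop first: relays prepend Received:, so the
    # bottom header is the first hop, and its "from" token is whatever the
    # sender claimed in HELO.
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP.search(str(value))
        if m:
            hops.append((m.group(1), m.group(2)))
    hops.reverse()
    return hops


def origin_ip(msg):
    # IP the first relay recorded for the connecting host, or None if there is
    # no chain at all. The bracketed address is what the relay observed; the
    # HELO name (pacbell.net in the quoted message) is under the sender's control.
    values = msg.get_all("Received", [])
    if not values:
        return None
    first_hop = str(values[-1])
    m = BRACKETED_IPV4.search(first_hop) or IPV4.search(first_hop)
    return m.group(1) if m else None


def enclosed_messages(msg):
    # Messages carried as message/rfc822 parts, which is how a scanner notice
    # wraps the message it inspected.
    inner = []
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            inner.extend(part.get_payload())
    return inner


def risky_attachments(msg):
    # walk() descends into enclosed messages too, so this also sees the
    # attachment the scanner reported on.
    names = []
    for part in msg.walk():
        name = part.get_filename()
        if name and os.path.splitext(name.lower())[1] in RISKY_EXT:
            names.append(name)
    return names


def assess(raw: bytes) -> dict:
    # Summarise what the raw text can and cannot tell us about a "virus notice".
    msg = parse(raw)
    inner = enclosed_messages(msg)
    findings = {
        "notice_hops": len(received_hops(msg)),
        "wraps_message": bool(inner),
        "original_sender_ip": origin_ip(inner[0]) if inner else None,
        "risky_attachments": risky_attachments(msg),
    }
    if findings["notice_hops"] == 0:
        findings["verdict"] = "no Received chain: headers were trimmed, origin cannot be judged"
    elif findings["wraps_message"]:
        findings["verdict"] = "scanner notice wrapping a relayed message"
    else:
        findings["verdict"] = "standalone message that only claims to be a notice"
    return findings
```

Running `assess(SAMPLE_NOTICE)` reports one hop for the notice itself, an enclosed message whose first relay saw 66.81.31.54 (the o1.com host, not the pacbell.net it announced in HELO) and letter.scr as the executable-style attachment; `assess(SAMPLE_BARE)` reports no hops and no enclosed message, which is the "headers have been trimmed" situation NormanS describes, not proof either way. The inner-message hop list is the same reading NormanS did by hand: the bottom Received: header is the origin, and only the IP the relay recorded there is trustworthy.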
  wolfox Gentle Wolfox
join:2002-11-27 Dunnellon, FL
reply to wolfox
Nope, my system's 100% clean. And nope, that is not my IP. Never had one in that range over in the Fayetteville area AFAIK. I do not bother with a local mail client at all, preferring the Yahoo! Webmail interface for just this very reason. I get tons of e-mail spattering me filled with viruses, but this is the first one I had seen that reported it was from SBC. I had e-mails telling *me* that *my* *Comcast* e-mail address has been sending spam.... I never had, nor never will have a Comcast account.
-- Northwest Arkansas' ONLY all Techno Radio Webcast, powered by SBC DSL!
 NormanS Premium,MVM join:2001-02-14 San Jose, CA
·Pacific Bell - SBC
I have an email from "Mail Delivery Subsystem <MAILER-DAEMON@ylpvm02.prodigy.net>", to my long time Netscape Webmail account, advising me that an email to my old, suspended @pacbell.net account (same username as the @netscape.net account) could not be delivered. The spammer had forged my Netscape email address as the sender.
The message is called "backscatter", and was a surprise because I did not think the SBC SMTP servers would do that. They don't send "backscatter" when the RCPT TO is invalid; but, apparently, suspended accounts are not treated the same as non-existent accounts.
-- Norman ~Oh Lord, why have you come ~To Konnyu, with the Lion and the Drum