Insane amounts of virii


#1

The last two days I have been getting pummelled (to my standards anyhow) with virus laden emails.

It’s hard to get anything done when every 10 minutes Norton pops up warning of incoming.

I’ve got Norton set to destroy this stuff after it tells me it came in so I just get a proxy mail that says it deleted a mail from suchnsuch@asd.com TO soandso@mydomain.com

I realize that the TO address is probably forged since I have no catch all enabled and the addresses are nonsense, but Norton doesn’t give me the full headers. I can reconfigure Norton if it comes to that but just wanted to check in here and see if anyone else has been experiencing similar problems? It’s driving me quite crazy.

jason


#2

I’ve been getting a ton of copies of Sober–this started just yesterday. (I thought they ran MIMEDefang, but I must be thinking of another account.) I’ll set up a procmail filter for it if it doesn’t stop on its own.


#3

yup yup, sober yesterday

!@#$%^ pullin my hair out, I’m about to say delete and don’t bother me with it

jason


#4

procmail rule for Sober:

# H and B: apply the condition to both the headers and the body,
# so Content-* lines inside MIME parts are seen as well
:0 HB
# condition: a .zip attachment whose name is one of the Sober lure names
# (the dot before zip is escaped so it only matches a literal dot)
* ^Content-.* (file)?name="?((error-)?(our_secret|(mail|account|Fifa|okTicket|PassWort)[-][Ii]nfo|autoemail|LOL)(-[Tt]ext)?)\.zip"?$
# action: file it into the .junk/ maildir rather than discarding it
.junk/

I’m not sure it’s perfect, that’s why it’s not going to /dev/null… yet

There must be a better way, though…


#5

ALCON

Mine also, the ONLY PLACE I have all these email addresses is in my Mysql Database…

Look familiar?

brisbanecbd@signa.com.au: host mx.netspace.net.au[210.15.254.248] said:
550 Error: VIRUS Worm.Sober.P (in reply to end of DATA command)

http://www.sfahq.com/

PK


#6

headers from one:

X-Symantec-TimeoutProtection: 0
X-Symantec-TimeoutProtection: 1
Return-Path: <postmaster@somedomain.com>
Delivered-To: myusername@gollum.dreamhost.com
Received: from heyos.com (COX-##-###-###-#.coxinet.net [##.###.###.#]) by gollum.dreamhost.com (Postfix) with SMTP id C231F5B7AD; Fri, 6 May 2005 12:29:34 -0700 (PDT)
From: postmaster@somedomain.com
To: X-User@mydomain.com
Date: Fri, 06 May 2005 18:20:40 UTC
Subject: Your email was blocked
Importance: Normal
X-Priority: 3 (Normal)
Message-ID: <674aeb6de7.b4866@somedomain.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="======4a6e00e.e1e78c271baaa"
Content-Transfer-Encoding: 7bit

What’s the explanation for these all hammering my proper DH system username @ myproperDHdomain name dot com?

the TO: is always false but the Delivered-To: is always my username at my mailserver?! What’s the deal?

jason


#7

Most likely because TO wasn’t supplied, but rather supplied by another means, so Sendmail alters the headers to deliver to your proper email address.

That’s Sendmail stuff going on and not due to somebody else knowing your direct email address.


#8

so what would be the point of disabling the catch all email address? I know it will deflect random spam but do you see what I’m saying?

how is this mail getting to me?!

jason


#9

That’s how. I didn’t look in detail, there is a To: field. Sendmail added the Delivered-To: so it knows which user account to send it to.

Sometimes you’ll see ‘for’ within the sendmail delivery headers. Sometimes Delivered-To: is the actual email, sometimes it’s not. It really all depends on how sendmail’s configured. It’s a very convoluted and complicated mail system.
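An added example, not code posted in this thread: it applies the attachment-name pattern from the procmail rule in #4 to a parsed message, walking every MIME part the way the HB flags make procmail scan headers and body, and it checks the To: versus Delivered-To: disagreement puzzled over in #6 to #9. Both sample messages are constructed for the example (the header names and addresses are borrowed from #6), not real worm mail.

```python
import re
from email import message_from_string

# The pattern from the procmail rule in #4, with the dot before "zip" escaped.
SOBER_NAME = re.compile(
    r'^Content-.* (file)?name="?((error-)?(our_secret|'
    r'(mail|account|Fifa|okTicket|PassWort)[-][Ii]nfo|autoemail|LOL)'
    r'(-[Tt]ext)?)\.zip"?$')

def sober_attachment(raw):
    """Name of the attachment the rule would trip on, or None. Every MIME
    part is walked so body Content-* lines count too, as procmail's HB do."""
    for part in message_from_string(raw).walk():
        for name, value in part.items():
            if name.lower().startswith("content-"):
                m = SOBER_NAME.search(f"{name}: {value}")
                if m:
                    return m.group(2) + ".zip"
    return None

def envelope_mismatch(raw):
    """True when To: differs from the Delivered-To: the MTA stamped from the
    SMTP envelope, which is the 'forged To:' the thread is puzzling over."""
    msg = message_from_string(raw)
    to = (msg.get("To") or "").strip().lower()
    delivered = (msg.get("Delivered-To") or "").strip().lower()
    return bool(delivered) and to != delivered

# Constructed sample shaped like the bounce-style lure in #6; not real worm mail.
SOBER_SAMPLE = """\
Delivered-To: myusername@gollum.dreamhost.com
From: postmaster@somedomain.com
To: X-User@mydomain.com
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: application/zip; name="mail-info.zip"
Content-Disposition: attachment; filename="mail-info.zip"

UEsDBA==
--B1--
"""

# Constructed benign message: a zip the rule must leave alone, addressed to
# the real mailbox so To: and Delivered-To: agree.
CLEAN_SAMPLE = (SOBER_SAMPLE.replace("mail-info.zip", "q2-report.zip")
                .replace("To: X-User@mydomain.com",
                         "To: myusername@gollum.dreamhost.com"))
```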