I have received hundreds of emails from a single IP address with forged
names since yesterday. The subject is usually something like "Re: Approved"
or "That Movie", etc. Initially there was an approx. 100K attachment (what
is a PIF file anyway?) but now they refer to an attachment that isn't there.

First, my setup:
 Firewall: MultiTech RF550VPN with only port 25 open
 Mail Server: UnixWare 7.1.0 with ptf7130e installed
 (I had to use my old sendmail.cf file as the new one
 would not allow inbound mail and I don't speak sendmail.)

The domains are sometimes those of companies I have received mail from in
the past with bogus user names, e.g., bogus@supplier.com. While I do have a
M$ system on my LAN, it is never allowed to touch email; that is entirely
done from my UW7 and OSR5 systems. I do occasionally use it for browsing
when IE is required due to backwards web sites I must sometimes access;
otherwise I use Mozilla from SCO Linux or M$.

I have successfully put a stop to the messages showing up by adding a
Received: line in my .maildelivery file with the single IP address.

Question: Is this a fluke and I am the "winner" chosen to receive this ilk
or is this a coordinated attack? (The messages are not "normal" spam in that
they do not attempt to sell anything or lead me to their web site; it just
slows my systems down processing the trash.)

I also have a much smaller number of delivery failed messages where it uses
my return address in the From: line with the same bogus email addresses in
the To: line. (This bothers me more than the inbound garbage; I do not want my
system used to inundate anyone else's system. Perhaps low bandwidth does
have its benefits!)

Thank you,
Lucky

Lucky Leavell                      Phone: (800) 481-2393 (US/Canada)
UniXpress - Your Source for SCO    OR:    (812) 366-4066
1560 Zoar Church Road NE           FAX:   (812) 366-3618
Corydon, IN 47112-7374             Email: lucky@UniXpress.com
WWW Home Page: http://www.UniXpress.com

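The pattern described in the post above (one relay IP, many forged From names, a PIF attachment) can be checked across a batch of messages before a block rule goes in. This is an added example, not part of the original thread; the sample messages, host names and addresses are constructed, and the extension list and threshold are assumptions.

```python
import re
from collections import Counter
from email import message_from_string

RISKY_EXT = (".pif", ".scr", ".exe", ".bat", ".com")  # assumed blocklist
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def relay_ip(msg):
    """Connecting IP from the topmost Received header, the one our own MTA
    wrote; lower Received lines and From: are sender-controlled."""
    received = msg.get_all("Received") or []
    m = IP_RE.search(received[0]) if received else None
    return m.group(1) if m else None

def risky_attachments(msg):
    names = [part.get_filename() or "" for part in msg.walk()]
    return [n for n in names if n.lower().endswith(RISKY_EXT)]

def triage(raw_messages, threshold=3):
    """Return (relay IPs sending under many From names, risky-attachment hits)."""
    per_ip, senders, flagged = Counter(), {}, []
    for raw in raw_messages:
        msg = message_from_string(raw)
        ip = relay_ip(msg)
        per_ip[ip] += 1
        senders.setdefault(ip, set()).add(msg.get("From", ""))
        if risky_attachments(msg):
            flagged.append((ip, msg.get("Subject", "")))
    suspects = [ip for ip, n in per_ip.items()
                if ip and n >= threshold and len(senders[ip]) >= threshold]
    return suspects, flagged

def _sample(ip, sender, subject, attachment=None):
    # Constructed message; hosts and addresses are placeholders.
    head = (f"Received: from relay.example ([{ip}]) by mx.local.example; "
            f"Thu, 21 Aug 2003 10:00:00 -0500\nFrom: {sender}\nSubject: {subject}\n")
    if attachment is None:
        return head + "\nPlease see the attached file.\n"
    return (head + 'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="b"\n\n'
            "--b\nContent-Type: text/plain\n\nPlease see the attached file.\n"
            "--b\nContent-Type: application/octet-stream\n"
            f'Content-Disposition: attachment; filename="{attachment}"\n\nAAAA\n--b--\n')

SAMPLES = [
    _sample("192.0.2.10", "bogus1@supplier.example", "Re: Approved", "sample.pif"),
    _sample("192.0.2.10", "bogus2@supplier.example", "That Movie"),
    _sample("192.0.2.10", "bogus3@other.example", "Re: Approved"),
    _sample("198.51.100.7", "known@customer.example", "Invoice question"),
]

if __name__ == "__main__":
    print(triage(SAMPLES))
```
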
On Thu, 21 Aug 2003 15:18:06 GMT, Lucky Leavell <lucky@unixpress.com> wrote:

>I have received hundreds of emails from a single IP address with forged
>names since yesterday. The subject is usually something like "Re: Approved"
>or "That Movie", etc. Initially there was an approx. 100K attachment (what
>is a PIF file anyway?) but now they refer to an attachment that isn't there.
>
>First, my setup:
> Firewall: MultiTech RF550VPN with only port 25 open
> Mail Server: UnixWare 7.1.0 with ptf7130e installed
> (I had to use my old sendmail.cf file as the new one
> would not allow inbound mail and I don't speak sendmail.)
>
>The domains are sometimes those of companies I have received mail from in
>the past with bogus user names, e.g., bogus@supplier.com. While I do have a
>M$ system on my LAN, it is never allowed to touch email; that is entirely
>done from my UW7 and OSR5 systems. I do occasionally use it for browsing
>when IE is required due to backwards web sites I must sometimes access;
>otherwise I use Mozilla from SCO Linux or M$.
>
>I have successfully put a stop to the messages showing up by adding a
>Received: line in my .maildelivery file with the single IP address.
>
>Question: Is this a fluke and I am the "winner" chosen to receive this ilk

Nope, we're all winners :-)

http://www.trendmicro.com/vinfo/viru...e=WORM_SOBIG.F

>or is this a coordinated attack? (The messages are not "normal" spam in that
>they do not attempt to sell anything or lead me to their web site; it just
>slows my systems down processing the trash.)
>
>I also have a much smaller number of delivery failed messages where it uses
>my return address in the From: line with the same bogus email addresses in
>the To: line. (This bothers me more than the inbound garbage; I do not want my
>system used to inundate anyone else's system. Perhaps low bandwidth does
>have its benefits!)
>
>Thank you,
>Lucky
>
>Lucky Leavell Phone: (800) 481-2393 (US/Canada)
>UniXpress - Your Source for SCO OR: (812) 366-4066
>1560 Zoar Church Road NE FAX: (812) 366-3618
>Corydon, IN 47112-7374 Email: lucky@UniXpress.com
>WWW Home Page: http://www.UniXpress.com

Scott McMillan

On Thu, Aug 21, 2003, Lucky Leavell wrote:

>I have received hundreds of emails from a single IP address with forged
>names since yesterday. The subject is usually something like "Re: Approved"
>or "That Movie", etc. Initially there was an approx. 100K attachment (what
>is a PIF file anyway?) but now they refer to an attachment that isn't there.
>
.....

This is just the latest in a long line of worms that feed on the Microsoft
virus, Windows. It's been hitting big-time all over the 'net. All the
messages have forged headers so they appear to come from people you may know
(I'm getting large numbers of bounce messages saying my mail couldn't be
delivered, and anybody who knows me knows that I don't do M$ Windows in any
way shape or form :-).

Bill
--
INTERNET: bill@Celestial.COM   Bill Campbell; Celestial Systems, Inc.
UUCP: camco!bill               PO Box 820; 6641 E. Mercer Way
FAX: (206) 232-9186            Mercer Island, WA 98040-0820; (206) 236-1676
URL: http://www.celestial.com/

There is no distinctly native American criminal class save Congress
-- Mark Twain

Lucky Leavell <lucky@unixpress.com> wrote:

>I have received hundreds of emails from a single IP address with forged
>names since yesterday. The subject is usually something like "Re: Approved"
>or "That Movie", etc. Initially there was an approx. 100K attachment (what
>is a PIF file anyway?) but now they refer to an attachment that isn't there.

And you think you are the only one? :-)

We're ALL getting them: http://aplawrence.com/Blog/B394.html

--
tony@aplawrence.com
Unix/Linux/Mac OS X resources: http://aplawrence.com
Get paid for writing about tech: http://aplawrence.com/publish.html