[ale] #$&#% virus writers!

James P. Kinney III jkinney at localnetsolutions.com
Tue Jul 27 10:36:46 EDT 2004 

We've been getting POUNDED the past 3 days with the new MyDoom variant
emails (5-10 per hour). They all look like an email bounce
(postmaster at blah) notices and contain a zip file with a .exe file that
has 20-30 spaces in the name before the .exe part. The beginning of the
file is username at emaildomain  so it looks like a return bounce.  For the
past 2 weeks my domain has been being probed for non-existent user users
by sending 2 emails a day to a generated list(better than 10,000
attempts). Simultaneously, ALE mail has dropped of the radar completely.

The headers are below for the morbidly curious: (I cut out the
attachment part as it is a virus.) Note the "originating" domain looks
to be mine. That is not part of my domain IP address scheme. I
tracerouted about 10 of the various IPs and the last resolvable domain
name (3 hops to final) were all .cn (China).

Return-Path: <postmaster at localnetsolutions.com>
Received: from zeverly.mail.atl.earthlink.net
        (zeverly.mail.atl.earthlink.net [207.69.200.46]) by
        moat.localnetsolutions.com (8.12.8/8.12.8) with ESMTP id
i6RDoHsP025170 for
        <jkinney at castle.localnetsolutions.com>; Tue, 27 Jul 2004
09:50:17 -0400
Received: from numerianus-z.mspring.net ([207.69.231.93]
        helo=numerianus.mspring.net) by zeverly.mail.atl.earthlink.net
with smtp
        (Exim 3.36 #1) id 1BpSLR-0008PB-00 for
        jkinney at castle.localnetsolutions.com; Tue, 27 Jul 2004 09:50:17
-0400
X-MindSpring-Loop: jkinney at localnetsolutions.com
Received: from localnetsolutions.com ([63.125.51.2]) by
        numerianus.mspring.net (Earthlink Mail Service) with ESMTP id
        1bPslj3c13Nl5tX0 for <jkinney at localnetsolutions.com>; Tue, 27
Jul 2004
        09:50:09 -0400 (EDT)
From: "Bounced mail" <postmaster at localnetsolutions.com>
To: jkinney at localnetsolutions.com
Subject: Mail System Error - Returned Mail
Date: Tue, 27 Jul 2004 09:49:30 -0400
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0002_371E2AE6.D6E1839E"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-Id: <200407270950.1bPslj3c13Nl5tX0 at numerianus.mspring.net>
X-LocalNetSolutions-MailScanner-Information: Please contact the ISP for
        more information
X-LocalNetSolutions-MailScanner: Found to be clean
X-MailScanner-From: postmaster at localnetsolutions.com
X-DSPAM-Result: Innocent
X-DSPAM-Probability: 0.000010
X-DSPAM-Signature: 41065d9d251811802013720
Status:   
X-Evolution-Source: pop://jkinney@192.168.0.1/

This is a multi-part message in MIME format.

------=_NextPart_000_0002_371E2AE6.D6E1839E
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

The original message was received at Tue, 27 Jul 2004 09:49:30 -0400
from localnetsolutions.com [83.155.71.253]

----- The following addresses had permanent fatal errors -----
jkinney at localnetsolutions.com





!DSPAM:41065d9d251811802013720!

------=_NextPart_000_0002_371E2AE6.D6E1839E
Content-Type: application/octet-stream;
name="jkinney at localnetsolutions.com.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="jkinney at localnetsolutions.com.zip"
-- 
James P. Kinney III          \Changing the mobile computing world/
CEO & Director of Engineering \          one Linux user         /
Local Net Solutions,LLC        \           at a time.          /
770-493-8244                    \.___________________________./
http://www.localnetsolutions.com

GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
<jkinney at localnetsolutions.com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part

More information about the Ale mailing list