Forum Moderators: phranque
The problem with the Klez virus is that of ignorance: nobody knows that the sender is faked.
If we're getting the virus sent to us, then that means that the virus is getting sent to others with OUR EMAIL ADDRESS.
Granted, there are those who use anti-virus programs to filter this stuff out. But there are a great number who don't use it, including my clients. They don't need it.
They have been educated on how to deal with it, and they've been sending me copies of the headers that they've received. I take these and find the originating IP, track down who owns it (and it's usually owned by the Return-Path email), and send to the ISP (abuse dept). One of ten has contacted their customer, and the problem is gone. MOST have not fixed the problem. The ISP does not usually respond, except with an autoresponder. It's possible that the ISP has tried to contact the customer, but the email has been ignored.
In all emails that I send to the ISP, I indicate all of the clues that are there, just in case they don't know what Klez is or how to trace it in an email. I tell them that the from: email is faked, the to: came to me, and the return-path originates from your IP address, and sometimes, even I get an AOLer that uses OE and the X-Apparent-Sender field is filled in. I've sent hundreds of emails out to about 10 ISPs. Only one has been stopped.
How do you deal with this? Our main concern is that our email address is in someone's address book, and others will think that we're sending the Klez out.
I tried the email campaign and it was useless. I also use an AV program that writes a 'Certified Virus Free' note at the bottom of all emails.
I know it's frustrating but people are still opening infected attachments. One of my email addresses received 10 infected emails in one week.
My clients send emails to people that they do not know; they're just responding. They get on someone's address book because there's an option in OE something like this: 'add to my address book every email I send out' or something like that. So they're in the AB.
How do you tell the ISP to tell their customer that they're a menace? I feel like I'm trying not only to help their customer, but that ISP. I understand privacy issues, but if I have the proof (the headers), why not let them know?
over the last couple of weeks, i've been getting a lot of emails containing the klez virus. i've been trying to trace who might have the virus so i can let them know how to remove it, but all i know is it's someone using XYZ ISP. therefore i'm sending this email to everyone i know who uses XYZ ISP and has my email address.
the klez virus sends emails to "random" email addresses without your knowledge. in the "to" and "from" fields, it will use any email addresses you have saved anywhere on your system, either in your incoming mail, your address book, in HTML files and so on. you never know that these emails are being sent as they will not show in outlook etc.
i'd appreciate it if you could run a check for the klez virus. there are several variations on it, but one simple tool to find and clean it can be found here:
[securityresponse.symantec.com...]
....
this approach has worked twice now, maybe because it's short and to the point, polite, and doesn't "target" that person or blame them in any way. it's even worked with some very rude and awkward people i know who would throw a major fit if i said outright that they did have the klez virus ......
a couple of tips:
i use eudora for email and i have some 25,000 emails going back over 2 years. eudora has a very handy search option under Edit > Find > Find Messages that allows you to search for text within headers. this makes it quick and easy to find everyone that uses specific ISPs. i don't know if outlook has something similar.
mail each suspect from different email aliases (i.e., john1@yourdomain, john2@yourdomain, john3@yourdomain) and keep a record. don't use the same alias twice. if you start getting klez mails to or from john2@yourdomain then you know whoever you emailed from john2@yourdomain has the klez virus and you can call them or whatever. if you start getting klez mails with john55@yourdomain.com in the future then you know who has the virus straight away.
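As an added illustration of the header-tracing procedure described earlier in the thread (originating IP from the Received chain, forged From versus Return-Path) and of the alias-tracking tip just above, here is a small Python script that is not from any poster. It works on constructed sample headers; the host names, IPs, addresses and the alias-to-contact map are placeholders I made up.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import getaddresses, parseaddr
from typing import Optional

# Constructed sample, not a real capture: From is forged, Return-Path and the
# Received line point at the host that actually handed us the message.
SAMPLE = """\
Return-Path: <bob@isp.example>
Received: from dialup-42.isp.example (dialup-42.isp.example [198.51.100.42])
    by mail.ourdomain.example with SMTP id xyz789
From: alice@somewhere.example
To: john2@ourdomain.example
Subject: a very funny game

(klez-style body and attachment omitted)
"""

OUR_HOSTS = {"mail.ourdomain.example"}  # assumption: our own mail servers
# assumption: which tracking alias was handed to which correspondent
ALIAS_BOOK = {"john1@ourdomain.example": "Contact A",
              "john2@ourdomain.example": "Contact B"}

RECEIVED_RE = re.compile(
    r"from\s+(\S+).*?\[(\d{1,3}(?:\.\d{1,3}){3})\].*?\bby\s+(\S+)", re.S)

def originating_ip(msg: Message) -> Optional[str]:
    """Walk Received headers newest-first; return the IP of the first hop
    that handed the message to one of our own servers (the handoff point)."""
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_RE.search(hdr)
        if m and m.group(3) in OUR_HOSTS and m.group(1) not in OUR_HOSTS:
            return m.group(2)
    return None

def sender_clues(msg: Message) -> dict:
    """Compare the visible From with the envelope Return-Path domain."""
    from_addr = parseaddr(msg.get("From", ""))[1]
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    forged = from_addr.rsplit("@", 1)[-1].lower() != return_path.rsplit("@", 1)[-1].lower()
    return {"from": from_addr, "return_path": return_path, "from_forged": forged}

def infected_contact(msg: Message) -> Optional[str]:
    """If one of our tracking aliases appears in To/From, name who received it."""
    for _, addr in getaddresses(msg.get_all("To", []) + msg.get_all("From", [])):
        if addr.lower() in ALIAS_BOOK:
            return ALIAS_BOOK[addr.lower()]
    return None

def abuse_report(raw: str) -> dict:
    """Collect the clues one would put in a report to the ISP's abuse desk."""
    msg = message_from_string(raw)
    clues = sender_clues(msg)
    clues["originating_ip"] = originating_ip(msg)
    clues["suspected_contact"] = infected_contact(msg)
    return clues
```

Run `abuse_report(SAMPLE)` to get the originating IP, the From/Return-Path mismatch and the alias-derived contact in one dictionary; a real mailbox would feed each incoming Klez message's raw headers in instead of the constructed sample.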
Really annoying though, to think that people might think I sent them a virus... because I can't think of any effective way of stopping it.