New Virus Running Novarg Worm

Brett_Tabke

12:49 am on Jan 27, 2004 (gmt 0)

Visit Thailand

11:22 pm on Jan 27, 2004 (gmt 0)

Well now I am into the second day of this ****. Just turned on the comp and 600 emails or so later am still to receive a genuine email!

The BBC is quoting some experts as saying it is bigger than Sobig with 1 in every 12 emails affected, compared to Sobig's 1 in 17 and it is not showing any signs of slowing.

When people talk about using AV software on the server level - any recommendations?

Mailwasher only works on a per domain basis on the server right?

I want something that will work on a server basis for all the domains on that server, and will either simply delete any emails with the .exe .pif etc attachments or just reject them.
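
An added example, not code from the thread or from any product named in it, of the server-side check Visit Thailand is asking for: a Python filter that parses each incoming message, judges every attachment by its file name rather than its declared content type, peeks one level into .zip archives, and returns a 550 refusal inside the SMTP session so that our side never accepts the message and never produces a bounce. The extension list, the domain names and the sample messages are assumptions constructed for illustration; wiring the function into a particular MTA (a Postfix content filter, a milter, a procmail recipe) depends on the server in use.

```python
"""
Server-side attachment screening for every domain on one mail server.
Added example, not code from the thread or from any product named in it.
The extension list, domain names and sample messages are assumptions
constructed for illustration.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions Windows will execute on a double-click; the thread names
# .exe, .scr and .pif, the others are added here as an assumption.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
ARCHIVE_EXTENSIONS = {".zip"}


def _ext(name):
    """Last extension of a file name, lower-cased ('invoice.txt.exe' -> '.exe')."""
    name = (name or "").lower().rstrip(".")
    return name[name.rfind("."):] if "." in name else ""


def blocked_attachments(raw):
    """Reasons to refuse the message; an empty list means it passed."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        ext = _ext(name)
        # Judge by file name, not by the declared Content-Type: a .pif sent
        # as application/octet-stream is still a .pif to Windows.
        if ext in BLOCKED_EXTENSIONS:
            reasons.append(f"attachment {name!r} has blocked extension {ext}")
        elif ext in ARCHIVE_EXTENSIONS:
            # Look one level into archives so a zipped executable does not slip by.
            payload = part.get_payload(decode=True) or b""
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    for member in zf.namelist():
                        if _ext(member) in BLOCKED_EXTENSIONS:
                            reasons.append(f"archive {name!r} contains {member!r}")
            except zipfile.BadZipFile:
                reasons.append(f"attachment {name!r} is not a readable zip archive")
    return reasons


def smtp_verdict(raw):
    """SMTP reply for the DATA stage: a permanent 550 refuses the message in
    session, so our server never accepts it and never generates a bounce to
    the (spoofed) From address."""
    reasons = blocked_attachments(raw)
    if reasons:
        return "550 5.7.1 Message refused: " + "; ".join(reasons)
    return "250 2.0.0 OK"


def build_sample(filename, content, ctype="application/octet-stream"):
    """Constructed sample message with one attachment."""
    msg = EmailMessage()
    msg["From"] = "peter@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Hello"
    msg.set_content("test")
    maintype, subtype = ctype.split("/", 1)
    msg.add_attachment(content, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


def build_zip(inner_name, inner_bytes):
    """Constructed zip archive holding one file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, inner_bytes)
    return buf.getvalue()


if __name__ == "__main__":
    for name, body in (("document.pif", b"MZ"),
                       ("readme.zip", build_zip("readme.exe", b"MZ")),
                       ("notes.txt", b"plain text")):
        print(f"{name}: {smtp_verdict(build_sample(name, body))}")
```

Refusing during the SMTP transaction rather than accepting and bouncing later is what matters with a spoofed From: a sender that speaks SMTP to your MX directly simply gets the error and nothing is sent back to the forged address. An extension blocklist is a coarse tool; lasko's report later in this thread of a .htm attachment being caught is a reminder to keep the AV scanner in the chain behind it.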

dodger

12:19 am on Jan 28, 2004 (gmt 0)

<<For the guys running Mailwasher, what filters have you set up to blow this thing off the server?>>

I don't use filters I just delete/bounce them on a one by one basis - at least they don't get through to my PC this way.

This thing is a real pig - why do people do this?

grandpa

12:44 am on Jan 28, 2004 (gmt 0)

I'm just happy to say that for my part, I'm no longer contributing to the spread of this thing. It was an effort, but I finally got a copy of NAV to work for me.

Meanwhile I had what... 5000 addresses it had time to scour.

Crap!

pendanticist

12:54 am on Jan 28, 2004 (gmt 0)

It's not so much why they do it (although I did read the company thinks it has something to do with their lawsuit against MS regarding open source/Linux stuff and that this entire event is malicious), as it is why do people open attachments?

http://australianit.news.com.au/articles/0,7204,8515154%5E15841%5E%5Enbv%5E,00.html

Described as a "cornered rat" by Linux creator Linus Torvalds, SCO is in an apparently never-ending legal battle over intellectual property rights related to the System V Unix code.

http://www.computerworld.com/securitytopics/security/virus/story/0,10801,89470,00.html

dodger

1:10 am on Jan 28, 2004 (gmt 0)

<<why do people open attachments?>>

Why do people buy cheap rubbish just because of an ad campaign?

You have to understand the way people think en masse to get the answer to that one.

TryAgain

4:30 am on Jan 28, 2004 (gmt 0)

<<why do people open attachments?>>

Why do people buy cheap rubbish just because of an ad campaign?

You have to understand the way people think en masse to get the answer to that one.

And because people don't think it's their fault. It's Microsoft's fault for making insecure software. ;-)

pendanticist

5:18 am on Jan 28, 2004 (gmt 0)

Uhm, that was a rhetorical question complete with supportive link.

TryAgain

5:42 am on Jan 28, 2004 (gmt 0)

We're only human. ;-)

Herenvardo

9:08 am on Jan 28, 2004 (gmt 0)

PC or Mac won't make a difference while drowning in mail.

Once again, we have a virus that attacks Windows system files and folders, and comes in the form of a Windows executable...

Open that attachment in Windows and then the virus is in; open it in any other system and it will only give an error message like "unrecognized MIME type", "file data corrupted", "incomplete file", or open it with an editor showing a lot of binary instructions in ASCII. But it can only run in Windows (is there somebody who uses Linux and opens attachments with DOSemu? XD), so if you use a Mac, no problem. But if you use a PC, even if you need to work under Windows, you can have a multi-booting system and put Linux on the same PC where Windows is installed, so you can open mail much more securely.

The difference is not between PC or Mac, but between Win32 and anything else...

Windows or not Windows... this is the question.
Not Windows: this is the answer ;) :P

Greetings,
Herenvardö

lasko

9:24 am on Jan 28, 2004 (gmt 0)

My Norton Antivirus is doing a great job; however, it had to block one that came as a .htm attachment. I see no reference to this on any anti-virus web sites.

I am blocking all the .exe, .scr, .pif, .zip and others because I don't require people to send these to me. However, with Norton Anti Virus blocking a .htm that got through, it shows that it could easily open up without you opening the attachment.

So far all is well, just have to be careful.

Mark_A

9:52 am on Jan 28, 2004 (gmt 0)

Please don't bounce emails you get from this virus .. at server or user level .. the From email addresses are invariably spoofed.

If you want to do any more than delete them, then check the whois on the sending IP and contact the abuse email at that ISP and ask them to take the infected user's outgoing email offline until their computer is cleaned.

The "incorrect bounces" are just as time-wasting as the real thing, IMHO.

lasko

9:58 am on Jan 28, 2004 (gmt 0)

<<user's outgoing email offline until their computer is cleaned.>>

Yes, but their computer may be clean. I have blocked this virus from my own domain name with words like peter@mydomain.com or john@mydomain.com and we don't have these addresses at all.

Somehow it's finding a domain name and putting a name like "peter" in front to appear as the sender, but the email address does not exist.

95% of mine are still getting blocked at the server, thank goodness, then Norton Anti Virus picks up the remaining 5%.

Definitely the fastest virus ever!

Mark_A

10:05 am on Jan 28, 2004 (gmt 0)

If their computer was clean it would not be sending infected emails out :-)

The point is it will only slow when infected machines stop transmitting .. and when the false bounces stop coming as a result of that, or the admins realising that they are contributing to the noise around the virus.

I have contacted 3 ISPs so far whose users have caused about 300 infected emails which I know about, so they probably sent out thousands of infected emails through those ISPs' networks.

IMO the ISPs are the folks who could kill this off the fastest, as they monitor all sent mail at source so can identify infected machines the fastest.

swizz

10:31 am on Jan 28, 2004 (gmt 0)

The thing isn't slowing down... every time it's more and more aggressive. I hope it settles this week, it is annoying!

Mark_A

10:49 am on Jan 28, 2004 (gmt 0)

One infected user can account for hundreds of emails arriving at your machine .. as direct mails or bounces ...

I think this is the right response:

If you are adequately protected .. i.e. if your AV software is sterilising the emails .. then check the sending IP address from the email headers (that of the original infected email).

Visit [network-tools.com...]
to find the ISP who is responsible for that user .. find their abuse@ email address and send them a couple of example copies of the emails (as text in a text email only) asking them to take the outgoing email service of their infected user offline to stop the flow.

I think you may find it to be just one or two infected users who are causing most of your particular influx; any infected machine will be likely to be sending out piles of this junk.
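
Mark_A's procedure above (find the sending IP in the headers of the original infected message, then look up whose network it belongs to) depends on reading the Received: chain correctly. As an added example, not code from the thread, the following Python walks the chain from the newest hop downward, trusts only the lines written by our own mail servers, and returns the first peer address outside them; everything below that point was written by the sending side and can be forged. The trusted host names and relay IPs, the sample message and the ISP host name are constructed for illustration.

```python
"""
Find the machine that injected a message by reading its Received: chain.
Added example, not code from the thread. Our host names, relay IPs, the
sample message and the ISP host name are constructed for illustration.
"""
import email
import ipaddress
import re
from email import policy

# Mail servers we run. Only Received: lines written "by" one of them are
# trusted; the peer they record in [brackets] is who connected to us.
TRUSTED_HOSTS = {"mx1.example.org", "mail.example.org"}
TRUSTED_RELAY_IPS = {ipaddress.ip_address("192.0.2.10"),
                     ipaddress.ip_address("192.0.2.11")}

# 'from <helo> ... [<ip>] ... by <host>'; the bracketed address is what the
# receiving MTA saw on the TCP connection, unlike the HELO name before it.
_RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+).*?\[(?P<ip>[0-9a-fA-F:.]+)\].*?\bby\s+(?P<by>\S+)",
    re.DOTALL,
)


def parse_received(value):
    """(helo_name, peer_ip, receiving_host) for one Received: header, or None
    when the line is not in the common form above (e.g. 'with local')."""
    m = _RECEIVED_RE.search(value)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m.group("ip"))
    except ValueError:
        return None
    return m.group("helo"), ip, m.group("by").rstrip(";").lower()


def originating_ip(raw):
    """Walk Received: headers newest-first. While the receiving host is ours,
    step past our own internal relays; the first outside address one of our
    servers recorded is the injecting machine. Anything further down was
    written by the sender and may be forged, so it is never consulted."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for value in msg.get_all("Received", []):
        parsed = parse_received(str(value))
        if parsed is None:
            continue
        _helo, ip, by = parsed
        if by not in TRUSTED_HOSTS:
            break            # past our own servers: nothing below is trusted
        if ip in TRUSTED_RELAY_IPS:
            continue         # internal hop between two of our hosts
        return ip
    return None


# Constructed sample: delivered to our MX from a dial-up host at an ISP, with
# a 'from peter' line underneath that the sending side wrote itself.
SAMPLE_MESSAGE = b"""\
Received: from mx1.example.org ([192.0.2.10])
\tby mail.example.org (Postfix) with ESMTP id 3A1F2
\tfor <user@example.org>; Wed, 28 Jan 2004 09:52:01 +0000
Received: from dsl-pool-1234.isp.example ([198.51.100.77])
\tby mx1.example.org (Postfix) with ESMTP id 7C4D9; Wed, 28 Jan 2004 09:51:58 +0000
Received: from peter by dsl-pool-1234.isp.example with local id 1AlXk2-0001eQ-00;
\tWed, 28 Jan 2004 09:51:55 +0000
From: peter@mydomain.example
To: user@example.org
Subject: Hello

test
"""

if __name__ == "__main__":
    ip = originating_ip(SAMPLE_MESSAGE)
    print(f"address to report to the network's abuse contact: {ip}")
    print(f"look it up with: whois {ip}")
```

The returned address is the one to feed to whois (or to the network-tools.com lookup Mark_A mentions) to find the abuse contact. Only the address-in-brackets form most MTAs write is parsed; a Received: line in another format is skipped, so when the result is None, read the headers by hand rather than guessing.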

troels nybo nielsen

1:49 pm on Jan 28, 2004 (gmt 0)

Sometimes it may actually be an advantage to have domains that are only known by few people and email addresses that are known by even fewer. ;) I have only been hit in the last few hours: one infected email and three "incorrect bounces".

But I have no idea how many emails to non-existing addresses my hosting company may have bounced. I disabled the catch-all function a long time ago. It caught nothing but spam.

Sanenet

2:02 pm on Jan 28, 2004 (gmt 0)

sco.com announces that they will pay $250,000 for information leading to the arrest of the writer of MyDoom ....
[news.bbc.co.uk...]

MatthewHSE

2:05 pm on Jan 28, 2004 (gmt 0)

I offer free webmail on my site. My site uses one domain.com; the webmail accounts are @another.com. Today, I've been noticing a lot of bounces that seem to indicate virus messages targeting my webmail users. But, the usernames seem to be randomly generated, and many of them don't exist on my system. This generates a bounce response to the original sender, which is in turn bounced back to me because the original sender's address is of course spoofed.

Unfortunately I don't understand viruses that much, and I don't get how spoofed addresses are helping spread this virus. I mean, I thought it was exploiting e-mail address books, and shouldn't that mean it's being sent from valid addresses?

I've been hit with the virus just seven times since yesterday afternoon. NAV has stopped it cold each time. Best investment I ever made for my computer! ;)

Visit Thailand

2:09 pm on Jan 28, 2004 (gmt 0)

Can nobody answer my question started in message 16 of this post as to how to stop it at the server?

I have received well over 3,000 emails today with viruses, bounces etc.

Would appreciate any advice.

Tropical Island

4:15 pm on Jan 28, 2004 (gmt 0)

We have been receiving approx. 1 per minute this morning.

What we did was to divert the common subject lines like hello, hi, etc directly to our delete box on the mail server.

We then go in once an hour and delete them 20 at a time while scanning for legit mail. They are easy to recognise because they are all the same size and have an attachment.

hutchins13

4:37 pm on Jan 28, 2004 (gmt 0)

I am using MailWasher and have setup the two following filters.

(1) If the To field contains "@domain.com" and not "name1@domain.com" and not "name2@domain.com" then mark the message as mail to be deleted.

[This marks messages to bogus addresses for deletion for each domain that I own.]

(2) If the Subject field is "Error" or "Failure Notice" or "Hello" or "Hi" or "Mail Delivery System" or "Mail Transaction Failed" or "Server Report" or "Status" or "Test" or "Failure Delivery" then mark the message as mail to be deleted.

These filters mark the messages to be deleted and allow me to review the messages and delete with one click. You have to be careful though, since a few of these subjects may be used in valid emails.
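
The two MailWasher rules above, rewritten as an added example in Python (not MailWasher's rule syntax and not code from the thread) so they can run at the server before mail reaches the client. Rule 1 flags mail addressed to our domain at a mailbox that does not exist; rule 2 flags the subject lines quoted in the post, by exact case-insensitive match only, which keeps the false positives the post warns about to subjects that consist of nothing but those words. The domain, the mailbox names and the sample messages are constructed for illustration.

```python
"""
The two MailWasher-style rules from the post, as a server-side classifier.
Added example, not MailWasher's rule syntax and not code from the thread.
The domain, mailbox names and sample messages are constructed for
illustration.
"""
import email
from email import policy
from email.utils import getaddresses

# Rule 1: the real mailboxes on each domain we own. Mail to any other local
# part at these domains is a guessed address (or a bounce for one).
VALID_MAILBOXES = {
    "domain.com": {"name1", "name2"},
}

# Rule 2: the subject lines listed in the post. Matched whole and
# case-insensitively, so 'Status of order 123' is not caught.
WORM_SUBJECTS = {s.lower() for s in (
    "Error", "Failure Notice", "Hello", "Hi", "Mail Delivery System",
    "Mail Transaction Failed", "Server Report", "Status", "Test",
    "Failure Delivery",
)}


def bogus_recipients(msg):
    """Addresses in To:/Cc: on our domains that are not real mailboxes."""
    bogus = []
    for _display, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", [])):
        if "@" not in addr:
            continue
        local, domain = addr.rsplit("@", 1)
        domain = domain.lower()
        if domain in VALID_MAILBOXES and local.lower() not in VALID_MAILBOXES[domain]:
            bogus.append(addr)
    return bogus


def classify(raw):
    """('delete', reason) marks the message for the review queue; ('keep', '')
    leaves it alone. Nothing here bounces anything: the From address is
    spoofed, so a bounce would only land on an uninvolved third party."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    bogus = bogus_recipients(msg)
    if bogus:
        return "delete", "addressed to non-existent mailbox " + ", ".join(bogus)
    subject = (msg["Subject"] or "").strip().lower()
    if subject in WORM_SUBJECTS:
        return "delete", f"worm subject {subject!r}"
    return "keep", ""


def make_message(to, subject):
    """Constructed sample message, for demonstration."""
    return (f"From: john@example.net\r\nTo: {to}\r\n"
            f"Subject: {subject}\r\n\r\nbody\r\n").encode()


if __name__ == "__main__":
    for to, subject in (("peter@domain.com", "Newsletter"),
                        ("name1@domain.com", "Hello"),
                        ("name1@domain.com", "Hello from the conference")):
        print(to, subject, "->", classify(make_message(to, subject)))
```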

dirkz

5:05 pm on Jan 28, 2004 (gmt 0)

> Windows or not Windows... this is the question

I'm running Windows. But:

I don't open attachments

I think this is the question :)

andy_boyd

7:06 pm on Jan 28, 2004 (gmt 0)

Using Mac OS X, receiving virii but having no effect anyway.

aevea

8:02 pm on Jan 28, 2004 (gmt 0)

I don't open attachments

But sometimes I need to open attachments. To me the real question is why are email attachments allowed to write to system files in windows in the first place.

Adam

nancyb

9:40 pm on Jan 28, 2004 (gmt 0)

This one is doing something different with spoofing.

I got a couple of these Monday before I even saw any mention of the worm. The spoofed emails used two encoded email addresses that were on my domain. I immediately changed the .htm files and replaced those encoded email addresses with new encoded addresses. Within 20 minutes I started getting more spoofed emails using these two new addresses!

I had not sent any emails out myself in hours, but I ran Norton just to be sure. Nothing found. I've run Norton twice more, just to be sure.

These were brand new email addresses that were never used before, so no one could have them in their address books, and they weren't, and still aren't, in my address book either.

I also use Mailwasher and delete probably 90% of emails from the server. Sometimes I get busy and there are so many emails on the server that I don't download any of them until I get time to preview them in Mailwasher, where I delete the majority. When these started showing up I hadn't downloaded any mail from the server since early Saturday!

I'm perplexed; anyone have any ideas how this could happen so fast?

I did a search for SPF (Sender Permitted From) and couldn't find any post here. Does anyone know about this? My host is supposed to be implementing this soon. From what I read about it, it looks like it could be a big help against spammers and spoofers.

One last note: I haven't gotten any for the two newly created emails since mid Tuesday, but I am still getting them for three other valid addresses that are encoded on my site, plus a number of other discontinued email addresses.
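
On nancyb's SPF question, here is what a receiving server does with it, as an added example that is not from the thread and not from any SPF implementation. A domain publishes the addresses allowed to send its mail; the receiver checks the IP that connected to it against that list for the domain in the SMTP envelope sender (MAIL FROM), which is the address a worm forges. DNS is replaced by an inline table, only the ip4/ip6/all mechanisms are evaluated, and the records, IPs and domain names are constructed for illustration.

```python
"""
What a receiving server does with an SPF record. Added example, not from
the thread and not from any SPF implementation. DNS is replaced by an
inline table; records, IPs and domain names are constructed for
illustration; only ip4/ip6/all mechanisms are evaluated.
"""
import ipaddress

# Stand-in for the TXT lookup a real checker would make on the sender domain.
TXT_RECORDS = {
    "mydomain.example": "v=spf1 ip4:192.0.2.10 ip4:192.0.2.16/28 -all",
    "softdomain.example": "v=spf1 ip4:203.0.113.0/24 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, client_ip):
    """Mechanisms are tried left to right and the first match decides; a
    record with no matching term and no 'all' is neutral."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    for term in terms[1:]:
        qualifier = "+"                       # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        return "permerror"   # a, mx, include, exists, redirect need DNS: not handled here
    return "neutral"


def check_mail_from(mail_from, client_ip):
    """Result for one SMTP transaction. SPF judges the envelope sender
    (MAIL FROM) against the connecting IP; the From: header the user sees
    is not consulted."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    record = TXT_RECORDS.get(domain)
    if record is None:
        return "none"          # domain publishes nothing: SPF has no opinion
    return evaluate_spf(record, client_ip)


def smtp_action(result):
    """Only a hard 'fail' justifies refusing at SMTP time. 'softfail' is a
    scoring hint, 'none' must be accepted, and errors should not lose mail."""
    return "reject" if result == "fail" else "accept"


if __name__ == "__main__":
    # A worm on a dial-up address forging a mydomain.example sender, then
    # the same sender from a published address, a softfail domain and a
    # domain with no record at all.
    for sender, ip in (("peter@mydomain.example", "198.51.100.77"),
                       ("peter@mydomain.example", "192.0.2.20"),
                       ("john@softdomain.example", "198.51.100.77"),
                       ("x@nopolicy.example", "198.51.100.77")):
        result = check_mail_from(sender, ip)
        print(f"{sender} from {ip}: {result} -> {smtp_action(result)}")
```

The point for this thread: a worm on someone's dial-up line claiming to be peter@mydomain.example gets "fail" from that domain's -all policy and can be refused before the message body is even sent, with no bounce to anyone. It does nothing for domains that publish no record (result "none"), it says nothing about the From: header a user reads, and a ~all (softfail) policy should only adjust a spam score, never trigger a rejection.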

troels nybo nielsen

9:49 pm on Jan 28, 2004 (gmt 0)

> I immediately changed the htm files and replaced those encoded email addresses with new encoded addresses. Within 20 minutes I started getting more spoofed emails using these two new addreses!

Checking your logs might give some clue.

tedster

10:10 pm on Jan 28, 2004 (gmt 0)

Looks like "MyDoom" is the name that's catching on -- nice and apocalyptic.

I've heard that new mutations are now being found that target MS with a DoS attack in Feb, instead of targeting SCO.

nancyb

11:08 pm on Jan 28, 2004 (gmt 0)

Thanks, I did check my logs and didn't find any hits to the two files with the new email addresses within an hour of when they were uploaded. These two files are deep in my site and get infrequent hits anyway.

Any other ideas or should I be looking for something different in the log?

troels nybo nielsen

11:22 pm on Jan 28, 2004 (gmt 0)

Ahemmm.... ehrr.. how are you getting along with your hosting company?

plumsauce

12:16 am on Jan 29, 2004 (gmt 0)

<<But sometimes I need to open attachments. To me the real question is why are email attachments allowed to write to system files in windows in the first place.>>

Because you have a system set up such that your account has those privileges.

If you set up a user account without those privileges, then it cannot do this.

This is a recommended security practice; however, it is a huge pain to operate this way.

Linux and Mac OS X users need not feel smug. If *everyone* switched over, so would the virus writers.
