Am I being attacked?

or am I paranoid.....?


tbear

2:48 pm on Dec 14, 2002 (gmt 0)

I'm getting the distinct impression that someone is aiming at getting a virus through to me.
I'm getting the same virus laden e-mails arriving at 4 e-mail accounts related to a specific (successful) client of mine.
Now, I'm not one to get carried away with the paranoia thing, but I would like to know if it is just coincidence.
Is it possible for one hotmail account to 'automatically' mail another hotmail account (unconnected) with a returned to sender, 'cos of a virus detect?
Would any of you good peeps be able to explain to me how to sort out the real sender of an e-mail from the header?
In the message ID section the server(bit after @) is always the same.
Is there a way (legally) that I can not just stop this but actually turn it around and get this situation in front of a law enforcement agency? (I'm in Spain - the server is in the UK - I believe the culprit is also here in Spain but English)
Be real grateful for any help......:)

bird

3:15 pm on Dec 14, 2002 (gmt 0)

Would any of you good peeps be able to explain to me how to sort out the real sender of an e-mail from the header?

There's no way to determine the real sender, as almost all of the information in the headers can be forged. The only thing you can tell for certain is the last host that initiated the transmission to yours (in the topmost "Received: from..." header).

In the message ID section the server(bit after @) is always the same.

That doesn't necessarily mean anything, as this header can be faked just like any other. It could, however, be an indicator that the origin of the transmissions is indeed always the same.

Is there a way (legally) that I can not just stop this but actually turn it around and get this situation in front of a law enforcement agency?

Sue someone because they failed to detect a virus on their system?

Actually, it's not really a virus, the correct technical term is a "worm". Once it has infected a machine, everything else is fully automatic, without any user interaction. First, it will get all addresses from the local outlook address book. Then it will send itself to all those addresses, each time using another one of them as a faked sender. In other words, if you see more than one sender in different message instances, then you already know that none of those is likely to be the real originator. If you can think of someone who has all of your recipient addresses as well as all the purported sender addresses in their address book, then you might want to inform them of the problem. Could be one of their customers, or even someone at their own office.
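The header-walking bird describes, as an added example that is not code from the original thread: it takes the topmost "Received:" line as the only hop the recipient's own server vouches for, lists the sender-supplied hops beneath it as unverified claims, pulls the host out of the Message-ID, and checks across several messages whether the connecting IP and Message-ID host stay constant, which is the pattern tbear reports. The two messages, the server name mail.recipient.example, the hotmail.example addresses and the RFC 5737 documentation IPs are all constructed for the example. The "trusted hop" logic only holds when the topmost line really was written by a server you control or trust; a webmail interface that shows partial headers may not expose it.

```python
"""Walk an e-mail's Received: chain and inspect its Message-ID.

Added example; not code from the original thread.  The messages below are
constructed, hosts use example.* names and RFC 5737 documentation IPs, and
'mail.recipient.example' stands in for the recipient's own mail server.
"""
import email
import re
from email import policy
from email.utils import parseaddr

OWN_SERVER = "mail.recipient.example"       # assumption: the recipient's own MX
OWN_ADDRESSES = {"tbear@hotmail.example", "tbear2@hotmail.example"}  # assumed

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_RE = re.compile(r"\bby\s+(\S+)")
FROM_RE = re.compile(r"^from\s+(\S+)")


def _build(sender: str, rcpt: str, mid: str) -> bytes:
    """Constructed message: only the first Received: line was added by OWN_SERVER;
    the two below it (and From:) are exactly what a worm or a person could fake."""
    return (
        "Received: from mx.example.net (mx.example.net [203.0.113.45])\n"
        f"    by {OWN_SERVER} (Postfix) with ESMTP id 1A2B3C\n"
        f"    for <{rcpt}>; Sat, 14 Dec 2002 14:01:22 +0000\n"
        "Received: from oemcomputer (unknown [192.0.2.10])\n"
        "    by mx.example.net with SMTP; Sat, 14 Dec 2002 14:01:10 +0000\n"
        "Received: from hotmail.example (hotmail.example [198.51.100.7])\n"
        "    by oemcomputer; Sat, 14 Dec 2002 14:00:00 +0000\n"
        f"From: {sender}\n"
        f"To: {rcpt}\n"
        "Subject: Re: your files\n"
        f"Message-ID: <{mid}>\n"
        "Date: Sat, 14 Dec 2002 14:00:00 +0000\n"
        "\n"
        "(attachment omitted)\n"
    ).encode()


# Two constructed messages: different spoofed senders, same connecting host.
SAMPLES = [
    _build("tbear@hotmail.example", "tbear2@hotmail.example", "0037a1b2c3@mx.example.net"),
    _build("tbear2@hotmail.example", "tbear@hotmail.example", "0038d4e5f6@mx.example.net"),
]


def _norm(header) -> str:
    """Collapse folded-header whitespace into single spaces."""
    return " ".join(str(header).split())


def parse_received(line: str) -> dict:
    """Extract the claimed sending host, its IP, and the receiving host from one Received: line."""
    m_from, m_ip, m_by = FROM_RE.search(line), IP_RE.search(line), BY_RE.search(line)
    return {
        "from": m_from.group(1) if m_from else None,
        "ip": m_ip.group(1) if m_ip else None,
        "by": m_by.group(1).rstrip(";") if m_by else None,
    }


def analyze(raw: bytes) -> dict:
    """Separate the one hop our own server recorded from the sender-supplied rest."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = [parse_received(_norm(h)) for h in msg.get_all("Received", [])]
    from_addr = parseaddr(str(msg["From"]))[1].lower()
    from_domain = from_addr.rpartition("@")[2]
    mid_domain = str(msg["Message-ID"]).strip().strip("<>").rpartition("@")[2].lower()
    # Received: lines are prepended, so the topmost one is the newest; it is only
    # trustworthy if it was written by a server we control.
    trusted = hops[0] if hops and hops[0]["by"] == OWN_SERVER else None
    return {
        "origin_ip": trusted["ip"] if trusted else None,   # who actually connected to us
        "claimed_hops": [(h["from"], h["ip"]) for h in hops[1:]],  # unverifiable
        "from_domain": from_domain,
        "message_id_domain": mid_domain,
        "spoofs_own_address": from_addr in OWN_ADDRESSES,
        "message_id_matches_from": mid_domain == from_domain,
    }


def common_origin(reports) -> dict:
    """Across several messages: do the trusted IP and the Message-ID host stay constant?"""
    ips = {r["origin_ip"] for r in reports}
    mids = {r["message_id_domain"] for r in reports}
    return {
        "single_origin_ip": len(ips) == 1,
        "single_message_id_domain": len(mids) == 1,
        "origin_ips": sorted(i for i in ips if i),
    }


if __name__ == "__main__":
    reports = [analyze(s) for s in SAMPLES]
    for r in reports:
        print(r)
    print(common_origin(reports))
```

A constant origin_ip across messages with rotating From: addresses is the signal worth keeping: that IP (and the "by" host above it) is the only thing you can take to an ISP's abuse contact, while the lower Received: lines and the Message-ID host are consistent with, but never proof of, a common origin.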

tbear

3:40 pm on Dec 14, 2002 (gmt 0)

Hmmm, thanx bird.
I realise it is somewhat hard to tie down.
I don't think it is coming from an infected computer because they are all 'pretending' to come from me (my hotmail accounts) and I don't believe I am infected.
They all, also, contain the same message ID source.
The 'received from' is also always the same, regardless of the supposed sender address.
We're talking about 20 mails so far to 4 accounts. Just 1 mail so far to the clients domain account.
I'm not thinking of suing for getting infected, I'm talking about suing for purposefully trying to infect me. I have half an idea who it is, but wouldn't want to jump the gun and accuse without proof.
I would not have thought hotmail could be infected (host to a trojan/worm) and start sending out mails from 'my hotmail' accounts.

jimbeetle

4:06 pm on Dec 14, 2002 (gmt 0)

tbear, it wouldn't be your hotmail account that's infected. What many of these do is as bird says "Then it will send itself to all those addresses, each time using another one of them as a faked sender."

You might also see postmaster undeliverable mail notices. Some of these are worm-laden messages themselves, others spoofed your e-mail address and were bounced by the server's anti-virus routine.

It's a dangerous world out there. We get 20 to 30 suspicious e-mails a day, the delete key gets a good workout.

tbear

4:30 pm on Dec 14, 2002 (gmt 0)

Sure is a dangerous world out there, I've been involved in it around 7 years now and have caught, suffered from and noticed, on others' machines, a whole bunch of viruses etc.

What concerns me is that the spoofed senders, bouncers and receivers are all my hotmail accounts. All relate to one client of mine. All appear to come from the same source/route. It seems to be a very persistent and semi-intelligent worm here (LOL), that my client does not have, nor do I.

I can of course block the source, I just wanted to get a little revenge ;)

Well, I'll keep my eyes open. Thanx all for your help and support.

robertito62

1:31 pm on Dec 16, 2002 (gmt 0)

Some ISPs have a security team in place you can email to. Trace route the email's IP address shown in the headers and then contact anyone on that loop, letting them know about the spam/virus.

However, the most effective thing for me has been...to just delete or block on my browser.

I get email bombs every now and then and Monday mornings usually represent wasting 30 minutes on 200 emails with viruses in my box.

Oh, here is what I did once and was effective:
Instead of leaving your clickable email address on pages I wrote them unclickable as follows:

mycontactname AT mydomain.com

This prevents email collectors from collecting addresses for spam related issues. Bad guys will always get you, but there are not too many instances when someone will single you out. Perhaps I am wrong in this last point, don't know...

Reflect

2:13 pm on Dec 16, 2002 (gmt 0)

I would try to convert the e-mail address so it is still clickable.

One, from a member on this board is (broken link)..

www.fantomaster.com/fantomasSuite/mailShield/famshieldsv-e.cgi

Another is here (broken link)...

www.manastungare.com/asp/preventspam.asp

Brian

creative craig

2:31 pm on Dec 16, 2002 (gmt 0)

This is a good article from the good people at CERT, with a few tips on how to trace back to the original sender. I have done it a few times at work (tech help desk for an ISP) with good results.

[cert.org...]

[investigateanyoneonline.com...]

Craig

<added>Better URL with descriptions</added>