Email Viruses

[Trimoor]

Has anyone else been getting dozens of email viruses lately?
They consist of the "I-Worm/Netsky.Q" virus in an attatchment.
No body text.

The reason I post this here is because they started immediately after I presented my rotary joystick hack.
The address I gave on the site was freshly created, and has been given out only there and on this site.

Anyone have any ideas how to stop this?
I tried contacting the server admins that spamcop pointed me to.

Here is a header: (my email has been censored)

Return-Path: <user@domain.com>
Delivered-To: ******
Received: (qmail 7356 invoked from network); 5 Oct 2004 00:10:53 -0000
Received: from dsl-201-128-229-57.prod-infinitum.com.mx (HELO trimoor.com) (201.128.229.57)
 by 1002-15.lowesthosting.com with SMTP; 5 Oct 2004 00:10:53 -0000
From: user@domain.com
To: *******
Subject: Re: Mail Authentification
Date: Mon, 4 Oct 2004 19:10:46 -0600
MIME-Version: 1.0
Content-Type: multipart/mixed;
   boundary="----=_NextPart_000_0016----=_NextPart_000_0016"
X-Priority: 3
X-MSMail-Priority: Normal

[daywane]

Yes I have. but not the same ones you are getting
I just got this from my internet provider
Hello user of DCR.NET e-mail server,

We warn you about some attacks on your e-mail account. Your computer may
contain viruses, in order to keep your computer and e-mail account safe,
please, follow the instructions.

Pay attention on attached file.

For security purposes the attached file is password protected. Password --

Cheers,
    The DCR.NET team                 http://www.DCR.NET

I opened the atachment and this is what I got

Norton AntiVirus removed the attachment: Information.zip.
The attachment was infected with the W32.Beagle@mm!zip virus.

[Robopede]

I have also noticed a huge increase in junk e-mails within the past few days, but only one virus. My e-mail address on the BYOAC site is private, however...

[RayB]

Nevrr post email addresses ANYWHERE. Use PMs if you have to give it to someone.

[SirPoonga]

I'll post my email address, it isn;t a pop account.

Anyway for my pop account I use Eudora.  I have yet to have a single virus in the last 3 months running eudora and mozilla.

[Craig]

Nevrr post email addresses ANYWHERE. Use PMs if you have to give it to someone.

Or even better, use a yahoo.com mail account as a second account. That way if any junk gets through, it can be sorted for you easily.

[Minwah]

Forgetting it's faults Hotmail saves me a ton of trouble - no viruses (yet) and the junk filter is pretty good.  I don't even use any other account for personal use.

[Jakobud]

PEOPLE!  Just stop using IE and Outlook / Express and you don't have to worry about it.  Look toward Mozilla and you will be safe.

[Trimoor]

I use mozilla/firefox for a browser, but mozilla email wont import my outlook settings. (it keeps crashing)

Plus, my mother would be frightened by yet another mysterious application.

I can create infinate *@trimoor.com accounts, so I can kill one off if it gets too much crap.

[Justin Z]

Trimoor,

One handy way to keep bots from obtaining your e-mail is to make a small GIF or JPG of your e-mail address.  Then just insert it on the page wherever you would normally have typed your e-mail address.  It'll be a minor inconvenience for anybody who wants to truly e-mail you to type it out by hand.

~Justin

[Trimoor]

The best way that I read somewhere is to have a contact page, where they type their message in the browser, and it uses a script to send it to my email, all without them ever seeing the address.

Unfortunately, I have no idea how to do this.
Does anyone?

[Craig]

Look on the Web for free formmail/form to email services.
Though sometimes the email of the recipient (you) may be visible in the html code. Find one that hides it like going by a ID number or something.

[Jakobud]

The best way that I read somewhere is to have a contact page, where they type their message in the browser, and it uses a script to send it to my email, all without them ever seeing the address.

Unfortunately, I have no idea how to do this.
Does anyone?

You will find a PHP email form on my website I use for this purpose, even though I am not worried about giving out my gmail address.  The PHP form is rad though.  You can't tell what email address it's being sent to at all, even if you look at the source of the php page.

[daywane]

Yes I have. but not the same ones you are getting
I just got this from my internet provider
Hello user of DCR.NET e-mail server,

We warn you about some attacks on your e-mail account. Your computer may
contain viruses, in order to keep your computer and e-mail account safe,
please, follow the instructions.

Pay attention on attached file.

For security purposes the attached file is password protected. Password --

Cheers,
    The DCR.NET team                 http://www.DCR.NET

I opened the atachment and this is what I got

Norton AntiVirus removed the attachment: Information.zip.
The attachment was infected with the W32.Beagle@mm!zip virus.

I found out some one is tring to pass them selfs off as my internet provider here

[Trimoor]

Jacobud, this is exactly what I'm looking for.
Could you send me the php source?

[Jakobud]

Jacobud, this is exactly what I'm looking for.
Could you send me the php source?

Sure it's a piece of cake:

There are four different php pages here:

contact.php <--- the page that people actually access and fill out the form and stuff
contactScript.php <---- the php script that no one can see (it contains your email address)
contactThankYou.php <--- the script/page that appears saying Thank You, afterword
contactError.php <---the script/page that appears saying error, you didn't fill the form out correctly

contact.php:
this is just a normal page in it.  But when you get to your FORM tags, make it say this:
<form action="contactScript.php" method="post">

contactScript.php (this is the brain of the process):
<?php

$mailto = 'myemailaddress@somewhere.com' ;

$subject = "This is the subject of the email to be sent!!!" ;

$formurl = "http://www.yoursite.com/contact.php" ;
$errorurl = "http://www.yoursite.com/contactError.php" ;
$thankyouurl = "http://www.yoursite.com/contactThankYou.php" ;

// -------------------- END OF CONFIGURABLE SECTION ---------------

$name = $_POST['name'] ;
$email = $_POST['email'] ;
$comments = $_POST['comments'] ;
$http_referrer = getenv( "HTTP_REFERER" );

if (!isset($_POST['email'])) {
   header( "Location: $formurl" );
   exit ;
}
if (empty($name))
   $name = 'Anonymous';
if (empty($email))
   $email = 'none';
if (empty($comments))
   {
         header( "Location: $errorurl" );
         exit ;
   }

$messageproper = "From: $name\nEmail: $email\n\n$comments";

mail($mailto, $subject, $messageproper, "From: \"$name\" <$email>\nReply-To: \"$name\" <$email>\nX-Mailer: chfeedback.php 2.01" );
header( "Location: $thankyouurl" );
exit ;

?>

contactThankYou.php and contactError.php:
There is nothing special about either of these.  They are just web pages that show up and say Thanks or Error.

There are a couple of nice things about this script.
1. All you have to do is fill out the top portion of the code.  You don't really need to understand or pay attention to the algorithms themselves.
2. Your email address is hidden.  The only place it's displayed is in the code of the contactScript.php.
3. Well what happens if someone knew that and typed in their browser: www.mysite.com/contactScript.php?  Well the browser simply opens up the contact.php.  You can't look at contactScript.php at all through the browser.

Cool huh?  Hope this helps.

[krick]

By the way, does anybody need a Google Gmail account?

1GB of space, spam filtering, nifty threading and sorting options, no ads.  Kicks the crap out of Hotmail, by invitiation only.

I've got 6 invitiations to give away.
The first 6 people to PM me can have them.
(I always seem to get more too)

...
Krick

[MonitorGuru]

> "The address I gave on the site was freshly created, and has been given out only there and on this site."

Doesn't matter if an account is "fresh" or not or suspected to have been "sold" or not.  DOMAIN SUBSTITUTION is how spammers are reaching more people with higher % hits.

Did you create the mailbox with a UNIQUE name that you have NEVER used before on any other domain?  If so, then they probably found it through botting this site or yours.  If it was a previously used name, just with a new domain attached, they they likely found it with domain substitution.


Here is how it works:
- Create account "arcadecontrols@aol.com"
- Post that address to tons of sites and email hundreds of people with it.
- Start getting spam there.
- Create a new account "arcadecontrols@hotmail.com"
- Day one, start receiving tons of spam.
- Post numerous complaints online about why MS is selling your email address to spammers
- Create a new account "arcadecontrols@myregionalisp.com"
- Day one, start receving tons of spam there.
- Post wondering why you got spam on a fresh account with a "trusted" ISP

See the pattern?  Spammers know that it's human nature to reuse the same login, e.g. "arcadecontrols" at every site you create an email account at.  Therefore they take a list of known good accounts at say, AOL, then replace @aol.com with every other known domain name.

It's a lot better attack than random dictionary attacks on the username. Human nature means you not only don't like changing your passwords, you also dont like changing your logins.

Create a new account with say, "arcad3_c0ntr0l$_Oct04@myisp.net" and then see how long it takes before you start receiving spam.  It will take much longer!

Likewise, my account is NOT monitorguru@hotmail.com... I'm sure that would be flooded by now. It's a totally unique account name used for signing up for this board, so it can't be guessed as easily.


Again--if you posted your email on your web page or here, it could have gotten out rather quickly. But I just want people to know that many times it's simple substitution that gets you spammed quickly instead.

Good luck!

[Trimoor]

Okay, this is getting creepy.....
I just checked my mail, and got yet another virus.
But the return address was from Saint!

Yes, our saint, the admin of this site!

Either saint got infected, or the spammers know enough about us to spoof his return address.

No body text, just my AVG warning about the "I-Worm/Bagle.AB" virus.

Here is the header:

Return-Path: <saint@null.net>
Delivered-To: (my address)
Received: (qmail 15095 invoked from network); 7 Oct 2004 17:00:50 -0000
Received: from 64-190-134-18.client.cypresscom.net (HELO EMachine42.net) (64.190.134.18)
  by 1002-15.lowesthosting.com with SMTP; 7 Oct 2004 17:00:50 -0000
Date: Thu, 07 Oct 2004 11:58:53 -0600
To: (my address)
From: "Saint" <saint@null.net>
Subject: Incoming message
Message-ID: <xxjhcwqbzmkfdypxtak@trimoor.com>
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="--------cmqwgtymnsiwzirelyny"