Noob Xtra users trying to send out trojans

Discussion in 'NZ Computing' started by Mark, Jun 14, 2005.

  1. Mark

    Mark Guest

    In the last 24 hours this IP has been trying to send me a trojan, along with
    a well written email pretending to be the network admin asking me to install
    this patch otherwise my email will be "cut off":

    [14/Jun/2005 07:35:47] SMTP: From: , To: <>,
    Size: 78475, Sender-Host: 219-89-114-151.adsl.xtra.co.nz
    [14/Jun/2005 07:35:49] Found virus in mail from , To:
    <>, : Generic Malware.a!zip

    I wonder if Xtra will do anything to stop them?
     
    Mark, Jun 14, 2005
    #1

  2. Mark wrote:
    > In the last 24 hours this IP has been trying to send me a trojan, along with
    > a well written email pretending to be the network admin asking me to install
    > this patch otherwise my email will be "cut off":
    >
    > [14/Jun/2005 07:35:47] SMTP: From: , To: <>,
    > Size: 78475, Sender-Host: 219-89-114-151.adsl.xtra.co.nz
    > [14/Jun/2005 07:35:49] Found virus in mail from , To:
    > <>, : Generic Malware.a!zip
    >
    > I wonder if Xtra will do anything to stop them?


    complain continuously for 4 days and they will :)

    to be fair, there must be a hell of a lot of compromised machines with
    Xtra accounts, and they do have to give the people time to patch their
    machines.

    --
    http://dave.net.nz <- My personal site.
    http://synaptic.net.nz <- Dunedin Based IT and ISP services
     
    Dave - Dave.net.nz, Jun 14, 2005
    #2

  3. Mark

    Mark Guest

    It doesn't look like a compromised machine.

    The email purports to be from the admin address on my network to a user
    address. It looks crafted specifically to my network. I get truckloads of
    the boring generic spam as well, so I know the difference ;)




    "Dave - Dave.net.nz" <> wrote in message
    news:...
    > Mark wrote:
    > > In the last 24 hours this IP has been trying to send me a trojan, along with
    > > a well written email pretending to be the network admin asking me to install
    > > this patch otherwise my email will be "cut off":
    > >
    > > [14/Jun/2005 07:35:47] SMTP: From: , To: <>,
    > > Size: 78475, Sender-Host: 219-89-114-151.adsl.xtra.co.nz
    > > [14/Jun/2005 07:35:49] Found virus in mail from , To:
    > > <>, : Generic Malware.a!zip
    > >
    > > I wonder if Xtra will do anything to stop them?
    >
    > complain continuously for 4 days and they will :)
    >
    > to be fair, there must be a hell of a lot of compromised machines with
    > Xtra accounts, and they do have to give the people time to patch their
    > machines.
    >
    > --
    > http://dave.net.nz <- My personal site.
    > http://synaptic.net.nz <- Dunedin Based IT and ISP services
     
    Mark, Jun 14, 2005
    #3
  4. Mark wrote:
    > It doesn't look like a compromised machine.
    >
    > The email purports to be from the admin address on my network to a user
    > address. It looks crafted specifically to my network. I get truckloads of
    > the boring generic spam as well, so I know the difference ;)


    It may not be compromised, but why else would it be sending so much spam?
    I've been getting ~20 a day for the last 3 days, all from admin@
    support@ help@ dave.net.nz... I only have one active address, and well,
    you can probably guess that one. :)

    I would say that they are just using the domain that they are sending
    to... see a message today about smarter spam

    --
    http://dave.net.nz <- My personal site.
    http://synaptic.net.nz <- Dunedin Based IT and ISP services
     
    Dave - Dave.net.nz, Jun 14, 2005
    #4
  5. Mark

    Mark Guest

    Ahh yeah bingo, same text. Hmmm very smart spam isn't it.


    "Dave - Dave.net.nz" <> wrote in message
    news:...
    > Mark wrote:
    > > It doesn't look like a compromised machine.
    > >
    > > The email purports to be from the admin address on my network to a user
    > > address. It looks crafted specifically to my network. I get truckloads of
    > > the boring generic spam as well, so I know the difference ;)
    >
    > It may not be compromised, but why else would it be sending so much spam?
    > I've been getting ~20 a day for the last 3 days, all from admin@
    > support@ help@ dave.net.nz... I only have one active address, and well,
    > you can probably guess that one. :)
    >
    > I would say that they are just using the domain that they are sending
    > to... see a message today about smarter spam
    >
    > --
    > http://dave.net.nz <- My personal site.
    > http://synaptic.net.nz <- Dunedin Based IT and ISP services
     
    Mark, Jun 14, 2005
    #5
  6. Mark

    Steve Guest

    The From: address does not necessarily have anything whatsoever to do with
    the sender. Have a look at RFC 821 and 2821. RFC 822 defines message
    headers which are internal to a mail message.

    Steve

    On Mon, 13 Jun 2005 20:11:02 -0500, Mark wrote:

    > Ahh yeah bingo, same text. Hmmm very smart spam isn't it.
    >
    >
    > "Dave - Dave.net.nz" <> wrote in message
    > news:...
    >> Mark wrote:
    >> > It doesn't look like a compromised machine.
    >> >
    >> > The email purports to be from the admin address on my network to a
    >> > user address. It looks crafted specifically to my network. I get
    >> > truckloads of
    >> > the boring generic spam as well, so I know the difference ;)
    >>
    >> It may not be compromised, but why else would it be sending so much
    >> spam? I've been getting ~20 a day for the last 3 days, all from admin@
    >> support@ help@ dave.net.nz... I only have one active address, and well,
    >> you can probably guess that one. :)
    >>
    >> I would say that they are just using the domain that they are sending
    >> to... see a message today about smarter spam
    >>
    >> --
    >> http://dave.net.nz <- My personal site. http://synaptic.net.nz <-
    >> Dunedin Based IT and ISP services
     
    Steve, Jun 14, 2005
    #6
  7. Mark

    Rob J Guest

    In article <42ae1cfe$0$91648$> in nz.comp on 13 Jun
    2005 18:57:03 -0500, Mark <> says...
    > It doesn't look like a compromised machine.
    >
    > The email purports to be from the admin address on my network to a user
    > address. It looks crafted specifically to my network. I get truckloads of
    > the boring generic spam as well, so I know the difference ;)


    Rubbish.

    All they have to do is take your domain and put support@ on the front of
    it.

    It is called Mytob and is well documented on all the antivirus sites. The
    mails will be coming from an infected PC.
     
    Rob J, Jun 14, 2005
    #7
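
Added example (not part of any post in this thread): a receive-side check for the pattern posts #6 and #7 describe, where the header From: carries the recipient's own domain with a role name in front while the SMTP envelope and connecting host belong to someone else. The domain example.org, the trusted host suffix, the finding names and the sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions for illustration: the receiving site's domain and its own mail hosts.
LOCAL_DOMAIN = "example.org"
TRUSTED_HOST_SUFFIXES = (".example.org",)
ROLE_LOCALPARTS = {"admin", "support", "help"}  # role names mentioned in the thread


def domain_of(addr):
    """Return the lower-cased domain part of an address ('' for a null sender)."""
    return addr.rpartition("@")[2].lower()


def check_message(envelope_from, client_host, raw_message):
    """Compare the RFC 2821 envelope and connecting host with the RFC 822 From: header."""
    msg = message_from_string(raw_message)
    header_from = parseaddr(msg.get("From", ""))[1]
    local, _, dom = header_from.rpartition("@")
    dom = dom.lower()
    findings = []
    external = not client_host.lower().endswith(TRUSTED_HOST_SUFFIXES)
    # Header claims our own domain, but the connection came from outside it.
    if dom == LOCAL_DOMAIN and external:
        findings.append("local-from-via-external-host")
        if local.lower() in ROLE_LOCALPARTS:
            findings.append("role-address-impersonation")
    # Envelope sender (MAIL FROM) and header From: disagree on the domain.
    if domain_of(envelope_from) != dom:
        findings.append("envelope-header-mismatch")
    return findings


# Constructed samples: (MAIL FROM, connecting host, message as received).
SPOOFED = ("someone@example.net", "host-203-0-113-7.dsl.example.net",
           "From: Support <support@example.org>\nTo: user@example.org\n"
           "Subject: Account notice\n\nPlease confirm the attached document.\n")
INTERNAL = ("alice@example.org", "mail.example.org",
            "From: Alice <alice@example.org>\nTo: user@example.org\n\nHi\n")
EXTERNAL = ("bob@example.net", "mx.example.net",
            "From: bob@example.net\nTo: user@example.org\n\nHi\n")

if __name__ == "__main__":
    for sample in (SPOOFED, INTERNAL, EXTERNAL):
        print(sample[1], check_message(*sample))
```

An envelope/header mismatch on its own is normal for mailing lists and forwarders; the local-domain-from-external-host finding is the one worth rejecting or quarantining on.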
  8. Mark

    Robert Cooze Guest

    Mark wrote:
    > In the last 24 hours this IP has been trying to send me a trojan, along with
    > a well written email pretending to be the network admin asking me to install
    > this patch otherwise my email will be "cut off":
    >
    > [14/Jun/2005 07:35:47] SMTP: From: , To: <>,
    > Size: 78475, Sender-Host: 219-89-114-151.adsl.xtra.co.nz
    > [14/Jun/2005 07:35:49] Found virus in mail from , To:
    > <>, : Generic Malware.a!zip
    >
    > I wonder if Xtra will do anything to stop them?
    >
    >

    Did it look a bit like this?

    Your e-mail account was used to send a huge amount of unsolicited spam
    messages during the recent week. If you could please take 5-10 minutes
    out of your online experience and confirm the attached document so you
    will not run into any future problems with the online service.

    If you choose to ignore our request, you leave us no choice but to
    cancel your membership.

    Virtually yours,

    I have snipped a lot and it came with a zipped attachment esjmh.zip

    I am investigating now

    --
    http://cooze.co.nz home of the RecyclerMan aka Robert Cooze

     
    Robert Cooze, Jun 14, 2005
    #8
  9. Mark

    Bryce Utting Guest

    Dave - Dave.net.nz wrote:
    >> [14/Jun/2005 07:35:47] SMTP: From: , To: <>,
    >> Size: 78475, Sender-Host: 219-89-114-151.adsl.xtra.co.nz
    >> [14/Jun/2005 07:35:49] Found virus in mail from , To:
    >> <>, : Generic Malware.a!zip
    >>
    >> I wonder if Xtra will do anything to stop them?

    >
    > complain continuously for 4 days and they will :)


    you've had better luck with them than I have!

    > to be fair, there must be a hell of a lot of compromised machines with
    > Xtra accounts, and they do have to give the people time to patch their
    > machines.


    no, they don't: it's a simple matter of disabling the account until
    the user complains, at which point Xtra can break the news to them,
    and ask them to call back to be reconnected once the machine's cleaned
    up.

    anything else is a reason to drop Xtra in the deny tables.


    butting
     
    Bryce Utting, Jun 15, 2005
    #9