VOGONS


spoofed mail


First post, by Qbix

Rank: DOSBox Author

Hi,

Somebody is sending virus-infected email spoofed with my email address (the SourceForge one).

It's a message with an attachment: a zip file containing a .pif file, which contains the virus.

I don't have the virus, and neither do I send the messages (I'm a Linux user and it's a Win32 virus).

Today alone I got 50 delivery failure messages. So think about how many the virus sends.

Anybody got an idea how to find the infected PC that is creating the messages?

Qbix

Water flows down the stream
How to ask questions the smart way!

Reply 1 of 7, by Harekiet

Rank: DOSBox Author

Hehe, got about 800 mails today. Hurray for people still using Outlook or whatever other crappy mail client.

Reply 2 of 7, by MajorGrubert

Rank: Member
Qbix wrote:

Today alone I got 50 delivery failure messages. So think about how many the virus sends.

Anybody got an idea how to find the infected PC that is creating the messages?

Depending on how the destination servers handled the delivery failure messages, they may contain all the original headers with clues leading to the original sender. Do you want some help taking a look at them?

Regards,

Major Grubert

Athlon 64 3200+/Asus K8V-X/1GB DDR400/GeForce FX 5700/SB Live! 5.1

Reply 3 of 7, by Snover

Rank: l33t++

They don't. The virus, Sobig.F@mm, does a nice job of masking the true sender. Good thing it dies September 10.

Yes, it’s my fault.

Reply 4 of 7, by MajorGrubert

Rank: Member
Snover wrote:

They don't. The virus, Sobig.F@mm, does a nice job of masking the true sender.

Any virus/worm can try to mask the e-mail address of the sender, but as soon as it sends a message the SMTP server that receives it will certainly log the IP address that originated the message and a timestamp. This should be true for all servers that are involved in handling the message, starting with the relay server at the sender's ISP. Take a look at the full header of a message and look for lines starting with "Received by:".

Regards,

Major Grubert

Athlon 64 3200+/Asus K8V-X/1GB DDR400/GeForce FX 5700/SB Live! 5.1

Reply 5 of 7, by Qbix

Rank: DOSBox Author

I actually checked quite a few headers myself.

No good use for them (quite a few originate from 127.0.0.1).

I would be glad if the virus died. I still get 100+ each day, which is 10 MB for my mailbox.

Water flows down the stream
How to ask questions the smart way!

Reply 6 of 7, by MajorGrubert

Rank: Member
Qbix wrote:

I actually checked quite a few headers myself.

No good use for them (quite a few originate from 127.0.0.1).

That's strange. Even if someone uses his own PC as an SMTP server, the next server (probably at your ISP) would add a header identifying the public IP address of the sender. There's no way to masquerade this, since the SMTP server will log the IP address of the other server talking to it as reported by the TCP/IP stack. In other words, some traces must remain.

BTW, are you sure that your Linux box is not receiving malformed mails and/or non-delivery reports that end up "bouncing" inside your own machine?

Regards,

Major Grubert

Athlon 64 3200+/Asus K8V-X/1GB DDR400/GeForce FX 5700/SB Live! 5.1
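The header walk MajorGrubert describes in Replies 4 and 6, as an added example that is not part of this thread: parse the Received: chain of a bounced copy, discard the hops the sending machine wrote itself (the 127.0.0.1 lines Qbix saw), and keep the peer address the first real relay recorded from the TCP connection. The headers, host names and addresses are constructed for illustration; the RFC 5737 documentation ranges stand in for public addresses.

```python
import email
import ipaddress
import re

# Constructed sample: headers of a bounced copy of a spoofed message, newest
# hop first. The oldest hop claims 127.0.0.1 and was written by the infected
# machine; the hop above it was written by the ISP relay from the real
# connection, so its bracketed IP is the one worth reporting.
SAMPLE_HEADERS = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby imap.example.org with ESMTP id abc123; Fri, 22 Aug 2003 10:04:11 +0000
Received: from isp-relay.example.net ([198.51.100.7])
\tby mx.example.net with SMTP; Fri, 22 Aug 2003 10:04:09 +0000
Received: from localhost (unknown [203.0.113.45])
\tby isp-relay.example.net with SMTP; Fri, 22 Aug 2003 10:04:08 +0000
Received: from 127.0.0.1 (localhost [127.0.0.1])
\tby localhost with SMTP; Fri, 22 Aug 2003 10:04:07 +0000
From: spoofed-author@users.sourceforge.example
"""

# Loopback, link-local and RFC 1918 ranges: such an address proves nothing.
_INTERNAL = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]
_HOP = re.compile(r"from\s+(\S+).*?\[(\d{1,3}(?:\.\d{1,3}){3})\].*?\bby\s+(\S+)")


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in _INTERNAL)


def parse_received(headers_text):
    """Return the Received hops newest-first as dicts with keys from, ip, by."""
    msg = email.message_from_string(headers_text)
    hops = []
    for raw in msg.get_all("Received", []):
        m = _HOP.search(" ".join(raw.split()))  # unfold and squeeze whitespace
        if m:
            hops.append(dict(zip(("from", "ip", "by"), m.groups())))
    return hops


def find_origin(hops):
    """Walk the chain oldest-first and return the first hop whose peer IP is
    routable: a relay took that address from the TCP connection, so the worm
    could not forge it. Older hops are sender-written and counted as unverifiable."""
    for skipped, hop in enumerate(reversed(hops)):
        if not is_internal(hop["ip"]):
            return {"ip": hop["ip"], "recorded_by": hop["by"], "unverifiable_hops": skipped}
    return None
```

Run `find_origin(parse_received(SAMPLE_HEADERS))` to see the relay-recorded address and the number of discarded sender-written hops; the returned IP plus the timestamp on that hop is what the relay's operator would need to match against their logs.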

Reply 7 of 7, by Qbix

Rank: DOSBox Author

Nope, the mail is on an IMAP server (which isn't my Linux box).

I'm grateful for that, as otherwise I would have to download all that shit as well. Now I only have to delete it on the server! ;)

Water flows down the stream
How to ask questions the smart way!