Lodewijk

[Resolved] Receiving 50 Malware E-mails A Day

74 posts in this topic

This is my first post on this forum. I am glad someone on the Wilders Security forum gave me a link to it.

For about a week now I have been receiving some 50 e-mails a day with the following malware, according to my Avira AV:

"TR/Crypt.XPACK.Gen.Trojan"

"TR/Dldr.FakeAV.XD Trojan"

"HIDDENEXT/Crypted"

All these e-mails supposedly come from DHL, UPS, FEDEX, and USPS. I see they are all sent to addresses of clients of the same provider -Alice- I am also a client of.

I always run my default browser -Opera- sandboxed by Sandboxie, and since I am using Opera's built-in Mail program, all e-mails stay in the sandbox.

I have not opened any of the attachments as far as I remember.

Avira quarantines all of those as soon as they come in, but Opera, besides showing them in my Inbox, also shows them in my spam folder, where it also puts all of them. So there -and in the waste basket- I still have them intact. Avira only puts those in quarantine when I open them.

As a total newbie I have no idea how to report these malicious e-mails to SpamCop, and I don't understand most of the instructions I read.

Can I just send the e-mails on to a SpamCop address? Or how does it work?


Hi, Lodewijk,

...Welcome!

...My suggestion would be to look at the following "SpamCop FAQ" (there is a link near the top left of each SpamCop Forum page, including this one) articles:

  • "What is this? How does it work? How do I use it?"
  • "What do I need to know to get started reporting spam?"

(and perhaps other promising-looking articles under the "SpamCop Parsing and Reporting Service" label). If you have further questions after reading this, please post them here as a reply in this Forum "thread."

...Good luck!

...My suggestion would be to look at the following "SpamCop FAQ" (there is a link near the top left of each SpamCop Forum page, including this one) articles:
  • "What is this? How does it work? How do I use it?"
  • "What do I need to know to get started reporting spam?"

(and perhaps other promising-looking articles under the "SpamCop Parsing and Reporting Service" label). If you have further questions after reading this, please post them here as a reply in this Forum "thread."

Thank you!

I decided to make it easy on myself: I just paid the $30 and now have a SpamCop e-mail account.

To my surprise a whole new batch of the -to me now- usual UPS and DHL spam with malware appeared as soon as I hit the Inbox.

But also to my surprise I saw the option of reporting the e-mails as spam. So I did, all 20 (at least) of them.

Yet checking the 'Quick reporting data' afterwards I also saw that I had by mistake reported the legit PayPal confirmation e-mail for the payment of my new SpamCop account... :blush:

1. So now how do I "un-report" that PayPal one?

To have SpamCop fetch my mail from my Alice mail server I used 'in.alice.nl' -as I had it until now in my Opera Mail, but just removed it from there- and it is obviously working.

2. But what do I have to fill into my Opera Mail now to have it fetch my mail from the SpamCop server?

Thank you!
...My pleasure!
<snip>

1. So now how do I "un-report" that PayPal one? <snip>

...The answer to this is in another SpamCop FAQ entry: "How can I unsend a Report?"
2. But what do I have to fill into my Opera Mail to have it fetch my mail from the SpamCop server?
...Sorry, for this one I have nothing to offer. Hopefully someone who can answer will happen by soon. In the meantime, you might have a look at SpamCop Forum entries "FAQ about POP'ing out of SpamCop" and "http://forum.spamcop.net/forums/index.php?showtopic=152" to see if either or both of these are relevant to Opera.

...My pleasure!...The answer to this is in another SpamCop FAQ entry: "How can I unsend a Report?"...Sorry, for this one I have nothing to offer. Hopefully someone who can answer will happen by soon.

Speaking of getting a fast helpful reply here...! B)

I was still editing my above post!

Thank you again! :D

1. So now how do I "un-report" that PayPal one?

You cannot

To have SpamCop fetch my mail from my Alice mail server I used in.alice.nl and it is obviously working.

Have you set-up your mail-hosts?

http://mailsc.spamcop.net/mcgi?action=mhed...Lom13dMULktheLJ

Helps stop you shooting your toes off

2. But what do I have to fill into my Opera Mail to have it fetch my mail from the SpamCop server?

My set-up

Sending Mail / SMTP Server

smtp.cesmail.net Port 587

Receiving Mail (regular connection)

pop.spamcop.net

User/Logon Full SpamCop Email address

Password (Maximum 30 Characters)

You should stop using your other email address (let it run dry over time) and use your SpamCop one only and directly. This removes the incompetence problems your provider sticks you with.

You should stop using your other email address (let it run dry over time) and use your SpamCop one only and directly. This removes the incompetence problems your provider sticks you with.

Thank you.

In the meantime I have hit the 'Report as spam' button at least some 70 times since yesterday, but new ones of the same variety keep pouring in, all obviously from the same source masking as DHL, UPS, USPS, and FEDEX.

Since my provider normally blocks nearly all spam -only one or two a month slip through, and those often are marked as spam by my Opera Mail, plus my Avira AV moves all of these reported ones to quarantine from my Opera Mail- it makes no sense to me to continue to report these same e-mails over and over again, nor to keep my SpamCop e-mail account. I did my duty to report these malware e-mails, and hope they will soon appear on some blacklists, in which case my provider will also block this stream. Although I guess for that to be effective someone has to trace it to the source, which I hope will be done.

So I requested that my SpamCop e-mail account be canceled and the $30 refunded.

For others who don't have a provider who blocks spam -or not as much as mine- SpamCop is a great solution! I will always recommend it.

I thank all of you for your friendliness and help.

With kind regards,

Lodewijk

<snip>

In the meantime I have hit the 'Report as spam' button at least some 70 times since yesterday

<snip>

...Thank you!
Since my provider normally blocks nearly all spam -only one or two a month slip through, and those often are marked as spam by my Opera Mail, plus my Avira AV moves all of these reported ones to quarantine from my Opera Mail- it makes no sense to me to continue to report these same e-mails over and over again,

<snip>

...It is of course up to you whether to take the time to report your spam and I, for one, thank you for your efforts so far. However, because of the way the SpamCop blacklist works (see SpamCop FAQ entry labeled "What is on the list?" for details), I believe there is value to your continuing to report (although perhaps not an immediate value to you).
For others who don't have a provider who blocks spam -or not as much as mine- SpamCop is a great solution!

<snip>

...Also for those of us whose provider blocks (well, quarantines) spam but who care about the health of the internet and want to contribute by reporting spam, hoping that some providers and law enforcement officials take notice. :) <g>

...Thank you!...It is of course up to you whether to take the time to report your spam and I, for one, thank you for your efforts so far. However, because of the way the SpamCop blacklist works (see SpamCop FAQ entry labeled "What is on the list?" for details), I believe there is value to your continuing to report (although perhaps not an immediate value to you)....Also for those of us whose provider blocks (well, quarantines) spam but who care about the health of the internet and want to contribute by reporting spam, hoping that some providers and law enforcement officials take notice.

I get your point. Thing is all the e-mails with malware attachments I'm getting are from the same source. It's always DHL, UPS, USPS, and FEDEX. The bodies of the texts in the e-mails are identical, only some details in the headers change slightly. Like "DHL MANAGER 39" <manager.708[at]dhl.com>, "DHL TEAM 247" <manager.578[at]dhl.com>, "Fed Ex SUPPORT 09" <support.56[at]fedex.com>, "Fed Ex MANAGER 64" <manager.892[at]fedex.com>, etc., followed by a 'Send to' e-mail address and a 'Reply to' address I don't recognize, and they also vary. Endless slight variations of the headers seem to be made up constantly.

I just hope some authority can do something about this with the nearly 100 I have reported by now. If that is not enough, nothing will be... :P

<snip>

Thing is all the e-mails with malware attachments I'm getting are from the same source. It's always DHL, UPS, USPS, and FEDEX.

<snip>

...But please note that a "From" address is not the spam source -- some machine is the source. "From" addresses are easily (and, in my experience, almost always) forged. The objective of SpamCop is to identify those machine sources and, if the admin doesn't address the problem, put them on the SCBL (SpamCop blacklist).

...It is possible that what you are experiencing is the result of a spam run using a Botnet.
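The distinction made above (the "From" address is forged, the machine that handed the message to your provider is the source) is exactly what reviewing the headers before reporting is about. The following is an added example, not code from this thread or from SpamCop: it parses the Received: chain of a constructed sample message, skips the hops that belong to your own provider (the trusted-mailhost set here, `TRUSTED_HOSTS` and `TRUSTED_IPS`, is an assumption modelled on SpamCop's MailHosts idea; the host names and IPs are made up), reports the first untrusted relay as the origin, and checks whether the From: domain is consistent with that relay. It goes beyond the thread's specific case by also handling a message whose From: domain does match its sending host.

```python
"""Find the originating relay of an e-mail from its Received: chain and compare it
with the From: header. Added example for illustration; not SpamCop's code.
Provider host names, IP addresses and the sample messages are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

# Hops owned by *your* provider (constructed values). Anything matching these is
# trusted and must never be reported as the spam source.
TRUSTED_HOSTS = {"in.alice.nl", "mx1.alice.nl"}
TRUSTED_IPS = {"192.0.2.10", "192.0.2.11"}

# Constructed sample resembling the fake courier mails in the thread. Received:
# headers are read top-down; the top one is the hop closest to the recipient.
FAKE_DHL = """\
Received: from mx1.alice.nl (mx1.alice.nl [192.0.2.11])
\tby in.alice.nl with ESMTP id abc123; Thu, 1 Jan 2015 10:00:02 +0100
Received: from dhl.com (unknown [198.51.100.77])
\tby mx1.alice.nl with SMTP id xyz789; Thu, 1 Jan 2015 10:00:01 +0100
Received: from localhost (localhost [127.0.0.1])
\tby dhl.com with SMTP; Thu, 1 Jan 2015 10:00:00 +0100
From: "DHL MANAGER 39" <manager.708@dhl.com>
Reply-To: <someone@example.net>
To: <victim@alice.nl>
Subject: DHL delivery notification

Your parcel could not be delivered. See attached document.
"""

# Constructed legitimate sample: the relay's reverse DNS matches the From: domain.
LEGIT = """\
Received: from mx1.alice.nl (mx1.alice.nl [192.0.2.11])
\tby in.alice.nl with ESMTP id def456; Thu, 1 Jan 2015 11:00:01 +0100
Received: from mail.example.com (mail.example.com [203.0.113.5])
\tby mx1.alice.nl with ESMTP id uvw321; Thu, 1 Jan 2015 11:00:00 +0100
From: "Example Newsletter" <news@example.com>
To: <victim@alice.nl>
Subject: Monthly update

Hello.
"""

# "from <helo> (<reverse-dns> [<ip>])" as written by most MTAs.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(([^\s\)]*)\s*\[([\d.]+)\]\)", re.I)


def parse_received(value):
    """Return (claimed_helo, reverse_dns, ip) from one Received: header, or None."""
    m = RECEIVED_RE.search(value)
    return (m.group(1), m.group(2), m.group(3)) if m else None


def find_source(raw):
    """Walk the chain from your side outward and return the first hop that is not
    one of your trusted mailhosts. Hops below it were written by the sender and
    cannot be trusted, so they are ignored. Returns None if nothing untrusted."""
    msg = message_from_string(raw)
    for value in msg.get_all("Received", []):
        hop = parse_received(value)
        if hop is None:
            continue
        helo, rdns, ip = hop
        if ip in TRUSTED_IPS or rdns in TRUSTED_HOSTS or helo in TRUSTED_HOSTS:
            continue  # our own provider: never the source, never to be reported
        return {"ip": ip, "claimed_helo": helo, "reverse_dns": rdns}
    return None


def from_domain(raw):
    """Domain part of the From: address (lower-cased), or '' if absent."""
    addr = parseaddr(message_from_string(raw).get("From", ""))[1]
    return addr.rpartition("@")[2].lower()


def from_is_forged(raw):
    """True when the From: domain does not match the originating relay's reverse
    DNS; None when no untrusted relay could be identified."""
    src = find_source(raw)
    if src is None:
        return None
    rdns, dom = src["reverse_dns"].lower(), from_domain(raw)
    return not (rdns == dom or rdns.endswith("." + dom))


if __name__ == "__main__":
    for name, raw in (("fake DHL", FAKE_DHL), ("legit", LEGIT)):
        print(name, find_source(raw), "forged From:", from_is_forged(raw))
```

The function stops at the first untrusted hop because every Received: line below it was added by the sender's own machine and can say anything; that is also why the report should go to the owner of that relay's IP rather than to the domain in From: or Reply-To:.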

I get your point. Thing is all the e-mails with malware attachments I'm getting are from the same source. I just hope some authority can do something about this with the nearly 100 I have reported by now. If that is not enough, nothing will be...

Most email spam and malware/viruses are sent via "Botnets". If your ISP had any conscience or brains it would virus scan your email and delete virus-infected email before delivery (it's not a brain challenge to do this). Your SpamCop Email account does this, and that is why you are best to stop using your ISP's one (start advising contacts of an email change of address). Even Gmail offers a better, safer email address than the vast majority of ISPs (they are just good at milking bank accounts).


Thank you both.

Yes, I also thought it was a botnet deal. I guess someone with my address in his/her address book opened the attachments, the malware recorded my e-mail address -among others- and now the e-mails keep coming. I just received another batch of 30 or so.

My Opera Mail recognizes them as spam, and my Avira AV puts them in quarantine. All within the sandbox.

So I guess SpamCop and the agents it forwarded this to have not traced the flow to the source (yet), and it will continue until either the culprit is stopped -by one of those agents, as I guess SpamCop does not do that- or I no longer use the ISP e-mail address given by my provider, using only SpamCop's for example.

Or I could change my ISP -provider- e-mail address.

Do I understand this right?

PS:

I feel that changing my e-mail address would be a cop-out. Others will still receive the malware until some agency traces it to the source and stops it.

So I just sent an e-mail to the Dutch governmental agency set up to fight cyber crime -I live in Holland- explaining this thing to them.
Or I could change my ISP -provider- e-mail address.

Do I understand this right?

PS:

I feel that changing my e-mail address would be a cop-out. Others will still receive the malware until some agency traces it to the source and stops it.

So I just sent an e-mail to the Dutch governmental agency set up to fight cyber crime -I live in Holland- explaining this thing to them.

Botnets are growing faster than they can be shut down along with the spread of malware/viruses.

Your ISP email address was never any good. You would do better dumping it and demanding compensation for their lousy service that is actually helping the spread of malware. By not accepting an ISP email address means your bill should also be cheaper (they stink at providing one anyhow)

If you turn on SpamCop Greylisting it stops non-email servers from delivering to your email address for starters (although it will slow down receiving email in time by about 30 min, if email is not whitelisted)

Providers should be blocking Port 22 (this is the outgoing smtp port, which would stop 99% of spam being sent without going through a local mail server)

It would pay to ask your "Dutch governmental agency" to advise all Dutch ISPs to block port 22 if they are not already doing so. I got this message through to Australian ISPs and that is why little spam comes from Australia. Spammers now need passwords to send spam using Grandma and Grandpa (naive user) type computers.

Thank you.

In fairness I have to say that this is the first time I am getting all these malware e-mails since I am with this provider (Alice), as its spam filter has -during the 4 years I have been with them- until now put 99% of all spam in a separate 'Unwanted mail' folder. I clean it out once every few weeks, going to my e-mail box on their website, after checking to make sure there are no false positives, which there seldom are.

I just now called them and spoke with someone from their technical team. He said that lately they have received lots of reports on this issue, and are in contact with the US company who provides the spam filter service for them.

He also said that they'll call me back about me getting a new e-mail address.

I had a phone/Internet connection not working once -I had to use my cell phone to call them- and they checked the line while I waited. They found out that it was in one of the phone centrals, and fixed it right away from their end (to me it was 'spooky action' at a distance). While I was still on my cell phone the lady told me to try again and see if my home phone worked now. So I tried and it did. So did my Internet connection of course.


I just now noticed that my provider's spamfilter has begun to put the rows of fake DHL, UPS, USPS, and FedEx with malware in my 'Unwanted mail' folder.

Looks like they made work of it. I feel greatly relieved.

I just now noticed that my provider's spamfilter has begun to put the rows of fake DHL, UPS, USPS, and FedEx with malware in my 'Unwanted mail' folder.

Looks like they made work of it. I feel greatly relieved.

This has done more on stopping spam than simply one person reporting.

Good work

Still, it will help further to put them in your SpamCop "held folder" and report them.

Even "Quick report" (this attempts to notify the provider sending them)
<snip>

Even "Quick report" (this attempts to notify provider sending them)

...The Quick Reporting FAQ is at URL http://forum.spamcop.net/forums/index.php?showtopic=163. Please take special note of the WARNING. It is because of that warning that I do not use Quick Reporting, especially since my e-mail provider has added and switched IP addresses on routing servers in the past, causing me to accidentally report my e-mail provider!


Because I wanted to keep using my ISP e-mail address, and my provider is beginning to place some of the mentioned malware e-mails in the 'Unwanted mail' folder, I canceled my SpamCop account and got a refund.

I wanted to have SpamCop fetch my mail from my ISP address -which it did- and then have my Opera Mail fetch it from my SpamCop account. While I wanted to send e-mails directly from my Opera Mail through my ISP mail address, thus bypassing my SpamCop account for outgoing mail. But I did not see how to set that up. My Opera Mail can only be set to one same provider or e-mail account for incoming and outgoing mail it seems.

But since my provider has so far begun to filter out only about 20% of the fake DHL, UPS, USPS, and FedEx mails with malware attachments, I would still like to report the unfiltered ones to SpamCop.

The 'Quick Reporting' is "dangerous" it warns, as it might register your ISP as spam (if I understand it well.)

The headers of the malware e-mails I get are all similar to these examples:

"UPS MANAGER 630" <support.195[at]ups.com>

"UPS TEAM 139" <support-120[at]ups.com>

I see no info on my ISP there. Can I just report those headers -or part of them, like "support-120[at]ups.com"- to SpamCop, and if so, how exactly?
<snip>

The headers of the malware e-mails I get are all similar to these examples:

"UPS MANAGER 630" <support.195[at]ups.com>

"UPS TEAM 139" <support-120[at]ups.com>

I see no info on my ISP there.

...Your ESP and/or ISP would appear as an IP address in a different header line. You may not recognize it as such.

...We've now come full cycle to my initial reply to your very first post (#78311). :) <g>

...To avoid reporting your ESP and/ or ISP as a spam source, just review the e-mail addresses to which SpamCop is offering to send reports and "uncheck" those e-mail address offerings or Cancel. Completing the SpamCop "MailHosts" process will also help but you must always ensure that SpamCop is not going to send reports to your ISP or ESP.

I see no info on my ISP there. Can I just report those headers -of part of them, like "support-120[at]ups.com" to SpamCop, and if so, how exactly?

To set up a free SpamCop reporting account.

Then you must register your email host. It's just a matter of clicking the TAB "MAILHOSTS", then click "Add new hosts", put your email address in the box (give the email host a name in the 2nd box) and click send.

You will be sent a number of emails to that address, with a URL link in email.

"Please return this complete email, preserving full headers and the special

tracking codes below. Visit this address:"

For EACH email you are sent copy FULL HEADERS & BODY as if you are reporting spam. Paste in box provided,

Then click button "Process Sample"

You have now report proofed your email host/s

Quick Reporting is initially disabled. Once you become experienced you can then enable "Quick Reporting".

Once this is done you may wish to try a program called "MailWasher" (do not use its "feature" to bounce email). This Windows program acts as your own mail server, allowing you to sort your spam using/selecting your own online blocklists and automatically submitting them to SpamCop via your super-secret Submitting SpamCop email reporting address.
<snip>

Then you must register your email host. Its just a matter of clicking the TAB "MAILHOSTS" then click "Add new hosts" .... You have now report proofed your email host/s

<snip>

...With all due respect to a long-serving and knowledgeable fellow volunteer, no, you have not (IMHO). Please see my post in SpamCop Forum article "FAQ Entry: What is Quick Reporting?" Caution must still be exercised in sending reports.


Thank you all very much.

To be frank, I just had to google "What is ISP?" As I had guessed it means "Internet Service Provider", but otherwise I would not have been sure.

This is an example of the extent of my technical Internet knowledge. Nearly zilch.

Reading through the FAQ list I see so many abbreviations I have no idea what they stand for -let alone know what they would mean in the context of what I need to know to set up safely reporting spam- that I don't even want to begin studying it. It would take me many hours of reading, googling, and still asking lots of questions here...

I just now tried to register for the free reporting option, but I got a message that my e-mail address has already been registered. I did have a paid account, but for the given reasons in my last post had asked to cancel it and been given a refund:

"I wanted to have SpamCop fetch my mail from my ISP address -which it did- and then have my Opera Mail fetch it from my SpamCop account. While I wanted to send e-mails directly from my Opera Mail through my ISP mail address, thus bypassing my SpamCop account for outgoing mail. But I did not see how to set that up. My Opera Mail can only be set to one same provider or e-mail account for incoming and outgoing mail it seems."

I would like to be able to report the malicious e-mail stream I am still receiving -my provider still only filtering out maybe 20% of those fake UPS, USPS, DHL, and FedEx mails with malware attachments- but only the really safe way, not the Quick Reporting way, as I am liable to make mistakes with my limited knowledge. (Just reading what can go wrong -and even getting fines- scares me away from that.)

I looked at Mailwasher and would like to use it in combination with SpamCop as suggested.

I don't want to keep bugging you guys, but if it would not be a drag to you, how do I proceed now with my e-mail address already registered?

PS:

I installed Mailwasher free, and see the option to report spam to SpamCop. For that I guess I have to fill in my SpamCop e-mail address. But that has expired, and I only see the option "Renew" when I go to my account, but that is for a paid account. How do I get a free one, taking into account that my ISP e-mail address is already registered, and that my (paid) SpamCop account has expired?

<snip>

(Just reading what can go wrong -and even getting fines- scares me away from that.)

...First, you are not subject to fines as such fines are only assessed against paying members; now that you have a refund (or it is on its way), you are no longer a paying member. Next, it actually is not that hard to avoid reporting your ISP (or ESP -- e-mail Service Provider), you just have to review the e-mail addresses that SpamCop is offering to send reports on your behalf and if your provider appears there, uncheck that address or cancel the reports. And, in any event, paying careful attention to the e-mail addresses to which SpamCop is offering to send reports is a good practice for everyone to follow all the time (but something you can not do if you use Quick Reporting, which is why I recommend against using it).
<snip>

...how do I proceed now with my e-mail address already registered?

<snip>

...Seems like a special situation that might be best handled by directly contacting the SpamCop Deputies at e-mail address deputies[at]admin.spamcop.net.

...Good luck! :) <g>


Thank you again very much!

If I remember well -I'm not sure- all those mentioned e-mails -or most of them- were already marked as spam by SpamCop during the short time I had the paid account. SpamCop works very well.

The last time I reported them as spam to SpamCop I did it while SpamCop had already marked them as spam, of that I'm certain. But I only realized it was an error right after I had reported them. :blush:

I just now added SpamCop's blacklist to the default Spamhaus' blacklist in my MailWasher settings.

I see that so far all the mentioned malware e-mails that are marked as spam by MailWasher have the message "Origin blacklisted by Spamhause." A few are undecided, and I mark them as spam.

(I just started a little experiment: I un-checked the Spamhaus blacklist and only left SpamCop's blacklist checked in MailWasher... to see if more are still left undecided. In any case I will ask the SpamCop administrator if my canceled paid account can be changed into a free one, so I can have MailWasher report any undecided e-mails to SpamCop.)

Question: Why might it be better not to utilize MailWasher's 'bounce back' option?

Question: Why might it be better not to utilize MailWasher's 'bounce back' option?

The so called "Bounce Back" option just bounces back to the "From" address which is mainly forged. Often from poisoned email addresses (spamtraps).

This is then often reported as spam by the "Joe" you "bounce" it back to, causing your own ISP's mailserver to get listed/blocked! Possibly by a "blacklist" that is far harder to get off than SpamCop's.