"Virus removed from your message!"

[Brian Kendig]

My spam filters are pretty good - but now the largest source of messages in my junk mailbox are the bounces from antivirus software that's trying to be helpful, but is too stupid to realize that the address on the spam is forged.

WARNING: eShield has detected a virus in file

attached to this e-mail message!

The attachment has been automatically removed to

protect your network.

Found virus WORM_LOVGATE.V in file document.txt.exe (in document.zip)

The uncleanable file is deleted.

That sort of thing. I'm getting really annoyed by them, because they're a form of spam, too. I'd like opinions - should I use SpamCop to report these?

I'm also getting really tired of the "delivery failed" bounce messages from servers which only decide to bounce a message *after* they've accepted delivery. I don't understand why anyone would configure a server to accept first and bounce later. Does anybody here have a good methodology for dealing with these?

And, is there a service like SpamCop that I can use to report worm emails, like all the "Good day" and "hello" messages I'm getting, to automatically figure out what network they're coming from so that network's administrators can cut off the infected PCs?

[turetzsr]

Hi, Brian!

...Looks like you can find the answer by browsing to the link (the first message on the "home" page of all of the fora here) labeled "Pinned: Original SpamCop FAQ Plus - Read before Posting," clicking the link on that page labeled "Rules - everybody read! (recent changes made ... you may need to re-look)" and finally the link on that page labeled "On what type of email should I (not) use SpamCop?"

...If, after reading this, you still have questions, please do return here to post a follow-up message.

[Brian Kendig]

Thanks for that link! I did read the pinned post in question, but I missed that one link among the dozens of others on the page. I didn't think this was a rules issue - I was looking specifically for links about bounce messages. (Perhaps that pinned post could be made a summary of what people need to know, rather than a site map.)

So, from that link you gave me, it looks like the second part of the definition of spam is no longer as strict - a message doesn't have to be bulk, if it was misdirected to me unsolicited, and not just due to human error?

Thank you for the info!

[turetzsr]

Thanks for that link! I did read the pinned post in question, but I missed that one link among the dozens of others on the page. I didn't think this was a rules issue - I was looking specifically for links about bounce messages. (Perhaps that pinned post could be made a summary of what people need to know, rather than a site map.)

27261[/snapback]

...Perfectly understandable! After long experience, I am quite familiar with the "official" SpamCop FAQ (which is where those "rules" actually reside) and it took me quite a while to figure out which link in the "Pinned ... FAQ" gets you there. Hopefully one of the helpful volunteers here (perhaps me) will take it upon her/himself to come up with a graceful way to make it easier to find the "On what type of email..." page.

So, from that link you gave me, it looks like the second part of the definition of spam is no longer as strict - a message doesn't have to be bulk, if it was misdirected to me unsolicited, and not just due to human error?

27261[/snapback]

...Essentially correct. Another way to look at it is that while you may have gotten what appears to be a "private" e-mail, a bounce to a forged e-mail address is in principle "bulk" because it would go to everyone whose e-mail address is forged (and presumably would go to many e-mail addresses if the forged "from" line contained a list of addresses).

Thank you for the info!

27261[/snapback]

...Glad to have been of help! <g>

[Wazoo]

...Perfectly understandable!  After long experience, I am quite familiar with the "official" SpamCop FAQ (which is where those "rules" actually reside) and it took me quite a while to figure out which link in the "Pinned ... FAQ" gets you there.

After catching the last major changes there, the Forum Faq entry was changed to read;

Rules - everybody read! (recent changes made ... you may need to re-look)

Further changes needed?

Hopefully one of the helpful volunteers here (perhaps me) will take it upon her/himself to come up with a graceful way to make it easier to find the "On what type of email..." page....

Notmally one would use "anchor tags" and put a link to the seb-section desired. However, the www.spamcop.net FAQ page doesn't have those tags embedded, so there's really no way to point to a paragraph there from here.

Essentially correct.  Another way to look at it is that while you may have gotten what appears to be a "private" e-mail, a bounce to a forged e-mail address is in principle "bulk" because it would go to everyone whose e-mail address is forged (and presumably would go to many e-mail addresses if the forged "from" line contained a list of addresses)....Glad to have been of help! <g>

I seem to recall adding stuff to the Glossary here, but it's been long enough that I'd need to go back and see how far I went with this 'blowback' issue (from appearances at this point, I'm way behind in reading all the new postings this morning/today <g>)

[shmengie]

I wouldn't report those messages, other than striking up a conversation with the person who's bounced the message to you.

Someone who has you in their address book is infected with a virus. The only way I know to resolve this type of issue is to write the isp of the origniating infected message.

Bounces too often have any/all useful information removed from the original e-mail. Appearently the author of the anti-virus wares chooses to blame the named "originator" instead of pinpointing the actual originating address as the culprit.

If you recieve an infected e-mail, you need to report to the isp where the infection originated, unless you can guess who might be the infected party. In that case contact them directly and point them to some of the free tools or have their anti-virus wares updated.

ISP's will shut off infected computers connections, so if it's a friend of yours it would be nice of you to contact them first. But you're stuck guessing, because ip address often don't provide very difinative identification.

Now it seems strange to me that a virus would send mail under your e-mail address, yet never send e-mail to you. So if you've recieved infected messages with somone elses address (would would make sense), it may be coming from the same infected computer, trying to entice you into clicking on the infection. Report these!

If you don't recieve viri in the mail, encourage the bounce originators to report the infected mail.

If the viri continue to spread, we'll never see an end of the spam. So far, they propogate better than rabbits.

80 percent (if not more) of all spam is relayed thru zombies this viri creates.

I've taken it upon myself to report all viri I recieve to the originating ISP. After living with a years worth of viri in the mail, after a couple of months reporting (LOL?) it's completely ceased.

[turetzsr]

I wouldn't report those messages, other than striking up a conversation with the person who's bounced the message to you.

Someone who has you in their address book is infected with a virus.  The only way I know to resolve this type of issue is to write the isp of the origniating infected message.

<snip>

27285[/snapback]

...IIUC, that is not the only way for this to happen. I would report them (unless SpamCop can only find my own e-mail service as the source) and encourage everyone who receives them to do so.

[Lking]

turetzsr is correct, this whole thread assumes that there really was an infected messages that bounced.

Looking at the "bounced" messages I have receive of late I tend to think the whole thing is a fake designed to get me (you) to open the message to see which of your messages didn't get delivered. If you take the bate you get the hook or virus. When I run these "bounced" messages through SC the list of links and reports seems to include ROK, china, and .ru domains. Now I have some well traveled friends but it would take several degrees of freedom to make the net send a message from a friend of a friend, through china to me. Although there is some truth to 6 degrees of freedom, a totally stochastic net would have a low probalility of sending all my bounced messages through Russia.

On the other hand about 2 yrs ago I pissed off some one, that turned out to be a kid, who spewed the world with obscene emails with my address as the FROM: Reply-TO: About 1/2 of the messages he sent either bounced or generated "don't send this stuff to me" responses. It was fun to take the ~400 messages and tracking to the local metro HS.

Some of your may be real bounced messages, some may not. As the 'Read me first' directs some is spam and should be reported. Some should lead to other action.

[agsteele]

My spam filters are pretty good - but now the largest source of messages in my junk mailbox are the bounces from antivirus software that's trying to be helpful, but is too stupid to realize that the address on the spam is forged.

That sort of thing. I'm getting really annoyed by them, because they're a form of spam, too. I'd like opinions - should I use SpamCop to report these?

27257[/snapback]

Whilst you could LART this type of message, manually if not using the SpamCop system.

To my my kind, though, this type of message is an entirely different quality to the more common or garden spam.

As others have suggested, if you want to tackle these messages then strike up a conversation with the postmaster of the destination concerned.

I've got one or two filters in my mail program which move this type of message to a junk folder and they are quietly deleted. Personally, I'd consider reporting via SpamCop to be rather too aggressive an approach.

Andrew

[Brian Kendig]

Wazoo: I think my eye reflexively skipped over that "Rules - everybody read!" link because it was red, the usual color of links I've already visited. I probably assumed I'd already visited that page as I was wandering around looking for information.

turetzsr: I've started using SpamCop to report everything that ends up in my "junk" folder, including worm emails and erroneous bounces. Thank you again!

I have one more question: when I use SpamCop to report a worm email or an improper bounce, what does the message say that gets sent to the site administrators? Does it say "you allowed spam on your network", or is it smart enough to recognize what kind of message is being dealt with and say "a PC on your network has a virus" or "stop making your mail server send out bounce messages" instead?

[Jeff G.]

when I use SpamCop to report a worm email or an improper bounce, what does the message say that gets sent to the site administrators? Does it say "you allowed spam on your network", or is it smart enough to recognize what kind of message is being dealt with and say "a PC on your network has a virus" or "stop making your mail server send out bounce messages" instead?

27342[/snapback]

The message sent to the site admin remains the same. Currently, it says:

[ SpamCop V1.439 ]

This message is brief for your comfort.  Please use links below for details.

...

[Tracking URL]

[ Offending message ]

[Offending message]

[Wazoo]

Wazoo: I think my eye reflexively skipped over that "Rules - everybody read!" link because it was red, the usual color of links I've already visited. I probably assumed I'd already visited that page as I was wandering around looking for information.

OK, I'll go with that ... will change something ....

I have one more question: when I use SpamCop to report a worm email or an improper bounce, what does the message say that gets sent to the site administrators?

Not clue on the e-mail submittal, but use of the paste-your-spam-in-the-box web-form offers a "Preview" button to see what is actually going to go out.

[turetzsr]

Wazoo: I think my eye reflexively skipped over that "Rules - everybody read!" link because it was red, the usual color of links I've already visited. I probably assumed I'd already visited that page as I was wandering around looking for information.

27342[/snapback]

OK, I'll go with that ... will change something ....

<snip>

27361[/snapback]

...Seems to me we actually need a separate link to call up the "On what type of email..." page directly.

[Lking]

I have one more question: when I use SpamCop to report a worm email or an improper bounce, what does the message say that gets sent to the site administrators? Does it say "you allowed spam on your network", or is it smart enough to recognize what kind of message is being dealt with and say "a PC on your network has a virus" or "stop making your mail server send out bounce messages" instead?

27342[/snapback]

Reading the FAQ there is a quote in there some where about using the NOTE section to give 'credibility to your report.' This is where I report that the message contained W32.netsky.P[at]mm or that I don't read Russian or what ever.

[Wazoo]

Forum FAQ updated .... ready to allow the tag on this Topic as resolved?

[eric]

Someone who has you in their address book is infected with a virus.  The only way I know to resolve this type of issue is to write the isp of the origniating infected message. 

27285[/snapback]

Unfortunately, this is not totally correct. What it means is that some infected PC has you in an address book, or has your email address in any of the myriad text files that a virus might scan and "phone home". This has resulted in your email address being added into a virus-fed list. Some [possibly other] infected PC sent the virus to your email address because it appeared on a list of live email addresses known to the virus. (or has been published in a Usenet news article, or any kind of Internet message, even IM/SMS to an infected PC/phone.)

Your email address got added to the virus's list somehow. Bummer.

This list is especially "target-rich" because it includes email addresses culled from actual live email inboxes, as well as email addresses [valid or not] scraped from address books, bookmarks, and plain text files on the victim's PC, all of which are very likely to be live addresses. Moby bummer.

The virus-infected PC is not necessarily the source of the spam; indeed, it is very unlikely to be the actual source of the spam. The virus has transmitted your email address (and many others) back to the Mother Ship, so that spam can be sent to the harvested addresses. Molto moby bummer!

[Jeff G.]

Of course, when a virus or worm infects a spammers computer, it can use the email addresses found in spammee lists from Millions CDs, scraping, trades, and purchases. Yet another bummer.

FYI, some of the accounts I monitor have been getting hit in the last 24 hours with the Sober.O worm, which was just discovered yesterday (May 2nd) per Symantec, and which AVG Anti-Virus Free Edition (latest update: Program version 7.0.308; Virus base 266.11.2; and Release date 2005/05/02) is misidentifying as "I-Worm/Sober.P". Please see http://free.grisoft.com/doc/7/lng/us/tpl/v5/idv/170565 and mm.html]http://www.sarc.com/avcenter/venc/data/w32.sober.o[at]mm.html for more info.

[Brian Kendig]

FYI, some of the accounts I monitor have been getting hit in the last 24 hours with the Sober.O worm,

The problem with reporting this worm thru SpamCop is that the worm emails will mention the domain that the email is falsely claiming to be sent thru, as in:

ok ok ok,,,,, here is it

*** Server-AntiVirus: No Virus (Clean)

*** "MAC" Anti-Virus

*** http://www.mac.com

In this example, SpamCop will think that www.mac.com is a domain being advertised by the spam, and will send an abuse email. (Well, not to mac.com in particular because it says that site doesn't accept reports, but it'll send abuse emails to other sites when named.) The result is that if you report these worm emails through SpamCop, you've got to uncheck the addresses for the domain which has nothing to do with the spam.

[Wazoo]

I'd rather see a Tracking URL of what you're trying to demonstrate .. hard to guess where and what the piece of data you are showing actually comes from ....

[DavidT]

This has resulted in your email address being added into a virus-fed list.

I've been tracking and dealing with email worms for years, and I disagree. The typical scenario doens't involve any remote master list of "live" addresses to attack. Most of the email worms install and activate an SMTP process on the infected machine, and then proceed to (pretty randomly) assemble outgoing infected messages with "To" and "From" addresses inserted from many sources on *that* PC...not downloaded from a remote list, or included with the infection.

I have been successful in stopping specific sources of worm spewage by doing just what the other posted suggested, which is reporting the spew and the nature of the worm involved to the ISP of the source IP address. Furthermore, in some cases, I've been able to figure out exactly which one of my professional colleagues had been infected (especially when the source was at an educational institution, rather than a large national broadband provider), and have called them and walked them through the disinfection process. I've done that many times with Klez, Bugbear, Sircam, Badtrans, Magistr, and others.

So, although there may be *some* infections that behave in the manner that you describe, that's not the way the common email worms that I've dealt with behave.

DT

[DavidT]

hard to guess where and what the piece of data you are showing actually comes from

Wazoo, it's from the body text of the worm. Their point is that because these worms contain URLs of innocent parties, when they are parsed/reported, the SC system will notify those parties unnecessarily.

So I agree with Brian...you'll have to manually "uncheck" the reports headed for all but the source of the infection.

DT

[Jank1887]

So I agree with Brian...you'll have to manually "uncheck" the reports headed for all but the source of the infection.

27545[/snapback]

Hmmm. I'm assuming there wouldn't be any easy way to automate this in the parser. Would need to recognize a 'virus spam' from a 'normal spam', and then default to leaving everything other than the source IP unchecked. Or even just throwing out a 'looks like a virus, please double check reporting addresses' message.

[eric]

[must ... sleep ... before ... posting ...]