Jump to content

Tracking down a virus infected machine


StevenUnderwood
 Share

Recommended Posts

I have been receiving 5-10 virus infected (W32/Mydoom.a[at]MM) from the same source address (63.110.41.117) since at least the secnd week of February. I am also getting the normal bounces from other peoples virus protection saying I sent a virus because my address is forged as the sender. All of these infected messages are being held by our spam filtering company (postini) with only a few bounces coming through, so it is not terrible, just annoying.

On February 23, 2004, after all other infections of Mydoom.a had stopped arriving, I sent an email to several addresses at mci.com, the owner of that address (through UUNET).

On February 24, 2004, I also sent an email to abuse[at]cypresscom.net since the rDNS is 63-110-41-117.client.cypresscom.net.

I have since sent a couple more emails and called the cypresscom.net help desk a couple of times, but the messages still come daily.

I have never had a situation where the first or second email to a company did not stop the garbage, once even with a thank you for helping locate the problem. I don't know what else I can do.

Link to comment
Share on other sites

It is always to good to ask for a supervisor if you don't get adequate help from the first person you talk to. Or in this case, since you have called twice and the worms are still coming.

Sometimes you also have to convince the help desk that you are not going to accept the 'bot answer. You may have to convince them also that you are fully aware of how email works.

I haven't dealt with abuse desks very much, but I always ask for supervisor in other situations when I don't get satisfaction. Very often if you can get past the first level, things work out very quickly.

Miss Betsy

Link to comment
Share on other sites

Thank you Miss Betsy. I will try that as well in a couple of days.

I have fixed MY immediate problem by finding a setting at postini to block an IP connection from occuring for the next 30 days and generating a 500 lever error. That will not stop the spew from going to other people or the bounce mesages, but it should limit the number I see.

Link to comment
Share on other sites

And in contrast to Miss Betsy's cherrful outlook, there are days that no amount of being nice helps <g> .. I distinctly remeber getting hold of an individual that on one call call was the Network Operations Chief, on another call he was a vice-president ... at one point he suggested that his lawyers had advised him that is was a Federal Offense for him (as NOC) to block any traffic coming across their network and he'd be glad to have his/their lawyers call me and set me straight ... I invited him to immediately forward the call to his/their legal office and I'd set his/thier lawyers straight .. All of a sudden, the threat of legal power didn't seem so strong to him and the phone line went dead for some reason <g> ... It was funnier yet to notice that within a couple of months, Covad had this strange notice about their lawyers getting involved and discovering some serious breaches in contracts, dealing with the amount of spam coming through their system, and in order to get out of so many blocking lists and outright banned connections, their lawyers had advised them to start shutting down some accounts. Nothing there tht I feel I can take personal credit for, yet thinking that I helped get to the point of the "one straw that broke the camel's back" ...

In your case, the alleged upstream (MCI) may take action, but it's probably the "customer of a customer" routine, so time passes while all the legal niceties are observed. Your cypress.som outfit, either they're overwhelmed, don't have an effective abuse team/person, or they just don't care (yet) ... No idea how big they are, or how much technically qualified staff there might be.

Link to comment
Share on other sites

No idea how big they are, or how much technically qualified staff there might be.

The two different days I have called tech support, I got two different people. However, the last time I called (yesterday) I got "disconnected" at a specific "high stress" time. When I called back immediately, the help desk phone was answered by the same person, Doc.

Link to comment
Share on other sites

  • 2 weeks later...

I'm having the very same issue with cypresscom.net. Daily reports to their abuse email address have done nothing to stop the virus spew. I've decided to change the order of my filters and the antivirus on my mail server to relay all messages from that ip address back to them. Normally my antivirus kicks in first. I did get some bogus reply from the help desk, where they sent me when I called them directly. At first he told the truth I think, "well we only deal with viruses if the affect our system. Its the clients probelm if they have them". Then it was "well maybe it was a night guy in the abuse department and he doesn't know how to handle it". Maybe I should try setting a repeating loop to their abuse address or maybe add the sales department for every virus sent to my server. I suppose the loop wouldn't be too nice of me, but I probably will have to expand the number of people that are getting the complaints until something happens. I think all their abuse complaints about viruses immediately go into the circular bin bucket.

Edited by caryh
Link to comment
Share on other sites

I am able to blacklist certain IP's through our anti-spam vendor (postini) and reject with a specific error (I used ERROR 554 transaction failed). I did that for 1 week so the admin should have been getting a reject message for each virus message sent and when the block expired this weekend, I have not have a message from them since.

I am still using the manual report method first, but if after 3 days Ithe messages don't stop, I am going to use this method.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

×
×
  • Create New...