
big@boss.com

Discussion in 'General Discussion' started by mrprez, Jan 14, 2003.

  1. mrprez

    Has anyone noticed email sitting in the queue from this email address? I have two servers and there is mail on both servers with this same return address. Each email has a virus attached. They seem to originate from different IP addresses or are spoofed. Here is a sample from one of them:

    [quote]
    Return-path:
    Received: from cable-213-132-133-57.upc.chello.be ([213.132.133.57] helo=IMEDIA-VDB)
    by xxxxxxxxxxx.net with esmtp (Exim 3.36 #1)
    id 18YWHl-00045V-00
    for info@xxxxxxxx.com; Tue, 14 Jan 2003 13:59:41 -0500
    From:
    To:
    Subject: Re: Movies
    Date: Tue, 14 Jan 2003 20:01:23 +0100
    Importance: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2600.0000
    X-MSMail-Priority: Normal
    X-Priority: 3 (Normal)
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
    boundary="CSmtpMsgPart123X456_000_01BD22CB"
    Message-Id:

    This is a multipart message in MIME format

    --CSmtpMsgPart123X456_000_01BD22CB
    Content-Type: text/plain;
    charset="iso-8859-1"
    Content-Transfer-Encoding: 7bit

    Attached file:
    --CSmtpMsgPart123X456_000_01BD22CB
    Content-Type: application/octet-stream;
    name="Document003.pif"
    Content-Transfer-Encoding: base64
    Content-Disposition: attachment;
    filename="Document003.pif"
    [/quote]

    Since the IP address is different there isn't a way to block based on that. Is there a way to block based on the return address?
     
  2. Robert

    Getting them here as well...

    I have flushed about 50 of these messages since Monday and have another 25 that have collected in the queue.

    This is another windows virus at work.

    http://vil.mcafee.com/dispVirus.asp?virus_k=99950
    Virus Information
    Name: W32/Sobig@MM

    Risk Assessment
    - Home Users: Medium
    - Corporate Users: Medium

    Date Discovered: 1/9/2003
    Date Added: 1/9/2003

    Origin: Unknown

    Length: 65,536 bytes (tElock packed)

    Type: Virus

    SubType: E-mail worm

    DAT Required: 4242

    Virus Characteristics

    -- Update January 14, 2003 --
    It was discovered that in some cases the virus attachment may arrive with a filename having a ".PI" extension instead of ".PIF" (it would not get run if double-clicked on, of course). This extension is added to the default list in 4243 DATs.
    -- Update January 11, 2003 --
    This threat was upgraded to a Medium risk due to an increase in prevalence over the past 36 hours.

    -- Update January 10, 2003 --
    This threat is considered to be Low-Profiled due to The Inquirer article "Four viral worms spreading across the Windows Web".

    This worm is written in MSVC and attempts to spread via network shares and email. The worm contains its own SMTP engine.

    Email Propagation

    Outgoing messages are formatted as follows:

    From: big@boss.com
    Subject: One of the following:
    - Re: Movies
    - Re: Sample
    - Re: Document
    - Re: Here is that sample
    Attachment: 65,536 bytes with one of the following filenames:
    - Movie_0074.mpeg.pif
    - Document003.pif
    - Untitled1.pif
    - Sample.pif

    Email addresses may be harvested from files on the victim machine with the following extensions:
    - WAB
    - DBX
    - HTM
    - HTML
    - EML
    - TXT

    Network Propagation

    The worm enumerates shares on the network, intending to copy itself to one of the following folders on remote machines:

    \WINDOWS\ALL USERS\START MENU\PROGRAMS\STARTUP
    or

    \DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\STARTUP

    Indications Of Infection

    Existence of the file WINMGM32.EXE in the Windows directory, file size 65,536 bytes.
    Existence of the file SNTMLS.DAT in the Windows directory
    Existence of the file DWN.DAT in the Windows directory

    Method Of Infection

    At least one field sample AVERT has received was dropped by a multidropper package. This package dropped two files - a pornographic image (which is displayed) and the worm. The multidropper package is detected as MultiDropper-FB with the 4242 DATs.

    When run, the worm installs itself into the Windows directory as WINMGM32.EXE. Two registry hooks are added to hook system startup, for example:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    "WindowsMGM" = C:\WINDOWS\winmgm32.exe

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    "WindowsMGM" = C:\WINDOWS\winmgm32.exe

    Email addresses harvested from the local machine are written to the file (confirmed via field reports, not observed in testing):

    %WinDir%\SNTMLS.DAT

    The worm retrieves a text file from a Geocities user page (http://www.geocities.com/reteras). At the time of writing, this file contained a single URL:

    http://www.doesnotexist.com/blah.txt

    If retrieved successfully, this URL is written to the file %WinDir%\DWN.DAT.

    Since analysis started, the URL has been updated, and references a remote PE file which the worm subsequently attempts to download. This file is detected as BackDoor-AOT with the 4242 DATs.

    The worm contains the string:

    Worm.X

    Removal Instructions

    Detection and removal is included in the 4242 DAT files.
    Alternatively, the following EXTRA.DAT packages are available:
    EXTRA.DAT
    SUPER EXTRA.DAT

    Files detected as W32/SoBig@MM should be deleted.

    Additional Windows ME/XP removal considerations

    Aliases

    I-Worm.Sobig (AVP), W32.Sobig.A@mm (Symantec), W32/Sobig (Panda), W32/Sobig-A (Sophos), Win32.Sobig (CA), WORM_SOBIG.A (Trend)
     
  3. PWSowner

    Not as serious here, yet. I just cleaned 12 out of the mail queue.
     
  4. JustinK

    I've cleaned quite a few of those off of a handful of servers.
     
  5. brandonk

    I am getting these in my mailbox. Is this a server attack or just email from other people? How can I clean them out of the queue?
     
  6. MikeMc

    In the queue there is the delete option "Delete All Messages" and "delete" for each message.
     
  7. H2Hosting.com

    ~60 emails on each of our servers. We have blocked this address in /etc/spammers on all servers.
     
  8. mrprez

    How did you do this? Did you put in the email address big@boss.com?
     
  9. brandonk

    I had never seen that mail queue... Now I see that one of my clients ASKS for SPAM, he has 30,000 messages in the queue!
     
  10. haze

    [quote][i]Originally posted by H2Hosting.com[/i]

    ~60 emails on each of our servers. We have blocked this address in /etc/spammers on all servers.

    [/quote]
    Interesting, never noticed this file. How should it be formatted? Is it just a new address on each line, or are there any parameters needed?
     
  11. thomas

    [quote][i]Originally posted by iminteractive[/i]
    Interesting, never noticed this file. How should it be formatted? Is it just a new address on each line, or are there any parameters needed?[/quote]

    One on each line

    e.g.

    big@boss.com   # blocks a specific sender
    boss.com       # blocks the whole domain
     
  12. mrprez

    I tried that and it is still getting through.
     
  13. dgbaker

    You can also try to add it to the blacklist in the main spamassassin local.cf

    /etc/mail/spamassassin/local.cf

    blacklist_from *@boss.com
     
  14. H2Hosting.com

    [quote][i]Originally posted by baileysemt[/i]

    [quote][i]Originally posted by mrprez[/i]

    I tried that and it is still getting through.[/quote]

    Still getting thru for me too. :( [/quote]

    Add this line to /etc/exim.conf:

    sender_reject = /etc/spammers

    then create /etc/spammers and put "boss.com" in it.
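    Added example, not code from this thread or from Exim: a small Python model of how a one-entry-per-line sender list such as the /etc/spammers file (the two entry kinds thomas shows, and the file H2Hosting.com points sender_reject at) would be applied to an envelope sender. The comment handling, the address-versus-domain rule, exact-domain (no subdomain) matching and the case-insensitive comparison are assumptions of this model, not verified Exim 3 behaviour.

```python
"""Model of a one-entry-per-line sender block list (like /etc/spammers).

Added example, not code from the thread or from Exim. Assumptions:
  - blank lines and anything after '#' are ignored (the thread's sample
    entries carry '#' comments; whether Exim accepts trailing comments
    in a list file is not something this model verifies),
  - an entry containing '@' blocks exactly that address,
  - an entry without '@' blocks every address at exactly that domain
    (sub.boss.com is NOT matched by a boss.com entry),
  - matching is case-insensitive, since mail domains are.
"""
import re

# Constructed sample file contents, mirroring the thread's two entry kinds.
SPAMMERS_FILE = """
# blocks a specific sender
big@boss.com
# blocks the whole domain
boss.com
"""

# Envelope sender, optionally in <...>; an empty reverse path (MAIL FROM:<>)
# is legitimate for bounces and deliberately does not match this pattern.
ADDR_RE = re.compile(r"^<?([^<>@\s]*)@([^<>@\s]+)>?$")


def load_spammers(text):
    """Parse list text into (addresses, domains), both lowercased sets."""
    addresses, domains = set(), set()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip().lower()
        if not entry:
            continue
        (addresses if "@" in entry else domains).add(entry)
    return addresses, domains


def sender_rejected(envelope_sender, addresses, domains):
    """True if the envelope sender matches an address or a domain entry."""
    m = ADDR_RE.match(envelope_sender.strip())
    if not m:
        return False  # empty or malformed reverse path: not on the list
    local, domain = m.group(1).lower(), m.group(2).lower()
    return f"{local}@{domain}" in addresses or domain in domains


if __name__ == "__main__":
    addrs, doms = load_spammers(SPAMMERS_FILE)
    for s in ["<big@boss.com>", "BIG@BOSS.COM", "someone@mail.boss.com", "<>"]:
        print(f"{s:24} rejected={sender_rejected(s, addrs, doms)}")
```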
     
  15. Website Rob

    You can also add "bossgame.com" -- it owns "boss.com", and although both are registered domain names, they are only used for spam.

    Also wanted to add: how does it work for "specific" eMail addresses?

    Others may have noticed a lot of "burgerba@gci.net" showing in their View Mail Stats & List of errors. As I don't want to block "gci.net" as a whole, just "burgerba", can one use "whoever@wherever.com" to specify?
     
  16. pats

    Hi,

    Any luck with this?
    I added sender_reject = /etc/spammers
    at the end of /etc/exim.conf
    and created the file /etc/spammers as well.

    But after that, when I restart exim it gives the following error:
    Starting exim: 2003-02-12 04:21:25 Exim configuration error
    option "sender_reject" unknown in line 519 [FAILED]

    Any help?
     
  17. mrprez

    You have to place it in the right spot or it will generate an error. I put mine right after the RBL option and that seemed to stop the email from boss.com.
     
  18. pats

    Cool! Thanks mrprez, putting it in just after the RBL section solved the thing.

    Now, will this block any emails with 'boss.com' in the email header, or will the IP of boss.com be checked to see whether the mail really comes from boss.com?
    I want emails to be rejected if the headers contain 'boss.com'.

    One more thing: can I reject emails if the email body contains something like 'sex'?
    I want to do it here as it'd be server-wide :)

    Thanks!
     
  19. mrprez

    Glad it worked for you.

    Not sure about your second request; I would have to research it. That may slow down mail delivery, as it would then have to scan each email looking for the words you want excluded.

    Try looking over at www.exim.org, there is a fairly good-sized FAQ over there.
     