TRUSTAbyss -
Joined: 29 Oct 2003 Posts: 3752 Location: USA, GA
|
Posted: Wed Jun 15, 2005 3:08 pm Post subject: TRUSTAbyss.com - Alert! |
|
|
I found a message in my inbox today that wasn't written from me but it
came from my Server, if you're going to use PHP for mail, make sure you
set it to allow localhost only. I guess they found a way to send spam.
The E-mail you may receive could look like
Quote: |
Dear user name,
You have successfully updated the password of your Trustabyss account.
If you did not authorize this change or if you need assistance with your account, please contact Trustabyss customer service at: support@trustabyss.com
Thank you for using Trustabyss!
The Trustabyss Support Team
+++ Attachment: No Virus (Clean)
+++ Trustabyss Antivirus - www.trustabyss.com
--------------------------------------------------------------------------------
Attachment accepted-password.zip has been removed by ArGoSoft Mail Server
|
Note: My E-mail Server automatically removes attachments so if this was
a virus, you will not receive it. This will never happen again. LateR! :-)
Sincerely, TRUSTpunk |
MonkeyNation -
Joined: 05 Feb 2005 Posts: 921 Location: Cardiff
|
Posted: Wed Jun 15, 2005 5:11 pm Post subject: Re: TRUSTAbyss.com - Alert! |
|
|
TRUSTpunk wrote: | I found a message in my inbox today that wasn't written from me but it
came from my Server, if you're going to use PHP for mail, make sure you
set it to allow localhost only. I guess they found a way to send spam.
The E-mail you may receive could look like
Quote: |
Dear user name,
You have successfully updated the password of your Trustabyss account.
If you did not authorize this change or if you need assistance with your account, please contact Trustabyss customer service at: support@trustabyss.com
Thank you for using Trustabyss!
The Trustabyss Support Team
+++ Attachment: No Virus (Clean)
+++ Trustabyss Antivirus - www.trustabyss.com
--------------------------------------------------------------------------------
Attachment accepted-password.zip has been removed by ArGoSoft Mail Server
|
Note: My E-mail Server automatically removes attachments so if this was
a virus, you will not receive it. This will never happen again. LateR! :-)
Sincerely, TRUSTpunk |
I found that out the hard way too, saw 1000s of messages in the queue =/
Anonymoose -
Joined: 09 Sep 2003 Posts: 2192
|
Posted: Wed Jun 15, 2005 7:41 pm Post subject: |
|
|
This is the result of the MyTob worm, nothing to do with anyone's PHP. I'm seeing a lot of variants on these messages in the rejected mail on the domains I manage at work.
I can't link directly to the explanation on Sophos's website, but go to http://www.sophos.com/virusinfo/analyses/w32mytobat.html and read the Advanced section for more details on one variant of the worm. |
TRUSTAbyss -
Joined: 29 Oct 2003 Posts: 3752 Location: USA, GA
|
Posted: Thu Jun 16, 2005 1:53 am Post subject: |
|
|
There is no way my Server is infected with this worm because I don't go
online with it, all my server does is serve up web pages. Impossible!
I believe it was an Anonymous user doing it. |
MonkeyNation -
Joined: 05 Feb 2005 Posts: 921 Location: Cardiff
|
Posted: Thu Jun 16, 2005 2:06 am Post subject: |
|
|
TRUSTpunk wrote: | There is no way my Server is infected with this worm because I don't go
online with it, all my server does is serve up web pages. Impossible!
I believe it was an Anonymous user doing it. |
As long as it is connected, it is vulnerable to a degree.
aprelium -
Joined: 22 Mar 2002 Posts: 6800
|
Posted: Thu Jun 16, 2005 12:16 pm Post subject: Re: TRUSTAbyss.com - Alert! |
|
|
TRUSTpunk,
We get hundreds of such emails every day (and 50% of them pretend they were sent by aprelium.com)! Check the headers of these mails to see which IP was the cause of this spam, then download "WhoIs View" from http://www.whoisview.com/products/whoisview/ (free tool), and use it to find out which ISP/company the IP belongs to. "WhoIs View" will also display the abuse report addresses/phones. Contact them to report the spam (give them the mail with all its headers).
_________________
Support Team
Aprelium - http://www.aprelium.com |
Anonymoose -
Joined: 09 Sep 2003 Posts: 2192
|
Posted: Thu Jun 16, 2005 2:17 pm Post subject: |
|
|
TRUSTpunk wrote: | There is no way my Server is infected with this worm because I don't go
online with it, all my server does is serve up web pages. Impossible!
I believe it was an Anonymous user doing it. |
If I go to the trouble of giving you a reference, at least take the time to read it before squawking about your server being uninfected. I never said your server was infected, I said the spoofed emails you are receiving are the result of the MyTob worm.
A quick read of the explanation on Sophos would have given you
Quote: |
W32/Mytob-AT can spread by sending itself as an email attachment to email addresses harvested from the infected computer. W32/Mytob-AT spoofs the sender's email address so that the sent email appears to be from the same domain from one of the following users:
admin
administrator
info
mail
register
service
support
webmaster
For example if sending itself to name@example.com, W32/Mytob-AT might send the email as if from admin@example.com.
|
TRUSTAbyss -
Joined: 29 Oct 2003 Posts: 3752 Location: USA, GA
|
Posted: Thu Jun 16, 2005 2:24 pm Post subject: |
|
|
Are you saying that this could have been from someone else's infected PC ? |
Anonymoose -
Joined: 09 Sep 2003 Posts: 2192
|
Posted: Thu Jun 16, 2005 4:51 pm Post subject: |
|
|
I'm saying it is from someone else's infected PC. The email headers should show a different IP to your own server. |
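
The header check described in the posts by aprelium and Anonymoose above, as an added example that is not part of the original thread: it reads the Received lines from the newest down and returns the first outside IP that connected to a server you run. The host name mail.example.org and every address are constructed placeholders; only Received lines stamped by your own server are trusted, because anything below them is supplied by the sender.

```python
import ipaddress
import re
from email import message_from_string

# Assumptions: the host name and addresses below are constructed placeholders.
OWN_HOSTS = {"mail.example.org"}
OWN_IPS = {ipaddress.ip_address(a) for a in ("192.0.2.10", "127.0.0.1")}

BY_RE = re.compile(r"\bby\s+([^\s;]+)", re.I)
IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")

# Constructed message: From claims our domain, the second Received line is forged.
SPOOFED = (
    "Received: from example.org (unknown [203.0.113.45])\n"
    "\tby mail.example.org with SMTP; Wed, 15 Jun 2005 15:01:05 -0400\n"
    "Received: from mail.example.org ([192.0.2.10])\n"
    "\tby relay.invalid with SMTP; Wed, 15 Jun 2005 15:00:58 -0400\n"
    "From: support@example.org\n"
    "To: user@example.org\n"
    "Subject: password updated\n"
    "\n"
    "body\n"
)
# Constructed message that really was submitted on the server itself.
LOCAL = (
    "Received: from localhost ([127.0.0.1])\n"
    "\tby mail.example.org with SMTP; Wed, 15 Jun 2005 15:02:00 -0400\n"
    "From: support@example.org\n"
    "\n"
    "body\n"
)

def external_peer(raw):
    """Return the first outside IP recorded by one of our own servers, or None."""
    for hdr in message_from_string(raw).get_all("Received", []):  # newest first
        by = BY_RE.search(hdr)
        if by is None or by.group(1).lower() not in OWN_HOSTS:
            break  # written before the mail reached us: sender-controlled
        found = IP_RE.search(hdr)
        try:
            peer = ipaddress.ip_address(found.group(1)) if found else None
        except ValueError:
            peer = None  # malformed address literal, keep reading our own hops
        if peer is not None and peer not in OWN_IPS:
            return peer
    return None

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("local", LOCAL)):
        print(name, "->", external_peer(raw) or "no outside peer recorded")
```

The address it returns is the one to look up in whois and include, with the full headers, in the abuse report.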
TRUSTAbyss -
Joined: 29 Oct 2003 Posts: 3752 Location: USA, GA
|
Posted: Thu Jun 16, 2005 6:07 pm Post subject: |
|
|
I will check it out. Thanks for the response on this matter. LateR! |
jlp09550 -
Joined: 05 Jun 2005 Posts: 123 Location: Louisiana, USA
|
Anonymoose -
Joined: 09 Sep 2003 Posts: 2192
|
Posted: Fri Jun 17, 2005 1:53 pm Post subject: |
|
|
jlp09550 wrote: | I know how to fix it!
<snip pointless post> |
That's nice, but if you read the topic you'd see TRUSTPunk isn't infected. |
jlp09550 -
Joined: 05 Jun 2005 Posts: 123 Location: Louisiana, USA
|
Posted: Sat Jun 18, 2005 6:50 am Post subject: |
|
|
NO! You will not find out as NO anti-virus programs are updated to check for that! -chills down-
OK... I should say that if another computer is infected, you will have to live with it until it stops, like me... I had 100 emails one day in my inbox.... but, if you are very unlucky, it WILL use your email address to send to A LOT of people and you WILL get undeliverable messages until it decides to move to someone else!
_________________
Hosted Abyss Sites-
http://jared.chibipaws.com/ - My Stuffs
http://jaredblog.chibipaws.com/ - My Blog |
TRUSTAbyss -
Joined: 29 Oct 2003 Posts: 3752 Location: USA, GA
|
Posted: Sat Jun 18, 2005 3:21 pm Post subject: |
|
|
I believe you, Mail Servers need to be more powerful. I blocked the range
of the sender so that the virus cannot continue with its evil plans lol. LateR!
I haven't seen one e-mail after doing what Aprelium recommended.
Sincerely, TRUSTpunk |
TRUSTAbyss -
Joined: 29 Oct 2003 Posts: 3752 Location: USA, GA
|
Posted: Sat Sep 24, 2005 1:38 am Post subject: |
|
|
Enable SMTP Authentication and disable e-mail sending with accounts that
don't exist on the server. This is how I got rid of the spammers. LateR! :-)
Sincerely, TRUSTpunk |