05-09-2002, 10:27 AM
|
Postid: 67350
|
|
Registered User
Join Date: Mar 2000
Location: MWV
Posts: 3,986
|
fake spam...
I just received an email alert saying I had sent a potential virus to someone. It would appear to be someone faking the "From" address with my own, as the address it says I sent it from is only one I post on the site that forwards to my main account, not an actual POP box... (I suppose it's also possible the alert is a hoax that's trying to get people to visit some questionable site.)
Question is, if it becomes common for such a thing to be faked, do I or FutureQuest run a risk of being blacklisted? Anything that can be done? Here's the email I received:
Quote:
The Star Internet anti-virus service, powered by MessageLabs, discovered
a potential virus or unauthorised code (such as a joke program or
trojan) in an email sent by you.
The email has now been quarantined and was not delivered.
To help identify the mail:
The message sender was
rmg-alec@intekom.co.za
run@run-down.com
The message was titled S.replace(re,
The message recipients were
finch1@tewkesburybc.gov.uk
The message date is (empty)
The virus or unauthorised code identified in the email is:
F-Secure Anti-Virus for i386-linux Release 4.13 build 3360
Frisk Software International F-PROT engine version 3.10 build 701
665466_2MAUDIO-X-WAV_CTrrHome-1-.exe infection: W95/Klez.H@mm
3 files scanned
1 infections found
Some viruses forge the sender address. For more information on this
please use the link to the FAQ's at the bottom of this page.
The message was diverted into the virus holding pen on
mail server server-5.tower-17.messagelabs.com (pen id 665466_1020940242)
and will be held for 30 days before being destroyed.
For more information please visit
http://www.star.net.uk/Support/Faq/FAQ.asp
Corporate Users:
If you sent the email from a corporate network, you should first
contact your local IT Helpdesk or System Administrator for advice.
They will be able to help you disinfect your workstation.
If you would like further information on how to subscribe to the Star
Internet anti-virus service, a proactive anti-virus service working
around the clock, around the globe, please visit
http://www.star.net.uk/products/requestaquote/quote.asp and complete the
enquiry form.
Personal or Home Users:
If you sent the email from a personal computer or home account,
you will need to disinfect your computer yourself. Please contact
your anti-virus software vendor for support or obtain help from
http://www.star.net.uk/Support/Faq/FAQ.asp
|
Dan
|
|
|
05-09-2002, 11:00 AM
|
Postid: 67354
|
|
Site Owner
Join Date: Mar 2002
Location: Scottsdale, AZ
Posts: 177
|
Sounds very much like some lying hack trying to get you to visit their web site.
|
|
|
05-12-2002, 08:00 AM
|
Postid: 67495
|
|
Visitor
Join Date: Jul 2001
Location: Cheshire, CT
Posts: 199
|
Probably not spam OR fake
Quote:
Originally posted by dank:
665466_2MAUDIO-X-WAV_CTrrHome-1-.exe infection: W95/Klez.H@mm
|
I'd consider the message a genuine one -- it came from an ISP that has a virus scanner running on their email server. But you can ignore this particular message.
Klez is an email virus that fakes the "From" address. It picks an address at random from the victim's Windows address book (and a few other sources), adopts that as its "From" address, and then emails itself to everyone else in the address book.
So the guy who really got infected just happened to have your address -- which would be one that you use publicly in your emails, not necessarily a POP box -- and Klez decided it likes you.
The Ego
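As an added example (not part of the original thread), this is one way a mail admin could triage an alert like the one quoted in the first post: parse it, then treat the claimed sender as unreliable when the detection is from a family that forges the "From" address. The sample alert, its example.* addresses, the function names and the family set are assumptions constructed for illustration.

```python
import re

# Families treated as forging the From address. Klez comes from the thread;
# the set itself is an assumption and would be maintained locally.
SENDER_FORGING_FAMILIES = {"klez"}

# Constructed sample, shaped like the alert quoted in the first post.
SAMPLE_ALERT = """\
The message sender was
    alias@example.org
The message was titled (empty)
The message recipients were
    someone@example.net
The virus or unauthorised code identified in the email is:
    sample-attachment.exe infection: W95/Klez.H@mm
The message was diverted into the virus holding pen on
mail server mx.example.com (pen id 000000_0000000000)
"""

def parse_alert(text):
    """Extract claimed senders, recipients and detection names."""
    fields = {"senders": [], "recipients": [], "detections": []}
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("The message sender was"):
            section = "senders"
        elif stripped.startswith("The message recipients were"):
            section = "recipients"
        elif stripped.startswith("The "):
            section = None  # any other labelled line ends the address list
        elif section and re.fullmatch(r"[^@\s]+@[^@\s]+", stripped):
            fields[section].append(stripped)
        match = re.search(r"infection:\s*(\S+)", stripped)
        if match:
            fields["detections"].append(match.group(1))
    return fields

def family(detection):
    """Reduce a name such as 'W95/Klez.H@mm' to its family, 'klez'."""
    name = detection.split("/")[-1]
    return re.split(r"[.@]", name)[0].lower()

def triage(text):
    """Parse the alert and mark whether the claimed sender can be trusted."""
    fields = parse_alert(text)
    forged = any(family(d) in SENDER_FORGING_FAMILIES for d in fields["detections"])
    fields["sender_reliable"] = not forged
    return fields
```

When `sender_reliable` is false, the address in the alert identifies only an entry in the infected machine's address book, so it should not drive a blacklist or abuse decision on its own.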
|
|
|
05-12-2002, 08:37 AM
|
Postid: 67497
|
|
Registered User
Join Date: Mar 2000
Location: MWV
Posts: 3,986
|
Gotcha, thanks for the explanation.
Would places like Spamcop be intelligent enough to take such things into account if abuse reports were filed?
Dan
|
|
|
05-12-2002, 09:36 AM
|
Postid: 67504
|
|
Visitor
Join Date: Jul 2001
Location: Cheshire, CT
Posts: 199
|
They have to know what's going on, since this has been well publicized for weeks. As long as there are humans making the decisions, we can hope they're not reflexively blacklisting people based on Klez.
The real worry is that someone you know will get a Klez-o-gram with your name on it. People are afraid they're going to lose clients or customers over this -- imagine if you were in the security business. It would be embarrassing to say the least.
This one also has a habit of grabbing random document files from the victims' hard drives like SirCam does, which could make things even worse if it's a sensitive file. Sometimes it even masquerades as a "Returned Mail" message. Very, very sneaky.
I hope you're keeping Outlook Express up to date and have a virus scanner running. Just too many uglies out there -- not worth taking chances anymore.
The Ego
|
|
|
05-12-2002, 09:49 AM
|
Postid: 67506
|
|
Registered User
Join Date: Mar 2000
Location: MWV
Posts: 3,986
|
That does sound troublesome.
Quote:
|
Sometimes it even masquerades as a "Returned Mail" message. Very, very sneaky.
|
I've been wondering about that for a while now. Seems like an easy way to slip malicious attachments in under the radar, since most Returned Mail messages are very generic in initial appearance.
Quote:
|
I hope you're keeping Outlook Express up to date and have a virus scanner running.
|
Yeah, I run an anti-virus program and a firewall (two, actually), which has kept me clean so far... That reminds me, my E Trust AntiVirus has stopped running automatically in the taskbar. I don't see a config option anywhere to make it run automatically (other than a full scan at startup), oddly. It says real-time protection is enabled... Probably time for a re-boot to see if that will get it back to its normal resting place.
Dan
|
|
|
05-12-2002, 10:33 AM
|
Postid: 67511
|
|
Visitor
Join Date: Jul 2001
Location: Cheshire, CT
Posts: 199
|
Quote:
|
That reminds me, my E Trust AntiVirus has stopped running automatically in the taskbar. I don't see a config option anywhere to make it run automatically (other than a full scan at startup), oddly. It says real-time protection is enabled... Probably time for a re-boot to see if that will get it back to its normal resting place.
|
It might just be the icon itself that's AWOL (I've been seeing a lot of disappearing icons lately). But you should take a look at the Task Manager and see if the scanner really is running. Auto Protection has saved quite a few butts around here -- I get nervous when I can't tell if it's working or not.
The Ego
|
|
|
05-12-2002, 10:39 AM
|
Postid: 67514
|
|
Registered User
Join Date: Mar 2000
Location: MWV
Posts: 3,986
|
That's possible. I don't see it running in the Task Manager, but I don't recall its 'Image Name' under Processes and some of them tend to not be overly indicative of the actual program name.
Please, no one send me any viruses until I'm sure it's working correctly.
Dan
|
All times are GMT -4.