unwanted virus infected email spam
(kind of off topic)

Has anyone been receiving periodic emails with virus infected attachments from an address purporting to be hahaha@sexyfun.net?

It is really annoying me at this point because this w**ker seems to be sequentially trying all combinations ********@storm.ie and I am getting a couple of quarantine notifications every week from the antivirus software on our mail server.

I did try adding a REJECT rule for hahaha@sexyfun.net to /etc/mail/access - this seemed to work for a week or two but the problem has since returned. Any ideas as to what I might try next as this kind of mindless activity really does my head in ...

Thanks,
Michael
On Wed, 18 Jul 2001 michael.ryan@storm.ie wrote:
> I did try adding a REJECT rule for hahaha@sexyfun.net to /etc/mail/access - this seemed to work for a week or two but the problem has since returned. Any ideas as to what I might try next as this kind of mindless activity really does my head in ...
I doubt this works. IIRC the Hybris worm uses an empty envelope address (MAIL FROM: <>) and /etc/mail/access matches envelope addresses only (and not the From: line in the message itself). But blocking mails with empty MAIL FROM violates RFC 1123.

This is/was discussed again and again in comp.mail.sendmail, please read through
http://groups.google.com/groups?q=sexyfun.net&safe=off&btnG=Google+Search&meta=site%3Dgroups%26group%3Dcomp.mail.sendmail

You may write your own sendmail milter (sendmail shipped on SuSE 7.2 comes with libmilter support) which checks if From: matches, after the complete header of the mail has been transferred (the xxfi_eoh callback) and then discards the message by simply returning SMFIS_REJECT or SMFIS_DISCARD. (no I haven't tried that myself yet)

best regards,
Rainer Link

--
Rainer Link  | SuSE - The Linux Experts
link@suse.de | Developer of A Mail Virus Scanner (amavis.org)
www.suse.de  | Founder OpenAntiVirus Project (www.openantivirus.org)
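Added example, not part of the thread and not any poster's code: a Python sketch of the decision Rainer describes, showing why an envelope-only rule misses a message sent with MAIL FROM: <> while a check of the From: header at end of headers catches it, and why a genuine bounce with a null envelope sender must still pass. It is not a milter; the function names, sample messages and verdict strings are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

BLOCKED_SENDER = "hahaha@sexyfun.net"  # address named in the thread

# Constructed sample: null envelope sender, forged From: header.
WORM_ENVELOPE_FROM = "<>"
WORM_MESSAGE = (
    'From: "Hahaha" <HaHaHa@SexyFun.net>\r\n'
    "To: someone@example.org\r\n"
    "Subject: constructed sample\r\n"
    "\r\n"
    "body\r\n"
)

# Constructed sample: a legitimate bounce also uses the null envelope sender.
BOUNCE_MESSAGE = (
    "From: Mail Delivery Subsystem <MAILER-DAEMON@mail.example.org>\r\n"
    "To: someone@example.org\r\n"
    "Subject: Returned mail\r\n"
    "\r\n"
    "body\r\n"
)

def envelope_rule_matches(mail_from, blocked=BLOCKED_SENDER):
    """What an envelope-only rule sees: the MAIL FROM argument, nothing else."""
    return mail_from.strip().strip("<>").lower() == blocked

def header_rule_matches(raw_message, blocked=BLOCKED_SENDER):
    """Check every From: header once the complete header block is available."""
    msg = message_from_string(raw_message)
    for value in msg.get_all("From", []):
        _display_name, addr = parseaddr(value)
        if addr.lower() == blocked:
            return True
    return False

def verdict(mail_from, raw_message):
    """Order of checks mirrors the SMTP dialogue: envelope first, headers later."""
    if envelope_rule_matches(mail_from):
        return "REJECT at MAIL FROM"
    if header_rule_matches(raw_message):
        return "DISCARD at end of headers"
    return "ACCEPT"

if __name__ == "__main__":
    print(verdict(WORM_ENVELOPE_FROM, WORM_MESSAGE))
    print(verdict("<>", BOUNCE_MESSAGE))
```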
Hi,

On Wednesday 18 July 2001 15:39, michael.ryan@storm.ie wrote:
> (kind of off topic) Has anyone been receiving periodic emails with virus infected attachments from an address purporting to be hahaha@sexyfun.net?
Yes. I've got three of them during the last three days. This is a virus worm known as "Hybris". Its modular nature allows for uploading new "features" all the time.
> It is really annoying me at this point because this w**ker seems to be sequentially trying all combinations ********@storm.ie and I am getting a couple of quarantine notifications every week from the antivirus software on our mail server.
> I did try adding a REJECT rule for hahaha@sexyfun.net to /etc/mail/access - this seemed to work for a week or two but the problem has since returned. Any ideas as to what I might try next as this kind of mindless activity really does my head in ...
Blocking this email address won't help, because there are other senders with the same virus. The subject line and attachment names are also highly variable. The only solution to identify it is to run "strings" on the attachment and look for the appearance of the string "HYBRIS".
> Thanks,
> Michael
Regards,
Martin

--
Martin Leweling
Institut fuer Planetologie, WWU Muenster
Wilhelm-Klemm-Str. 10, 48149 Muenster, Germany
> I did try adding a REJECT rule for hahaha@sexyfun.net to /etc/mail/access - this seemed to work for a week or two but the problem has since returned.
Perhaps you should just block the whole sexyfun.net domain from sending you mail. It doesn't even look like a domain you would want to be receiving mail from in any case.

Noah.
----- Original Message -----
From:
> (kind of off topic) Has anyone been receiving periodic emails with virus infected attachments from an address purporting to be hahaha@sexyfun.net?
[...]

yes, I do (well, what I really get is the virus notification from avmailgate... much better than amavis...)

jump to www.antivir.de, their products are free for private use. avmailgate sits in front of your sendmail and filters all mail through an antivirus program.

bye
MH
participants (5): Martin Leweling, Mathias Homann, michael.ryan@storm.ie, Rainer Link, semat