Virus and IMAP on Linux?
Hello everybody,

I run a Postfix/Cyrus IMAP mail server and a webmail program called V-Webmail, which is a typical web mail interface program that speaks IMAP.

Some of my users, who should only be accessing their mail via the IMAP web interface, appear to be getting bounces indicating that they are sending out the virus messages, you know, the ones with the *.pif file and subject lines of "Thank You!" and "My Details" etc. Obviously, these mails are being forged.

Question is, does anybody know if IMAP users are vulnerable to this thing?

I do have a user who may have accessed his mail via POP and Outlook Express. I'm guessing that may be how this started. The virus was able to get his addressbook. ??

Also, anybody know how one might go about stopping the forged mails? What little I know about this stuff, I'd think not.. but then again I don't know.. :-)

-Jim-
> Some of my users, who should only be accessing their mail via the IMAP web interface, appear to be getting bounces indicating that they are sending out the virus messages, you know, the ones with the *.pif file and subject lines of "Thank You!" and "My Details" etc. Obviously, these mails are being forged.
> Question is, does anybody know if IMAP users are vulnerable to this thing?
> I do have a user who may have accessed his mail via POP and Outlook Express. I'm guessing that may be how this started. The virus was able to get his addressbook. ??
> Also, anybody know how one might go about stopping the forged mails? What little I know about this stuff, I'd think not.. but then again I don't know.. :-)
I'm pretty sure that the email addresses used for sending out those pif files were harvested from web forums and such, not from address books. I've been getting bounces for an address I set up for use in the MozillaZine forums. I highly doubt that anyone put that address in an address book, as the only email I've received to that address (aside from viruses/spam) has been from the forum itself (reply notifications, etc.).

As for stopping forged mails, there isn't really anything you can do. It's unfortunately really easy to send email with fake/forged addresses, either with open relays or by running your own mailserver. (People in my high school loved to send mail as god@heaven.org or satan@hell.com all the time.)

-- trey
The 03.09.03 at 08:29, Jim Norton wrote:
> Some of my users, who should only be accessing their mail via the IMAP web interface, appear to be getting bounces indicating that they are sending out the virus messages, you know, the ones with the *.pif file and subject lines of "Thank You!" and "My Details" etc. Obviously, these mails are being forged.
> Question is, does anybody know if IMAP users are vulnerable to this thing?
Once I got an angry email from somebody (unknown person to me) that was getting virus-loaded emails, with my address in the From field. That address is one I seldom use, only my friends know it, so I knew it couldn't be got from web archives or such. And I only use it from Linux, so there is no way I could have sent such emails loaded with a Word macro virus or something of the sort.

Finally, we knew how it had happened. We both have a common friend that uses Outlook, and had got the virus active. His machine, with an ADSL connection, was sending those mails to his full address book, me included, of course.
> I do have a user who may have accessed his mail via POP and Outlook Express. I'm guessing that may be how this started. The virus was able to get his addressbook. ??
Yes, that sounds like it. It has happened in the past, so it is possible (kind of "I love you" virus/worm).

But also, right now I'm getting spammed with emails that contain a .pif attachment (about 107K), on the address I use for the list. I don't know if it comes from subscribers using Outlook (it has been mentioned on the radio news here) or is just malintentioned spam, curse them.
> Also, anybody know how one might go about stopping the forged mails? What little I know about this stuff, I'd think not.. but then again I don't know.. :-)
No... we suffer.

--
Cheers,
Carlos Robinson
participants (3): Carlos E. R., jrn@oregonhanggliding.com, Trey Gruel