Advice on Worm/Phishing Emails
Hi all, I'd like some advice on how to handle worm and phishing emails coming to one user on my postfix server. For about 3 weeks now, Clam-AV is advising that emails have been detected and not delivered due to them containing a worm. In this case it is Worm.Mydoom.M. About 8 to 10 a day are arriving, with ClamAV advising that the trace is to 2 different IP addresses. Ripe shows both to be registered through an outfit in Paris (La Defense). I sent an email to the listed report-to email address but no reply. The worms keep crawling! I do get similar messages about phishing, but not near as many, and not from the same repeated IP addresses. My question is, is it OK to just continue to ignore these messages as my server is catching them and not delivering them, or is there another "best practice" that I should be doing? FYG I'm running Suse 10.0 with clamav, freshclam, and spamassassin. Not too many users, just family and friends. Many thanks for any advice, Jim F
On Thursday 05 October 2006 10:44, Jim Flanagan wrote:
Hi all,
I'd like some advice on how to handle worm and phishing emails coming to one user on my postfix server. For about 3 weeks now, Clam-AV is advising that emails have been detected and not delivered due to them containing a worm. In this case it is Worm.Mydoom.M. About 8 to 10 a day are arriving, with ClamAV advising that the trace is to 2 different IP addresses. Ripe shows both to be registered through an outfit in Paris (La Defense). I sent an email to the listed report-to email address but no reply. The worms keep crawling! I do get similar messages about phishing, but not near as many, and not from the same repeated IP addresses.
Short of hiring a hit man and sending him to Paris there is nothing you can do. Sending complaints is a fool's errand, since they are largely ignored by overworked admins of legitimate ISPs and laughed at by admins of the ISPs owned by the spammers. Keep your SA and Clam up to date and ignore what gets through, or set up Bayes training procedures and feed them back to Bayes. You already have good defenses up, with SA and Clam. If your SA is not running razor, get that working system wide, and give it a high score. Enable network tests in SA. If your box is serving up mail to Windows machines, then they too should run an antivirus, because Clam is not foolproof. If you are serving mail to your family and friends, then you already have a captive audience who you can educate to NEVER click anything they don't understand, and the method to tell when a phish is a phish as opposed to a REAL letter from their bank. Don't chase spammers. It's a waste of time. -- John Andersen
The Thursday 2006-10-05 at 11:00 -0800, John Andersen wrote:
Don't chase spammers. It's a waste of time.
Even worse: dangerous. They learn that you are there with a real address they can keep spamming with relish and confidence. -- Cheers, Carlos E. R.
Carlos E. R. wrote:
The Thursday 2006-10-05 at 11:00 -0800, John Andersen wrote:
Don't chase spammers. It's a waste of time.
Even worse: dangerous.
They learn that you are there with a real address they can keep spamming with relish and confidence.
I was wondering about that, disreputable ISP. Jim
John Andersen wrote:
On Thursday 05 October 2006 10:44, Jim Flanagan wrote:
Hi all,
I'd like some advice on how to handle worm and phishing emails coming to one user on my postfix server. For about 3 weeks now, Clam-AV is advising that emails have been detected and not delivered due to them containing a worm. In this case it is Worm.Mydoom.M. About 8 to 10 a day are arriving, with ClamAV advising that the trace is to 2 different IP addresses. Ripe shows both to be registered through an outfit in Paris (La Defense). I sent an email to the listed report-to email address but no reply. The worms keep crawling! I do get similar messages about phishing, but not near as many, and not from the same repeated IP addresses.
Short of hiring a hit man
Hummm....
Sending complaints is a fool's errand, since they are largely ignored by overworked admins of legitimate ISPs and laughed at by admins of the ISPs owned by the spammers.
Keep your SA and Clam up to date and ignore what gets through, or set up Bayes training procedures and feed them back to Bayes.
I never sat down and figured out how to "feed" SA. I do have lots in a spam folder to feed it. Can you point me to a how-to?
You already have good defenses up, with SA and Clam. If your SA is not running razor, get that working system wide, and give it a high score. Enable network tests in SA.
Same here. I've read about razor, but never got it up. Is there a good how-to on this as well?
If your box is serving up mail to Windows machines, then they too should run an antivirus, because Clam is not foolproof.
If you are serving mail to your family and friends, then you already have a captive audience who you can educate to NEVER click anything they don't understand, and the method to tell when a phish is a phish as opposed to a REAL letter from their bank.
We do know this. These guys can be tricky. I try not to let anything with a script run, in email, or web, but that's harder with all the scripted pages these days. Many thanks, Jim
The Thursday 2006-10-05 at 13:44 -0500, Jim Flanagan wrote:
I'd like some advice on how to handle worm and phishing emails coming to one user on my postfix server. For about 3 weeks now, Clam-AV is advising that emails have been detected and not delivered due to them containing a worm. In this case it is Worm.Mydoom.M. About 8 to 10 a day are arriving, with ClamAV advising that the trace is to 2 different IP addresses. Ripe shows both to be registered through an outfit in Paris (La Defense). I sent an email to the listed report-to email address but no reply.
Typical.
The worms keep crawling! I do get similar messages about phishing, but not near as many, and not from the same repeated IP addresses.
Typical as well.
My question is, is it OK to just continue to ignore these messages as my server is catching them and not delivering them, or is there another "best practice" that I should be doing?
Simply ignore them, and keep your users informed that they should be very cautious about suspicious emails, and what to consider suspicious. Reporting to an abuse address that you don't know if they only put because it is mandatory, but that is probably ignored, is useless to say the least. A phishing attempt should be handled by the police, the Interpol perhaps, in my opinion, but I don't think they have the resources nor interest. I receive dozens per day, all caught by SpamAssassin. -- Cheers, Carlos E. R.
Jim Flanagan wrote:
I'd like some advice on how to handle worm and phishing emails coming to one user on my postfix server. For about 3 weeks now, Clam-AV is advising that emails have been detected and not delivered due to them containing a worm. In this case it is Worm.Mydoom.M. About 8 to 10 a day are arriving, with ClamAV advising that the trace is to 2 different IP addresses. Ripe shows both to be registered through an outfit in Paris (La Defense).
La Defense is a large skyscraper area of about 11 hectares and 3 million m2 of business property. 30000 people and 2600 hotel rooms.
My question is, is it OK to just continue to ignore these messages as my server is catching them and not delivering them, or is there another "best practice" that I should be doing?
DISCARD. /Per Jessen, Zürich
Per Jessen wrote:
Jim Flanagan wrote:
I'd like some advice on how to handle worm and phishing emails coming to one user on my postfix server. For about 3 weeks now, Clam-AV is advising that emails have been detected and not delivered due to them containing a worm. In this case it is Worm.Mydoom.M. About 8 to 10 a day are arriving, with ClamAV advising that the trace is to 2 different IP addresses. Ripe shows both to be registered through an outfit in Paris (La Defense).
....
A few times I've forwarded the email to the bank, to their "abuse" userid, e.g., abuse@target-bank.com and have gotten some "thank you" replies from them. The ISP might not care, but the banks do, especially the security team who's going to reap the sweat and overtime if something goes wrong. And the bank has the legal know-how and clout with authorities to make something happen. -- In a time of universal deceit, telling the truth becomes an act of rebellion. --George Orwell
Hi, On Thursday 05 October 2006 13:27, ken wrote:
Per Jessen wrote:
Jim Flanagan wrote:
I'd like some advice on how to handle worm and phishing emails coming to one user on my postfix server. For about 3 weeks now, Clam-AV is advising that emails have been detected and not delivered due to them containing a worm. In this case it is Worm.Mydoom.M. About 8 to 10 a day are arriving, with ClamAV advising that the trace is to 2 different IP addresses. Ripe shows both to be registered through an outfit in Paris (La Defense).
....
A few times I've forwarded the email to the bank, to their "abuse" userid, e.g., abuse@target-bank.com and have gotten some "thank you" replies from them.
The ISP might not care, but the banks do, especially the security team who's going to reap the sweat and overtime if something goes wrong. And the bank has the legal know-how and clout with authorities to make something happen.
I will reiterate this. The offender is to be ignored by those who recognize the phishing attempt. On the other hand, any responsible e-commerce or e-finance institution will welcome these reports. Don't expect a gift certificate, but they will be accepted and examined. Those that are repeats will, as with bug reports, be treated as such, but when a new one arises, it will be examined and added to their database of known phishing attacks. I know my employer takes these reports very seriously and has elaborate procedures in place to process them. Employees are expected to report phishing attacks against us when we happen to receive them, either at our personal email address or at our business addresses. Randall Schulz
The Thursday 2006-10-05 at 16:27 -0400, ken wrote:
A few times I've forwarded the email to the bank, to their "abuse" userid, e.g., abuse@target-bank.com and have gotten some "thank you" replies from them.
Fortunate you. Banks here say they are interested, but do not provide an email address. Some mention a telephone number, or tell you to inform the nearest branch. Sorry, no email, no report from me. There was an organization here that collected phishing attempts, studied them a bit and forwarded them to the proper channels. But it seems they have stopped caring. A few times my report bounced, because their antivirus rejected it. Can you imagine an email set up to collect malware rejecting malware? I had to archive it as a zip with password, a real bore. Finally, I stopped reporting: if they stopped caring, why should I? -- Cheers, Carlos E. R.
On Friday 06 October 2006 08:13, Carlos E. R. wrote:
There was an organization here that collected phishing attempts, studied them a bit and forwarded them to the proper channels. But it seems they have stopped caring. A few times my report bounced, because their antivirus rejected it. Can you imagine an email set up to collect malware rejecting malware? I had to archive it as a zip with password, a real bore. Finally, I stopped reporting: if they stopped caring, why should I?
The following appeared on Slashdot today: PhishTank Taps Community To ID Scams. "The AP has an article on PhishTank, OpenDNS's service for fighting e-mail fraud. The free service seeks to tap the wisdom of the Internet community in identifying phishing emails and sites." From the article: "Users simply submit to PhishTank.com the messages they believe are scams. Others then examine the message and the site to which it links and decide whether it is or isn't a scam. When an item gets enough votes and the margin is wide enough, it is either dropped or classified as a phishing message. To prevent scammers from trying to game the system, votes are weighed based on how long, how often, and how accurate one has rated other messages." http://it.slashdot.org/it/06/10/05/1636227.shtml -- Regards, Graham Smith
Carlos E. R. wrote:
The Thursday 2006-10-05 at 16:27 -0400, ken wrote:
A few times I've forwarded the email to the bank, to their "abuse" userid, e.g., abuse@target-bank.com and have gotten some "thank you" replies from them.
Fortunate you.
Banks here say they are interested, but do not provide an email address. Some mention a telephone number, or tell you to inform the nearest branch. Sorry, no email, no report from me.
There was an organization here that collected phishing attempts, studied them a bit and forwarded them to the proper channels. But it seems they have stopped caring. A few times my report bounced, because their antivirus rejected it. Can you imagine an email set up to collect malware rejecting malware? I had to archive it as a zip with password, a real bore. Finally, I stopped reporting: if they stopped caring, why should I?
Sorry to hear about those. I'd feel and do the same as you. If you're trying to help someone and they ask you to jump through hoops to do it, then I'd assume they believe they don't really need your help. Some people take unsolicited help as threatening, as if they aren't already perfect and capable of handling everything. So just let them live their lives and you live yours. There's other fields to run in. -- In a time of universal deceit, telling the truth becomes an act of rebellion. --George Orwell
The Friday 2006-10-06 at 04:49 -0400, ken wrote:
Sorry to hear about those. I'd feel and do the same as you. If you're trying to help someone and they ask you to jump through hoops to do it, then I'd assume they believe they don't really need your help. Some people take unsolicited help as threatening, as if they aren't already perfect and capable of handling everything. So just let them live their lives and you live yours. There's other fields to run in.
Just my feelings. But it could also be that they themselves got little help from the banks or other organizations they were advising, so they tired of it in the end. Or that, being volunteers, the person in question tired. Who knows. I'm curious about the system Graham mentioned in his email. It wouldn't serve me, the phishing I get is localized for Spain, but I'm curious all the same. -- Cheers, Carlos E. R.
Jim Flanagan wrote:
Hi all,
I'd like some advice on how to handle worm and phishing emails coming to one user on my postfix server. For about 3 weeks now, Clam-AV is advising that emails have been detected and not delivered due to them containing a worm. In this case it is Worm.Mydoom.M. About 8 to 10 a day are arriving, with ClamAV advising that the trace is to 2 different IP addresses. Ripe shows both to be registered through an outfit in Paris (La Defense). I sent an email to the listed report-to email address but no reply. The worms keep crawling! I do get similar messages about phishing, but not near as many, and not from the same repeated IP addresses.
If you are accepting the mails directly via smtp (not polled via fetchmail or getmail etc.) then you have the option to reject the client. Or do you get normal mails from that ip aside of the daily ration of viruses? About one year ago I had a particular ip address in Portugal that sent a bunch of viruses to my server. It used a sender address AND a recipient address from my domain. The sender address was rejected, and all was well. Then the worm was apparently upgraded because he started to send the mail partly directly, partly through his ISP (who did not check outgoing mail for viruses or spam). The mail that came via the provider was rejected, then came back again as a bounce to the falsified sender address, again to my domain. Since I didn't want to blacklist the complete provider I used a header check to look for the originating ip address in the mail header. If it came from my good old chap the virus spreader, the mail was rejected again. That kept the mail out of my server and the game continued for some months. Then apparently the virus was detected and removed and the virus mails stopped. Sandy -- List replies only please! Please address PMs to: news-reply2 (@) japantest (.) homelinux (.) com
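Sandy's header-check approach, as an added example that is not part of the original thread and not Sandy's or Postfix's own code: the Python below pulls every client IP literal out of a message's Received headers and rejects the message if any of them falls in a blocklist, which is what a Postfix header_checks regular-expression rule does one header line at a time. The hostnames, the blocklisted addresses (RFC 5737 documentation ranges) and the three sample messages are constructed for illustration and are not the addresses from the thread.

```python
r"""Reject mail by the originating client IP recorded in its Received headers.

Added example, not Postfix or SpamAssassin code. It mimics what a Postfix
header_checks rule (pcre table, enabled with
"header_checks = pcre:/etc/postfix/header_checks" in main.cf) such as
    /^Received: .*\[192\.0\.2\.10\]/  REJECT blocklisted originating host
does, but in Python so the logic can be run and checked offline.
"""
from __future__ import annotations

import re
from email import message_from_string
from ipaddress import ip_address, ip_network

# Constructed blocklist: RFC 5737 documentation addresses standing in for
# the two offending hosts; not the real addresses from the thread.
BLOCKED_NETWORKS = [
    ip_network("192.0.2.10/32"),
    ip_network("192.0.2.11/32"),
]

# Matches the "[1.2.3.4]" or "[IPv6:2001:db8::1]" literal an MTA writes
# after the peer name in a Received header.
_RECEIVED_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")


def received_ips(raw_message: str) -> list[str]:
    """Return every IP literal found in the Received headers, outermost
    first (the header our own MTA added), then the ones earlier relays
    added. Bracketed text that is not an address is skipped."""
    msg = message_from_string(raw_message)
    ips = []
    for hop in msg.get_all("Received", []):
        for match in _RECEIVED_IP.finditer(hop):
            try:
                ips.append(str(ip_address(match.group(1))))
            except ValueError:  # e.g. "[unknown]"; not an address
                continue
    return ips


def check_message(raw_message: str) -> tuple[str, str]:
    """Return ("REJECT", reason) if any hop is blocklisted, else ("OK", "")."""
    for ip in received_ips(raw_message):
        addr = ip_address(ip)
        if any(addr in net for net in BLOCKED_NETWORKS):
            return "REJECT", f"blocklisted originating host {ip}"
    return "OK", ""


# Constructed sample messages. Continuation lines of a folded header start
# with whitespace, as in real mail. The worm connected to us directly:
DIRECT = """\
Received: from unknown (HELO friend-pc) [192.0.2.10]
  by mail.example.org (Postfix) with ESMTP id 0123456789
  for <jim@example.org>; Thu,  5 Oct 2006 10:44:00 -0500
From: jim@example.org
To: jim@example.org
Subject: test

body placeholder
"""

# Same host, but it handed the mail to its ISP's relay, which we accepted;
# the offending address only appears in the Received line the relay added.
RELAYED = """\
Received: from smtp-out.isp.example (smtp-out.isp.example [203.0.113.5])
  by mail.example.org (Postfix) with ESMTP id 0123456790
  for <jim@example.org>; Thu,  5 Oct 2006 10:45:00 -0500
Received: from friend-pc (unknown [192.0.2.10])
  by smtp-out.isp.example (Postfix) with SMTP id 4444
  for <jim@example.org>; Thu,  5 Oct 2006 10:44:55 -0500
From: jim@example.org
To: jim@example.org
Subject: test

body placeholder
"""

# Legitimate mail from an IPv6 peer; must pass.
CLEAN = """\
Received: from mx.friendly.example (mx.friendly.example [IPv6:2001:db8::1])
  by mail.example.org (Postfix) with ESMTP id 0123456791
  for <jim@example.org>; Thu,  5 Oct 2006 11:00:00 -0500
From: alice@friendly.example
To: jim@example.org
Subject: hello

body placeholder
"""


if __name__ == "__main__":
    for name, raw in (("direct", DIRECT), ("relayed", RELAYED), ("clean", CLEAN)):
        print(name, received_ips(raw), check_message(raw))
```

The reason to look at every Received header rather than only at the client that connected to you is the relay case Sandy describes: once the worm sends through its ISP, the address your own MTA logs is the relay's, and the offending host only shows up in the Received line the relay wrote. Received headers below your own are written by other parties and can be forged, so a match is safe as a reason to reject and never as a reason to trust. For a host that connects directly, Postfix can refuse it earlier, at SMTP time, with a check_client_access table in smtpd_client_restrictions; that is the "reject the client" option in Sandy's message and it costs no bandwidth for the message body.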
Sandy Drobic wrote:
Jim Flanagan wrote:
Hi all,
I'd like some advice on how to handle worm and phishing emails coming to one user on my postfix server. For about 3 weeks now, Clam-AV is advising that emails have been detected and not delivered due to them containing a worm. In this case it is Worm.Mydoom.M. About 8 to 10 a day are arriving, with ClamAV advising that the trace is to 2 different IP addresses. Ripe shows both to be registered through an outfit in Paris (La Defense). I sent an email to the listed report-to email address but no reply. The worms keep crawling! I do get similar messages about phishing, but not near as many, and not from the same repeated IP addresses.
If you are accepting the mails directly via smtp (not polled via fetchmail or getmail etc.) then you have the option to reject the client. Or do you get normal mails from that ip aside of the daily ration of viruses?
About one year ago I had a particular ip address in Portugal that sent a bunch of viruses to my server. It used a sender address AND a recipient address from my domain. The sender address was rejected, and all was well. Then the worm was apparently upgraded because he started to send the mail partly directly, partly through his ISP (who did not check outgoing mail for viruses or spam). The mail that came via the provider was rejected, then came back again as a bounce to the falsified sender address, again to my domain. Since I didn't want to blacklist the complete provider I used a header check to look for the originating ip address in the mail header. If it came from my good old chap the virus spreader, the mail was rejected again. That kept the mail out of my server and the game continued for some months. Then apparently the virus was detected and removed and the virus mails stopped.
Sandy
Yes, I use direct smtp. I don't deal with that ISP, so I could block the ip block, or just the two offending ones. Thanks, jim
Participants (8):
- Carlos E. R.
- Graham Smith
- Jim Flanagan
- John Andersen
- ken
- Per Jessen
- Randall R Schulz
- Sandy Drobic