-
They do have that ability and I have forwarded this issue to them using my work email id, which is a company that also uses the ATT backbone.
They told me in a reply that they are looking into the matter and will keep me informed.
I have a feeling that whoever this is will have their account suspended until they get this issue resolved.
-
It looks to me like some little girl has an axe to grind with internet.com.
The same IP is still sending out this virus. It appears that they enjoy spoofing some of the guys here.
Microsoft Mail Internet Headers Version 2.0
Received: from external.server.net ([172.16.10.xxx]) by internal.server.lab with Microsoft SMTPSVC(5.0.2195.2966);
Thu, 13 Jun 2002 13:40:14 -0400
Received: from cordoba.com.ar ([200.61.160.134] RDNS failed) by external.server.net with Microsoft SMTPSVC(5.0.2195.4905);
Thu, 13 Jun 2002 13:22:43 -0400
Received: from Ylok [12.248.197.242] by cordoba.com.ar
(SMTPD32-6.06) id A43A47350138; Thu, 13 Jun 2002 14:19:54 -0300
From: jmaher ([email protected])
To: my.email.address.com
Subject: CELLSPACING
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary=M5hH4sj5tBkY69088E6Z1G9r189223v9k3e
Message-Id: <200206131419718.SM00174@Ylok>
Date: Thu, 13 Jun 2002 14:20:03 -0300
Return-Path: [email protected]
X-OriginalArrivalTime: 13 Jun 2002 17:22:44.0987 (UTC) FILETIME=[EE5D24B0:01C212FE]
--M5hH4sj5tBkY69088E6Z1G9r189223v9k3e
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable
--M5hH4sj5tBkY69088E6Z1G9r189223v9k3e
Content-Type: audio/x-wav;
name=CONTENT.bat
Content-Transfer-Encoding: base64
Content-ID: <L16g0D08cxH229m4>
--M5hH4sj5tBkY69088E6Z1G9r189223v9k3e
--M5hH4sj5tBkY69088E6Z1G9r189223v9k3e
Content-Type: application/octet-stream;
name=search[3].html
Content-Transfer-Encoding: base64
Content-ID: <L16g0D08cxH229m4>
--M5hH4sj5tBkY69088E6Z1G9r189223v9k3e--
-
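The message quoted above declares its attachment as `audio/x-wav` while naming it `CONTENT.bat`. The check below is an added example, not part of the original thread: it flags that mismatch in a constructed copy of the message, where the addresses, the stand-in base64 bodies and the extension list are assumptions.

```python
import email
import os

# Extensions Windows runs on double-click (partial list, an assumption).
EXECUTABLE_EXTS = {".bat", ".cmd", ".com", ".exe", ".pif", ".scr"}

# Constructed sample modelled on the message above. Addresses are placeholders
# and the base64 bodies are harmless stand-ins, not the original attachments.
SAMPLE = """\
From: jmaher <sender@example.invalid>
To: recipient@example.invalid
Subject: CELLSPACING
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary=M5hH4sj5tBkY69088E6Z1G9r189223v9k3e

--M5hH4sj5tBkY69088E6Z1G9r189223v9k3e
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

<html></html>
--M5hH4sj5tBkY69088E6Z1G9r189223v9k3e
Content-Type: audio/x-wav;
 name=CONTENT.bat
Content-Transfer-Encoding: base64

ZWNobw==
--M5hH4sj5tBkY69088E6Z1G9r189223v9k3e
Content-Type: application/octet-stream;
 name=search[3].html
Content-Transfer-Encoding: base64

PGh0bWw+
--M5hH4sj5tBkY69088E6Z1G9r189223v9k3e--
"""

def disguised_attachments(raw):
    """Return (filename, declared_type) for parts named like an executable
    whose Content-Type claims something other than application/*."""
    findings = []
    for part in email.message_from_string(raw).walk():
        name = part.get_filename()
        if not name:
            continue
        ext = os.path.splitext(name)[1].lower()
        declared = part.get_content_type()
        if ext in EXECUTABLE_EXTS and not declared.startswith("application/"):
            findings.append((name, declared))
    return findings
```

This only reports the type/name mismatch; a mail filter would normally also block the executable extensions outright, whatever type is declared.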
-
quote: Originally posted by JvaGuy:
> Delivered-To: jvaguy@1
> From: matridom <[email protected]>
> To: [email protected]
> Subject:
> Date: Tue, 11 Jun 2002 14:07:49 -0300
> someone has my email in their address book .. that has AT&T .. so we need to keep tracing who has this .. again I'm not accusing anyone but I would like this solved as well as anyone .. so let's get this solved ..
That's odd. Something funny is going on. I don't recall ever mailing you, Jvaguy. For my e-mail address here, I use Netscape (OE is for my work e-mail.. attachments stripped off)
I don't think I got hit, but I'll try a different scanner just to be safe. BTW, can you PM me with the originating IP address?
Edit: This is something I thought was unrelated.. but someone signed me up to "FunnyWebsite.com" list server.
It's actually a good list server and auto unsubscribed me when I mailed back "Remove my name". The big coincidence is that this happened on the 10th......
-
yes something weird is going on .. I had to take higher measures to deal with this too .. someone is playing around .. although I fixed my problem still something is up
-
quote: Originally posted by JvaGuy:
> yes something weird is going on .. I had to take higher measures to deal with this too .. someone is playing around .. although I fixed my problem still something is up
I think I MAY have found a possible Solution.
http://securityresponse.symantec.com/avcenter/venc/data/[email protected]
Now, the question is, who has all of us in their address book?
-
quote: Originally posted by Matridom:
> quote: Originally posted by JvaGuy:
> > yes something weird is going on .. I had to take higher measures to deal with this too .. someone is playing around .. although I fixed my problem still something is up
> I think I MAY have found a possible Solution.
> http://securityresponse.symantec.com/avcenter/venc/data/[email protected]
> Now, the question is, who has all of us in their address book?
I'm doing some investigating and contacting some persons. We'll see what comes from it...
-
Well, the messages that I'm getting are coming from this IP 12.248.197.242. I'm sure it's a virus and I've emailed ATT.
I get a ****load of virus/security attacks on the outside of the PIX every day and I don't have time to run them down. This one has my email though, as well as other people here.
The box just needs a virus cleaning. If somebody had the time they could scan it and prolly shut it down.
I don't think it's klez though... I think klez has a web server component. If you hit an IIS server with klez on it you'll know. :D It could be a variant though...
-
quote: Originally posted by Matridom:
> quote: Originally posted by JvaGuy:
> > yes something weird is going on .. I had to take higher measures to deal with this too .. someone is playing around .. although I fixed my problem still something is up
> I think I MAY have found a possible Solution.
> http://securityresponse.symantec.com/avcenter/venc/data/[email protected]
> Now, the question is, who has all of us in their address book?
now after all this time I know why I don't keep an address book and things .. here's a screen shot of my Eudora 5.1 address book
[image: http://jvaguy.thegeeksinc.com/shirt/addybook.gif]
which goes to the point make a text file and put all your addys there .. not only is it easy to save and things for backup but it's simple to copy and paste when you need it
-
quote: Originally posted by JvaGuy:
> which goes to the point make a text file and put all your addys there .. not only is it easy to save and things for backup but it's simple to copy and paste when you need it
And that's why my mail is viewed as straight text first. I got a couple more viruses today at that email address so it's hosed. No problem though, it's already changed. ...one of the perks of being the admin ;)
Microsoft Mail Internet Headers Version 2.0
Received: from external.server.net ([172.16.10.xxx]) by internal.server.lab with Microsoft SMTPSVC(5.0.2195.2966);
Fri, 14 Jun 2002 00:32:58 -0400
Received: from super_exchange.supermicro.com ([66.120.31.2] unverified) external.server.net with Microsoft SMTPSVC(5.0.2195.4905);
Fri, 14 Jun 2002 00:25:38 -0400
Received: by SUPER_EXCHANGE with Internet Mail Service (5.5.2653.19)
id <MJT24R9X>; Thu, 13 Jun 2002 21:18:40 -0700
Message-ID: <2DA7F1611EE8D511B945003048310C620BAA2F@66-120-31-3.supermicro.com>
From:
"DSAVSUPER_EXCHANGE2001(Network Associates Anti-Virus - Mailbox Agent)"
<[email protected]>
To: 'cltaylor' ([email protected])
Subject: ALERT - Virus W32/Klez.h@MM found; an attachment/message has been
quarantined
Date: Thu, 13 Jun 2002 21:19:58 -0700
X-MS-TNEF-Correlator: <2DA7F1611EE8D511B945003048310C620BAA2F@66-120-31-3.supermicro.com>
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: multipart/mixed;
boundary="----_=_NextPart_000_01C2135A.BE560CD0"
Return-Path: [email protected]
X-OriginalArrivalTime: 14 Jun 2002 04:25:38.0407 (UTC) FILETIME=[892B6770:01C2135B]
------_=_NextPart_000_01C2135A.BE560CD0
Content-Type: text/plain
------_=_NextPart_000_01C2135A.BE560CD0
Content-Type: application/ms-tnef
Content-Transfer-Encoding: base64
------_=_NextPart_000_01C2135A.BE560CD0--
-
I got mine today..
[email protected]>
Received: from cordoba.com.ar ([200.61.160.134]) by tomts20-srv.bellnexxia.net (InterMail vM.5.01.04.19 201-253-122-122-119-20020516) with ESMTP id <20020614005949.ZCIJ25296.tomts20-srv.bellnexxia.net@cordoba.com.ar> for <[email protected]>; Thu, 13 Jun 2002 20:59:49 -0400
Received: from Roxedm [12.248.197.242] by cordoba.com.ar (SMTPD32-6.06) id A79120C021E; Thu, 13 Jun 2002 14:34:09 -0300
From: PrincessBabzy <[email protected]>
To: [email protected]
Subject: A IE 6.0 patch
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=VM4t9J8MTz4t0n1P996k935S0
Message-Id: <200206131434375.SM00174@Roxedm>
an .SCR attachment contains the KLEZ virus...
e-mail has been sent to ATT
-
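The two infected messages in this thread carry different From names and different client names (`Ylok`, `Roxedm`), yet the earliest `Received:` line in each records the same client IP. The script below is an added example, not part of the original posts: it groups messages by that earliest hop, using constructed, abridged copies of the headers with placeholder addresses.

```python
import email
import re
from collections import defaultdict
from email.utils import parseaddr

# "from <name> [ip] ... by <server>", with or without parentheses round the IP.
HOP = re.compile(r"from\s+(\S+)\s+\(?\[([^\]]+)\].*?\bby\s+(\S+)", re.S)

# Constructed samples: Received/From lines taken from the two messages in the
# thread, abridged, with addresses replaced by example.invalid placeholders.
MSG_A = """\
Received: from cordoba.com.ar ([200.61.160.134] RDNS failed) by external.server.net with Microsoft SMTPSVC(5.0.2195.4905);
 Thu, 13 Jun 2002 13:22:43 -0400
Received: from Ylok [12.248.197.242] by cordoba.com.ar
 (SMTPD32-6.06) id A43A47350138; Thu, 13 Jun 2002 14:19:54 -0300
From: jmaher <a@example.invalid>
Subject: CELLSPACING

"""
MSG_B = """\
Received: from cordoba.com.ar ([200.61.160.134]) by tomts20-srv.bellnexxia.net with ESMTP; Thu, 13 Jun 2002 20:59:49 -0400
Received: from Roxedm [12.248.197.242] by cordoba.com.ar (SMTPD32-6.06) id A79120C021E; Thu, 13 Jun 2002 14:34:09 -0300
From: PrincessBabzy <b@example.invalid>
Subject: A IE 6.0 patch

"""

def hops(raw):
    """Return [(client_name, client_ip, recording_server)], newest hop first."""
    received = email.message_from_string(raw).get_all("Received", [])
    return [m.groups() for m in map(HOP.search, received) if m]

def group_by_first_hop(messages):
    """Map earliest recorded client IP -> set of (client name, From name)."""
    groups = defaultdict(set)
    for raw in messages:
        # Each server prepends its own line, so the last header is the earliest
        # hop. It is only as reliable as the relay that wrote it.
        client, ip, _server = hops(raw)[-1]
        sender = parseaddr(email.message_from_string(raw)["From"])[0]
        groups[ip].add((client, sender))
    return dict(groups)
```

Run over both samples, `group_by_first_hop([MSG_A, MSG_B])` puts the two messages under the single key `12.248.197.242`, which is the address worth quoting in an abuse report rather than the From line.
-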
Is ATT asleep at the wheel or what? How many complaints do they need?
-
BTW.. I know this is a late response, but just read the thread.. klez does have a web server component.. it does spoof the "from" address, it doesn't have to be opened as an attachment to activate, and it can get email addresses from temp files as easily as from address books
-
i changed my email and things and stuff and no longer have my stuff public to avoid this from happening again ..