LinuxSA Mailing list archives
From: Anthony Symons <ant@sa.pracom.com.au>
To : brian <brian@unilinc.edu.au>
Date: Tue, 22 May 2001 14:30:19 +0930
Re:
That's a pretty widespread virus. We get several hits from that virus
per day. Blocking that host will not help you as it's spoofed.

I stop the virus by using amavis with McAfee under Linux.
http://www.amavis.org
http://www.nai.com/naicommon/buy-try/try/products-evals.asp

Anyway, that name & IP address are both wrong and thus blocking them won't
help you at all. The name sexyfun.net is spoofed, and I just looked at
the page. Someone has bought it since the virus and put info about the
virus on it in the hope you'll look at it and they can help you remove
it. You can look at the email header and you should get at least an IP
of the host it came from. If it's a company you can inform them, and if
it's a home user you can send the email to their support team with an
email along the lines of "one of your users has blah blah virus. They
were connected to IP xx.xx.xx.xx at xx:xx:xx time in time zone +9:30"

Here's an example of a real header of one of these viruses.

Return-Path: <>
Received: from oemcomputer (ip149.nashville17.tn.pub-ip.psi.net [38.33.15.149])
    by foghorn.steadycom.com.au (8.9.3/8.9.3) with SMTP id FAA16737
    for <gabs@steadycom.com.au>; Sat, 16 Dec 2000 05:24:49 +1030
Date: Sat, 16 Dec 2000 05:24:49 +1030
Message-Id: <200012151854.FAA16737@foghorn.steadycom.com.au>
From: Hahaha <hahaha@sexyfun.net>
Subject: Snowhite and the Seven Dwarfs - The REAL story!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--VE41E38PEZKDQJ0DI7K9"

You can see the IP address and name in the Received line
(ip149.nashville17.tn.pub-ip.psi.net [38.33.15.149]) and you can see it's
a user of an ISP (psi.net) so they are the ones to harass about it. You
can also see the From line is bullsh_t.

Ant
brian wrote:
>
> Hi,
>
> I am currently having a problem configuring my postfix server. Staff are
> receiving emails from a host called sexyfun.net with an IP address
> 137.118.8.61 attached with viruses. Can you please guide me on how to stop
> this host from coming to us. The version of Linux is Slackware 2.2.16.
>
> Brian Kadomi
> System & Network Administrator
> UNILINC Limited
> Level 9, 210 Clarence St
> SYDNEY NSW 2000
> Tel (61-2) 9283 1488
> Email: Brian@unilinc.edu.au
> ------------------------------------------
--
Systems Administrator
Pracom Ltd.
+61 8 82029074 -=- +61 402 100 671
anthony.symons@sa.pracom.com.au
PRIVILEGED - PRIVATE AND CONFIDENTIAL
This electronic mail is solely for the use of the addressee and may
contain information which is confidential or privileged.
If you receive this electronic mail in error, please delete it from
your system immediately and notify the sender by electronic mail or
using any of the above contact details.
--
LinuxSA WWW: http://www.linuxsa.org.au/ IRC: #linuxsa on irc.linux.org.au
To unsubscribe from the LinuxSA list:
mail linuxsa-request@linuxsa.org.au with "unsubscribe" as the subject
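
The header reading described in the message above, as an added example that is not part of the original post: it takes the source IP, reverse-DNS name and timestamp from the Received line written by your own mail server, converts the time to UTC for the abuse report, and checks whether the From domain matches the real source. The function name abuse_report and its our_mta parameter are assumptions made for this illustration; the regex covers the sendmail-style Received layout shown in the sample.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Header block quoted in the message above, with the folded Received line restored.
SAMPLE = """\
Return-Path: <>
Received: from oemcomputer (ip149.nashville17.tn.pub-ip.psi.net [38.33.15.149])
    by foghorn.steadycom.com.au (8.9.3/8.9.3) with SMTP id FAA16737
    for <gabs@steadycom.com.au>; Sat, 16 Dec 2000 05:24:49 +1030
Date: Sat, 16 Dec 2000 05:24:49 +1030
Message-Id: <200012151854.FAA16737@foghorn.steadycom.com.au>
From: Hahaha <hahaha@sexyfun.net>
Subject: Snowhite and the Seven Dwarfs - The REAL story!

"""

# sendmail-style trace: from <HELO> (<reverse DNS> [<peer IP>]) by <receiving host>
HOP = re.compile(r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]()]+)?\s*"
                 r"\[(?P<ip>[0-9A-Fa-f.:]+)\]\)\s+by\s+(?P<by>\S+)")

def abuse_report(raw, our_mta):
    """Facts for an abuse report, taken only from the hop our own MTA recorded.

    our_mta is a hypothetical parameter: the hostname of the mail server you run.
    Received lines below that hop were written by other machines and can be forged.
    """
    msg = message_from_string(raw)
    claimed = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    for value in msg.get_all("Received", []):      # newest hop is listed first
        m = HOP.search(value)
        if not m or m["by"].lower() != our_mta.lower():
            continue
        rdns = (m["rdns"] or "").lower()
        stamp = parsedate_to_datetime(value.rsplit(";", 1)[-1].strip())
        return {
            "source_ip": m["ip"],                   # peer address seen by our MTA
            "source_rdns": rdns,                    # PTR name, points at the ISP
            "helo": m["helo"],                      # self-reported, not trusted
            "when_utc": stamp.astimezone(timezone.utc).isoformat(),
            "claimed_from_domain": claimed,
            "from_matches_source": bool(claimed)
            and (rdns == claimed or rdns.endswith("." + claimed)),
        }
    return None                                     # no hop from our MTA found

if __name__ == "__main__":
    print(abuse_report(SAMPLE, "foghorn.steadycom.com.au"))
```
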