
Re: [cobalt-users] Getting Mail Bombed!



At 01:08 PM 7/22/2001, you wrote:
Here's the fix !  You have a Virus probably !!

http://www.mcafee.com/anti-virus/viruses/sircam/

About 30 or so steps to fix it !!!

Happened to me, and was all fixed up in about 10 mins.

Cheers, Lennie Core


> ANY help on getting rid of this would rock!
>
> Below is a sample header from one of them. They are coming from many different sources, so it is more than simply adding their names to deny from...
>
>
>
> Return-Path: <marcelapujol@xxxxxxxxxxxxxxx>
> Received: from mail.fibertel.com.ar (mta1.fibertel.com.ar [24.232.0.161])
> by www.astrology-online.com (8.10.2/8.10.2) with ESMTP id f6MGBgc05310
>       for <webmaster@xxxxxxxxxxxxxxxxxxxx>; Sun, 22 Jul 2001 11:11:43 -0500
> Received: from computer.fibertel.com.ar (24.232.133.74) by mail.fibertel.com.ar (5.1.056)
>       id 3B599C5C0002E84D for webmaster@xxxxxxxxxxxxxxxxxxxx; Sun, 22 Jul 2001 13:02:14 -0300
> Message-ID: <3B599C5C0002E84D@xxxxxxxxxxxxxxxxxxxx> (added by postmaster@xxxxxxxxxxxxxxx)
> From: "Marcela Pujol"<marcelapujol@xxxxxxxxxxxxxxx>
> To: webmaster@xxxxxxxxxxxxxxxxxxxx
> Subject: QueDiostebendigasiempre
> date: Sun, 22 Jul 2001 12:56:59 -0300
> MIME-Version: 1.0
> X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
> X-Mailer: Microsoft Outlook Express 5.50.4133.2400
> Content-Type: multipart/mixed; boundary="----1A73EB0F_Outlook_Express_message_boundary"
> Content-Disposition: Multipart message
> X-UIDL: *d*"!Gj!"!6cR"!p=E"!
>
> Content-Type: text/plain; charset=ISO-8859-1
> Content-Transfer-Encoding: quoted-printable
> Content-Disposition: message text
>
> Hola como estas =3F
>
> Te mando este archivo para que me des tu punto de vista
>
>


I am finding that the virus seems to find email addresses embedded in web pages and send email to them. I have not had one personal email with the virus. I have a couple of embedded email addresses on web pages (I'd remove them if I could find them) and there are no links to them. They are in headers, I think. Only addresses available on web pages are getting email so far. This is the case with everyone I have dealt with also. I have been blocking the email addresses in my email server as soon as I see them. I do NOT think that anyone I have received email from has one of the email addresses that they are sending to in their address book. If they do, then it is their tough luck, as the only email that ever comes to the addresses I am getting it at is spam and thus they must be spammers. I have probably received about 100 so far in about 2 days. I have only seen about five email addresses so far.

I have gotten email from:
aacuna@xxxxxxxxxxxxxxxxxx relayed as 16480320300484@xxxxxxxxxxxxx 65.165.212.134
clemen@xxxxxxxxxxxx  216.169.33.8
glrowles@xxxxxxxxxxxxx  207.217.121.49
rudranath@xxxxxxxxxxxxxxxx  202.164.96.4
srew@xxxxxxxxxx
robillovich@xxxxxxxx  24.2.9.90
afenton@xxxxxxxx  24.64.2.49
ELN/jdemolet@xxxxxxxxxxxxx relayed as 200107201629.JAA09016@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx 207.217.120.74

The last one I can't seem to get the email to block as it says it is a bad address. It is what is in the logs as well.
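
The point raised in this thread, that the messages arrive from many different senders so per-address deny entries do not keep up, shown as an added example that is not part of the original messages: it reads each sample's envelope sender and the relay IP from the topmost Received header, then checks for the two fixed body lines visible in the quoted sample. The function names, hostnames and addresses are constructed for the illustration (documentation ranges, not real traffic).

```python
import re
from email import message_from_string

# Fixed body lines visible in the sample quoted in this thread.
BODY_MARKERS = ("Hola como estas", "Te mando este archivo")
# Dotted quad inside (...) or [...], as the receiving MTA records the peer.
IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")

def summarize(raw):
    """Return envelope sender, handoff relay IP and body-marker match."""
    msg = message_from_string(raw)
    received = msg.get_all("Received") or []
    # Only the topmost Received header was written by our own server;
    # lower ones are supplied by the sending side and can be forged.
    m = IP_RE.search(received[0]) if received else None
    text = ""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            data = part.get_payload(decode=True) or b""  # undoes quoted-printable
            text += data.decode("iso-8859-1", "replace")
    return {
        "sender": (msg.get("Return-Path") or "").strip("<> "),
        "relay": m.group(1) if m else None,
        "body_match": all(marker in text for marker in BODY_MARKERS),
    }

def tally(raws):
    """Count distinct senders and relays versus messages sharing the body."""
    rows = [summarize(r) for r in raws]
    return {
        "senders": len({r["sender"] for r in rows}),
        "relays": len({r["relay"] for r in rows}),
        "body_matches": sum(r["body_match"] for r in rows),
    }

def make_sample(sender, ip, body):
    """Constructed test message (documentation addresses, not real traffic)."""
    return (
        f"Return-Path: <{sender}>\n"
        f"Received: from mail.example.org (mail.example.org [{ip}])\n"
        "\tby mx.example.net with ESMTP; Sun, 22 Jul 2001 11:11:43 -0500\n"
        'Content-Type: multipart/mixed; boundary="b1"\n\n'
        "--b1\nContent-Type: text/plain; charset=ISO-8859-1\n"
        f"Content-Transfer-Encoding: quoted-printable\n\n{body}\n--b1--\n"
    )

VIRUS_BODY = ("Hola como estas =3F\n\n"
              "Te mando este archivo para que me des tu punto de vista")
SAMPLES = [make_sample(f"user{i}@example.com", f"192.0.2.{i}", VIRUS_BODY)
           for i in (1, 2, 3)]
```

Running `tally(SAMPLES)` shows three distinct senders and three distinct relays but one shared body, which is why a filter keyed on the message text holds up where a sender deny list does not.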