#1
Help! Email Hijacked?
Came in today to about 50 returned email notices for email I never sent, reportedly from mailboxes that aren't set up.

Domain Pack846.org is one of my sites; however, there is no mailbox called serg@pack846.org. Here is the return message. Any idea what's going on and how to stop it? Various messages and attachments are being returned via the catchall mailbox. I appreciate any help.

Hi. This is the qmail-send program at client2.qpmanagement.biz.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<brent@quickpros.biz>:
User unknown (#5.1.1)

--- Below this line is a copy of the message.

Return-Path: <serg@pack846.org>
Received: (qmail 13903 invoked from network); 27 Jan 2004 01:05:17 -0000
Received: from unknown (HELO pack846.org) (12.150.159.195) by client3.qpmanagement.biz with SMTP; 27 Jan 2004 01:05:17 -0000
From: serg@pack846.org
To: brent@quickpros.biz
Subject: Test
Date: Mon, 26 Jan 2004 20:05:44 -0500
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0001_22EF2ED8.1B7C5D9F"
X-Priority: 3
X-MSMail-Priority: Normal

This is a multi-part message in MIME format.

------=_NextPart_000_0001_22EF2ED8.1B7C5D9F
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: 7bit

The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.

------=_NextPart_000_0001_22EF2ED8.1B7C5D9F
Content-Type: application/octet-stream; name="oyjxpa.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="oyjxpa.zip"
#2
VIRUS!!
http://securityresponse.symantec.com...varg.a@mm.html

It is spreading like crazy, hitting government email servers too.

W32.Novarg.A@mm is a mass-mailing worm. The worm will arrive as an attachment with a file extension of .bat, .cmd, .exe, .pif, .scr, or .zip. The worm also contains functionality to perform as a proxy server. It listens on all TCP ports in the range 3127-3198.
__________________
goodbye idevaffiliate, you can kiss my @$* with your poor support and broken script, I am now using post affiliate pro 3 |
#3
Well, I don't know if it's any consolation, but it doesn't look like you're actually sending the worm. The last Received line in the email header typically contains the originating IP address of the message. In this case, that's:

Received: from unknown (HELO pack846.org) (12.150.159.195) by client3.qpmanagement.biz with SMTP; 27 Jan 2004 01:05:17 -0000

Doing a whois lookup on that IP address shows it belongs to AT&T Worldnet (http://www.dnsstuff.com/tools/whois....12.150.159.195), so it appears that your "From" is just being spoofed by the worm.

Unfortunately, there's not a lot you can do to stop the messages, since a lot of mail servers still bounce to the "From" address rather than do an SMTP reject. If you're using a mail client like Outlook, you can set up a filter to either delete these messages or move them to a specified folder so that you can review them before deleting them. If all of the bounces are coming from the same IP, you can use Outlook to filter by IP as well. The bounces will eventually trickle away as the worm epidemic slows. If the bounces are *really* bad, you could temporarily turn the mailbox off until the bounces subside.

Info on reading email headers: http://www.stopspam.org/email/headers.html
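The header walk described in the reply above, done in code rather than by eye. This is an added example, not something posted in the thread: it takes the qmail bounce from the first post (retyped below as a constructed sample, with the base64 attachment body left out), splits off the copy of the original message, reads the Received chain from the oldest hop upward to find the IP that actually handed the mail to the receiving server, and compares that IP with the addresses the domain's own mail server uses. The set `OUR_MAIL_HOSTS` is a placeholder; the thread never states pack846.org's real mail server address.

```python
import email
import email.utils
import re

# Constructed sample: the qmail bounce quoted in post #1, one header per line,
# with the base64 zip body omitted. The bounce notice comes first; the copy of
# the original (spoofed) message follows the qmail marker line.
BOUNCE = """Hi. This is the qmail-send program at client2.qpmanagement.biz.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<brent@quickpros.biz>:
User unknown (#5.1.1)

--- Below this line is a copy of the message.

Return-Path: <serg@pack846.org>
Received: (qmail 13903 invoked from network); 27 Jan 2004 01:05:17 -0000
Received: from unknown (HELO pack846.org) (12.150.159.195) by client3.qpmanagement.biz with SMTP; 27 Jan 2004 01:05:17 -0000
From: serg@pack846.org
To: brent@quickpros.biz
Subject: Test
Date: Mon, 26 Jan 2004 20:05:44 -0500
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0001_22EF2ED8.1B7C5D9F"
X-Priority: 3
X-MSMail-Priority: Normal

This is a multi-part message in MIME format.
------=_NextPart_000_0001_22EF2ED8.1B7C5D9F
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: 7bit

The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
------=_NextPart_000_0001_22EF2ED8.1B7C5D9F
Content-Type: application/octet-stream; name="oyjxpa.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="oyjxpa.zip"

(base64 body omitted)
------=_NextPart_000_0001_22EF2ED8.1B7C5D9F--
"""

# Placeholder (TEST-NET address): the IP(s) of the mail server that legitimately
# sends for your domain. Not from the thread; substitute your own.
OUR_MAIL_HOSTS = {"203.0.113.10"}

COPY_MARKER = "--- Below this line is a copy of the message."
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def original_message(bounce_text):
    """Parse the copy of the original message out of a qmail bounce, or None."""
    if COPY_MARKER not in bounce_text:
        return None
    body = bounce_text.split(COPY_MARKER, 1)[1].lstrip("\n")
    return email.message_from_string(body)


def received_chain(msg):
    """Received headers oldest-first: each relay prepends its own line, so the
    bottom of the header block is the hop closest to the real sender."""
    return list(reversed(msg.get_all("Received", [])))


def originating_ip(msg):
    """First IP literal found walking from the oldest hop upward."""
    for hop in received_chain(msg):
        m = IPV4.search(hop)
        if m:
            return m.group(1)
    return None


def claimed_helo(msg):
    """The name the sending host announced in HELO (trivially forgeable)."""
    for hop in received_chain(msg):
        m = re.search(r"\(HELO ([^)\s]+)\)", hop)
        if m:
            return m.group(1)
    return None


def sender_domain(msg):
    addr = email.utils.parseaddr(msg.get("From", ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else None


def analyse(bounce_text, our_mail_hosts):
    """Summarise whether the bounced mail really left our mail server."""
    msg = original_message(bounce_text)
    if msg is None:
        return {"is_bounce": False}
    ip = originating_ip(msg)
    return {
        "is_bounce": True,
        "from_domain": sender_domain(msg),
        "helo": claimed_helo(msg),
        "origin_ip": ip,
        "attachments": [p.get_filename() for p in msg.walk() if p.get_filename()],
        # From: and HELO both say pack846.org, but the handing-off IP is not ours.
        "spoofed": ip is not None and ip not in our_mail_hosts,
    }


if __name__ == "__main__":
    for k, v in analyse(BOUNCE, OUR_MAIL_HOSTS).items():
        print(f"{k}: {v}")
```

The From: address and the HELO name are both supplied by the sending host and prove nothing; the only part of the chain you can rely on is the IP the receiving server itself recorded, which is why the script reads the bottom Received line first. For a bounce that arrives without the original headers (some servers only return the first few lines), `originating_ip` returns None and the message has to be judged on other evidence.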
#4
Thank you all.
I got the news about the new worm an hour or so after I posted. Just kinda scared me. I updated virus definitions and ran a scan, and I am clean. Turned off the catchall on the account, and that got rid of the messages coming back to me. Just kinda makes me mad that our domain is being used. I mean heck, it's a Boy Scout web site. Doesn't look good getting a virus from the Boy Scouts, know what I mean? Oh well. Thanks again. Chris
#5
That's one of the features of this worm, spoofing the return, from address etc. It's a bit confusing, but from what I read, you are probably receiving original copies of the worm, not returned bounces.
#6
Actually, it is a bounce; if it was a direct copy of the worm there wouldn't be the bounce transcript at the start of the headers shown there.

In the above example the email containing the worm was sent to brent@quickpros.biz with cleonard's email address as the spoofed from address. The email bounced, so cleonard got the bounce message back.