
email viruses- general clayart.

updated wed 18 jun 03

 

Louis Katz on sun 15 jun 03


Clayart is experiencing a rash of email viruses. These come in various
forms and look different from each other. Our main server support
specialist says they get someone's address book and start writing
emails from one address to another. That is, they use one address from
the address book as the "Reply to" address. These emails are not sent
by these people who are listed in the source code. Thus the message I
received today "from" Dannon Rudy did not come from her. It only looks
like it. It came from some virus that hijacked an address book
containing both of our addresses.

After these messages go out there is usually a flurry of error messages
that go to the "reply to" person. Invariably some of the hijacked
addresses are no good.

The subject line of these messages is often chosen from messages in
the same person who "provided" the address book. Thus the subject of
the message I received was "Re: is it hakeme or hakami?"

Louis

Earl Brunner on sun 15 jun 03


SOMEONE on clayart though DID get a virus, who else would have all of
our e-mail addresses in their mail folder? It's just that it isn't
necessarily (and probably isn't) the person that it appears to be.


Roger Korn on sun 15 jun 03


Any pattern to the source of the hijacked addresses? Microsoft or
Netscape or Eudora mailers (email applications)? I'm not sure if one
email app is more resistant to the hack than others, but it would be
good to find out.

Since this is a bit OT, you could reply to me with any leads and I'll
tabulate responses.

Just a thought,
Roger


--
Roger Korn
McKay Creek Ceramics
In AZ: PO Box 463
4215 Culpepper Ranch Rd
Rimrock, AZ 86335
928-567-5699 <-
In OR: PO Box 436
31330 NW Pacific Ave.
North Plains, OR 97133
503-647-5464

Wes Rolley on mon 16 jun 03



At 05:00 PM 6/15/03 -0700, you wrote:

>I'm not sure if one
>email app is more resistant to the hack than others, but it would be
>good to find out.

I used Outlook, but it had too many vulnerabilities. Then, I switched to
Sun's Star Office, but when that became "OpenOffice" they dropped the email
function. So, now I use Eudora Pro, and I have never had a problem. The
problem with Outlook is that it opens too many hooks into the rest of your
system that are not available (or used) by Eudora...

Note, I use Grisoft's AVG anti-virus product. A recent virus which used
Ivor Lewis's id (iandol) with a UK system name...not his actual one... came
and had an attachment that was NOT flagged as a virus. I was suspicious
due to the obvious (to me) address error. I updated my AV product and
scanned it again. This time, it flagged the attachment. My AV updates had
been on a 2 week automatic update cycle. I guess that I will have to
increase the frequency.

"I find I have a great lot to learn – or unlearn. I seem to know far too
much and this knowledge obscures the really significant facts, but I am
getting on." -- Charles Rennie Mackintosh

Wesley C. Rolley
17211 Quail Court
Morgan Hill, CA 95037
wrolley@charter.net
(408)778-3024


Jennifer F Boyer on mon 16 jun 03


My understanding is that the new viruses graze the internet in
general looking for FROM addresses. They don't necessarily get
them from our own computers any more. So if we have addresses
stored on the clayart server in the form of posts, we are
vulnerable to getting our addresses used. SO it doesn't matter
what emailer we're using, except that IE gives us the highest
chance of the virus (on an email we get) damaging our computer.
Most viruses use IE to do their dirty work.

Jennifer



~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*
Jennifer Boyer
Thistle Hill Pottery Montpelier VT USA
http://www.thistlehillpottery.com/

Never pass on an email warning without checking out these sites
for web hoaxes and junk:
http://urbanlegends.about.com/
http://snopes.com
~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*

Logan Oplinger on mon 16 jun 03


Yes, I also was sent bogus e-mails. One supposedly from Ivor, and one
supposedly from Frank Gaydos, but marked by my provider as undeliverable
because it contained a virus. I do not recognize the address for "Ivor" as
being a true address.

The "Ivor's" post from "iandol iandol@THEELEVENTHHOUR.CO.UK" to undisclosed
recipients contained the following .pif attachment (No Link Made Here!!):

"=CF=F0=E5=E9=F1=EA=F3=F0=E0=ED=F2.mdb.___"

Logan Oplinger
Another Pacific Island
Lat. 13.3N, Long. 144.5E

Snail Scott on mon 16 jun 03


At 04:27 PM 6/15/03 -0700, you wrote:
>SOMEONE on clayart though DID get a virus, who else would have all of
>our e-mail addresses in their mail folder? It's just that it isn't
>necessarily (and probably isn't) the person that it appears to be.


Of course Clayart members aren't immune to viruses;
it's just that viruses that are commonly propagated
in attachment form cannot come THROUGH Clayart.
(That's why Clayart won't accept any attachments.)
But if a member gets a virus from another source,
that virus can still raid their address book for any
Clayart names saved there.

Outlook Express is especially a problem, since it
may automatically save all incoming addresses to the
address book unless instructed not to, potentially
making any Outlook Express user an unwitting 'vector
of infection'.

Users of other software are just as vulnerable to
getting these viruses; they just don't spread it as
far, since their address books typically contain only
the addresses placed there deliberately, resulting in
far fewer total addresses to be hijacked.

This latest virus attack may be a new method, but
it's doubtful that it was spread through the Clayart
server.

-Snail

Louis Katz on mon 16 jun 03


Using email applications that do not open attachments or read HTML, or
setting them so they won't, is enough to protect you.
You will still get the mail, however, as it comes from other computers.
My contact is concerned most with Outlook products.

Louis

Maurice Weitman on mon 16 jun 03


From what's been said here, it does seem to me that this is a virus
sent by a PC-based program that got its addresses and files to be
sent from someone's PC. Maybe Ivor's, maybe not.

Ivor's mail client (at least in some of his messages) is Outlook
Express, which has been shown to be vulnerable to many of these
virus/worm exploits.

For what it's worth, I've not (yet) received any such messages,
probably because I have not had private correspondence with the
person whose computer is infected. (And since I'm using Eudora on a
Macintosh, I don't get no steenkin' viruses anyhow.)

The fact that someone's old address was used is also explained by the above.

Regards,
Maurice who just got back from a delightful hike around our favorite
of our water district's lakes in which the largest male Western Pond
Turtle in the wild in California was found in one of the census traps
this weekend. That rivals our sightings of the family of Pileated
Woodpeckers and the hundreds of bullfrog tadpoles.

And almost as exciting as finding that the casserole lid I was
obsessing over fits just fine, now that it and the bowl have dried
well.

I'm very appreciative of and benefited greatly from all the helpful
advice and knowledge I received from so many of you.

Earl Brunner on mon 16 jun 03


My auto update is currently updating whenever there
is an update to update (boy that was a mouthful). It
is updating almost daily right now, I've even had it
update twice in one day, so there must be a lot of
virus activity going on. So far, the software has
caught everything coming in........

--- Wes Rolley wrote:
> I updated my AV product and scanned it again. This time, it flagged
> the attachment. My AV updates had been on a 2 week automatic update
> cycle. I guess that I will have to increase the frequency.


=====
Earl Brunner
e-mail: brunv53@yahoo.com

Earl Brunner on mon 16 jun 03


So in general terms we can say that:
1. A virus may not come from, and in fact PROBABLY
isn't coming from, the obvious source it appears to be
coming from.
2. Since most of these viruses seem to be clay
related, someone in the clay community is probably
compromised.
3. As members of clayart we need to be smart AND
cautious in our internet practices, including having
current virus protection and updating it frequently.
4. We should probably NOT send or accept email with
attachments from ANYONE unless we are expecting it.
And we should look carefully at the attachment before
opening it in any case. (This will only help with some
types of viruses.)
5. We should give some serious thought to using email
programs that are less vulnerable to viruses.
Remember, it's NOT just your personal computer you are
putting at risk if you are not doing the above.



=====
Earl Brunner
e-mail: brunv53@yahoo.com
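
An added illustration of points 1 and 4 in the summary above (not part of any list member's post): a Python check that flags a From domain that disagrees with the envelope sender, and attachments with an executable or doubled extension such as the .pif reported in this thread. The sample messages, the addresses and the `triage` and `build` names are constructed for this example.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# File types Windows executes on double-click; .pif is the type reported in this thread.
RISKY_EXT = {"pif", "scr", "exe", "com", "bat", "cmd", "vbs", "lnk"}

def domain(header_value):
    """Lower-cased domain of the address in a header, or '' if absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def triage(raw_bytes):
    """Return the reasons (possibly none) to distrust one raw message."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    # Return-Path records the SMTP envelope sender. List mail legitimately
    # differs from From, and a worm can forge both, so this is only a hint.
    from_dom, env_dom = domain(msg["From"]), domain(msg["Return-Path"])
    if from_dom and env_dom and from_dom != env_dom:
        findings.append(f"From is {from_dom} but envelope sender is {env_dom}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        pieces = name.lower().rstrip(". ").split(".")
        if len(pieces) > 1 and pieces[-1] in RISKY_EXT:
            findings.append(f"executable attachment {name!r}")
            if len(pieces) > 2:  # e.g. "x.doc.pif" shows as "x.doc" when extensions are hidden
                findings.append(f"double extension disguises {name!r}")
    return findings

def build(sender, envelope, subject, attachment=None):
    """Construct a sample message (test data, not a captured worm mail)."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, "list@clay.example", subject
    msg["Return-Path"] = f"<{envelope}>"
    msg.set_content("Please see the attached file.")
    if attachment:
        msg.add_attachment(b"constructed bytes", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg.as_bytes()

SPOOFED = build("Known Potter <potter@studio.example>", "user42@dialup.example",
                "Re: is it hakeme or hakami?", "pricelist.doc.pif")
CLEAN = build("Known Potter <potter@studio.example>", "potter@studio.example",
              "Re: is it hakeme or hakami?")

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("clean", CLEAN)):
        print(label, triage(raw))
```

A familiar sender name and a recycled "Re:" subject pass through unchanged in both samples; only the envelope mismatch and the attachment name separate them.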

Russel Fouts on tue 17 jun 03


>> My understanding is that the new viruses graze the internet in general looking for FROM addresses. They don't necessarily get them from our own computers any more. So if we have addresses stored on the clayart server in the form of posts, we are vulnerable to getting our addresses used. SO it doesn't matter what emailer we're using. except that IE gives us the highest chance of the virus (on an email we get )damaging our computer. Most viruses use IE to do their dirty work. <<

The current biggie out there right now and probably the one that
stimulated this thread is a new variation of the BugBear worm, referred
to as a "blended threat". It's level 4 on Symantec's site, 5 being the
highest threat level.

It arrives as an attachment to a note, probably from someone you
recognise and containing a fragment of text you might recognise (for me
it was two emails from a year ago).

Once you run the attachment the virus installs itself and starts looking
for anything that looks like an email address in any file on your HD. It
adds this to text from other files.

It doesn't matter what email program you use because it installs its own
and starts mailing.

It will also disable your antivirus program if it can, it killed
PC-Cillin on Enzo's PC.

It's a good idea to find out how often your antivirus software provides
updates. McAfee updates once a week, more often if there are major
threats. The mail servers at work run Norton and I can get an update
every day.

Tom's comments about "Spy ware / Add ware" are good. Most virus programs
won't spot these because they're not technically viri. Even though they
display some of the behavior, their main tasks are to collect data about
you and your computer use and send it to the author and to draw
advertising to your computer.

This stuff gets installed when you visit certain web pages (actually a
LOT) and when you install certain software. They even come as parts of
established programs like Windows Media Player (actually only a
"tracking cookie", I think. Still, if you don't want your media use to
be tracked by M$.....).

Spybot is a great program, free and simple to use. Everyone should have
it. And send the guy a couple of bucks! He's done a great job!

Russel

--

Russel Fouts
Mes Potes & Mes Pots
Brussels, Belgium
Tel: +32 2 223 02 75
Mobile: +32 476 55 38 75

Http://www.mypots.com
Home of "The Potters Portal"
Over 2300 Pottery Related Links!
Updated frequently

My work can also be seen on:
The World Crafts Council International Site: http://www.wccwis.gr
The World Crafts Council Belgium Site: http://wcc-bf.org (English
Pages)
EasyCraft: http://www.easycraft.org

"To announce that there must be no criticism of the president, or that
we are to stand by the president, right or wrong, is not only
unpatriotic and servile, but is morally treasonable to the American
public." --U.S. President (and Nobel Peace Prize winner) Theodore
Roosevelt.