insane amounts of virii

Posted by: user919
Posted on: 2005-05-05 12:44:00

The last two days I have been getting pummelled (to my standards anyhow) with virus laden emails.

It's hard to get anything done when every 10 minutes Norton pops up warning of incoming.

I've got Norton set to destroy this stuff after it tells me it came in so I just get a proxy mail that says it deleted a mail from suchnsuch@asd.com TO soandso@mydomain.com

I realize that the TO address is probably forged since I have no catch-all enabled and the addresses are nonsense, but Norton doesn't give me the full headers. I can reconfigure Norton if it comes to that, but I just wanted to check in here and see if anyone else has been experiencing similar problems? It's driving me quite crazy.

jason

Edited by user919 on 05/05/05 12:50 PM (server time).

Re: insane amounts of virii

Posted by: Mark
Posted on: 2005-05-05 16:29:00

I've been getting a ton of copies of Sober--this started just yesterday. (I thought they ran MIMEDefang, but I must be thinking of another account.) I'll set up a procmail filter for it if it doesn't stop on its own.

Re: insane amounts of virii

Posted by: user919
Posted on: 2005-05-05 18:42:00

yup yup, sober yesterday

!@#$%^ pullin my hair out, I'm about to say delete and don't bother me with it

jason

Re: insane amounts of virii

Posted by: Mark
Posted on: 2005-05-05 21:27:00

procmail rule for Sober:

# Scan headers and body (HB) for a Content-Type/Content-Disposition line whose
# attachment name matches the names Sober uses, and file the mail in .junk/
:0 HB
* ^Content-.* (file)?name="?((error-)?(our_secret|(mail|account|Fifa|okTicket|_PassWort)[-_][Ii]nfo|autoemail|LOL)(-[Tt]ext)?)\.zip"?$
.junk/

I'm not sure it's perfect, that's why it's not going to /dev/null.. yet

There must be a better way, though...

Mysql Database VIRUS Worm.Sober.P

Posted by: ateamfog
Posted on: 2005-05-06 08:54:00

ALCON

Mine also, the ONLY PLACE I have all these email addresses is in my Mysql Database....

Look familiar?

<brisbanecbd@signa.com.au>: host mx.netspace.net.au[210.15.254.248] said:
550 Error: VIRUS Worm.Sober.P (in reply to end of DATA command)

http://www.sfahq.com/

PK

Re: insane amounts of virii

Posted by: user919
Posted on: 2005-05-06 13:26:00

headers from one:

X-Symantec-TimeoutProtection: 0
X-Symantec-TimeoutProtection: 1
Return-Path: <postmaster@somedomain.com>
Delivered-To: myusername@gollum.dreamhost.com
Received: from heyos.com (COX-##-###-###-#.coxinet.net [##.###.###.#])
by gollum.dreamhost.com (Postfix) with SMTP
id C231F5B7AD; Fri, 6 May 2005 12:29:34 -0700 (PDT)
From: postmaster@somedomain.com
To: X-User@mydomain.com
Date: Fri, 06 May 2005 18:20:40 UTC
Subject: Your email was blocked
Importance: Normal
X-Priority: 3 (Normal)
Message-ID: <674aeb6de7.b4866@somedomain.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="======4a6e00e.e1e78c271baaa"
Content-Transfer-Encoding: 7bit

what's the explanation for these all hammering my proper DH system username @ myproperDHdomain name dot com?

the TO: is always false but the Delivered-To: is always my username at my mailserver?! What's the deal?

jason

Re: insane amounts of virii

Posted by: guice
Posted on: 2005-05-07 07:19:00

Most likely because the To: wasn't supplied, but rather supplied by another means, so Sendmail alters the headers to deliver to your proper email address.

That's Sendmail stuff going on and not due to somebody else knowing your direct email address.

Re: insane amounts of virii

Posted by: user919
Posted on: 2005-05-07 11:49:00

so what would be the point of disabling the catch all email address? I know it will deflect random spam but do you see what I'm saying?

*how* is this mail getting to me?!

jason

Re: insane amounts of virii

Posted by: guice
Posted on: 2005-05-07 12:13:00

In reply to:

To: X-User@mydomain.com

That's how. I didn't look in detail; there is a To: field. Sendmail added the Delivered-To: so it knows which user account to send it to.

Sometimes you'll see 'for' within the sendmail delivery headers. Sometimes Delivered-To: is the actual email, sometimes it's not. It really all depends on how sendmail's configured. It's a very convoluted and complicated mail system.
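To make the two points in this thread concrete (the envelope recipient in Delivered-To: versus the forged To: header, and Mark's procmail pattern for Sober attachment names), here is an added Python example that is not from the original posts. The message it parses is constructed from the quoted headers with placeholder hosts, addresses and a dummy zip payload, and the regex is Mark's pattern rewritten to match a bare filename rather than a whole Content-* header line.

```python
import email
import re
from email import policy

# Constructed sample modelled on the headers quoted in the thread; hosts and
# addresses are placeholders, and the zip payload is a dummy, not a real worm.
RAW = b"""Return-Path: <postmaster@somedomain.example>
Delivered-To: myusername@mailhost.example
Received: from heyos.example (unknown [192.0.2.10])
\tby mailhost.example (Postfix) with SMTP id 0000000000;
\tFri, 6 May 2005 12:29:34 -0700 (PDT)
From: postmaster@somedomain.example
To: X-User@mydomain.example
Subject: Your email was blocked
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/zip; name="mail_info.zip"
Content-Disposition: attachment; filename="mail_info.zip"
Content-Transfer-Encoding: base64

UEsDBAo=
--b1--
"""

# The attachment names Mark's procmail recipe targets, applied to the bare
# filename rather than to the whole Content-* header line.
SOBER_NAME = re.compile(
    r"^(error-)?(our_secret|(mail|account|Fifa|okTicket|_PassWort)[-_][Ii]nfo"
    r"|autoemail|LOL)(-[Tt]ext)?\.zip$"
)

def is_sober_name(filename):
    """True if the attachment name matches the Sober naming pattern."""
    return bool(SOBER_NAME.match(filename))

def triage(raw):
    """Return (envelope recipient, header To:, suspect attachment names)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    # Delivered-To: is stamped by the receiving MTA from the SMTP envelope
    # (RCPT TO), so it always names the real mailbox; To: is just data the
    # sender wrote, which is why the worm can put a fake address there.
    envelope_rcpt = str(msg["Delivered-To"])
    header_to = str(msg["To"])
    suspect = [p.get_filename() for p in msg.iter_attachments()
               if p.get_filename() and is_sober_name(p.get_filename())]
    return envelope_rcpt, header_to, suspect
```

Running triage(RAW) shows the mailbox the MTA actually delivered to next to the fake To:, which is the answer to "how is this mail getting to me": the worm addressed the envelope to the real account and only the visible header is forged.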
