Must be a new virus in the wild again. I've received more than 8600 virus mails during the past twelve hours. The number that really disturbs me is that more than 8000 of them are bounces created by fewer than 10 different mail servers - bounces that contain the virus itself as payload.
I vaguely recall Chuqui posting the worst offenders in his blog in the past, but I doubt it would help too much.
Hmm, just realized that some of the bouncers listed here previously didn't identify the virus but complained about non-existent users, so bouncing the full mail was acceptable - if still dumb. I've removed the list for now.
I've been quite surprised when I received the first spam mail that got my name correct in the subject line sometime in the last few months, but now I've started to get virus mails with an attachment named data_stefan.bodewig.zip. Imagine how many people will be convinced the document is for/about them. Scary.
I've noticed some effects of the virus attacks of the past months on the way I usually deal with email:
- My procmail recipes have become much more aggressive. Since I receive more than 150 virus mails a day I don't want to wade through them looking for false positives. All mails containing .exe/.scr/.bat/.pif attachments are going to /dev/null automatically. If you send me an executable attachment, I'll never read your mail, so don't wait for a response.
- White-lists have become even more useless than they've been before.
- The Bayesian spam filter I use sees so many virus mails in .zip attachments or bounces that it is starting to classify spam mails as non-spam if they don't contain a virus. By now I'm receiving more virus mails and bounces than spam. I haven't found a way around that, yet.
- I don't read any mailer-daemon responses anymore. This is really bad. Most if not all mailer-daemon mails are because of servers that have received a virus that forges the From header to look like one of my addresses, which is why I've stopped paying attention to them. But this also means I may fail to notice that a legitimate email I really wanted to send has not been delivered.
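A constructed .procmailrc that reflects the setup described in the list above, added here as an illustration; it is not the author's own recipes, and the folder names are assumptions. It keeps the aggressive attachment filtering but quarantines instead of discarding, and separates bounces that still carry a worm from genuine delivery failures, so the latter can still be read:

```procmail
# Constructed example, not the author's actual .procmailrc.
# Folder names under $MAILDIR are assumptions.
PATH=/bin:/usr/bin
MAILDIR=$HOME/Mail
LOGFILE=$HOME/.procmail.log
DEFAULT=$MAILDIR/inbox

# Mails carrying a Windows executable as attachment. The posts send these
# to /dev/null; filing them into a quarantine folder keeps the filtering
# just as aggressive but leaves a way to recover a false positive.
# The B flag scans the body, where the MIME part headers live; procmail
# matches case-insensitively by default. Each delivery is logged by
# procmail itself (From, Subject, Folder) via LOGFILE.
:0 B:
* (name|filename)="?.*\.(exe|scr|bat|pif)"?
$MAILDIR/quarantine

# Bounces: those that carry a worm as payload (a .zip or executable in a
# mailer-daemon message) go to their own folder, so they neither reach the
# inbox nor pollute the Bayesian filter's view of "normal" mail. Bounces
# without such a payload are the ones worth reading and get a folder of
# their own instead of being ignored along with the rest.
:0
* ^(From|Return-Path):.*(mailer-daemon|postmaster|<>)
{
    :0 B:
    * (name|filename)="?.*\.(zip|exe|scr|bat|pif)"?
    $MAILDIR/virus-bounces

    :0:
    $MAILDIR/bounces
}
```

The `.zip` rule only applies inside bounces here, since the posts note that legitimate zip attachments cannot be dropped wholesale; the `$MAILDIR/bounces` folder is where a real non-delivery notice for mail the author actually sent would end up.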
I wouldn't be surprised if it is going to spread extremely fast in Germany
From: Info@rtl.de Subject: RTL: DSDS Deutschland Sucht Den Superstar (DSDS) auf RTL. Hello, you have been randomly selected from about 85,000 e-mail addresses to vote in the viewer jury of DSDS on RTL. ...
RTL is one of Germany's largest television companies (leading in market share during the last months). DSDS is "Deutschland sucht den Superstar", the German version of "Star Search", which has been the most successful TV show in the last year (don't ask why). And the email tells me I could become part of an online jury. Oh, and it contains a Windows executable with the extension .bat.
Similar to Brian I'm writing this so I have a place I can link to when people assume I'd be sending virus mails to them. Go and read Brian's article for the longer version of
Almost all recent worms and viruses fake the from address. If you receive a worm sent from any of my addresses, you can be absolutely sure that I haven't sent it.
Due to server-side filtering (big kudos to the people responsible for the apache.org mail infrastructure) I'm getting far fewer Mydoom worms now. I still keep getting bounces, which certainly is annoying. Being the moderator for a couple of mailing lists doesn't help either.
I've noticed that those viruses are causing problems for statistical spam detectors: mails without a virus get a higher probability of being ham now. So far I've been filtering out all mails with "bad" attachments (I don't have any use for .exe or .scr files) before ifile sees them, but I cannot remove all "zip" attachments.