RE: Attempts to compromise TOR servers running windows?
My ISP's mail server is getting bombarded with the same garbage. All the
messages I am getting are from "defang@localhost", and try to appear (very
poorly) to be from official email addresses like fbi@xxxxxxx or
webmaster@xxxxxxxxxxx and so on. They all contain a .zip with an executable
and yes, you guessed it, the Sober worm. I am wondering if some idiot is
doing this intentionally or if a machine has become compromised. The
messages I receive are not even addressed to me. I am getting around 3 a
minute, and had thousands yesterday. Outlook's junk filters are handling it
quite well, I must say.
-----Original Message-----
From: owner-or-talk@xxxxxxxxxxxxx [mailto:owner-or-talk@xxxxxxxxxxxxx] On
Behalf Of jed c
Sent: Tuesday, November 29, 2005 4:06 PM
To: or-talk@xxxxxxxxxxxxx
Subject: Attempts to compromise TOR servers running windows?
When I set up tor I gave this yahoo address as a contact address. Just
before the Thanksgiving holiday I noticed a lot of spam with a zipped file
containing the Sober worm as an attachment. I have since received about
three thousand messages and I've begun to notice a pattern. It seems that
these are addresses that come from tor contact addresses. I have also
received error messages (from Yahoo?) that indicate that mail that I never
sent from my yahoo account could not be sent. Any ideas?
Date: 27 Nov 2005 01:45:20 -0000
From: MAILER-DAEMON@xxxxxxxxx
To: n_o_t_here@xxxxxxxxx
Subject: failure delivery
Message from yahoo.com.
Unable to deliver message to the following address(es).
<root@xxxxxxxxx>:
This address no longer accepts mail.
--- Original message follows.
Return-Path: <n_o_t_here@xxxxxxxxx>
The original message is over 5k. Message truncated to 1K.
X-Rocket-Spam: 12.220.68.209
X-YahooFilteredBulk: 12.220.68.209
X-Rocket-Track: cat=BK;
info=ip:BK<ip=12.220.68.209,policy=g-w0,n0,g100>;sv:UK<ip=66.218.86.247>
X-Originating-IP: [12.220.68.209]
Return-Path: <n_o_t_here@xxxxxxxxx>
Authentication-Results: mta274.mail.scd.yahoo.com
from=yahoo.com; domainkeys=neutral (no sig)
Received: from 12.220.68.209 (HELO bitty.com) (12.220.68.209)
by mta274.mail.scd.yahoo.com with SMTP; Sat, 26 Nov 2005 17:45:15 -0800
From: n_o_t_here@xxxxxxxxx
Date: Sun, 27 Nov 2005 01:43:46 UTC
Subject: hi,_ive_a_new_mail_address
Importance: Normal
X-Mailer: SpeedMail_V8.87
X-Priority: 3 (Normal)
Message-ID: <bb097cf2d5056d34759c@xxxxxxxxx>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="====206ac3.b394c9d3bcab5"
Content-Transfer-Encoding: 7bit
This is a multi-part message in MIME format.
--====206ac3.b394c9d3bcab5
hey its me, my old address dont work at time. i dont know why?!
in the last days ive got some mails. i' think thaz your mails but im not
sure!
plz read and check ...
cyaaaaaaa
--====206ac3.b394c9d3bcab5
Content-Type: application/octet-stream; name=mailtext.zip
Content-Transfer-Encodi
*** MESSAGE TRUNCATED ***
________________________________
Yahoo! Music Unlimited - Access over 1 million songs. Try it free.
<http://pa.yahoo.com/*http://us.rd.yahoo.com/evt=36035/*http://music.yahoo.com/unlimited/>
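An added example, not part of the original posts: a short Python triage of the headers Yahoo returned in the bounce quoted above, reporting the two indicators visible there that are consistent with a forged sender rather than mail sent from the account. The function name `triage` and the wording of the findings are assumptions of this example; the header values are copied from the bounce with folding whitespace restored.

```python
import re
from email import message_from_string

# Headers copied from the bounce quoted above (folding whitespace restored,
# the archive's address redaction kept as-is).
BOUNCED_HEADERS = """\
Return-Path: <n_o_t_here@xxxxxxxxx>
Authentication-Results: mta274.mail.scd.yahoo.com
 from=yahoo.com; domainkeys=neutral (no sig)
Received: from 12.220.68.209 (HELO bitty.com) (12.220.68.209)
 by mta274.mail.scd.yahoo.com with SMTP; Sat, 26 Nov 2005 17:45:15 -0800
From: n_o_t_here@xxxxxxxxx
X-Mailer: SpeedMail_V8.87
Subject: hi,_ive_a_new_mail_address

"""

def triage(raw):
    """Return indicators that the returned message did not come from the claimed domain."""
    msg = message_from_string(raw)
    findings = []
    auth = msg.get("Authentication-Results", "")
    claimed = re.search(r"\bfrom=([\w.-]+)", auth)
    domain = claimed.group(1).lower() if claimed else None
    sig = re.search(r"\bdomainkeys=(\w+)", auth)
    if sig and sig.group(1).lower() != "pass":
        findings.append(f"domainkeys={sig.group(1)}: no valid signature from {domain}")
    # The topmost Received header is the one written by the receiving MTA,
    # so its peer IP is trustworthy; the HELO name is sender-supplied.
    received = msg.get_all("Received") or []
    hop = received and re.search(r"from\s+(\S+)\s+\(HELO\s+([\w.-]+)\)", received[0])
    if hop and domain:
        ip, helo = hop.group(1), hop.group(2).lower()
        # Heuristic only: a HELO outside the claimed domain is an indicator,
        # not proof, and matters most together with a missing signature.
        if helo != domain and not helo.endswith("." + domain):
            findings.append(f"HELO {helo} from {ip} is not under {domain}")
    return findings

if __name__ == "__main__":
    for finding in triage(BOUNCED_HEADERS):
        print(finding)
```
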