
Thread: Help me please! Someone is sending viruses!

  1. #1
    EmuDimension Guest

    Post Help me please! Someone is sending viruses!

    Hello, my site is http://www.emudimension.com and I have full control over it except if my web host decides to shut me down, but anyway, someone has been e-mailing me and my staff fake information with attachments that have viruses in them. For example, [email protected] (MY REQUEST EMAIL ADDRESS FOR VISITORS WHO WANT TO REQUEST A FILE) had an e-mail from "[email protected]" which is MY e-mail address and I know for a fact that no one has logged into my email account nor have I e-mailed myself an attachment saying (QUOTING FROM EMAIL) "DOWNLOAD THIS FILE OR DIE".

    I have some screenshots to show you all below...
    http://www.emudimension.com/screenshot1.gif
    http://www.emudimension.com/screenshot2.gif
    http://www.emudimension.com/screenshot3.gif
    http://www.emudimension.com/screenshot4.gif

    If you notice, most of the emails are from @emudimension.com accounts and I asked my web host and he said only I can make them and there is an error and someone can do that if I do not disable my main email account which I do not know how for the past month now.

    By the way, I downloaded the attachment at a private school computer and there has been a lot of porn folders created and spyware since I used ad-ware to scan and the computer was just added to the school 2 months ago. I doubt the teachers will let students who do a lot of work use a computer with porn folders and stuff.


    All I am asking is how is he or she doing this? (I KNOW HE'S NOT USING EMAIL CLOAKING) Why is this person doing this? And how can I stop this person or group? I have their IP addresses. PLEASE HELP ME!

    IF SOMEONE CAN HELP ME AND I CAN SOMEHOW BAN THEIR IP ADDRESS FOR SENDING ME VIRUSES OR WHATEVER, I WILL DO SOMETHING FOR YOU SPECIAL LIKE WEB HOSTING!

  2. #2
    crusher

    Sorry EmuDimension but I can't help you.. A pretty nasty problem I tell you. :\

    I'll move this thread to computer tech instead. I think you'll get better/more help there.

  3. #3
    Re: Help me please! Someone is sending viruses!

    sounds f***ed... I don't think it's a virus sending these... How do you know it's not using cloaking? (By the word cloaking, I assume you mean false emails.) It's not hard to use a fake email, even if with most progs you can no longer send from @hotmail and @msn cuz they have some sort of security authentication method now... But for example you can send from [email protected] . (Note the dot to the left.) Try getting his IP. (You should find it in the header of the mail; if you have problems finding it, give me the entire header and I'll get it for you.) Also, have you tried to open the zips? What's in them?

    IfritRoms.com - Click the banner above!

    <a href="http://www.cerberos.web1000.com/games_psx.htm">My PSX List (I dont trade anymore, sorry) </A>

  4. #4
    EmuDimension Guest

    Well, inside the .zip files, once you open them, you get lots of porn folders created. Also, you get other kinds of folders too like Photoshop 9 Plus, Adobe Emails, Watch P0rn Daily, etc.

    Here is the header information.
    The first two are the same ip address. Can someone please tell me what I can do now! My web host is useless.


    Return-Path: <[email protected]>
    Delivered-To: [email protected]
    Received: (qmail 94911 invoked from network); 15 Mar 2004 14:38:24 -0000
    Received: from unknown (HELO raciborz.rcb.vectranet.pl) (82.160.7.130) by 0 with SMTP; 15 Mar 2004 14:38:24 -0000
    Received: from [10.4.1.175] (helo=anonymou-oj7m2o) by raciborz.rcb.vectranet.pl with smtp (Exim 3.35 #1 (Debian)) id 1B2tEf-0006n5-00 for <[email protected]>; Mon, 15 Mar 2004 15:38:33 +0100
    Date: Mon, 15 Mar 2004 15:38:48 +0100
    To: [email protected]
    Subject: mew-mew (-:
    From: [email protected]
    Message-ID: <[email protected]>
    MIME-Version: 1.0
    Content-Type: multipart/mixed; boundary="--------mtvrvqekckrtogwuvlss"


    Return-Path: <[email protected]>
    Delivered-To: [email protected]
    Received: (qmail 90687 invoked from network); 15 Mar 2004 14:30:41 -0000
    Received: from unknown (HELO raciborz.rcb.vectranet.pl) (82.160.7.130) by 0 with SMTP; 15 Mar 2004 14:30:41 -0000
    Received: from [10.4.1.175] (helo=anonymou-oj7m2o) by raciborz.rcb.vectranet.pl with smtp (Exim 3.35 #1 (Debian)) id 1B2t7E-0006U3-00 for <[email protected]>; Mon, 15 Mar 2004 15:30:52 +0100
    Date: Mon, 15 Mar 2004 15:31:05 +0100
    To: [email protected]
    Subject: Hey, ya! )
    From: [email protected]
    Message-ID: <[email protected]>
    MIME-Version: 1.0
    Content-Type: multipart/mixed; boundary="--------umtjkmjedefyeyytbpfk"


    Return-Path: <[email protected]>
    Delivered-To: [email protected]
    Received: (qmail 26498 invoked from network); 17 Mar 2004 04:27:46 -0000
    Received: from unknown (HELO saar-3z6sqyyaqo) (80.179.47.198) by 0 with SMTP; 17 Mar 2004 04:27:46 -0000
    Date: Wed, 17 Mar 2004 06:28:00 +0200
    To: [email protected]
    Subject: E-mail account security warning.
    From: [email protected]
    Message-ID: <[email protected]>
    MIME-Version: 1.0
    Content-Type: multipart/mixed; boundary="--------rjdtyevnmgaaeidfguqm"
    Last edited by EmuDimension; 17th-March-2004 at 15:42.

  5. #5

    More than likely these emails are not being targeted at you. At Emuparadise we get all sorts of spam emails with virii, and I get them from addresses like [email protected], [email protected], etc., and I know MasJ and Sarcast aren't sending me virii.

    What you do is get yourself an anti-virus program and an email client that filters spam. That's all you can do. You can't stop the influx of emails other than by shutting down your email account.
    -Mason Gray: Less vowels, same great consonant taste.

  6. #6

    Well, the IP for the first two is originating from Poland.

    EDIT -
    http://samspade.org/t/ipwhois?a=82.160.7.130
    http://ws.arin.net/cgi-bin/whois.pl?...t=82.160.7.130
    Last edited by torpedo009; 17th-March-2004 at 15:53.

  7. #7
    EmuDimension Guest

    Can I request their ISP to ban them or anything? Also, where can I get email filters? Thanks for the help everyone so far.

  8. #8

    You can't ban them, the email addresses are all spoofed so you'd end up banning everyone you ever wanted to get mail from. I use Mozilla Thunderbird as my email client, it catches most of the spam emails but not all of it. I haven't yet gone looking for a tool to get rid of all of the spam. I hear a good program is SpamAssassin, but I haven't tried using it yet myself. Another one you might want to look into is Norton AntiSpam.

  9. #9

    wait, so what you're saying is that you only have to start the .zip files? That sounds like pretty advanced hacking... Unless of course there is a hidden extension (like .pif, .scr or a Windows scrap file, .shs). The last one I mentioned doesn't even show its extension when you turn it on in Explorer, and it's executable... However the icon is a piece of paper (maybe they hacked that too so it looks like a picture, they were doing something like that when I left the scene)

  10. #10

    Sorry for the double post, but recently, I've started getting mails with viruses on my private email. It's a pretty unknown site called laxhjalpen.com (Swedish)

    Here's the header:

    Return-Path: <[email protected]>
    Received: from ensim.webhotellet.org (root@localhost)
    by laxhjalpen.com (8.11.6/8.11.6) with ESMTP id i2GLC6B20173
    for <[email protected]>; Tue, 16 Mar 2004 22:12:06 +0100
    X-ClientAddr: 217.215.38.21
    Received: from laxhjalpen.com (as3-1-5.far.s.bonet.se [217.215.38.21])
    by ensim.webhotellet.org (8.11.6/8.11.6) with ESMTP id i2GLC5f20168
    for <[email protected]>; Tue, 16 Mar 2004 22:12:05 +0100
    Message-Id: <[email protected] >
    From: [email protected]
    To: [email protected]
    Subject: Re: Approved
    Date: Tue, 16 Mar 2004 22:11:42 +0100
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_0005_000017DF.000077B3"
    X-Priority: 3
    X-MSMail-Priority: Normal

    If you take a look at this line:

    Received: from laxhjalpen.com (as3-1-5.far.s.bonet.se [217.215.38.21])

    www.laxhjalpen.com is NOT on that IP/ISP

    217.215 is the prefix for Bostream ISP (I know because I used to have it)

    So basically someone with that ISP is sending me this stuff... (I get about 2-3 of these a day, and they have different topics, emails and filenames, but always the same file, a pif that is 23 kb in size...)


    EDIT:
    The WHOIS someone here posted sucks. It tells me that 217.215.38.21 is originating from Amsterdam... while NeoTrace tells me it originates from Stockholm (The correct city)
    Last edited by Ifrit; 17th-March-2004 at 18:17.
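
The reading of the Received lines in this thread (HELO name versus the address the receiving server recorded) can be automated. The following is an added example, not part of the original posts; the sample lines are copied from the headers above, and the flag names are made up for this sketch. Only the IP written by the receiving server is evidence, since the HELO name is whatever the sending machine chose to say.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: Received lines copied from the headers posted in this thread.
RAW = """\
Received: from laxhjalpen.com (as3-1-5.far.s.bonet.se [217.215.38.21])
\tby ensim.webhotellet.org (8.11.6/8.11.6) with ESMTP id i2GLC5f20168
Received: from unknown (HELO raciborz.rcb.vectranet.pl) (82.160.7.130)
\tby 0 with SMTP; 15 Mar 2004 14:38:24 -0000
Received: from [10.4.1.175] (helo=anonymou-oj7m2o)
\tby raciborz.rcb.vectranet.pl with smtp (Exim 3.35 #1 (Debian))

"""

IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")
HELO_RE = re.compile(r"\((?:HELO |helo=)([^\s)]+)\)")   # qmail / Exim style
RDNS_RE = re.compile(r"\(([A-Za-z0-9.-]+) \[")          # sendmail: (rdns [ip])

def parse_received(value):
    """Separate what the client claimed (HELO) from what the server recorded."""
    frm = " ".join(value.split()).split(" by ", 1)[0]   # unfold, keep 'from' clause
    first = frm.split()[1]                              # token right after 'from'
    helo, rdns, ip = HELO_RE.search(frm), RDNS_RE.search(frm), IP_RE.search(frm)
    if helo:   # qmail/Exim: first token is the rDNS name, 'unknown' or an [ip] literal
        name = None if first == "unknown" or first.startswith("[") else first
        return {"helo": helo.group(1), "rdns": name, "ip": ip and ip.group(1)}
    # sendmail: first token is the HELO name, rDNS and IP are inside the parentheses
    return {"helo": first, "rdns": rdns and rdns.group(1), "ip": ip and ip.group(1)}

def flags(hop):
    """Return the reasons a hop's self-description should not be trusted."""
    out = []
    helo, rdns = hop["helo"].lower(), (hop["rdns"] or "").lower()
    if hop["ip"] and ipaddress.ip_address(hop["ip"]).is_private:
        out.append("private-ip")          # RFC 1918 address: says nothing about the ISP
    if not rdns:
        out.append("no-rdns")
    elif rdns != helo and not rdns.endswith("." + helo):
        out.append("helo-rdns-mismatch")  # claimed name is not where the IP lives
    if "." not in helo:
        out.append("unqualified-helo")    # bare machine name, not a mail server FQDN
    return out

def analyze(raw):
    """Parse every Received header in a raw message, newest hop first."""
    msg = message_from_string(raw)
    return [(h, flags(h)) for h in map(parse_received, msg.get_all("Received", []))]

if __name__ == "__main__":
    for hop, why in analyze(RAW):
        print(hop, why)
```
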

  11. #11

    Guys, it's likely not even intentional on their part. Once you get infected with the virus it starts sending the virus off to other people. The people you think are out to get you are likely just people who have gotten infected themselves.

  12. #12

    Originally posted by Maison
    Guys, it's likely not even intentional on their part. Once you get infected with the virus it starts sending the virus off to other people. The people you think are out to get you are likely just people who have gotten infected themselves.

    No, I don't think that the admin at a big Swedish site is infected, cuz I got a mail from the staff at such a site... But they are all real emails, so probably the virus spreads by reading others' address books...

  13. #13
    Megahertzz Guest

    Originally posted by torpedo009
    Well, the IP for the first two is originating from poland.

    EDIT -
    http://samspade.org/t/ipwhois?a=82.160.7.130
    http://ws.arin.net/cgi-bin/whois.pl?...t=82.160.7.130

    How does that samspade.org work anyway? Do you type their IP in and it tells you the location?

  14. #14
    alphasynaptic Guest

    that sux

    I would try emailing the people back to see if they are actually the ones sending viruses, because if they are they will curse you out or something. If so you could create a bot to spam their email address to hell and the server would eventually delete their account

  15. #15
    EmuDimension Guest

    Cerber0s, that's the same file they're sending me now. And all the emails are the same, like "hi remember me? it's me di, read this." (di is my friend from school and he doesn't send me attachments to read)

    Ok, just tell me how they're doing this and where can I get a spam bot? Thank you.

About Us

We are the oldest retro gaming forum on the internet. The goal of our community is the complete preservation of all retro video games. Started in 2001 as EmuParadise Forums, our community has grown over the past 18 years into one of the biggest gaming platforms on the internet.