Infected email - caution [Archive] - Home Construction Forums

mjpliv
10-30-2004, 09:53 AM
I just received an infected email that says it was sent from this forum by username "builder". I have already sent a private message to that user to check his computer. My computer is just about bullet proof for viruses, trojans, spyware and hack attempts so it caused no problems.

More than likely the sender's name and the forum address have been spoofed using the forum postings but you never know. It would be interesting to see if anyone else receives infected mail referencing this forum.

The infected attachment is disguised as a screen saver. Mine was called "price.scr". Never open an unsolicited email attachment.

Tom R
10-30-2004, 10:14 AM
Thanks for the warning, mj, - - but I shouldn't have any problems, - - I've got 'Plywood-Shield'! :lol:

Dragon
10-30-2004, 05:49 PM
I have a standard policy of 'no unsolicited email'

Meaning if I don't know it's coming it gets deleted on sight.

mjpliv
10-31-2004, 05:12 AM
good

Rich
11-02-2004, 10:26 AM
Yeah - it's my email address. I'm not infected but any of the 1600 people on this forum or anyone else who has ever responded to an email or has me in their address book could be infected. I even got emails from myself :)
The infected computer sends the email as somebody in the address book to all the other people in the address book. I think it's called BagleA or something like this - company got infected through someone also.

mjpliv
11-02-2004, 10:41 AM
If anyone out there is tired of paying for quality antivirus software I recommend you visit www.grisoft.com. They offer a free home use version of their software called AVG Ver.6.0 and are about to release the next generation of freeware as well.

I used version 6.0 freeware for two years with no infections. I have talked to several people in the IT industry who consider this the best antivirus software available - and its free!

Although you are not obligated to buy a licenced copy there are some features in the professional version not available in the free one. I recently bought a license for my home PC and my company is buying the network version for 20+ licenses.

Check them out!

mjpliv
11-02-2004, 10:49 AM
Anyone suspecting that they have been infected by BagleA or any of the many other current trojans or worms, here is a link to a simple removal tool

http://www.grisoft.com/us/us_remtext.php?id=bagbugnet

vCarpenter
11-02-2004, 10:52 AM
That's always nice to know. Thanks mjpliv. I don't have any use for screen savers and I monitor my emails closely and don't fall for bull. Like the famous viagra email or penis enlargement kits, lol who are these freaks... Viagra LOL, I need the opposite. is there anything out there to make it go away? heh

Ok, moving on... I watched my emails closely since joining yesterday. I would post here a few times b4 checking my emails then later go backwards knowing what to expect... No problems so far.

Thanks again

mjpliv
11-02-2004, 10:52 AM
No, I am not a shareholder in Grisoft (somebody is bound to ask) but I did try to buy stock. Unfortunately they are not traded on the open market.

bkrahmer
11-02-2004, 11:54 AM
It looks like Grisoft has passed the last three tests by Virus Bulletin www.virusbtn.com, so that's a good thing. I still highly recommend Symantec (Norton AntiVirus) to anyone who asks. They have the best history of any product on Virus Bulletin, and they have more resources than anybody to catch new viruses, which is what people are the most at-risk for. Something to keep in mind.

mjpliv
11-02-2004, 11:58 AM
Get 'yer credit card out! 8)

bkrahmer
11-02-2004, 12:11 PM
The adage is true: you get what you pay for (and, there is no free lunch.) Go ahead and take your chances with free AV, if you like. To me, paying $20 per year is worth the peace of mind. If I get nailed with a nasty virus, rebuilding my OS takes about a day. What is your time worth? :)

mjpliv
11-02-2004, 12:28 PM
If I get nailed with a nasty virus, rebuilding my OS takes about a day

Sounds like you are speaking from experience. Try the AVG

bkrahmer
11-02-2004, 12:48 PM
No, as a matter of fact, I'm not. I've never been hit by a virus.

However, I typically reload my OS about every 9 months for good housekeeping.

Like I said, go ahead and take your chances with a free AV product. I'll stick to my product, consistently rated the best AV product for at least five years running. To me, using free AV is like buying 5-cent condoms (if they were to exist.) It may work great for awhile, but when it fails, watch out!

mjpliv
11-02-2004, 01:17 PM
I can understand your reluctance and respect your convictions. Perhaps I should explain a bit further.

Grisoft uses the free home edition to market their line of professional and corporate AVG antivirus and firewall software. Each email sent (and received) has a plain text message added to the end of the email body just like the one below -

(copied and pasted from my inbox)
Incoming mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.788 / Virus Database: 533 - Release Date: 11/1/2004

Since starting to use AVG two years ago I have grown to respect its performance and its ability to perform seamlessly with the various operating systems and softwares that I am involved with because I maintain upwards of 35-40 personal computers for friends and family as well as two non-profit organizations and two commercial networks. For the most part, AVG was installed on these systems as a result of being called to repair an operating system that was "protected" by Norton, McAfee or similar softwares. With one exception, I have never been called back to repair anything due to an infection by a virus after installing AVG. The virus definitions, when required by the discovery of new bugs, are updated as often as daily.

Anyone who has been reading my posts on this forum since joining in the spring will know that I will stand behind any advice I offer, including this post. Aside from the occasional smart assed comment (directed mostly at TomR :D ) I take my role in the forum pretty seriously. The reference to the AVG software is not here because it happens to be free - it's here because it works and works well. The price is just a bonus. Don't be too quick to dismiss it because, sometimes, you don't get what you pay for.

bkrahmer
11-02-2004, 02:54 PM
I also have one final point. If one never receives any virus-infected email, never visits a site that has been hacked with a trojan, or is never attacked from a network-based worm, they will still have been safe 100%, even without protection. My online activities are far from safe, and my email address has been the same for 9-10 years, and is littered all over the internet. Over the past five years, hundreds of viruses and thousands of network attacks have been waged at my machines. None has been successful due to Norton Internet Security / Norton AntiVirus.
It's the gold standard (that's why the boxes are yellow), and I'm sticking to it! :)

mjpliv
11-02-2004, 06:19 PM
I can't argue with your logic. If it ain't broke - don't fix it. Stick to your guns. A fella can respect that.

mjpliv
11-04-2004, 07:04 AM
I have been sent several more of these emails (with the attachments neutered) so everybody keep your eyes open. They still reference construction-resource and use user name "builder"

Rich
11-04-2004, 08:13 AM
I know it's not me; I just did a check when I got back from vacation with updated virus definitions.

bkrahmer
11-04-2004, 08:53 AM
mjpliv, can you post the headers? That will tell us where they are coming from.

mjpliv
11-04-2004, 10:27 AM
Return-path: <builder@construction-resource.com>
Received: from mx4.eastlink.ca ([10.10.10.26])
by ms1.eastlink.ca (iPlanet Messaging Server 5.2 HotFix 1.21 (built Sep 8
2003)) with ESMTP id <0I6L00LA9XYN2H@ms1.eastlink.ca> for mjpliv@eastlink.ca;
Wed, 03 Nov 2004 10:37:35 -0400 (AST)
Received: from ac32266.net ([192.120.249.240])
by mx4.eastlink.ca (iPlanet Messaging Server 5.2 HotFix 1.25 (built Mar 3
2004)) with SMTP id <0I6L00A95XYC3O@mx4.eastlink.ca> for mjpliv@eastlink.ca
(ORCPT mjpliv@eastlink.ca); Wed, 03 Nov 2004 10:37:35 -0400 (AST)
Date: Wed, 03 Nov 2004 08:37:23 -0600
From: Builder <builder@construction-resource.com>
Subject: Re: Hello
To: Mjpliv <mjpliv@eastlink.ca>
Message-id: <zltmvzwwmryjvkbmhvx@eastlink.ca>
MIME-version: 1.0
Content-type: multipart/mixed; boundary=--------ocsjashdkocpklqrzhcq
X-eShield-AntiSpam-Message: Scanned by http://www.bluecoat.com/eShield
X-eShield-AntiSpam: Passed (7.59%)
X-eShield-AntiVirus: Passed
X-eShield-AntiVirus-Message: Scanned by http://www.bluecoat.com/eShield
Original-recipient: rfc822;mjpliv@eastlink.ca

Here is one I rec'd a few days ago. This arrived neutered so the attachment was plain text. I have long since deleted and purged the one with the .scr attachment.

Rich
11-04-2004, 12:15 PM
Did you receive any between Oct 22nd to Nov 2nd?
If so it would be impossible for me to have sent them... my computer was never started during that time nor was I anywhere near an internet connection.

mjpliv
11-04-2004, 01:11 PM
I received the first infected file (didn't even need my antivirus - Outlook stripped the attachment off) on or about Oct 30, 2004 9:53 am (AT)

Rich
11-04-2004, 01:16 PM
That would have been pretty tough for it to have come from me. Trying to clear my name is all. :)

Tom R
11-04-2004, 01:23 PM
Uh-oh, - - we thought it was you for sure. Umm, - - don't answer a 'knock' on your door, - - could be that 'internet' hit man we sent out. Geez, - - now what the heck did I do with his phone number?

mjpliv
11-04-2004, 01:24 PM
I am hazarding a guess that the email addresses are spoofed and not necessarily from your computer. However, spoofing requires the harvesting of domain and user names, like this forum content. There is no email address builder@construction-resource.com. The virus builds its own email addresses from tidbits of information it finds on the web. My actual email address, the username and domain were probably all harvested from this site. There is not much you can do about it other than be careful. Be suspect of any email from this, or any other domain.

mjpliv
11-04-2004, 01:30 PM
Only those people publishing their email address on this forum are at risk. The bots that collect the information search for the html string

<a href="mailto:mjpliv@eastlink.ca">

The harvested information is sent to the 100's or 1000's of copies of the trojan infecting the host computers to be made into new infected emails.

mjpliv
11-04-2004, 01:35 PM
The email addresses in the databases should be safe because most of the bots "shouldn't" have access to them as well as any info in your CGI folders.

bkrahmer
11-04-2004, 01:39 PM
It's coming from someone at Amarillo College. mjpliv, you could complain to your ISP and ask them to implement slightly more paranoid SMTP rules. They should not be accepting mail from domains that do not exist, IMHO.

BTW, I left the information security business about a year ago. I have a lot of knowledge in this area... :)

mjpliv
11-04-2004, 01:51 PM
Thanks for the info. I used to have a copy of Netscan on my PC to backtrack IP's but I haven't installed it on this one yet. I used it when I was running an Apache server local host. It was interesting going through the logged unauthorized access attempts and seeing who was sticking their nose where it didn't belong.

mjpliv
11-04-2004, 01:56 PM
They should not be accepting mail from domains that do not exist,

The spoofed domain was real in this case unfortunately. Not much you can do unless you "mung" the email addresses in the forum or mask them by using unicode. The same text string on all of my personal sites appears in the HTML as (see attached file)

The browsers can read it but, for the most part, the bots ignore it.
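The masking mjpliv describes, as an added Python example that is not the attachment from the thread (the attachment did not survive in the archive). It assumes "mask them by using unicode" means HTML numeric character references, which is one common way to do it. The sample link is constructed from the exact `mailto:` string quoted earlier in the thread, and `harvest_naive` stands in for a bot that scans raw HTML without decoding entities; the last check shows the limit of the trick, namely that a bot which decodes entities first sees the address anyway.

```python
"""Entity-encode mailto: links so a raw-HTML scanner does not match them.

Added example; the decimal-entity approach is an assumption about what the
thread means by masking addresses "using unicode".
"""
import html
import re

# Constructed sample: the string the thread says the harvesting bots look for.
PLAIN_LINK = '<a href="mailto:mjpliv@eastlink.ca">mjpliv@eastlink.ca</a>'

# A harvester of the kind described in the thread: a pattern run over raw
# page source. Use it to check your own pages, not other people's.
MAILTO_RE = re.compile(r'href="mailto:([^"?]+)"', re.I)


def harvest_naive(page_html):
    """Addresses a scanner finds when it does not decode HTML entities."""
    return MAILTO_RE.findall(page_html)


def entity_encode(text):
    """Replace every character with its decimal numeric character reference,
    e.g. 'm' -> '&#109;'. Browsers decode this transparently."""
    return "".join(f"&#{ord(c)};" for c in text)


def obfuscated_mailto(addr, label=None):
    """Build an <a> element whose href and visible text are entity-encoded."""
    label = addr if label is None else label
    return f'<a href="{entity_encode("mailto:" + addr)}">{entity_encode(label)}</a>'


def browser_view(page_html):
    """What a browser (or an entity-aware bot) sees after decoding entities."""
    return html.unescape(page_html)


if __name__ == "__main__":
    link = obfuscated_mailto("mjpliv@eastlink.ca")
    print(link)
    print("naive scanner finds:", harvest_naive(link))
    print("after decoding:", harvest_naive(browser_view(link)))
```

The encoded link renders identically to the plain one, so nothing changes for readers, but the protection only holds against scanners that never run the page source through an entity decoder. For an address that must not be harvested at all, the reliable fix is not to publish it in the page source in the first place.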

Rich
11-04-2004, 02:23 PM
http://network-tools.com/default.asp?prog=trace&Netnic=whois.arin.net&host=192.120.249.240

That one isn't bad for tracing IP's. It's one that phpbb uses in the admin area.

mjpliv
11-04-2004, 02:44 PM
You can download a free copy of NetLab tools from this address which will allow you to trace, ping, finger, whois, scan ports, etc.

http://www.answersthatwork.cOM/

They also have a link to Netscan tools but that one costs.

Dragon
11-04-2004, 05:34 PM
You can download a free copy of NetLab tools from this address which will allow you to trace, ping, finger, whois, scan ports, etc.

http://www.answersthatwork.cOM/

They also have a link to Netscan tools but that one costs.

I love that site.

Task List is the schiznit.

mjpliv
11-08-2004, 10:25 AM
www.answersthatwork.com is about the only 3rd party tech support site worth joining that I have come across. I also recommend their new software - Theultimatetroubleshooter. Thirty bucks well spent if you want to keep your PC's running at their peak performance.

bkrahmer
11-08-2004, 08:25 PM
The spoofed domain was real in this case unfortunately.

Mjpliv, unfortunately you misunderstood my post. Only certain parts of what you see as the headers are actually part of the 'conversation' between the mail servers. In this case, the spoofed email came from IP 192.120.249.240, claiming to be ac32266.net. ac32266.net does not exist, and the mail server should have refused service because of that.

Hopefully that clears things up.
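bkrahmer's point, that only the `Received:` lines written by your own mail servers record what actually happened, applied to the headers mjpliv posted earlier, as an added Python example that is not code from this thread. The header text is a constructed sample: the quoted headers with their RFC 5322 folding (leading whitespace on continuation lines) restored so the standard `email` module can parse them. The code walks the chain newest-first, trusts a hop only while the `by` server is one of eastlink.ca's, and reports the claimed HELO name and observed IP of the last trusted hop, which here is `ac32266.net` at 192.120.249.240. The From-versus-HELO mismatch check and the Message-ID heuristic are my own additions; note that the HELO name is whatever the connecting client typed, and only the IP was actually observed, which is why the reverse DNS lookup on the IP later in the thread is the solid identification.

```python
"""Walk a message's Received: chain to find the host that really connected.

Added example, not code from the thread. SAMPLE_HEADERS is a constructed
re-folding of the headers quoted in the thread, not the original message.
"""
import email
import re
from email.utils import parseaddr

# Constructed sample: the quoted headers with folding restored.
SAMPLE_HEADERS = """\
Return-path: <builder@construction-resource.com>
Received: from mx4.eastlink.ca ([10.10.10.26])
 by ms1.eastlink.ca (iPlanet Messaging Server 5.2 HotFix 1.21 (built Sep 8
 2003)) with ESMTP id <0I6L00LA9XYN2H@ms1.eastlink.ca> for mjpliv@eastlink.ca;
 Wed, 03 Nov 2004 10:37:35 -0400 (AST)
Received: from ac32266.net ([192.120.249.240])
 by mx4.eastlink.ca (iPlanet Messaging Server 5.2 HotFix 1.25 (built Mar 3
 2004)) with SMTP id <0I6L00A95XYC3O@mx4.eastlink.ca> for mjpliv@eastlink.ca
 (ORCPT mjpliv@eastlink.ca); Wed, 03 Nov 2004 10:37:35 -0400 (AST)
Date: Wed, 03 Nov 2004 08:37:23 -0600
From: Builder <builder@construction-resource.com>
Subject: Re: Hello
To: Mjpliv <mjpliv@eastlink.ca>
Message-id: <zltmvzwwmryjvkbmhvx@eastlink.ca>
MIME-version: 1.0

"""

# "from <claimed-name> ([<ip>]) by <server>": the name is what the client
# said in HELO/EHLO; the IP is what the receiving server actually saw.
HOP_RE = re.compile(r"from\s+(\S+)\s+\(\[?(\d{1,3}(?:\.\d{1,3}){3})\]?\)\s+by\s+(\S+)")


def parse_hop(received_value):
    """Return (claimed_name, observed_ip, receiving_server) or None."""
    flat = " ".join(received_value.split())  # undo header folding
    m = HOP_RE.search(flat)
    return m.groups() if m else None


def find_origin(raw_message, trusted_suffix):
    """Walk Received: lines newest-first, trusting only hops written by our
    own servers (host ending in trusted_suffix). The 'from' of the last
    trusted hop is the host that connected to our edge; anything further
    down the chain could have been typed in by the sender."""
    msg = email.message_from_string(raw_message)
    origin = None
    for value in msg.get_all("Received", []):
        hop = parse_hop(value)
        if hop is None:
            break
        claimed_name, observed_ip, receiving_server = hop
        if not receiving_server.endswith(trusted_suffix):
            break
        origin = (claimed_name, observed_ip)
    return origin


def spoof_indicators(raw_message, trusted_suffix):
    """Header-only checks; each finding is a string describing a mismatch."""
    msg = email.message_from_string(raw_message)
    findings = []
    origin = find_origin(raw_message, trusted_suffix)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if origin and not origin[0].endswith(from_domain):
        findings.append(
            f"From: claims {from_domain} but the connecting host said "
            f"HELO {origin[0]} from {origin[1]}"
        )
    # Heuristic (my addition): an outside sender whose Message-ID is minted
    # at the recipient's own domain has forged the header.
    msgid_domain = msg.get("Message-id", "").strip("<> ").rpartition("@")[2]
    to_domain = parseaddr(msg.get("To", ""))[1].rpartition("@")[2]
    if msgid_domain and msgid_domain == to_domain and from_domain != to_domain:
        findings.append(
            f"Message-ID domain {msgid_domain} is the recipient's, not the sender's"
        )
    return findings


if __name__ == "__main__":
    print("origin:", find_origin(SAMPLE_HEADERS, ".eastlink.ca"))
    for finding in spoof_indicators(SAMPLE_HEADERS, ".eastlink.ca"):
        print("-", finding)
```

The private 10.10.10.26 hop is the internal handoff between eastlink.ca's own servers and tells you nothing about the sender; the hop logged by the edge server mx4 is the one that matters. A mail server can refuse a connection whose HELO name does not resolve, as bkrahmer suggests, but the spoofed `From:` and `Return-path:` lines are plain text supplied by the client and should never be used to decide who sent a message.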

mjpliv
11-09-2004, 03:34 AM
WHOIS search results -

Hewlett-Packard Company HP120A (NET-192-120-194-0-1)
192.120.194.0 - 192.120.255.255
Amarillo College AMARILLOJC-4 (NET-192-120-249-0-1)
192.120.249.0 - 192.120.249.255

# ARIN WHOIS database, last updated 2004-11-08 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

Ping results

# IP address Host name Round trip time
1 192.120.249.240 112 ms
2 192.120.249.240 99 ms
3 192.120.249.240 101 ms
4 192.120.249.240 101 ms
5 192.120.249.240 105 ms

Unless I am doing something wrong! Let me know, this stuff fascinates me!

mjpliv
11-09-2004, 03:37 AM
Here is the DNS info for that IP

Host name: ac-249-240.actx.edu
IP address: 192.120.249.240
Alias(es): None

mjpliv
11-09-2004, 03:38 AM
Since contacting the web administrator for that IP I have not received any more emails. Hopefully that will be the end of it.