Email Abuse (Klez)

Plasma2002b
Extreme Groupie
Posts: 976
Joined: Thu Jul 18, 2002 11:36 pm
Location: Riverside, Ca

Post by Plasma2002b »

Ok.... ive been havin a big problem lately on my server.

I have SMTP service on my server and somebody has been abusing this bigtime i just found out.

Basically, heres whats goin on... i had my email on these boards say <email removed> as the default email.... and ive been getting email from somewhere unknown that had the... uhh.... well, i forget wat one, but it had a virus in it. Ive been gettin it sent to me for a couple months... and the sending address was always spoofed... (i looked at the headers, but i honestly didnt know what part was the source cause it was redirected a lot or sumthin).

So ive been living with that for a while.


But now i just changed my email on this board to read
<email removed>

and now ive been getting that spoofed email with the virus sent to THAT email..... i can see it on my server.... and since this is the only place ive ever put THAT SPECIFIC email in, i now know that whoever is sending me the virus is getting my addy from these boards.

Im pretty sure ive already plugged the forwarding of my server (which was pretty stupid of me to find out i had it on, cause i was getting complaints from domain owners of me sending virii to them and i had no clue what they were talking about), but yea. I shut it off and now im getting returned emails from my server that says it cant forward the virus to soandso@blah.com

So its trying to send this same virus to thousands of people from my server.


I just read that members here can use the mass email feature of the board... i thought it was jus for admins, but i dunno......


IS ANYBODY ELSE RECEIVING THESE EMAILS???

if a lot of you are, then we have a problem here......


if not.... well, i dunno what to do... all i know is that im getting virii sent to me from someone who's getting my addy from this board.
Last edited by Plasma2002b on Tue Dec 24, 2002 5:59 pm, edited 1 time in total.
its teh infamous life of brian gaut to teh max0r!
tone
Fanatic
Posts: 236
Joined: Thu Sep 12, 2002 10:51 am
Location: New Jersey

Post by tone »

i have not been getting these emails thank god....doesnt your anti-virus (assuming you have one) scan your emails?
tone
Big-O Ryan
Developer
Posts: 612
Joined: Fri Oct 19, 2001 11:00 pm
Location: Big-O Software

Post by Big-O Ryan »

Well, here's the scoop.

One of our users has been infected with "Klez" virus. There's no big-o e-mail address listed here, but it's in a couple posts, and I've been receiving 2-10 infected e-mails a day since about 09/13/2002 (they're actually intercepted by my mail server's antiviral agent, so i don't really see them, but i get notices).

Nobody can mass mail the users of this board. E-mail addresses do show up on pages and the memberlist, though (depending on your profile settings), so it is possible for spammers/viruses to harvest many addresses using this forum (like most websites, forums, etc).

However, if you uncheck "Always show my email address", this shouldn't be possible (other users cannot see your email address). I'm not sure if this allows only registered users to see your email address, or if it allows no one to see your address. Either way, no SPAM - but if other users can see your address, so can viruses (though you still have a better chance). Somebody who's logged in, solve this mystery and tell me if you can see my email address. :)

Plasma's test, however, would indicate that it is a user who actively browses the forums; or at least, visited recently, and has been around for at least a month. Which means, if you're reading this, you're highly suspect. You can get a detection/removal tool here: http://securityresponse.symantec.com/av ... en@mm.html (run in safe mode, or don't bother). I am not infected. 8)

For those who aren't familiar with Klez, it scours your computer for e-mail addresses, and regularly e-mails itself to everyone it can find (spoofing all relevant information; the mail appears to come from another random e-mail address that it can find, etc). It has some clever tricks.. infecting some antivirus software (rendering it useless), spreading to all the network shares it can find, and all the 'old' virus tricks that were worth recycling. Even when the virus's spread slows down, rest assured that your e-mail address will probably have been delivered to some SPAMmers, who were happy to receive it.

However, there's no particular need to worry that the big-o forums are soiling your e-mail addresses.. It's a safe bet that someone you know has Klez, and you're already hosed. We all are. :wink:

phpBB has an option which causes the users' email addresses to no longer be visible to any other user. With this change, a logged in user can send an e-mail to another user using a form built into phpBB. I don't really like that configuration, however. I think sending e-mails through the board is useless (we already have Private Messaging, with e-mail notification options), and the user already has an option to hide their e-mail address. Either way, only logged-in users can contact you, and either way, they should be able to get a hold of you just fine.
-Ryan
Big-O Software
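
Added example (not part of any post in this thread): a Python sketch of how to read the headers of a spoofed message like the ones described in the first post and in Ryan's explanation of Klez above. The From line is forged, so the usable evidence is the Received line stamped by your own mail server, which records the IP that actually connected. The sample message, host names, and the `trace_origin` and `in_domain` helpers are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (example domains, documentation IP ranges): a worm-style
# message with a forged From line and one forged Received line at the bottom.
SAMPLE = """\
Received: from mx.myserver.example (mx.myserver.example [192.0.2.10])
\tby mail.myserver.example with ESMTP id A1; Tue, 24 Dec 2002 17:01:02 -0800
Received: from Qxzvb (dialup-7.isp.example [203.0.113.77])
\tby mx.myserver.example with SMTP id B2; Tue, 24 Dec 2002 17:01:00 -0800
Received: from mail.friend.example (mail.friend.example [198.51.100.5])
\tby relay.friend.example with ESMTP id C3; Tue, 24 Dec 2002 16:59:00 -0800
From: someone <someone@friend.example>
To: me@myserver.example
Subject: hello

body
"""

# "from HELO (rdns [ip]) by host" as written by common MTAs; formats vary.
HOP = re.compile(r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]*)\s*"
                 r"\[(?P<ip>[0-9A-Fa-f.:]+)\]\)\s+by\s+(?P<by>\S+)")

def in_domain(host, domain):
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)

def trace_origin(raw, my_domain):
    """Return the hop where the mail entered servers under my_domain."""
    msg = message_from_string(raw)
    claimed = parseaddr(msg.get("From", ""))[1]
    entry = None
    for value in msg.get_all("Received", []):        # newest hop first
        m = HOP.search(value)
        if not m or not in_domain(m["by"], my_domain):
            break              # not written by our server: could be forged
        entry = m.groupdict()
        if not in_domain(m["rdns"], my_domain):
            break              # handoff from outside: real entry point
    sender_domain = claimed.rpartition("@")[2]
    return {
        "claimed_from": claimed,
        "entry_ip": entry and entry["ip"],
        "entry_host": entry and entry["rdns"],
        "from_matches_entry_host": bool(entry) and bool(sender_domain)
                                   and in_domain(entry["rdns"], sender_domain),
    }
```

For the sample, `trace_origin(SAMPLE, "myserver.example")` reports the dial-up host at 203.0.113.77 as the entry point and never consults the bottom Received line, which the sender could have written itself.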
fuuucckkers
Moderator
Posts: 815
Joined: Sun Sep 22, 2002 3:33 pm

Post by fuuucckkers »

Nope Ryan... I'm logged in and can NOT see your email address 8)
Catbus007
Just Registered
Posts: 0
Joined: Sun Oct 13, 2002 3:44 am
Location: New York

Post by Catbus007 »

So if you have the Klez worm virus, how do you get rid of it? I had it awhile back, and I ended up getting too frustrated that I just reformatted.
(`'·.¸(`'·.¸ ¸.·'´)¸.·'´)
«´¨`·.¸, Ash .¸¸.·¨`»
(¸.·'´(¸.·'´ `'·.¸)`'·.¸)
Big-O Ryan
Developer
Posts: 612
Joined: Fri Oct 19, 2001 11:00 pm
Location: Big-O Software

Post by Big-O Ryan »

ryan wrote: You can get a detection/removal tool here: http://securityresponse.symantec.com/av ... en@mm.html (run in safe mode, or don't bother).
-Ryan
Big-O Software
a big sombrero
Addict
Posts: 121
Joined: Sun Jun 09, 2002 2:54 pm
Location: Texas

Post by a big sombrero »

a few months ago i started getting 2 or 3 daily emails from addresses i didnt know with attachments with file types i had never seen. my virus protection never said a thing but when i checked my email on our new comp, the virus popped right up saying theyre all klez viruses and i dunno how they keep coming to me
Plasma2002b
Extreme Groupie
Posts: 976
Joined: Thu Jul 18, 2002 11:36 pm
Location: Riverside, Ca

Post by Plasma2002b »

anyone else still have a problem with this?? Sorry to keep it going, but this is getting WAY out of hand for me. On my server, im being sent a message that gets sent to hundreds of other recipients through my server itself (this is normal cause i have it set to do so, that way my programs can utilize it) but im being bombarded with hundreds of copies of this Klez email and im stuck with megabytes of emails that i have to sort through DAILY and delete (i finally got it as to where they at least dont get sent to those people).

Frankly its just a pain in the azz. :x

WHOEVER HAS THE VIRUS, GET RID OF IT!!! :evil: :evil:
a big sombrero
Addict
Posts: 121
Joined: Sun Jun 09, 2002 2:54 pm
Location: Texas

Post by a big sombrero »

i still get 2-3 emails a day with attachments, i know its a virus so i dont notice it. some even try to fool me into opening it, saying its from postmaster or something. all i can say is delete
Matt
Moderator
Posts: 411
Joined: Sat Aug 10, 2002 11:23 am
Location: USA

Post by Matt »

isnt there a way phpBB is configured that you can send e-mail messages to members w/o seeing their email address...like opens up a new window or something and you send it locally through the site, not specifically through your own email.

FYI: I AM NOT TALKING ABOUT PM'S
-Matt
Timelessblur wrote:I only know 4 langueges. Engish, Band Engish, Really bad Engish and Timelessblurain
Plasma2002b
Extreme Groupie
Posts: 976
Joined: Thu Jul 18, 2002 11:36 pm
Location: Riverside, Ca

Post by Plasma2002b »

in phpbb yes there is... but the moderators dont want you to be doing that in these forums.... thank god. that would be chaos
Plasma2002b
Extreme Groupie
Posts: 976
Joined: Thu Jul 18, 2002 11:36 pm
Location: Riverside, Ca

Post by Plasma2002b »

hey mark or ryan..... i dont know about other people, but whoever it is that has the virus, my mail address is like on their list big time. Im getting about 30 emails a day from one person. I have no clue who it is, all i know is that they were on this site cause thats what the address is on the email. Ive since made my email hidden and even changed it. But they keep coming to the addy i had before.

Do you think there would be ANY way possible to do a mass email and let the people know about klez and give em that link to get rid of it? :D

cause whoever has it, they are really flooding my smtp server bad and i dont know if they even know they have klez....

that would be awesome if you guys could do that :wink:

so far its me and sombrero..... is anyone else getting these emails still?
fuuucckkers
Moderator
Posts: 815
Joined: Sun Sep 22, 2002 3:33 pm

Post by fuuucckkers »

I'm not getting any emails. What you could do is Mass Email everyone, and provide links to http://www.antivirus.com (Trend Micro), and have them get a free online scan to see if they're infected.

Here is a link to some info on Klez.
http://www.trendmicro.com/vinfo/virusen ... ORM_KLEZ.H

And the link to HouseCall, Trend Micro's free online virus scan.
http://housecall.trendmicro.com/
Last edited by fuuucckkers on Wed Dec 04, 2002 9:15 pm, edited 1 time in total.
Plasma2002b
Extreme Groupie
Posts: 976
Joined: Thu Jul 18, 2002 11:36 pm
Location: Riverside, Ca

Post by Plasma2002b »

*sigh..........*

i guess im gonna have to take care of this problem myself... :-?


ok.... just dont get pissed at me... not like im gonna do anything bad or nuthin,
perrytheprez
Addict
Posts: 27
Joined: Wed Dec 04, 2002 10:57 pm
Location: North Carolina

Klez

Post by perrytheprez »

We kept getting emails from unknown addresses, so I downloaded a FixKlex program, and it works every time we get it now.