Apache OpenOffice (AOO) Bugzilla – Issue 71045
announce@de possible dnos
Last modified: 2006-11-17 12:04:32 UTC
announce@de gets spammed with viruses at the moment, about one to-be-moderated message per three minutes, which is quite uncommon; normally we have three to five per day. Filtering the pattern or updating the virus scanner might help; not sure what is causing this.
Support, can you see if this is a dnos? Thanks, Louis
Changing summary to highlight dnos possibility. Louis
Looking into the case. - Kavitha, Support Operations
Hi, Can you please get us the headers from one of these messages for investigation? Thanks, Kavitha Support Operations
Of course:

Return-Path: <gilda27@de.openoffice.org>
Delivered-To: moderator for announce@de.openoffice.org
Received: (qmail 28007 invoked from network); 31 Oct 2006 19:36:28 -0000
Received: from cylon1.sjc.collab.net (204.16.104.10) by s002.sjc.collab.net with SMTP; 31 Oct 2006 19:36:28 -0000
Received: from u2-168.dsl.vianetworks.de (HELO <localhost>) ([194.231.192.168]) by cylon1.sjc.collab.net with SMTP; 31 Oct 2006 11:36:27 -0800
Message-Id: <56vbav$17sf3e@cylon1.sjc.collab.net>
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Ao8CmTg0R0XC58CoWWdsb2JhbACLT1wBFA4rgQE
X-IronPort-AV: i="4.09,375,1157353200"; d="exe'?scan'208"; a="41827438:sNHT22034054"
X-IRONPORT: SCANNED
From: <Gilda27@de.openoffice.org>
Subject: NEWS!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="TkthuxOVixSFuSwtcaX"

This is a multi-part message in MIME format.
--TkthuxOVixSFuSwtcaX
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

Nuclear WAR in USA! Read attached file!
--TkthuxOVixSFuSwtcaX
Content-Type: application/octet-stream; name= "about me.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename= "about me.exe"
Thanks floeff! Will investigate the case further now. - Kavitha, Support Operations
Thanks for the fast reaction, Kavitha!
It's the same for announce@ooo.
We can track this down to a machine, as shown in the header: 194.231.192.168 in the case of the e-mail pasted above. However, ISPs don't typically release users' contact info unless subpoenaed. There's nothing we can do about receiving unsolicited e-mail; however, we could try performing an analysis of consecutive messages to indicate if there's something in common that we can filter on without false positives. If the moderators of these lists also find similar commonality, then please let us know and we'll add that to our Spam Filter.
Have you tried contacting the ISP's abuse address? I can do it as well if you want, but I guess an "official" complaint would have more success. You can filter by a pattern, because the messages have nearly common message bodies. Apart from that, I guess the attachments contain viruses, so they should be blocked nonetheless.
The messages are produced by the worm W32/Dref-K. See http://www.sophos.com/security/analyses/w32drefk.html#table4
Thanks Stefan, sounds logical! Then a simple update of the virus scanning engine should help to block that "spam"...
Thanks Stefan and floeff, have forwarded the information provided to the engineers.
Engineering has got back to us stating that it's possible to filter using the envelope addresses (recipient/sender). We ran the 1st message into our filter trace tool and it looks like our spam filter already detected the problem. The IP is on the blacklist and we will be rejecting any messages from that ISP (vianetworks.de) from now on until they get themselves off of the blacklist. It might be that it took SpamFilter time to update their Sender Based list to block messages from that ISP. Resolving this issue since we think that the problem would be solved by now.
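The header analysis the moderators did by hand (pasted message above) and the envelope/origin filtering that support describes can be reproduced in a few lines of standard-library Python. The following is an added example, not code from the issue or from the list infrastructure: it parses the message quoted in the report (IronPort headers dropped, and the base64 attachment body replaced by a constructed placeholder), recovers the originating hop and its HELO name from the bottom-most Received header, lists executable attachments, and emits filter reasons. The domain lists OUR_DOMAINS and BLOCKED_ISP_DOMAINS, the executable-extension list and the heuristics themselves are assumptions chosen for the example.

```python
"""Triage of a moderated-list message: recover the originating hop, the HELO
name and any executable attachments from the raw message, then list the
reasons a moderator or spam filter could reject on. Standard library only."""
import email
import re
from email.message import Message
from email.utils import parseaddr

# Assumptions for this example, not taken from the issue: domains the list
# infrastructure itself uses, the ISP domain the filter rejects, and which
# attachment extensions count as executable.
OUR_DOMAINS = ("openoffice.org", "collab.net")
BLOCKED_ISP_DOMAINS = ("vianetworks.de",)
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")

# Reconstructed from the headers and body quoted in the report (IronPort
# headers dropped). The base64 attachment body is a constructed placeholder.
SAMPLE_RAW = """\
Return-Path: <gilda27@de.openoffice.org>
Delivered-To: moderator for announce@de.openoffice.org
Received: (qmail 28007 invoked from network); 31 Oct 2006 19:36:28 -0000
Received: from cylon1.sjc.collab.net (204.16.104.10)
  by s002.sjc.collab.net with SMTP; 31 Oct 2006 19:36:28 -0000
Received: from u2-168.dsl.vianetworks.de (HELO <localhost>) ([194.231.192.168])
  by cylon1.sjc.collab.net with SMTP; 31 Oct 2006 11:36:27 -0800
Message-Id: <56vbav$17sf3e@cylon1.sjc.collab.net>
From: <Gilda27@de.openoffice.org>
Subject: NEWS!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="TkthuxOVixSFuSwtcaX"

This is a multi-part message in MIME format.
--TkthuxOVixSFuSwtcaX
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

Nuclear WAR in USA! Read attached file!
--TkthuxOVixSFuSwtcaX
Content-Type: application/octet-stream; name= "about me.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename= "about me.exe"

Tk9UIEEgUkVBTCBFWEU=
--TkthuxOVixSFuSwtcaX--
"""

# Matches a Received clause of the form
#   from u2-168.dsl.vianetworks.de (HELO <localhost>) ([194.231.192.168]) by ...
RECEIVED_FROM = re.compile(
    r"from\s+(?P<host>\S+)\s*(?:\(HELO\s+<?(?P<helo>[^>)\s]+)>?\))?.*?"
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]",
    re.IGNORECASE | re.DOTALL,
)


def _in_domains(name: str, domains) -> bool:
    """True if name is one of the domains or a subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in domains)


def originating_hop(msg: Message):
    """Received headers are prepended by each relay, so the bottom-most one
    with a bracketed client IP is the host that handed us the message."""
    for received in reversed(msg.get_all("Received", [])):
        m = RECEIVED_FROM.search(str(received))
        if m:
            return {"host": m["host"], "helo": m["helo"], "ip": m["ip"]}
    return None


def executable_attachments(msg: Message):
    """Filenames of attached parts whose extension marks them as executable."""
    names = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename()
        if name and name.lower().endswith(EXECUTABLE_EXTENSIONS):
            names.append(name)
    return names


def triage(raw: str, our_domains=OUR_DOMAINS, blocked=BLOCKED_ISP_DOMAINS):
    """Return the originating hop, executable attachments and filter reasons."""
    msg = email.message_from_string(raw)
    hop = originating_hop(msg)
    attachments = executable_attachments(msg)
    reasons = []
    if hop:
        host = hop["host"].lower()
        if hop["helo"] and hop["helo"].lower() == "localhost":
            reasons.append(f"external host {hop['ip']} announced itself as 'localhost'")
        if _in_domains(host, blocked):
            reasons.append(f"originating host {host} belongs to a blocked ISP")
        # Envelope sender pretending to be one of our own domains while the
        # message entered from an outside host: a common forgery pattern.
        sender_domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
        if _in_domains(sender_domain, our_domains) and not _in_domains(host, our_domains):
            reasons.append(f"envelope sender claims {sender_domain} but message came from {host}")
    for name in attachments:
        reasons.append(f"executable attachment {name!r}")
    return {"hop": hop, "attachments": attachments, "reasons": reasons}


if __name__ == "__main__":
    for reason in triage(SAMPLE_RAW)["reasons"]:
        print("REJECT:", reason)
```

Run against the quoted message, this reports four reasons: the HELO of "localhost" from an external address, the originating host in the blocked ISP domain, the forged envelope sender in the list's own domain, and the `.exe` attachment. Any one of them is a reasonable basis for the envelope-level rejection described above, and the HELO and sender-domain checks keep working after the worm moves to a different ISP.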
Looks good so far, thanks!
Verified and closing.