Mailing List Archive: ClamAV: users

Reporting infected spam

cpollock at embarqmail

Jul 23, 2011, 5:07 PM

Post #1 of 4 (764 views)
Reporting infected spam

Looking for the correct way to handle this. I've been receiving a lot of
infected email lately, supposedly bounced messages infected with the
MyDoom worm or Suspect.DoubleExtension-zippwd-9. What is the correct way
to report these to the offending ISP? I can find who the admin and tech
contacts are by telnetting to whois.ra.net and inputting the ASN, which
will give me those; then I can telnet to whois.ripe.net or apnic or radb
or whoever to give me the name(s) of these contacts and email address.
Then send them an email with the message headers to show the sender IP.
Is that the correct way? I also have a script that will report these in
conjunction with SA Learn which reports these, but it sends the whole
message including the infected attachment; I don't believe this is the
correct way.

Thanks
Chris

--
Chris
KeyID 0xE372A7DA98E6705C
31.11°N 97.89°W (Elev. 1092 ft)
19:00:22 up 171 days, 40 min, 2 users, load average: 0.60, 0.56, 0.40
Attachments: signature.asc (0.19 KB)


alvarnell at mac

Jul 23, 2011, 7:43 PM

Post #2 of 4 (752 views)
Re: Reporting infected spam [In reply to]

On 7/23/11 5:07 PM, "Chris" <cpollock [at] embarqmail> wrote:

> Looking for the correct way to handle this. I've been receiving a lot of
> infected email lately, supposedly bounced messages infected with the
> MyDoom worm or Suspect.DoubleExtension-zippwd-9. What is the correct way
> to report these to the offending ISP? I can find who the admin and tech
> contacts are by telnetting to whois.ra.net and inputting the ASN, which
> will give me those; then I can telnet to whois.ripe.net or apnic or radb
> or whoever to give me the name(s) of these contacts and email address.
> Then send them an email with the message headers to show the sender IP.
> Is that the correct way? I also have a script that will report these in
> conjunction with SA Learn which reports these, but it sends the whole
> message including the infected attachment; I don't believe this is the
> correct way.
>
You might want to check out SpamCop <http://www.spamcop.net/> to help you
locate the offending ISP. Their database is often able to cut through
attempts to disguise the true sender using your techniques, but somewhat
faster.

Another tip for sending infected emails is to compress them with a password
before sending, as intermediary mail handlers often scan and remove
attachments that are recognized malware.


-Al-

--
Al Varnell
Mountain View, CA



_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


cpollock at embarqmail

Jul 23, 2011, 7:58 PM

Post #3 of 4 (756 views)
Re: Reporting infected spam [In reply to]

On Sat, 2011-07-23 at 19:43 -0700, Al Varnell wrote:
> On 7/23/11 5:07 PM, "Chris" <cpollock [at] embarqmail> wrote:
>
> > Looking for the correct way to handle this. I've been receiving a lot of
> > infected email lately, supposedly bounced messages infected with the
> > MyDoom worm or Suspect.DoubleExtension-zippwd-9. What is the correct way
> > to report these to the offending ISP? I can find who the admin and tech
> > contacts are by telnetting to whois.ra.net and inputting the ASN, which
> > will give me those; then I can telnet to whois.ripe.net or apnic or radb
> > or whoever to give me the name(s) of these contacts and email address.
> > Then send them an email with the message headers to show the sender IP.
> > Is that the correct way? I also have a script that will report these in
> > conjunction with SA Learn which reports these, but it sends the whole
> > message including the infected attachment; I don't believe this is the
> > correct way.
> >
> You might want to check out SpamCop <http://www.spamcop.net/> to help you
> locate the offending ISP. Their database is often able to cut through
> attempts to disguise the true sender using your techniques, but somewhat
> faster.
>
> Another tip for sending infected emails is to compress them with a password
> before sending, as intermediary mail handlers often scan and remove
> attachments that are recognized malware.
>
>
> -Al-
>

Thanks Al, I do use SpamCop; that does sound like an easy way to find
the real offender. Never really thought of that; guess I've been doing
it the hard way. Never thought of your second solution either. I assume
that I should put the password for the attachment in the message that I
send with the infected email, which would make sense.

Thanks
Chris

--
Chris
KeyID 0xE372A7DA98E6705C
31.11°N 97.89°W (Elev. 1092 ft)
21:55:19 up 171 days, 3:35, 1 user, load average: 0.26, 0.19, 0.19
Attachments: signature.asc (0.19 KB)


ged at jubileegroup

Jul 24, 2011, 4:12 PM

Post #4 of 4 (737 views)
Re: Reporting infected spam [In reply to]

Hi there,

On Sun, 24 Jul 2011 Chris wrote:

> ... I've been receiving a lot of infected email lately supposedly
> bounced messages infected with the MyDoom worm or
> Suspect.DoubleExtension-zippwd-9. What is the correct way to report
> these to the offending ISP?

They should have an 'abuse@' address. That's where to send the reports.

If they don't have an 'abuse@' address they should be listed here:

http://www.rfc-ignorant.org/policy-abuse.php

--

73,
Ged.
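Two points in this thread call for the same piece of tooling: Chris's worry that his SA Learn script forwards the whole message, infected attachment included, and Ged's advice to send the report to the source network's abuse@ contact. The script below is an added example written for this archive page, not code from the thread or from ClamAV. It parses a constructed fake "bounce" (documentation-range addresses, made-up hostnames), takes the sender IP only from the Received line stamped by our own MX (the hostname "mx.example.org" and the OUR_NETWORKS list are assumptions you would replace), and builds a report containing the full header block and the attachment filenames but never the attachment bytes. Received lines below the one our own server wrote were supplied by the sender and can say anything, which is why the sample's forged "trusted-bank" hop is ignored.

```python
import ipaddress
import re
from email import message_from_string
from email.message import Message
from typing import Optional

# Constructed sample message (not from the thread): a fake non-delivery
# report carrying a zipped double-extension attachment. All hosts and
# addresses are documentation/reserved values.
SAMPLE_RAW = """\
Received: from mx.example.org (localhost [127.0.0.1])
\tby mx.example.org (Postfix) with ESMTP id 1A2B3C
\tfor <chris@example.org>; Sat, 23 Jul 2011 16:55:02 -0500 (CDT)
Received: from mail.forged-relay.invalid (unknown [203.0.113.45])
\tby mx.example.org (Postfix) with SMTP id 9Z8Y7X
\tfor <chris@example.org>; Sat, 23 Jul 2011 16:55:01 -0500 (CDT)
Received: from trusted-bank.example (trusted-bank.example [198.51.100.9])
\tby mail.forged-relay.invalid with ESMTP; Sat, 23 Jul 2011 16:54:59 -0500
From: "Mail Delivery System" <postmaster@example.com>
To: chris@example.org
Subject: Delivery failure notification
Date: Sat, 23 Jul 2011 16:54:59 -0500
Message-ID: <constructed-0001@forged-relay.invalid>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset="us-ascii"

Your message could not be delivered. See the attached report.

--BOUNDARY
Content-Type: application/zip; name="report.doc.zip"
Content-Disposition: attachment; filename="report.doc.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
--BOUNDARY--
"""

# Assumption: hops inside these networks are our own relays (loopback
# re-injection by a content filter, internal MTAs) and never the sender.
OUR_NETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/8")]

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s+\((?P<paren>[^)]*)\))?.*?\bby\s+(?P<by>[\w.\-]+)"
)
IP_RE = re.compile(r"\[(?P<ip>[0-9a-fA-F.:]+)\]")


def parse_received(value: str) -> Optional[dict]:
    """Split one Received header into HELO name, connecting IP and receiving host."""
    text = " ".join(str(value).split())  # unfold continuation lines
    m = RECEIVED_RE.search(text)
    if not m:
        return None
    ip = None
    if m.group("paren"):
        ipm = IP_RE.search(m.group("paren"))
        if ipm:
            ip = ipm.group("ip")
    return {"helo": m.group("helo"), "ip": ip, "by": m.group("by")}


def originating_ip(msg: Message, our_mx: str) -> Optional[str]:
    """IP that handed the message to our own MX, or None if no trusted hop is found.

    Each hop prepends its Received line, so the newest is on top. Only the
    line whose 'by' is our own server is trustworthy; everything below it
    was written by the sender and may be forged.
    """
    for raw in msg.get_all("Received", []):
        hop = parse_received(raw)
        if not hop or not hop["ip"] or hop["by"].lower() != our_mx.lower():
            continue
        try:
            addr = ipaddress.ip_address(hop["ip"])
        except ValueError:
            continue
        if any(addr in net for net in OUR_NETWORKS):
            continue  # internal relay hop, keep looking
        return str(addr)
    return None


def build_abuse_report(raw: str, our_mx: str) -> dict:
    """Report text for the source network's abuse contact: full headers and
    attachment names, but never the attachment contents."""
    msg = message_from_string(raw)
    sender_ip = originating_ip(msg, our_mx)
    attachments = [p.get_filename() for p in msg.walk()
                   if p.get_content_disposition() == "attachment" and p.get_filename()]
    header_block = "\n".join(f"{name}: {value}" for name, value in msg.items())
    lines = [
        f"Abuse report: malware-carrying message received by {our_mx}",
        f"Originating IP (from our own Received line): {sender_ip or 'unknown'}",
        "Attachments omitted from this report: " + (", ".join(attachments) or "none"),
        "",
        "Full headers follow:",
        header_block,
    ]
    return {"sender_ip": sender_ip, "attachments": attachments, "text": "\n".join(lines)}


if __name__ == "__main__":
    print(build_abuse_report(SAMPLE_RAW, "mx.example.org")["text"])
```

The report text is what you would mail to abuse@ at the network that owns the reported IP; the whois steps Chris describes, or SpamCop, still tell you which network that is. If the recipient does ask for the sample itself, that is the point at which Al's password-protected archive comes in, separately from this headers-only report.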