> Infested Beard
michael
post Apr 23 2004, 06:39 PM
Post #1
[Ringer Patrol]
Group: [Ringer Patrol]
Posts: 1480
Joined: 4-March 01
From: Yateley, Hampshire
Member No.: 56

On the three PCs that I've owned over the last four years, I have developed an almost paranoid obsession with Internet security. My network sits behind a firewalled router and all my systems run Norton 2K4 AV and Firewall with the Liveupdate virus definitions checking for new threats every four hours. My last infection was back in 2000 from an email sent from Beard. This morning I got another one from...Beard!

FFS Stocks sort it out!

Bird
post Apr 23 2004, 10:37 PM
Post #2
Member
Group: [RP PB]
Posts: 553
Joined: 2-November 01
From: Surrey
Member No.: 53

I got one from Beard but deleted it as it had the same subject field as the one from Colin, Eric and Russ.
There are loads going about, the subject is usually "Is this true" or "Hello" or something along those lines. I delete anything that is addressed to me only and not to everyone at the same time!


--------------------
Wrong Shui
- "Avoid keeping more than three items on your desk that you can't fit into your mouth"
- "Plants with pointy leaves are bad for you. So are friends with pointy faces. Avoid both"
beard
post Apr 24 2004, 08:44 AM
Post #3
Moderator [Ringer Patrol]
Group: [Ringer Patrol]
Posts: 339
Joined: 14-March 01
From: Cobham
Member No.: 20

I have had about 200+ in the last 2 days in my millennium email account. I don't have the virus and I have been sent it by people that I know don't have it!
Crazy email stuff.


--------------------
It really isn't my fault
womble
post Apr 24 2004, 10:30 AM
Post #4
Group: [Ringer Patrol]
Posts: 774
Joined: 23-November 01
From: Anywhere you want me, sexy!!
Member No.: 58

The virus you are all getting is prob not actually coming from the sender shown as it is a spoofing virus. But you can still blame Beard though just for the fun of it. If you have kept your virus checkers up to date (set it to auto update everyday) then you should all be fine.
You might also want to moan to your isp for not scanning it for viruses before letting you download it.

This post has been edited by womble: Apr 24 2004, 10:31 AM


--------------------
Very funny, now tell me the one that doesnt suck.
james
post Apr 24 2004, 12:05 PM
Post #5
Group: Super Administrators
Posts: 3296
Joined: 2-March 01
From: Surrey, UK
Member No.: 13

Right now, hold your horses - just cos an email says it is from someone doesn't mean it is - I also get loads of these each day. Here is the header part of the raw source of one such email for example:

QUOTE
From capnavin2003@yahoo.com.au Sat Apr 24 12:42:37 2004
Return-Path:
Received: from ringerpatrol.net (213-78-33-229.uk.onetel.net.uk [213.78.33.229])
by s1.uklinux.net (8.11.6/8.11.6) with SMTP id i3O0BjD11412
for ; Sat, 24 Apr 2004 01:11:46 +0100
Envelope-To:
Message-Id: <200404240011.i3O0BjD11412@s1.uklinux.net>
From: capnavin2003@yahoo.com.au
To: james@ringerpatrol.net
Subject: something for you
Date: Sat, 24 Apr 2004 01:11:48 +0100
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="46635045"
X-UIDL: ?`V"!O5]!!7(R"!n-'"!


Now it looks like it comes from 'capnavin2003@yahoo.com' but if you do a whois on the ip address in the received line (213.78.33.229) you get this:

QUOTE
[Tomahawk:/var/log] james% whois 213.78.33.229

OrgName:    RIPE Network Coordination Centre
OrgID:      RIPE
Address:    Singel 258
Address:    1016 AB
City:      Amsterdam
StateProv:
PostalCode:
Country:    NL

ReferralServer: whois://whois.ripe.net

NetRange:  213.0.0.0 - 213.255.255.255
CIDR:      213.0.0.0/8
NetName:    RIPE-213
NetHandle:  NET-213-0-0-0-1
Parent:
NetType:    Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: NS3.NIC.FR
NameServer: SUNIC.SUNET.SE
NameServer: AUTH00.NS.UU.NET
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: TINNIE.ARIN.NET
Comment:    These addresses have been further assigned to users in
Comment:    the RIPE NCC region. Contact information can be found in
Comment:    the RIPE database at http://www.ripe.net/whois
RegDate:
Updated:    2004-03-16

OrgTechHandle: RIPE-NCC-ARIN
OrgTechName:  RIPE NCC Hostmaster
OrgTechPhone:  +31 20 535 4444
OrgTechEmail:  search-ripe-ncc-not-arin@ripe.net

# ARIN WHOIS database, last updated 2004-04-23 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database.
% This is the RIPE Whois server.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/d.../copyright.html

inetnum:      213.78.0.0 - 213.78.63.255
netname:      ONETELHG2
descr:        Onetel Broadband ADSL IP Pool
country:      GB
admin-c:      GB10488-RIPE
tech-c:      GB10488-RIPE
tech-c:      OI94-RIPE
status:      ASSIGNED PA
notify:      abuse@onetel.net.uk
mnt-by:      ONETEL-MTNER
mnt-lower:    ONETEL-MTNER
mnt-routes:  ONETEL-MTNER
source:      RIPE
changed:      graham.burke@oneteldsl.com 20031022

route:        213.78.0.0/18
descr:        ONETEL.NET
descr:        Please mail to abuse@onetel.net.uk
origin:      AS12708
mnt-by:      ONETEL-MTNER
changed:      graham.burke@oneteldsl.com 20030107
source:      RIPE

person:      Graham Burke
address:      Onetel Broadband
phone:        +44 141 931 7000
fax-no:      +44 141 931 7001
e-mail:      Graham.Burke@oneteldsl.com
nic-hdl:      GB10488-RIPE
notify:      graham.burke@oneteldsl.com
mnt-by:      GB10488-RIPE-MNT
changed:      Graham.burke@oneteldsl.com 20021113
source:      RIPE

person:      OneTel_UK ISP_Object
address:      114a Cromwell Rd
address:      London
address:      SW7 4TP
address:      United Kingdom
phone:        +44 (0)207 331 9777
fax-no:      +44(0)207 331 9877
e-mail:      isp@onetel.net.uk
nic-hdl:      OI94-RIPE
notify:      isp@onetel.net.uk
changed:      isp@onetel.net.uk 20010926
source:      RIPE


as you can see the isp is OneTel not Yahoo as it originally looked - it's a forged 'from' address. Forged addresses are normally harvested by nefarious web robots or 'spiders' which crawl web sites looking for email addresses to add to their stash - however, as you know the alleged sender (El Beardo), this one is most likely gathered from someone's infected PC who has the Beard's address in their book. Chances are that person has a OneTel account - any takers?

Steps you can take to help

DO NOT set up your email client or antispam software to bounce spam back - it used to work, it doesn't now - in this case all that would happen is Beard would get a bunch of bounces to an email he didn't send, increasing network traffic and adding to the confusion. Anyone who bounces spam email should be shot - just delete it.

Be very aware of emails you get even if they seem to be from someone you know - if it has an attachment your alarm bells should be ringing off the hook.

Make sure Winblows is set up to show the extension (the .xxx bit) of EVERY file - the setting is in a different place on every flavor of Windows and certainly pre-XP it came set off as default - THIS IS A SECURITY FLAW - viruses will often use filenames with double extensions like 'harmless.doc.exe' - with extensions off you would see 'harmless.doc', but if you double-clicked it, it would run as an app - with whatever privileges the currently logged-on user has.

DO NOT run executable files downloaded off the web or sent to you (and that includes .exe, .scp, .com and many others) unless you are absolutely sure you know what it is - if a site offers downloads and has checksums available then USE THEM.

Run a personal firewall on every machine, run a scheduled anti-virus with regular updates, regularly run anti-spyware against your machine. If you admin a local network with a gateway to the internet (like sharing several home machines on one connection using a router) then make sure you run a firewall on the router or a DMZ.

Keep Windows and all its components (particularly IE and Outlook) up to date and apply security patches as soon as they are announced.

Don't run inherently insecure software like Internet Explorer - download Firebird or the like.


--------------------
"We are number one, all others are number two or lower!" - The Sphinx, Mystery Men

"A computer without a Microsoft operating system is like a dog without bricks tied to its head" - annon

"What a terrible thing to have lost one's mind. Or not to have a mind at all. How true that is." - Dan Quayle

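The header reading james walks through above, turned into a small check. This is an added Python example, not code from the post or the forum: it parses a constructed copy of the quoted header (the blank Return-Path and recipient fields are left out) plus a made-up MIME attachment named after the post's 'harmless.doc.exe' case, and reports the connecting IP alongside each reason to distrust the message. The regex assumes sendmail-style "from HELO (rDNS [IP])" Received lines and the executable-extension list is this example's own assumption.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed sample: the header quoted in the post above plus a made-up MIME body
# carrying the kind of double-extension attachment the post warns about.
RAW = """\
Received: from ringerpatrol.net (213-78-33-229.uk.onetel.net.uk [213.78.33.229])
 by s1.uklinux.net (8.11.6/8.11.6) with SMTP id i3O0BjD11412
 ; Sat, 24 Apr 2004 01:11:46 +0100
From: capnavin2003@yahoo.com.au
To: james@ringerpatrol.net
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="46635045"

--46635045
Content-Type: application/octet-stream; name="harmless.doc.exe"
Content-Disposition: attachment; filename="harmless.doc.exe"

MZ (constructed placeholder, not a real executable)
--46635045--
"""
# "from <HELO name> (<reverse DNS> [<IP>])" as sendmail-style MTAs record it.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(\s*(\S+)\s+\[(\d{1,3}(?:\.\d{1,3}){3})\]")
EXECUTABLE = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs"}  # run on double-click


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].strip(" <>").lower()


def analyse(raw: str) -> dict:
    """Return the connecting IP and the reasons to distrust the message."""
    msg = message_from_string(raw, policy=default)
    m = RECEIVED_RE.search(" ".join(str(msg["Received"]).split()))  # unfold first
    if not m:
        raise ValueError("no parsable Received: header")
    helo, rdns, ip = m.group(1).lower(), m.group(2).lower(), m.group(3)
    from_dom, to_dom = domain_of(str(msg["From"])), domain_of(str(msg["To"]))
    findings = []
    if not (rdns == from_dom or rdns.endswith("." + from_dom)):
        findings.append(f"reverse DNS {rdns} is not in From domain {from_dom}")
    if helo == to_dom or helo.endswith("." + to_dom):
        findings.append(f"HELO name {helo} claims the recipient's own domain")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        stem, _, ext = name.rpartition(".")
        if stem and "." + ext in EXECUTABLE:  # 'harmless.doc.exe' shows as 'harmless.doc'
            findings.append(f"attachment {name} is executable (shown as {stem} if hidden)")
    return {"ip": ip, "findings": findings}
```

Looking up who owns the reported IP, as the post does with whois, is the one step this offline check leaves to you.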
michael
post Apr 24 2004, 05:57 PM
Post #6
[Ringer Patrol]
Group: [Ringer Patrol]
Posts: 1480
Joined: 4-March 01
From: Yateley, Hampshire
Member No.: 56

I know it was probably spoofed, but that doesn't mean I can't blame Beard anyway.

Bird
post Apr 24 2004, 09:41 PM
Post #7
Member
Group: [RP PB]
Posts: 553
Joined: 2-November 01
From: Surrey
Member No.: 53

I just got an email plus attachment from Joey which had the same title as Beard's.

Trust no-one.....

michael
post Apr 25 2004, 09:09 AM
Post #8
[Ringer Patrol]
Group: [Ringer Patrol]
Posts: 1480
Joined: 4-March 01
From: Yateley, Hampshire
Member No.: 56

My point exactly. Beard is behind all of this. He is the root of all Internet malice.
QUOTE
I have had about 200+ in the last 2 days in my millennium email account.

See, he's even gloating about it! He uses special 'Beardware' to target the infrastructure of the Millennium series just so he can get out of doing the draw. I'm onto you Beard.

james
post Apr 25 2004, 11:07 AM
Post #9
Group: Super Administrators
Posts: 3296
Joined: 2-March 01
From: Surrey, UK
Member No.: 13

Ok as long as we are blaming Beard and not actually blaming Beard

I thought of a couple more security things everyone should be aware of while I was at it:

If you have a wireless network make sure WEP encryption is on and at its highest security (128bit if possible). Also make sure that the SSID is not set to broadcast.

When downloading shite on Winblows pay attention to the security certificates - if they are expired or invalid DO NOT go with it anyway - it's not uncommon now for people to have registered very similar domain names to legit ones, direct you to them to download something via a clever spam email and then use the download to install some dodgy shit.

Gypsy
post Apr 25 2004, 06:46 PM
Post #10
Group: Full Members
Posts: 78
Joined: 12-March 04
Member No.: 191


Beard peeps at Crib Milton is not impressed wot.


--------------------
BASIC........... Thats it...
Egg Designer
post Apr 26 2004, 08:08 AM
Post #11
Group: Full Members
Posts: 458
Joined: 27-May 02
From: Somewhere just left of sanity
Member No.: 88

Right, I get about 5 of these worm netsky things a day, got so used to them you can tell what they are, therefore, don't open, just delete.

And thanks James for all the info above about how to prevent them, but.........


To those of us with the IT skills of a newborn giraffe, I can only understand the words of one syllable, so I am still suffering in a cradle of naivety.

Any offers of help before I install my broadband as well, greatly appreciated, and promise not to laugh at my PC when you come round (or I will get violent, I'm sensitive FFS!) ta!!

And Greg, once again, in English, French or German please, I stand more chance of understanding.

out.

PS - I blame Beard too, again

This post has been edited by Egg Designer: Apr 26 2004, 08:08 AM


--------------------
Aoccdrnig to rscheearch at Cmabrigde Uinervtisy, it deosn't mttaer in waht oredr the ltteers of a wrod are, the olny iprmoetnt tihng is taht the frist and lsat ltteer be at the rghit pclae.

The rset can be a total mses and you can sitll raed it wouthit porbelm. Tihs is bcuseae the huamn mnid deos not raed ervey lteter by istlef, but the wrod as a wlohe.

Fcuknig amzanig huh
Content © ringerpatrol.net 2001-2007 -- Design by Designified