> Infested Beard
michael
post Apr 23 2004, 06:39 PM
Post #1


Group: [Ringer Patrol]
Posts: 1480
Joined: 4-March 01
From: Yateley, Hampshire
Member No.: 56



On the three PCs that I've owned over the last four years, I have developed an almost paranoid obsession with Internet security. My network sits behind a firewalled router and all my systems run Norton 2K4 AV and Firewall with the Liveupdate virus definitions checking for new threats every four hours. My last infection was back in 2000 from an email sent from Beard. This morning I got another one from...Beard!

FFS Stocks sort it out!


james
post Apr 24 2004, 12:05 PM
Post #2



Group: Super Administrators
Posts: 3296
Joined: 2-March 01
From: Surrey, UK
Member No.: 13



Right now, hold your horses - just cos an email says it is from someone doesn't mean it is - I also get loads of these each day. Here is the header part of the raw source of one such email for example:

QUOTE
From capnavin2003@yahoo.com.au Sat Apr 24 12:42:37 2004
Return-Path:
Received: from ringerpatrol.net (213-78-33-229.uk.onetel.net.uk [213.78.33.229])
by s1.uklinux.net (8.11.6/8.11.6) with SMTP id i3O0BjD11412
for ; Sat, 24 Apr 2004 01:11:46 +0100
Envelope-To:
Message-Id: <200404240011.i3O0BjD11412@s1.uklinux.net>
From: capnavin2003@yahoo.com.au
To: james@ringerpatrol.net
Subject: something for you
Date: Sat, 24 Apr 2004 01:11:48 +0100
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="46635045"
X-UIDL: ?`V"!O5]!!7(R"!n-'"!


Now it looks like it comes from 'capnavin2003@yahoo.com' but if you do a whois on the ip address in the received line (213.78.33.229) you get this:

QUOTE
[Tomahawk:/var/log] james% whois 213.78.33.229

OrgName:    RIPE Network Coordination Centre
OrgID:      RIPE
Address:    Singel 258
Address:    1016 AB
City:      Amsterdam
StateProv:
PostalCode:
Country:    NL

ReferralServer: whois://whois.ripe.net

NetRange:  213.0.0.0 - 213.255.255.255
CIDR:      213.0.0.0/8
NetName:    RIPE-213
NetHandle:  NET-213-0-0-0-1
Parent:
NetType:    Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: NS3.NIC.FR
NameServer: SUNIC.SUNET.SE
NameServer: AUTH00.NS.UU.NET
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: TINNIE.ARIN.NET
Comment:    These addresses have been further assigned to users in
Comment:    the RIPE NCC region. Contact information can be found in
Comment:    the RIPE database at http://www.ripe.net/whois
RegDate:
Updated:    2004-03-16

OrgTechHandle: RIPE-NCC-ARIN
OrgTechName:  RIPE NCC Hostmaster
OrgTechPhone:  +31 20 535 4444
OrgTechEmail:  search-ripe-ncc-not-arin@ripe.net

# ARIN WHOIS database, last updated 2004-04-23 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database.
% This is the RIPE Whois server.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/d.../copyright.html

inetnum:      213.78.0.0 - 213.78.63.255
netname:      ONETELHG2
descr:        Onetel Broadband ADSL IP Pool
country:      GB
admin-c:      GB10488-RIPE
tech-c:      GB10488-RIPE
tech-c:      OI94-RIPE
status:      ASSIGNED PA
notify:      abuse@onetel.net.uk
mnt-by:      ONETEL-MTNER
mnt-lower:    ONETEL-MTNER
mnt-routes:  ONETEL-MTNER
source:      RIPE
changed:      graham.burke@oneteldsl.com 20031022

route:        213.78.0.0/18
descr:        ONETEL.NET
descr:        Please mail to abuse@onetel.net.uk
origin:      AS12708
mnt-by:      ONETEL-MTNER
changed:      graham.burke@oneteldsl.com 20030107
source:      RIPE

person:      Graham Burke
address:      Onetel Broadband
phone:        +44 141 931 7000
fax-no:      +44 141 931 7001
e-mail:      Graham.Burke@oneteldsl.com
nic-hdl:      GB10488-RIPE
notify:      graham.burke@oneteldsl.com
mnt-by:      GB10488-RIPE-MNT
changed:      Graham.burke@oneteldsl.com 20021113
source:      RIPE

person:      OneTel_UK ISP_Object
address:      114a Cromwell Rd
address:      London
address:      SW7 4TP
address:      United Kingdom
phone:        +44 (0)207 331 9777
fax-no:      +44(0)207 331 9877
e-mail:      isp@onetel.net.uk
nic-hdl:      OI94-RIPE
notify:      isp@onetel.net.uk
changed:      isp@onetel.net.uk 20010926
source:      RIPE


As you can see, the ISP is OneTel, not Yahoo as it originally looked - it's a forged 'from' address. Forged addresses are normally harvested by nefarious web robots or 'spiders' which crawl web sites looking for email addresses to add to their stash - however, as you know the alleged sender (El Beardo), this one is most likely gathered from someone's infected PC who has the Beard's address in their book. Chances are that person has a OneTel account - any takers?

Steps you can take to help

DO NOT set up your email client or antispam software to bounce spam back - it used to work, it doesn't now - in this case all that would happen is Beard would get a bunch of bounces to an email he didn't send, increasing network traffic and adding to the confusion. Anyone who bounces spam email should be shot - just delete it.

Be very aware of emails you get even if they seem to be from someone you know - if it has an attachment your alarm bells should be ringing off the hook.

Make sure Winblows is set up to show the extension (the .xxx) bit of EVERY file - the setting is in a different place on every flavor of Windows and certainly pre XP it came set off as default - THIS IS A SECURITY FLAW - viruses will often use filenames with double extensions like 'harmless.doc.exe' - with extensions off you would see 'harmless.doc' but if you double clicked it it would run as an app - with whatever privileges the currently logged on user has.

DO NOT run executable files downloaded off the web or sent to you (and that includes .exe, .scp, .com and many others) unless you are absolutely sure you know what it is - if a site offers downloads and has checksums available then USE THEM.

Run a personal firewall on every machine, run a scheduled anti-virus with regular updates, regularly run anti-spyware against your machine. If you admin a local network with a gateway to the internet (like sharing several home machines on one connection using a router) then make sure you run a firewall on the router or a DMZ.

Keep Windows and all its components (particularly IE and Outlook) up to date and apply security patches as soon as they are announced.

Don't run inherently insecure software like Internet Explorer - download Firebird or the like.


--------------------
"We are number one, all others are number two or lower!" - The Sphinx, Mystery Men

"A computer without a Microsoft operating system is like a dog without bricks tied to its head" - annon

"What a terrible thing to have lost one's mind. Or not to have a mind at all. How true that is." - Dan Quayle
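The header check james walks through above (read the IP from the topmost Received line, look it up, compare with the claimed From domain), written up as an added Python example that is not part of the thread. The raw headers are a constructed cut-down copy of the ones quoted in the post, and the whois step is replaced by an offline table holding the ONETELHG2 route object from the post; a real tool would query whois.ripe.net.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, cut down from the raw header block quoted in the post above
# (Received line folded as an MTA would; the "for <...>" clause omitted).
RAW_HEADERS = """\
Received: from ringerpatrol.net (213-78-33-229.uk.onetel.net.uk [213.78.33.229])
\tby s1.uklinux.net (8.11.6/8.11.6) with SMTP id i3O0BjD11412;
\tSat, 24 Apr 2004 01:11:46 +0100
Message-Id: <200404240011.i3O0BjD11412@s1.uklinux.net>
From: capnavin2003@yahoo.com.au
"""

# Offline stand-in for the whois step: the inetnum/route object from the post.
# A real tool would query whois.ripe.net for the address instead.
ROUTE_TABLE = {
    "213.78.0.0/18": {"netname": "ONETELHG2",
                      "descr": "Onetel Broadband ADSL IP Pool",
                      "abuse": "abuse@onetel.net.uk"},
}
HOP_RE = re.compile(r"\(([\w.-]+)\s+\[(\d{1,3}(?:\.\d{1,3}){3})\]\)")

def first_hop(msg):
    """(rdns_name, ip) of the topmost Received header: stamped by our own MX,
    so it is the one hop the sender cannot forge; lower hops are untrusted."""
    for hop in msg.get_all("Received") or []:
        m = HOP_RE.search(hop)
        if m:
            return m.group(1).lower(), ipaddress.ip_address(m.group(2))
    return None, None

def lookup_network(ip):
    # Map an IP to the network object in the offline table (None if unknown).
    for cidr, info in ROUTE_TABLE.items():
        if ip in ipaddress.ip_network(cidr):
            return info
    return None

def analyse(raw):
    msg = message_from_string(raw)
    rdns, ip = first_hop(msg)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # Heuristic: the From domain's organisation label ("yahoo") should show up in
    # the sending host's reverse DNS; if not, treat the From as forged and report
    # to the real network's abuse contact rather than to the forged domain.
    org = from_domain.split(".")[0]
    mismatch = bool(rdns) and org not in rdns.split(".")
    return {"from_domain": from_domain, "ip": ip, "rdns": rdns,
            "network": lookup_network(ip) if ip else None, "mismatch": mismatch}
```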

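The attachment and double-extension points in the post above (an executable named 'harmless.doc.exe' shows as 'harmless.doc' when Windows hides extensions), as an added Python example not from the thread. The multipart message is constructed here to resemble the one in the post; the list of runnable extensions is an assumption, not exhaustive.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions Windows runs directly on double-click. Assumed list: the post names
# .exe and .com (and .scp, presumably .scr); the rest are common additions.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js"}

def build_sample():
    """Constructed sample: a multipart mail like the one in the post, carrying a
    'harmless.doc.exe' attachment plus an innocuous PDF. Payloads are dummies."""
    msg = EmailMessage()
    msg["From"] = "capnavin2003@yahoo.com.au"
    msg["To"] = "james@ringerpatrol.net"
    msg["Subject"] = "something for you"
    msg.set_content("see attached")
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="harmless.doc.exe")
    msg.add_attachment(b"%PDF-1.4", maintype="application",
                       subtype="pdf", filename="report.pdf")
    return msg.as_bytes()

def displayed_name(filename):
    """What Explorer shows with 'hide extensions for known file types' on:
    only the last extension is dropped, so 'harmless.doc.exe' -> 'harmless.doc'."""
    stem, dot, _ = filename.rpartition(".")
    return stem if dot else filename

def scan_attachments(raw):
    """One finding per attachment: its real extension, the name a user with
    extensions hidden would see, and whether a double-click would execute it."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        labels = name.lower().split(".")
        real_ext = labels[-1] if len(labels) > 1 else ""
        executable = real_ext in EXECUTABLE_EXTS
        findings.append({
            "filename": name,
            "real_ext": real_ext,
            "shown_as": displayed_name(name),
            "executable": executable,
            # Double extension: an executable hiding behind a document-looking name.
            "disguised": executable and len(labels) > 2,
        })
    return findings
```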
Content © ringerpatrol.net 2001-2007 -- Design by Designified