Spam targeting SG account - possible virus as well

Postby WhiteSpyder » Wed Mar 03, 2004 4:08 pm

Lately (over the past 3 days) I have been getting spam sent to addresses I did not create. I realize that this is becoming a trend, as indicated by the previous post about this problem. I wanted to warn users about a specific message I received through an SG account actually posing as the SG team (I knew it wasn't them, however, because in the FAQ they state that they will never contact us using our email addys). This is the message:

>>
Dear user of Spamgourmet.com gateway e-mail server,

Our main mailing server will be temporary unavaible for next two days,
to continue receiving mail in these days you have to configure our free
auto-forwarding service.

Advanced details can be found in attached file.

Kind regards,
The Spamgourmet.com team
>>

There is also an attachment called "Info.pif" (sans quotes) that is 16.45 kB.

Hope no one falls for this.
WhiteSpyder
 

another message

Postby WhiteSpyder » Wed Mar 03, 2004 4:10 pm

Here's another one I just got:

>>
2 TextFile.pif application/octet-stream 16.45 KB

Hello user of Spamgourmet.com e-mail server,

We warn you about some attacks on your e-mail account. Your computer may
contain viruses, in order to keep your computer and e-mail account safe,
please, follow the instructions.

For more information see the attached file.

Have a good day,
The Spamgourmet.com team
>>
WhiteSpyder
 

Postby josh » Wed Mar 03, 2004 9:21 pm

I got one too -- sent to info :)

It seems unlikely that these are specific to spamgourmet -- the virus could have just looked at the domain of the target email address and used that for most of the text, then prefixed it with www. for the link...
josh
 

Spoof EMAIL!

Postby SysKoll » Thu Mar 04, 2004 12:07 am

User Sittingduck has posted this almost simultaneously -- I have moved it here because it's the same virus.

--SysKoll

I just received this... I'm sure most people smart enough to use spamgourmet will see this as the hoax it is, but just in case, I don't think you will want to run the file.... :)

Received: from gourmet.spamgourmet.com ([216.218.230.146])
by rwcrmxc15.comcast.net (rwcrmxc15) with ESMTP
id <20040303210107r1500cbs9pe>; Wed, 3 Mar 2004 21:01:07 +0000
X-Originating-IP: [216.218.230.146]
Received: from gourmet.spamgourmet.com (localhost [127.0.0.1])
by localhost (8.12.10/8.12.9) with ESMTP id i23L16BH025129
for <XXXXXX@comcast.net>; Wed, 3 Mar 2004 13:01:06 -0800
Received: (from jqh1@localhost)
by gourmet.spamgourmet.com (8.12.10/8.12.10/Submit) id i23L16cQ025128
for XXXXXX@comcast.net; Wed, 3 Mar 2004 13:01:06 -0800
Received: from daddy (213083240106.sonofon.dk [213.83.240.106])
by gourmet.spamgourmet.com (8.12.10/8.12.9) with SMTP id i23L12BI025077
for <694098sittingduckemail.the.sitting-duck@spamgourmet.com>; Wed, 3 Mar 2004 13:01:04 -0800
Date: Wed, 03 Mar 2004 21:59:22 +0100
To: 694098sittingduckemail.the.sitting-duck@spamgourmet.com
Subject: Notify about using the e-mail account. (694098sittingduckema: message 1 of 20)
From: +694098sittingduckema+sitting-duck+77dcc4b27f.administration#spamgourmet.com.boundary="--------ktsjunhgapeyukxmxrnu"@spamgourmet.com
Message-ID: <vttyipiwkccioyghorw@spamgourmet.com>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="--------ktsjunhgapeyukxmxrnu"

----------ktsjunhgapeyukxmxrnu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

Dear user of Spamgourmet.com e-mail server gateway,

Our antivirus software has detected a large ammount of viruses outgoing
from your email account, you may use our free anti-virus tool to clean up
your computer software.

For details see the attached file.

Attached file is protected with the password for security reasons. Password is 66818. :D
--Sittingduck
SysKoll
 
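The Received chain Sittingduck quoted above is the useful part of the post: the top headers are written by comcast and by spamgourmet's own relay, and only the bottom one (`from daddy (213083240106.sonofon.dk [213.83.240.106])`) says where the message was injected. The script below is an added example, not code from the thread or from spamgourmet; it walks the hops oldest-first, reports the injecting IP, and checks josh's observation that the worm simply claims the recipient's own domain as its From:. The sample headers are transcribed from the post with the rewritten From: reduced to the address the worm originally claimed (administration@spamgourmet.com); the set of "known spamgourmet relays" is an assumption for the demo, taken from the same headers.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, transcribed from the Received chain quoted above.
# The From: is the address the worm claimed before spamgourmet rewrote it;
# the real comcast recipient is masked as in the post.
SAMPLE = """Received: from gourmet.spamgourmet.com ([216.218.230.146])
\tby rwcrmxc15.comcast.net (rwcrmxc15) with ESMTP
\tid <20040303210107r1500cbs9pe>; Wed, 3 Mar 2004 21:01:07 +0000
X-Originating-IP: [216.218.230.146]
Received: from gourmet.spamgourmet.com (localhost [127.0.0.1])
\tby localhost (8.12.10/8.12.9) with ESMTP id i23L16BH025129
\tfor <XXXXXX@comcast.net>; Wed, 3 Mar 2004 13:01:06 -0800
Received: (from jqh1@localhost)
\tby gourmet.spamgourmet.com (8.12.10/8.12.10/Submit) id i23L16cQ025128
\tfor XXXXXX@comcast.net; Wed, 3 Mar 2004 13:01:06 -0800
Received: from daddy (213083240106.sonofon.dk [213.83.240.106])
\tby gourmet.spamgourmet.com (8.12.10/8.12.9) with SMTP id i23L12BI025077
\tfor <694098sittingduckemail.the.sitting-duck@spamgourmet.com>; Wed, 3 Mar 2004 13:01:04 -0800
Date: Wed, 03 Mar 2004 21:59:22 +0100
To: 694098sittingduckemail.the.sitting-duck@spamgourmet.com
Subject: Notify about using the e-mail account.
From: administration@spamgourmet.com
Message-ID: <vttyipiwkccioyghorw@spamgourmet.com>

Dear user of Spamgourmet.com e-mail server gateway, ...
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_RE = re.compile(r"\bfrom\s+([^\s()]+)")
BY_RE = re.compile(r"\bby\s+([^\s()]+)")


def received_hops(raw):
    """Return the Received hops in transit order (oldest first).

    Each MTA prepends its own Received header, so the last one in the
    message is the first hop the message actually took."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(value.split())  # unfold continuation lines
        ip, frm, by = IP_RE.search(value), FROM_RE.search(value), BY_RE.search(value)
        hops.append({
            "from": frm.group(1) if frm else None,
            "ip": ip.group(1) if ip else None,
            "by": by.group(1) if by else None,
        })
    return hops


def is_local(ip):
    """Loopback/private hops are internal to a relay, not the origin."""
    return ip is None or ip.startswith(("127.", "10.", "192.168."))


def originating_ip(raw):
    """The earliest hop with a routable client IP: where the mail was injected.

    Everything above it was written by relays and says nothing about the
    sender; here X-Originating-IP names spamgourmet's relay, not the origin."""
    for hop in received_hops(raw):
        if not is_local(hop["ip"]):
            return hop["ip"]
    return None


def sender_and_recipient_domains(raw):
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    recipient = parseaddr(msg.get("To", ""))[1].rpartition("@")[2].lower()
    return sender, recipient


def mimics_recipient_domain(raw, domain_relays):
    """True when From: claims the recipient's own domain but the message was
    injected from a host outside that domain's relays (an assumed set)."""
    sender, recipient = sender_and_recipient_domains(raw)
    return sender == recipient and originating_ip(raw) not in domain_relays


# Assumption for the demo: spamgourmet's outbound relay as seen in the headers.
SG_RELAYS = {"216.218.230.146"}

if __name__ == "__main__":
    for hop in received_hops(SAMPLE):
        print(hop)
    print("injected from:", originating_ip(SAMPLE))
    print("claims recipient's domain from outside it:",
          mimics_recipient_domain(SAMPLE, SG_RELAYS))
```

Run it and the last hop printed is the comcast server, the first is `daddy` on the sonofon.dk dial-up; the "administration" sender claiming spamgourmet.com from a Danish consumer IP is the whole tell. The relay set is the only site-specific knowledge the check needs.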

Postby Mel » Thu Mar 04, 2004 11:40 pm

That looks similar to one of the 5 Bagle.j emails I was sent today

A couple of my old spamgourmet addresses had been harvested from usenet posts (one 2 years old) and had what looks like a counter followed by my newsgroup posting name joined on the front to create a new valid spamgourmet address.


Interestingly, it seems to be designed to get around email A-V scanners too - one variant with the virus attached to an attached email still isn't picked up by mine.

I was going to use a prefix, but instead I've set up a regular expression on my ISP's email server to dump executables and zips.
Mel
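Mel's server-side rule (dump executables and zips by extension) and SysKoll's objection to it in the next post both point at the same gap: the worm hides behind a decoy extension (msg2.rtf.scr, mail2.doc.exe), or inside a zip whose contents are password-protected so the scanner cannot open them. The filter below is an added example, not Mel's regex or anything from spamgourmet. It looks inside archives without extracting them (zip member names are stored unencrypted in the central directory even when the data is password-protected) and treats "the password is in the body" as a signal in its own right, so ordinary zips still get through. The three messages are constructed here from the texts quoted in the thread; the attachment bytes are stand-ins, not the worm, and the extension list is an assumption.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions Windows will run on double-click; the worm used .pif, .scr and .exe,
# sometimes behind a decoy extension such as msg2.rtf.scr. (Assumed list.)
EXEC_EXT = {"exe", "pif", "scr", "com", "bat", "cmd", "vbs", "js"}
ARCHIVE_EXT = {"zip"}
PASSWORD_RE = re.compile(r"\bpassword\s+is\s+(\d+)", re.I)


def is_executable_name(name):
    """Judge by the LAST extension: Info.pif, msg2.rtf.scr, mail2.doc.exe."""
    return "." in name and name.rsplit(".", 1)[-1].lower() in EXEC_EXT


def zip_findings(data):
    """Inspect an archive without extracting it. Member names are readable
    even when the members are password-protected (ZipCrypto encrypts data,
    not the central directory), so a TextFile.pif inside is still visible."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid zip"]
    findings = []
    for info in zf.infolist():
        if is_executable_name(info.filename):
            findings.append(f"executable member {info.filename}")
        if info.flag_bits & 0x1:  # general-purpose bit 0: member is encrypted
            findings.append(f"encrypted member {info.filename}")
    return findings


def classify(raw_bytes):
    """Return ("reject", reasons) or ("accept", []) for a raw RFC 822 message."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    password = PASSWORD_RE.search(body.get_content() if body else "")
    reasons = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if is_executable_name(name):
            reasons.append(f"executable attachment {name}")
        elif ext in ARCHIVE_EXT:
            reasons.extend(f"{name}: {f}" for f in zip_findings(part.get_payload(decode=True)))
            if password:
                # The password-in-body trick exists only to keep scanners out.
                reasons.append(f"{name}: body supplies archive password {password.group(1)}")
    return ("reject" if reasons else "accept", reasons)


# --- constructed samples (not real worm bytes) ---------------------------
def make_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build(subject, text, filename, data, subtype="octet-stream"):
    m = EmailMessage()
    m["From"] = "management@spamgourmet.com"
    m["To"] = "SG.10.lagger@spamgourmet.com"
    m["Subject"] = subject
    m.set_content(text)
    m.add_attachment(data, maintype="application", subtype=subtype, filename=filename)
    return m.as_bytes()


WORM = build("Warning about your e-mail account.",
             "We warn you about some attacks on your e-mail account.\n"
             "For details see the attach.\n"
             "Attached file protected with the password for security reasons. Password is 44288.\n",
             "TextFile.zip", make_zip({"TextFile.pif": b"MZ stand-in"}), subtype="zip")
DOUBLE_EXT = build("is that your attachment?", "Your bill.", "mail2.doc.exe", b"MZ stand-in")
LEGIT = build("Q1 numbers", "Spreadsheet attached.", "q1.zip",
              make_zip({"q1.xlsx": b"PK stand-in"}), subtype="zip")

if __name__ == "__main__":
    for label, raw in (("worm", WORM), ("double-ext", DOUBLE_EXT), ("legit", LEGIT)):
        print(label, classify(raw))
```

The encrypted-member branch is exercised only on a real password-protected archive (the standard library cannot write one), but the name check alone already catches every sample quoted in this thread, because the worm never bothered to disguise the member name.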
 

Postby SysKoll » Fri Mar 05, 2004 12:16 am

Yes, but many users have legitimate reasons to get zip files and cannot afford to dump them.

The encrypted Windows worms are so far stumping the AV systems. I fail to see how an AV program can work around these. Right now, these encrypted worms are so primitive they rely on the user to enter the password. But soon they'll be encrypted with random keys and will auto-decrypt when the recipient clicks on the attachment.

Me, I am just an amused spectator, I run Linux. :P
-- SysKoll
SysKoll
 

Postby josh » Fri Mar 05, 2004 8:43 pm

A few users have noted that the virus appears to have been sent to a new sg address. Do you all know where we can view the Bagle.j source?
josh
 

Postby hovvit » Mon Mar 08, 2004 6:41 am

I've also been getting these spams, is there anyway to delete all my spamgourmet addresses to prevent this?
hovvit
 

Postby josh » Mon Mar 08, 2004 11:47 am

add a couple of watchwords and turn on "watchword enforcement"
josh
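Why josh's one-liner works: spamgourmet addresses are created on first use, so a worm that harvested `sittingduckemail.sitting-duck` can mint a fresh, working `694098sittingduckemail.the.sitting-duck` just by mailing it (Mel's "counter joined on the front"). Watchword enforcement makes creation conditional on the word containing a secret the worm does not know; a prefix does the same at the front of the word. The model below is an added example written for this thread; it is a deliberately simplified reconstruction of the mechanism, not spamgourmet's code, and the address grammar (`word.count.user`, count optional and defaulting to 3), the "eat" wording and the exact prefix/watchword rules are assumptions.

```python
import re

# Simplified model of a spamgourmet-style disposable address (assumed grammar):
#   word.count.user   or   word.user   (count defaults to DEFAULT_COUNT)
DEFAULT_COUNT = 3
LOCAL_RE = re.compile(r"^(?P<word>[^.]+)(?:\.(?P<count>[^.]+))?\.(?P<user>[^.]+)$")


def parse_local(local):
    """Split the local part into (word, count, user); non-numeric count -> default."""
    m = LOCAL_RE.match(local)
    if not m:
        return None
    count = m.group("count")
    count = int(count) if count is not None and count.isdigit() else DEFAULT_COUNT
    return m.group("word").lower(), count, m.group("user").lower()


class Account:
    """One user's disposable-address state. Assumed semantics:
    an existing word forwards while its counter is above zero and then 'eats';
    a new word is created only if it passes the prefix and watchword rules."""

    def __init__(self, user, prefix="", watchwords=(), enforce_watchwords=False):
        self.user = user.lower()
        self.prefix = prefix.lower()
        self.watchwords = {w.lower() for w in watchwords}
        self.enforce = enforce_watchwords
        self.addresses = {}  # word -> messages remaining

    def seed(self, word, remaining=DEFAULT_COUNT):
        """Register a word the user already handed out (e.g. harvested from usenet)."""
        self.addresses[word.lower()] = remaining

    def accepts_new(self, word):
        if self.prefix and not word.startswith(self.prefix):
            return False
        if self.enforce and not any(w in word for w in self.watchwords):
            return False
        return True

    def deliver(self, local):
        parsed = parse_local(local)
        if parsed is None or parsed[2] != self.user:
            return "bounce: not this user"
        word, count, _ = parsed
        if word in self.addresses:
            if self.addresses[word] <= 0:
                return "eat: address exhausted"
            self.addresses[word] -= 1
            return "forward"
        if not self.accepts_new(word):
            return "eat: new address not allowed"
        self.addresses[word] = count - 1  # created on first use, this message counts
        return "forward"


if __name__ == "__main__":
    # Sittingduck's situation: an old harvested word, enforcement switched on.
    acct = Account("sitting-duck", watchwords=["forum"], enforce_watchwords=True)
    acct.seed("sittingduckemail", remaining=0)
    for local in ("sittingduckemail.sitting-duck",             # harvested, used up
                  "694098sittingduckemail.the.sitting-duck",   # worm-minted variant
                  "forum2004.5.sitting-duck"):                 # user-minted, has watchword
        print(local, "->", acct.deliver(local))
```

With enforcement off (the default) the worm-minted word would have been created and forwarded, which is exactly what the thread is seeing; with it on, the derived address is eaten while the user's own new addresses keep working.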
 

bagel worm sent from spoofed SG account

Postby lagger » Mon Mar 22, 2004 11:35 am


Date: Mon, 22 Mar 2004 04:54:04 -0500
From: <management@spamgourmet.com>
To: <SG.10.lagger@spamgourmet.com>
Subject: Warning about your e-mail account. (SG: message 5 of 10)


Hello user of Spamgourmet.com e-mail server,

We warn you about some attacks on your e-mail account. Your computer may
contain viruses, in order to keep your computer and e-mail account safe,
please, follow the instructions.

For details see the attach.

Attached file protected with the password for security reasons. Password is 44288.

Cheers,
The Spamgourmet.com team http://www.spamgourmet.com

Attachment: TextFile.zip (17 KB)


the attached text file had this worm
lagger
 

Postby miniscus » Sat Mar 27, 2004 1:11 am

Got two mails w/ attachments, to an address I cannot recall giving anyone. But they don't quite seem to fit the above.

I thought this might be worth mentioning, because IIRC "jgh" is a short form used by a main developer of SG in his mails? Or elsewhere? It's long ago for me and I'm not sure....

Arick, still thankful for SG when deleting my 5 spams daily only.

(spaces inserted around any @)

---------------------------
Return-Path: <jqh1 @ gourmet.spamgourmet.com>
From: lindalasoumise @ hotmail.com
To: pportnewsgroup.to.*me* @ xoxy.net
Subject: illegal... (pportnewsgroup: message 1 of 20)
Date: Wed, 17 Mar 2004 21:52:26 +0100

Text:
is that your work?

Attached:
msg2.zip (24kb) with msg2.rtf.scr in it. :?

---------------------------
Return-Path: <jqh1 @ gourmet.spamgourmet.com>
From: jqh1 @ gourmet.spamgourmet.com
To: pportnewsgroup.to.*me* @ xoxy.net
Subject: is that your attachment? (pportnewsgroup: message 2 of 20)
Date: Sun, 21 Mar 2004 14:17:46 +0100

Text:
Your bill.

Attached:
mail2.doc.exe (24kb)
miniscus
 

Postby Guest » Wed Aug 25, 2004 12:21 pm

josh wrote:A few users have noted that the virus appears to have been sent to a new sg address. Do you all know where we can view the Bagle.j source?
Guest
 

Postby miniscus » Fri Aug 27, 2004 2:52 pm

Sorry, I cannot.

But the new-to-me-address (see post above):
pportnewsgroup.to.*me* @ xoxy.net
surely is a derivative of:
mssupportnewsgroup.to.*me* @ spamgourmet.com.

The latter address has been eating spam for a long time. The derivative has received 3 mails to date, all infected. I realize watchwords would do the job.
Arick
miniscus
 
