I delete all attachments. Like I said, maybe, maybe not related. I don't fool with them. When they hit my mailbox they're out of there unless I'm expecting one. I've never heard of Microsoft sending e-mails for critical updates. If they did that the internet would shut down from the overload. LOL!!! Whoever it was sent four.
I'm now being bombarded with attachments from the following address. Would the regulars here please help me fight this? This happened when I responded to Rich. Here is the IP, 68.47.119.218 as explained through this trace.
BTW, this has never happened before.
I try to use my real address out of respect to others. I think I may change this now. It's a shame. These attachments are eating up my bandwidth:
(InterMail vM.5.01.05.12 201-253-122-126-112-20020820) with ESMTP id <20030918230118.CMSG27490.mtiwgwc19.worldnet.att.net@mtiwgwc19> for snipped-for-privacy@worldnet.att.net>; Thu, 18 Sep 2003 23:01:18 +0000
127.0.0.1 discarded
Received: from mtiwgwc19.worldnet.att.net ([127.0.0.1]) by mtiwgwc19.worldnet.att.net (InterMail vM.5.01.05.12 201-253-122-126-112-20020820) with ESMTP id snipped-for-privacy@mtiwgwc19.worldnet.att.net> for snipped-for-privacy@worldnet.att.net>; Thu, 18 Sep 2003 22:53:01 +0000
127.0.0.1 discarded
Received: from rwcrmhc13.comcast.net ([204.127.198.39]) by mtiwgwc19.worldnet.att.net (mtiwgwc19) with ESMTP id <2003091822530001900smkmre>; Thu, 18 Sep 2003 22:53:00 +0000
Possible spammer: 204.127.198.39
Received line accepted
Received: from rnkpk (pcp05175274pcs.martnz01.ga.comcast.net[68.47.119.218]) by comcast.net (rwcrmhc13) with SMTP id <2003091822520701500h5thje>; Thu, 18 Sep 2003 22:52:10 +0000
host 204.127.198.39 (getting name) = rwcrmhc13.comcast.net.
host rwcrmhc13.comcast.net (checking ip) = 204.127.198.39
204.127.198.39 not listed in dnsbl.njabl.org
204.127.198.39 not listed in proxies.blackholes.easynet.nl
204.127.198.39 not listed in dnsbl.sorbs.net
ips are close enough
204.127.198.39 is close to an MX (204.127.198.26) for comcast.net
Possible spammer: 68.47.119.218
68.47.119.218 is not an MX for pcp05175274pcs.martnz01.ga.comcast.net
host pcp05175274pcs.martnz01.ga.comcast.net (checking ip) = 68.47.119.218
Possible relay: 204.127.198.39
204.127.198.39 not listed in relays.ordb.org.
204.127.198.39 has already been sent to relay testers
Received line accepted
Tracking message source: 68.47.119.218:
Routing details for 68.47.119.218 [refresh/show]
Cached whois for 68.47.119.218 : snipped-for-privacy@comcast.net
Using abuse net on snipped-for-privacy@comcast.net
abuse net comcast.net = snipped-for-privacy@comcast.net
Using best contacts snipped-for-privacy@comcast.net
Yum, this spam is fresh!
68.47.119.218 not listed in dnsbl.njabl.org
68.47.119.218 not listed in dnsbl.njabl.org
68.47.119.218 not listed in proxies.blackholes.easynet.nl
68.47.119.218 not listed in dnsbl.sorbs.net
68.47.119.218 not listed in relays.ordb.org.
68.47.119.218 not listed in query.bondedsender.org
Please make sure this email IS spam:
From: "message system" snipped-for-privacy@bigfoot.com (Mime-Version: 1.0)
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable
View full message
Report Spam to:
Re:68.47.119.218 (Administrator of network where virus originates) To: snipped-for-privacy@comcast.net (Notes)
Re:68.47.119.218 (Third party interested in email source) To: Cyveillance spam collection (Notes)>>
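The hop-by-hop reasoning in the trace above, sketched in Python as an added example (it is not part of the original posts and is not the tracing service's own code). The Received lines are taken from the trace with ids and recipients trimmed; the TRUSTED list and the function names are assumptions made for illustration.

```python
import ipaddress
import re

# Received lines from the trace above, newest first; ids and recipients trimmed.
RECEIVED = [
    "from mtiwgwc19.worldnet.att.net ([127.0.0.1]) by mtiwgwc19.worldnet.att.net "
    "(InterMail vM.5.01.05.12 201-253-122-126-112-20020820) with ESMTP; "
    "Thu, 18 Sep 2003 22:53:01 +0000",
    "from rwcrmhc13.comcast.net ([204.127.198.39]) by mtiwgwc19.worldnet.att.net "
    "(mtiwgwc19) with ESMTP; Thu, 18 Sep 2003 22:53:00 +0000",
    "from rnkpk (pcp05175274pcs.martnz01.ga.comcast.net[68.47.119.218]) "
    "by comcast.net (rwcrmhc13) with SMTP; Thu, 18 Sep 2003 22:52:10 +0000",
]

# Assumption: relays whose Received lines we believe (recipient's and sender's ISP).
TRUSTED = ("worldnet.att.net", "comcast.net")

HOP = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\[\]\s]*)\s*\[(?P<ip>[\d.]+)\]\)"
    r"\s+by\s+(?P<by>\S+)"
)

def is_trusted(host, trusted):
    """True if host equals a trusted domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in trusted)

def trace_source(lines, trusted=TRUSTED):
    """Walk hops newest to oldest; return the deepest hop a trusted relay recorded."""
    source = None
    for line in lines:
        m = HOP.search(line)
        if not m:
            continue
        hop = m.groupdict()
        if ipaddress.ip_address(hop["ip"]).is_loopback:
            continue  # internal hand-off ("127.0.0.1 discarded" in the trace)
        if not is_trusted(hop["by"], trusted):
            break  # written by a server we don't know: could be forged
        hop["helo_is_fqdn"] = "." in hop["helo"]
        source = hop
    return source

if __name__ == "__main__":
    print(trace_source(RECEIVED))
```

Anything below the last trusted hop is sender-supplied text, which is why the walk stops there instead of reading to the bottom of the header block.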
There's another nasty network worm in circulation, claiming to be a Microsoft software update or a returned message or several other things. It's dumped about 20MB of data into my mailbox so far, and the spamfilters are just starting to recognize and block it.
Basic advice: No matter who it claims to be from, do not install ANYTHING that arrives unsolicited. Do not trust links that appear in e-mail either. If you want to check for Microsoft updates, hit their official update webserver DIRECTLY.
(I've installed an industrial-strength firewall. Paranoia is not enough.)
I also have been sent about 20 of these e-mails. It seems to be that the list to send these to must have something to do with this newsgroup. But I could be incorrect in this. I checked with McAfee and it is a virus. I did not open the attachment and have scanned my computer and I am not infected.
Got another hundred this afternoon... my ISP says it's NOT just me, but everyone on their server, seems to be coming from LA and Chicago. And also seems to be pretty well across the board.
Yep, it's a virus. Run this Fix Tool for W32.Swen.A@mm
formatting link
Got this below from Road Runner. Warning - New Email Virus Claiming to Contain a Microsoft Security Patch
Please note we have received an increased number of incidents relating to a mass-mailing worm that poses as a legitimate email from Microsoft Windows Update. Please note that this is indeed a worm and NOT a security patch from Microsoft.
Information on this worm including removal instructions can be found at
formatting link
snipped-for-privacy@mm.html
formatting link
Please note - the major anti-virus product manufacturers have updated their definitions to include this worm so please ensure you do a live update and scan your machine regularly. Alternatively you may choose to run a free web-based virus scanner such as
formatting link
Additionally, Windows Updates should of course be downloaded ONLY from the official site
No, it's not a reader of the group per se, though one of our fellow readers could be infected. The virus connects to NNTP sites and harvests mail addresses from Usenet posts. See the McAfee ADVERT site and search for the W32/Swen@MM virus.
I've gotten them from all over the world. I am now getting helpful messages in Spanish or Portuguese from spam scanners at ISPs saying that they have cleaned a message for me.
I manage mail servers for a large company, and they have only received a few messages, so you are more likely to get more hits from this virus if you post frequently. I post a lot :-) My wife never posts and has received none.
Please, patch your systems if you use Microsoft products but don't EVER click on an attachment from someone claiming to be your ISP or Microsoft. Download the patches yourself and then click on it.
Within the past day or so I remember reading that e-mails such as you describe are utilized by the latest worm. I believe it was in a Symantec (who I subscribe to) security bulletin.