Who pretend me to send virus email?
Original Message
Name: kiki0606
Date: July 14, 2005 at 03:46:29 Pacific
Subject: Who pretend me to send virus email?
OS: Win2000
CPU/Ram: Pentium
Comment: Hi all experts, I own a domain, 6thJune.com. 3 weeks ago, I started to receive around 100 virus emails containing the Mytob.ED worm every day. To my surprise, the senders of those emails are xxx@6thjune.com (i.e. my own domain). My web hosting ISP's technical support helped to check that the virus emails were sent from an ISP in Taiwan instead of from my server located in Hong Kong. He also said some user from that Taiwan ISP is pretending to be 6thJune.com to send out virus emails to the public. I've also sent an email to that Taiwan ISP complaining about that. However, no response was received. It troubles me so much, as every day I need to receive and scan 100 emails. And it also ruins my company's image. Could somebody tell me what the problem is? How can someone pretend to be some company to send out virus emails? And how can I stop them from doing that? Kindly please advise. I really need your help. Thx!
Response Number 1
Name: jam14online
Date: July 14, 2005 at 04:07:47 Pacific
Reply: The From header in each email is simply being forged. If you analyze the message source, you will discover the server that initiated the message. On your web site, add a site-wide announcement telling your customers to ignore and permanently delete any emails with attachments from your domain. Make it clear that you do not send emails with any sort of attachments, and that this is the work of a worm. Someone else may have a better solution.
James
Free PC Help forums
Response Number 2
Name: Mark.UK
Date: July 14, 2005 at 04:10:23 Pacific
Reply: Are you sure it's not your PC/System that is infected? http://securityresponse.symantec.com/avcenter/venc/data/w32.mytob.ed@mm.html
M
Response Number 3
Name: kiki0606
Date: July 14, 2005 at 09:13:05 Pacific
Reply: My ISP claimed that those emails are not from their servers, and my own PC has anti-virus installed. The mail header is like the one below. Is 211.72.169.187 the real IP of the message source? My ISP said the emails are from a Taiwan ISP called "CHTD, Chunghwa Telecom Co.,Ltd.". Anyway, before I get any better solution, I'll follow what was suggested by James by setting up a site-wide announcement to my customers. Thx a lot, James! & thx Mark too for helping.
Kiki
*********************************************
Return-Path: <webmaster@6thjune.com>
Received: from 6thjune.com ([211.72.169.187]) by pop6.webhosthk.com (8.11.6/8.11.6) with ESMTP id j6EE8qn18296 for <bob@6thjune.com>; Thu, 14 Jul 2005 22:08:52 +0800
Message-Id: <200507141408.j6EE8qn18296@pop6.webhosthk.com>
From: webmaster@6thjune.com
To: bob@6thjune.com
Subject: [virus Win32/Mytob.ED worm] Your Account is Suspended For Security Reasons
Date: Thu, 14 Jul 2005 22:11:40 +0800
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0004_29881B30.BB3B9FE1"
X-Priority: 3
X-MSMail-Priority: Normal
Status:
X-NOD32Result: Infected, Win32/Mytob.ED worm
*********************************************
Response Number 4
Name: OrionCA
Date: July 14, 2005 at 15:31:28 Pacific
Reply: Welcome to the Internet. Now hand over your wallet, turn around, and go home; you won't be hurt.

The FROM: line in the headers is easily forged. You have to look at the RECEIVED BY: header lines and trace backwards to see where the message actually came from. Your ISP has already done this for you, so you know it comes from a Taiwan provider. Complaining to the provider at his postmaster@ or abuse@ address will usually get the abuser's account terminated. However, they typically use "throwaway" accounts, open mail relay servers, and/or previously hijacked computers to send their viruses, so it's unlikely that you can get the sender really thrown off the Internet.

This virus, like many others, infects a machine through email and then turns the machine into a "zombie": it opens a port to a hidden online chatroom where the hacker issues commands to the controlled machines. It may use the Outlook address book on the infected machine to send out mass virus mailings OR a list provided by the hacker through this chatroom.

You can set up a filter to automatically detect email viruses and delete them silently, before you even see them. Or sometimes your ISP provides this service. There are commercial packages that do this, or you can use the (simple) filters in Outlook to dump at least some of these. I find filtering messages with "Microsoft" and "Patch", "Security" and "Upgrade", "Critical" and "Patch" gets rid of many of them. For more sophisticated filters you have to use something with a more robust filter system than Outlook provides.
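Both Response 3 (is 211.72.169.187 the real source?) and Response 4 (trace the Received lines backwards, the From line proves nothing) come down to reading the Received chain correctly. The script below is an added example, not code from anyone in this thread: it parses a message's headers with Python's standard email module, extracts the HELO name, the receiving server and the connecting IP from each Received line, and reports the origin as the address logged by the lowest hop written by a server you trust. The sample message is constructed: the second Received line and the From/To/Subject/Date/Message-Id fields are the header block kiki0606 pasted above, the first Received line (mx.example.net, 192.0.2.10) is a hypothetical extra hop added only to show how a chain is read, and the body is a placeholder.

```python
import re
from email import message_from_string
from email.policy import default
from ipaddress import ip_address

# Constructed sample. The second Received line, Message-Id, From, To, Subject
# and Date are the header block pasted in Response 3; the first Received line
# (mx.example.net, 192.0.2.10) is a hypothetical extra hop added to show how
# a chain is read. The body is a placeholder.
SAMPLE = """\
Return-Path: <webmaster@6thjune.com>
Received: from pop6.webhosthk.com (pop6.webhosthk.com [192.0.2.10])
 by mx.example.net with ESMTP id abc123
 for <bob@6thjune.com>; Thu, 14 Jul 2005 22:09:01 +0800
Received: from 6thjune.com ([211.72.169.187]) by pop6.webhosthk.com
 (8.11.6/8.11.6) with ESMTP id j6EE8qn18296 for <bob@6thjune.com>;
 Thu, 14 Jul 2005 22:08:52 +0800
Message-Id: <200507141408.j6EE8qn18296@pop6.webhosthk.com>
From: webmaster@6thjune.com
To: bob@6thjune.com
Subject: [virus Win32/Mytob.ED worm] Your Account is Suspended For Security Reasons
Date: Thu, 14 Jul 2005 22:11:40 +0800
X-NOD32Result: Infected, Win32/Mytob.ED worm

(body omitted)
"""

# "from <helo> (...) by <server>": the HELO name is whatever the sending
# machine typed; the bracketed address is what the receiving server observed.
HOP_RE = re.compile(r"from\s+(?P<helo>\S+).*?\bby\s+(?P<by>\S+)", re.S)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received_chain(raw):
    """Return one dict per Received header, top (newest) to bottom (oldest)."""
    msg = message_from_string(raw, policy=default)
    hops = []
    for value in msg.get_all("Received", []):
        value = re.sub(r"\s+", " ", str(value))  # unfold continuation lines
        m = HOP_RE.search(value)
        ip_m = IP_RE.search(value)
        hops.append({
            "helo": m.group("helo") if m else None,
            "by": m.group("by").rstrip(";,") if m else None,
            "ip": ip_m.group(1) if ip_m else None,
        })
    return hops


def find_origin(hops, trusted_servers):
    """Connecting IP logged by the lowest hop that a trusted server wrote.

    Only Received lines added by servers you or your ISP run can be believed;
    a sender can put any "Received:" lines it likes below them. So walk the
    chain from the top and stop at the first hop a non-trusted server wrote.
    """
    trusted = {s.lower() for s in trusted_servers}
    origin = None
    for hop in hops:
        if hop["by"] and hop["by"].lower() in trusted and hop["ip"]:
            origin = hop["ip"]
        else:
            break
    return origin


def analyse(raw, own_domain, trusted_servers):
    """Summarise what the headers do and do not prove about the sender."""
    msg = message_from_string(raw, policy=default)
    hops = parse_received_chain(raw)
    origin = find_origin(hops, trusted_servers)
    from_domain = msg["From"].addresses[0].domain.lower()
    return {
        "from_domain": from_domain,
        "from_claims_own_domain": from_domain == own_domain.lower(),
        # A HELO of "6thjune.com" is just as forgeable as the From line.
        "helo_claims_own_domain": any(
            h["helo"] and h["helo"].lower() == own_domain.lower() for h in hops),
        "origin_ip": origin,
        "origin_is_public": bool(origin) and ip_address(origin).is_global,
        "hop_count": len(hops),
    }


if __name__ == "__main__":
    report = analyse(SAMPLE, "6thjune.com",
                     ["mx.example.net", "pop6.webhosthk.com"])
    for key, val in report.items():
        print(f"{key:>24}: {val}")
```

Run against the sample, the origin comes out as 211.72.169.187 because pop6.webhosthk.com (the hosting ISP's server) logged that address on the connection it accepted; the "from 6thjune.com" HELO and the From line both name the victim's domain and carry no weight. The trusted-server list is the important knob: if only mx.example.net were trusted, the script would stop one hop earlier and report 192.0.2.10, since everything below a server you do not control could have been written by the sender.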