In the last 24 hours, I have received 28 copies of this particular worm, at
about 157 kilobytes APIECE. This does NOT count a few copies that I deleted
while checking mail from school via your Webmail interface.
This does NOT include myriad failed copies of the worm, where some other
ISP's antivirus precautions cleaned it going out, and it does NOT count
bogus bounce messages. It also does not count some other worms that are
smaller.
It is my considered opinion that you can do better than this.
Is the login to the Webmail interface secure (encrypted)?
>I deleted 70 of those pigs this morning. They had arrived over about an
>8-hour period, and filled my mailbox COMPLETELY.
>
You shouldn't have any email with the worm attachment after late
yesterday afternoon. Believe me, if I could wiggle my nose, make you
happy, and stop this within minutes of it beginning, I would have done
it instantly. You have no idea what impact worms like this have on an
ISP mail server farm. Filtering email at the server level isn't easy
if you want to make sure folks get their legitimate email. This worm
mutated in mid-stream. Long before your first post, people who do
abuse and systems work for ISPs all over the world were communicating
about how to stop this thing. Continuing to gripe about something
we've been working on for over 36 hours does nothing to help the
problem get resolved. If you have a copy of this worm (and I mean with
the attachment) sent this morning, I need it sent to the abuse mailbox
please. I see nothing in that mailbox from you so far.
L. Maurer
Director / Policy Enforcement
Internet America
I have yet to receive a single one of these. I wonder why?
I never got any blaster or sobigs either. :(
JazzMan
--
**********************************************************
Please reply to jsavage"at"airmail.net.
Curse those darned bulk e-mailers!
**********************************************************
"Rats and roaches live by competition under the laws of
supply and demand. It is the privilege of human beings to
live under the laws of justice and mercy." - Wendell Berry
**********************************************************
What does that have to do with anything?
The oldest one was received at 10:16 AM Austin time.
I originally intended to send you one sample. In order to do that, I had to
disable my Outlook Express rule that kills them on the server (IF I check my
mail often enough to keep them from filling my mailbox). While I was
preparing the first sample for transmission, two more samples arrived, with
payload, so I forwarded them as well.
I included the original headers with each sample.
SUGGESTION. As the ISP, you do have the right to look inside customer email
inboxes. If you make the following TEMPORARY modification, you should
shortly thereafter have all the worm samples your heart could ever desire.
Edit your "Your mailbox is filling up" notification process to BCC: your
technician for this problem. Then wait. If my experience at about 8:30 AM
is anything to go by, 90+% by byte count of every new full mailbox will be
worm samples.
"L. Maurer" <bou...@news.iadfw.net> wrote in message
news:copomvc7252e4n42a...@4ax.com...
I now have a fresh specimen, that I will forward to ab...@airmail.net in a
few seconds. Here are the headers. It CLEARLY is younger than "late
yesterday afternoon".
Return-path: <stephen...@adelphia.net>
Envelope-to: str...@209.196.123.6
Delivery-date: Sat, 20 Sep 2003 10:16:29 -0500
Received: from mail.black-ring.iadfw.net ([209.196.123.141]
helo=mail.airmail.net)
by mail5.iadfw.net with esmtp (Exim 4.10)
id 1A0jTI-0002wB-00
for str...@209.196.123.6; Sat, 20 Sep 2003 10:16:28 -0500
Received: from mx9.airmail.net ([209.196.77.106])
by mail.airmail.net with esmtp (Exim 4.10)
id 1A0jTI-0005ga-00
for str...@airmail.net; Sat, 20 Sep 2003 10:16:28 -0500
Received: from mta3.adelphia.net ([68.168.78.181])
by mx9.airmail.net with esmtp (Exim 4.20)
id 1A0jTJ-000C42-N0
for str...@airmail.net; Sat, 20 Sep 2003 10:16:29 -0500
Received: from dmgalstg ([67.23.79.63]) by mta3.adelphia.net
(InterMail vM.5.01.05.32 201-253-122-126-132-20030307) with SMTP
id <20030920151621.DAAJ13937.mta3.adelphia.net@dmgalstg>;
Sat, 20 Sep 2003 11:16:21 -0400
FROM: "Microsoft Internet Security Department" <xnme...@advisor.ms.com>
TO: "Microsoft User" <ppfloiaq....@advisor.ms.com>
SUBJECT: Network Pack
X-ID: 13387814296493584429343
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="mimnpdqi"
Message-Id: <20030920151621.DAAJ13937.mta3.adelphia.net@dmgalstg>
Date: Sat, 20 Sep 2003 11:16:27 -0400
X-Airmail-Delivered: Sat, 20 Sep 2003 10:16:29 -0500
X-Airmail-Spooled: Sat, 20 Sep 2003 10:16:28 -0500
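The header chain above can be read mechanically: each relay prepends its own Received line, so the last one names the injecting host. The following is an added example (not code from anyone in this thread) that walks that chain from the constructed copy of the headers embedded below, reports when the message first entered the mail system, and applies header-only checks a mail operator could use to flag this lure before the attachment is inspected. The cutoff for "late yesterday afternoon" is an assumed value.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: the header block quoted in the post above, body and attachment omitted.
SAMPLE_HEADERS = """Received: from mail.black-ring.iadfw.net ([209.196.123.141] helo=mail.airmail.net)
  by mail5.iadfw.net with esmtp (Exim 4.10) id 1A0jTI-0002wB-00
  for str...@209.196.123.6; Sat, 20 Sep 2003 10:16:28 -0500
Received: from mx9.airmail.net ([209.196.77.106]) by mail.airmail.net with esmtp (Exim 4.10)
  id 1A0jTI-0005ga-00 for str...@airmail.net; Sat, 20 Sep 2003 10:16:28 -0500
Received: from mta3.adelphia.net ([68.168.78.181]) by mx9.airmail.net with esmtp (Exim 4.20)
  id 1A0jTJ-000C42-N0 for str...@airmail.net; Sat, 20 Sep 2003 10:16:29 -0500
Received: from dmgalstg ([67.23.79.63]) by mta3.adelphia.net
  (InterMail vM.5.01.05.32 201-253-122-126-132-20030307) with SMTP
  id <20030920151621.DAAJ13937.mta3.adelphia.net@dmgalstg>;
  Sat, 20 Sep 2003 11:16:21 -0400
FROM: "Microsoft Internet Security Department" <xnme...@advisor.ms.com>
SUBJECT: Network Pack
Content-Type: multipart/mixed; boundary="mimnpdqi"

"""
# Assumed reading of "late yesterday afternoon" (Austin time) for the age check below.
LATE_YESTERDAY = parsedate_to_datetime("Fri, 19 Sep 2003 17:00:00 -0500")
HOP_RE = re.compile(r"from (\S+) \(\[([\d.]+)\].*?\bby (\S+)")

def trace_hops(raw):
    # Relays prepend Received lines, so reversing gives the chain oldest-first:
    # (claimed host, IP seen by the relay, receiving relay, relay's timestamp).
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = re.sub(r"\s+", " ", value)          # unfold the header
        host, ip, relay = HOP_RE.search(flat).groups()
        when = parsedate_to_datetime(flat.rsplit(";", 1)[-1].strip())
        hops.append((host, ip, relay, when))
    return hops

def injected_after(raw, cutoff):
    # True if the first hop (the injecting host) was stamped after `cutoff`.
    return trace_hops(raw)[0][3] > cutoff

def flag_reasons(raw):
    # Header-only heuristics for this lure; no attachment is needed to decide.
    msg = message_from_string(raw)
    sender, reasons = msg.get("From", ""), []
    if "Microsoft" in sender and not re.search(r"@([\w-]+\.)*microsoft\.com\b", sender):
        reasons.append("claims to be Microsoft but sender domain is not microsoft.com")
    if msg.get("Subject", "").strip().lower() == "network pack":
        reasons.append("subject matches the known lure")
    if msg.get_content_type() == "multipart/mixed":
        reasons.append("carries an attachment")
    return reasons
```

Only the IP recorded by the relay (67.23.79.63 here) is trustworthy; the host name before it is whatever the sender claimed in HELO.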
"L. Maurer" <bou...@news.iadfw.net> wrote in message
news:copomvc7252e4n42a...@4ax.com...
>I have yet to receive a single one of these. I wonder why?
Possibly because you don't use your real email address to post to
UseNet?
>I never got any blaster or sobigs either. :(
>
Do you want a copy of any of these thingies? I have plenty :) We did
work very hard with the last round of "caca" a few weeks ago, were
able to contain it, and we're doing the same now. What people don't
realize is that if their inbox is flooded, our servers are working
very hard to deliver all the email, legit or not, and WE are working
to weed out the mail we KNOW people don't want.
mama
>I originally intended to send you one sample. In order to do that, I had to
>disable my Outlook Express rule that kills them on the server (IF I check my
>mail often enough to keep them from filling my mailbox). While I was
>preparing the first sample for transmission, two more samples arrived, with
>payload, so I forwarded them as well.
Thanks I've replied to your email and forwarded this to the people who
can check our mail server farm. I think one of the servers didn't get
the instructions to block this.
>
>SUGGESTION. As the ISP, you do have the right to look inside customer email
>inboxes.
No we don't have that "right". Customer email belongs to the
customers. Before I go in and look at someone's email I'm going to
want a subpoena from a badge-carrying delivery person.
Today, at least in my inbox, the flood has stopped. Thanks!
- Larry Weiss