LinuxQuestions.org


graffitici 01-29-2004 02:11 PM

security breach: send mail to unknown address?
 
Hi!

A recent event scared me to death. I do not know whether this is a serious issue or a well-done hoax (in that case, it certainly works). I received a mail from my default mail server a few hours ago saying that a mail I had sent to some address at Yahoo couldn't be delivered. I didn't attach any importance to it. But I received a second one just a few minutes ago. I append the mail to the end of my post (I have replaced my e-mail with my@mail.com).

What do you suppose this is? mailer-daemon@yahoo.com seems to be a legitimate e-mail address. I am sure that I haven't sent anything to this claudia@yahoo.com. Could this be a kind of Linux virus that sends some files somehow? Because apparently I sent a file called:
file.pif
I do not know what this is, nor what it is used for. It has probably been renamed anyway. Another thing that concerns me is that claudia@yahoo.com is over the limit, which may happen if this guy receives a lot of files like this one from, perhaps, other infected people?
All in all, this could just as well be a minor error, but I am really curious as to how such a thing can be happening, although I am using Linux.
I would appreciate any help and advice.
Thanks!
Bibby


failure delivery
Date: Today 04:41:25
From: MAILER-DAEMON@yahoo.com
To: my@mail.com

Message from yahoo.com.
Unable to deliver message to the following address(es).

<claudia@yahoo.com>:
size saved = 8912
Sorry, your message to claudia@yahoo.com cannot be delivered. This account is over quota.

--- Original message follows.

Return-Path: <me@mail.com>

The original message is over 5k. Message truncated to 1K.

X-Rocket-Spam: 81.215.109.54
X-YahooFilteredBulk: 81.215.109.54
X-Rocket-Track: 1323744: 20 ; SERVER=66.163.174.38
Return-Path: <my@mail.com>
X-RocketNR: 1
X-RocketRT: 1075321251-mta132.mail.sc5.yahoo.com
Received: from 81.215.109.54 (EHLO superonline.com) (81.215.109.54)
  by mta132.mail.sc5.yahoo.com with SMTP; Wed, 28 Jan 2004 12:20:51 -0800
From: my@mail.com
To: claudia@yahoo.com
Subject: Server Report
Date: Wed, 28 Jan 2004 22:19:21 +0200
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_0008_45F14F9E.CA31F981"
X-Priority: 3
X-MSMail-Priority: Normal

This is a multi-part message in MIME format.

------=_NextPart_000_0008_45F14F9E.CA31F981
Content-Type: text/plain;
    charset="Windows-1252"
Content-Transfer-Encoding: 7bit




------=_NextPart_000_0008_45F14F9E.CA31F981
Content-Type: application/octet-stream;
    name="file.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
    filename="file.pif"

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAqAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAA
*** MESSAGE TRUNCATED ***

jtshaw 01-29-2004 02:20 PM

That is a MyDoom virus message.

graffitici 01-29-2004 02:26 PM

I checked the security response at Symantec. Apparently this doesn't affect Linux. The stupid WinXP should have gotten it somehow then. I have to run the removal tool as soon as possible.
I shouldn't have any concerns under linux then?

jtshaw 01-29-2004 02:30 PM

It is yet another Outlook virus. I have been getting the bounces all week on my mail server, but I can see in the IP stamp that they aren't actually originating from my machine; they are double bounces. I.e., my mail server tried to bounce them and the bounce bounced, so I get notified.

It can't affect Linux boxes. The key factor is the claudia@whatever address: the virus tries to send mail to common names at whatever domains it can find.

chort 01-29-2004 05:27 PM

Modern e-mail worms randomly choose their "from" address as an address book entry from their victim. They're all spoofed.
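jtshaw's "IP stamp" check and chort's point about spoofed "from" addresses, as an added example that is not code from this thread: it parses the bounced original quoted in the first post, reads the topmost Received: line to see which host actually connected to Yahoo's MX, compares that with your own outbound address, and inspects the attachment for a Windows executable. The message below is a constructed, cut-down copy of the one in the post, and MY_OUTBOUND_IPS is a hypothetical value you would replace with your server's real address.

```python
import email
import re
from email import policy
# Constructed sample: the "Original message follows" part of the bounce quoted above.
BOUNCED_MESSAGE = """\
Received: from 81.215.109.54 (EHLO superonline.com) (81.215.109.54)
  by mta132.mail.sc5.yahoo.com with SMTP; Wed, 28 Jan 2004 12:20:51 -0800
From: my@mail.com
To: claudia@yahoo.com
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset="Windows-1252"

--BOUNDARY
Content-Type: application/octet-stream; name="file.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="file.pif"

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--BOUNDARY--
"""

# Hypothetical: the public address(es) your own mail server really sends from.
MY_OUTBOUND_IPS = {"203.0.113.10"}
WIN_EXEC_EXTS = (".pif", ".scr", ".exe", ".com", ".bat", ".cmd")
RECEIVED_FROM = re.compile(r"from\s+\S+\s+\(EHLO\s+([^)]+)\)\s+\((\d+(?:\.\d+){3})\)")

def analyse_bounce(raw, my_ips):
    msg = email.message_from_string(raw, policy=policy.default)
    # The topmost Received: line was stamped by the receiving MX, so it records the
    # client that actually connected, not whatever From: claims.
    m = RECEIVED_FROM.search((msg.get_all("Received") or [""])[0])
    origin_ip = m.group(2) if m else None
    findings = {
        "from_header": str(msg["From"]),
        "origin_ip": origin_ip,
        "ehlo_name": m.group(1) if m else None,
        # Backscatter: From: names us, but the connecting host is not one of ours.
        "spoofed_sender": origin_ip not in my_ips,
        "attachments": [],
    }
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        findings["attachments"].append({
            "filename": name,
            "windows_executable_ext": name.lower().endswith(WIN_EXEC_EXTS),
            "pe_mz_header": data.startswith(b"MZ"),  # DOS/PE stub, whatever the name says
        })
    return findings
```

The base64 attachment in the post decodes to bytes starting with "MZ", the DOS/PE executable stub, which is why a .pif "Server Report" from a Linux box is a Windows worm bouncing off a forged sender rather than anything you sent.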

