[68100] in North American Network Operators' Group
Warning - new trend of attempts to infect ISP users (possibly virus)
daemon@ATHENA.MIT.EDU (william(at)elan.net)
Tue Mar 2 22:03:58 2004
Date: Tue, 2 Mar 2004 20:07:17 -0800 (PST)
From: "william(at)elan.net" <william@elan.net>
To: nanog@merit.edu
Errors-To: owner-nanog-outgoing@merit.edu
I have just seen emails (several different kinds) pretending to be sent
from 3 of my ISP domains to users of those domains, warning users that
their email account would be disabled and asking them to open a .pif attachment.
I know the largest ISPs have probably experienced this, but I believe what I
have seen today means they are after ISPs (or possibly just after any
domains with a number of email addresses under them) of all sizes right at
the moment. All the emails we received came from the same source IP - 129.59.206.187
Please check your email base for what looks like the following
(in the examples I changed everything to elan.net; actually every ISP
domain received a different example of this, only the first one is exact).
Example 1:
---
From: management@elan.net
To: xxxxx@elan.net
Subject: Email account utilization warning.
Hello user of Elan.net e-mail server,
Your e-mail account has been temporary disabled because of unauthorized
access.
For further details see the attach.
Best wishes,
The Elan.net team http://www.elan.net
---
Example 2:
---
From: administration@elan.net
To: xxxx@elan.net
Subject: Warning about your e-mail account.
Dear user of "Elan.net" mailing system,
Our main mailing server will be temporary unavaible for next two days,
to continue receiving mail in these days you have to configure our
free auto-forwarding service.
Further details can be obtained from attached file.
Cheers,
The Elan.net team http://www.elan.net
---
Example 3:
---
To: xxxxx@elan.net
Subject: Warning about your e-mail account.
From: administration@elan.net
Dear user, the management of Elan.net mailing system wants to let you
know that,
Some of our clients complained about the spam (negative e-mail content)
outgoing from your e-mail account. Probably, you have been infected by
a proxy-relay trojan server. In order to keep your computer safe,
follow the instructions.
Please, read the attach for further details.
The Management,
The Elan.net team http://www.elan.net
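
A mail-store or gateway check for the pattern reported above, as an added example that is not part of the original post: it flags messages whose From domain is one of your own hosted domains but which arrived from a host outside your networks, and messages carrying an executable-type attachment such as .pif. The domain example.net, the 192.0.2.0/24 range, the extension list beyond .pif, and the constructed sample messages are all assumptions for illustration.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

LOCAL_DOMAINS = {"example.net"}                       # assumption: domains you host
OWN_NETS = [ipaddress.ip_network("192.0.2.0/24")]     # assumption: your own mail hosts
RISKY_EXT = (".pif", ".scr", ".exe", ".com", ".bat")  # .pif is from the post, rest assumed

def check(raw, client_ip):
    """Return the reasons a message resembles the forged account notices."""
    msg = message_from_string(raw)
    reasons = []
    # Domain of the header From address, lower-cased for comparison.
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    ip = ipaddress.ip_address(client_ip)
    if domain in LOCAL_DOMAINS and not any(ip in net for net in OWN_NETS):
        reasons.append("local From domain from outside host")
    # Walk every MIME part and look at the declared attachment file name.
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            reasons.append("executable attachment: " + name)
    return reasons

def sample(sender, filename):
    """Build a constructed two-part test message (not a real capture)."""
    return (
        f"From: {sender}\n"
        "To: user@example.net\n"
        "Subject: Warning about your e-mail account.\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="b1"\n\n'
        "--b1\nContent-Type: text/plain\n\n"
        "Further details can be obtained from attached file.\n"
        "--b1\nContent-Type: application/octet-stream\n"
        f'Content-Disposition: attachment; filename="{filename}"\n\n'
        "AAAA\n--b1--\n"
    )

if __name__ == "__main__":
    forged = sample("administration@example.net", "details.pif")
    for reason in check(forged, "198.51.100.7"):
        print(reason)
```

The client IP has to come from the MTA's connection record (or the Received header your own server added), since every header in the message itself is sender-controlled.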