
Mr Skills

macrumors 6502a
Original poster
Nov 21, 2005
803
1
I just got an email from "news@mac.com" telling me that my account has been suspended due to overuse. It also asks me to open a zip file for more information.

It's clearly nonsense, and I have no doubt the file is a trojan. I'm curious though - since they have gone to the effort of sending it from a .mac address, will they also have gone to the effort of making a Mac-specific trojan?

And if so, does this need more publicity so people know not to open it?

EDIT - I just scanned the Zip with ClamXav and it didn't find anything, so maybe it's a new trojan? Either way, I'm not trusting it!
 

sushi

Moderator emeritus
Jul 19, 2002
15,639
3
Is it an exe file? If so, then it is for the PC.

Also, it is very easy to spoof a sender's address. This means that the sender doesn't need to have a "news@mac.com" address to send from that address.
 

kolax

macrumors G3
Mar 20, 2007
9,181
115
Well I didn't unzip it :)

I just scanned the zip (I'm assuming Clam can scan inside a zip without needing to open it?)

If it is just a zip file, you're safe to open it.

It will almost certainly be an exe file. If it is a pkg file, let us know but don't run it!
 

tersono

macrumors 68000
Jan 18, 2005
1,999
1
UK
I'd bet good money that it didn't actually come from a .mac address - it will just be a spoofed header (which should become apparent if you look at the headers in detail).

It happens all the time - not much that Apple can do about it if it isn't passing through their servers (which is likely to be the case). Just delete it and move on...
 

kolax

macrumors G3
Mar 20, 2007
9,181
115
It happens all the time - not much that Apple can do about it if it isn't passing through their servers (which is likely to be the case). Just delete it and move on...

It is passing through their servers to get to him ;)

They could block any further emails from news@mac.com because news@mac would never be an allowed alias and Apple doesn't use that to send MobileMe news.
 

Mr Skills

macrumors 6502a
Original poster
Nov 21, 2005
803
1
I just got another one on my other MobileMe address - exactly the same format and attachment, but this time the subject is "your membership details".

Interesting that I've got the same thing to 2 addresses - maybe they're doing a big spam-out today!

This is, I think, the first spam I've ever had on dotmac/mobileme, after 18 months. I hope it's not the start of the deluge :( My old gmail account gets hundreds each day (although they are very good at sending them to the junk mail folder).
 

sushi

Moderator emeritus
Jul 19, 2002
15,639
3
I just got another one on my other MobileMe address - exactly the same format and attachment, but this time the subject is "your membership details".

Interesting that I've got the same thing to 2 addresses - maybe they're doing a big spam-out today!

This is, I think, the first spam I've ever had on dotmac/mobileme, after 18 months. I hope it's not the start of the deluge :( My old gmail account gets hundreds each day (although they are very good at sending them to the junk mail folder).
Do you or any of your friends use Outlook via Windows?

If so, there is a good chance that someone is owned and thus you are being spammed.
 

Mr Skills

macrumors 6502a
Original poster
Nov 21, 2005
803
1
Do you or any of your friends use Outlook via Windows?

If so, there is a good chance that someone is owned and thus you are being spammed.

Aha! Good point. I don't use it personally, but I'm sure I know people who do. How can I tell who it's coming from, so I can warn them?
 

drichards

macrumors 6502a
Nov 30, 2008
803
0
Aha! Good point. I don't use it personally, but I'm sure I know people who do. How can I tell who it's coming from, so I can warn them?

If their provider is responsible about itself, they'll flag the user, suspend their send email rights, and notify them.
 

PowerFullMac

macrumors 601
Oct 16, 2006
4,000
2
If their provider is responsible about itself, they'll flag the user, suspend their send email rights, and notify them.

How will they know what the e-mails contain though? Aren't there privacy laws that stop providers from looking at their customers' internet traffic?
 

drichards

macrumors 6502a
Nov 30, 2008
803
0
How will they know what the e-mails contain though? Aren't there privacy laws that stop providers from looking at their customers' internet traffic?

They base it on quantity of email, not content. Spambot checkers are automated, nobody is looking.
 

sushi

Moderator emeritus
Jul 19, 2002
15,639
3
Aha! Good point. I don't use it personally, but I'm sure I know people who do. How can I tell who it's coming from, so I can warn them?
Not an easy thing to determine from the end user. You might be able to determine from the long headers.

If it is just a couple of friends, you might just send a polite message and suggest that they check their computers for Malware (Viruses, Trojans, Worms, etc.).

I had this happen before with a bunch of users. So I just mass e-mailed them and said that I had received a certain message with a virus and suggested that they check their systems. More than one had been infected with various forms of Malware.

If their provider is responsible about itself, they'll flag the user, suspend their send email rights, and notify them.
The problem is that many times spam comes from someone other than the from address. So the provider may not catch it for a while. Meanwhile the spam continues. Although, providers are getting better at this.

How will they know what the e-mails contain though? Aren't there privacy laws that stop providers from looking at their customers' internet traffic?
Most providers these days can and do scan your incoming messages for malware attachments. Many will deliver the message with a note saying that they removed the malware attachment. Others simply delete all suspect type files such as those ending in zip, exe, and mdb.
 

PowerFullMac

macrumors 601
Oct 16, 2006
4,000
2
They base it on quantity of email, not content. Spambot checkers are automated, nobody is looking.

Oh I see.

I just hope I don't get my e-mail stopped, I send a lot of those things! (E-mails, that is).

EDIT: So they just check the attachments then sushi?
 

drichards

macrumors 6502a
Nov 30, 2008
803
0
Well yeah, that sort of thing does tend to take a bit. I didn't mean to imply that the account would be bot-flagged immediately.

Some providers won't accept those attachments at all anymore. Even gmail is a pain, can't send .app, .exe, .zip and others too. It's rather annoying.
 

Mr Skills

macrumors 6502a
Original poster
Nov 21, 2005
803
1
I've just received the third! Here are the full headers (I've put XXX@mac.com in place of my own address). Any clues as to how I can trace which of my contacts has a compromised computer?

HTML:
Return-path: <mail@mac.com>
Received: from smtpin125-bge351000 ([10.150.68.125])
 by ms264.mac.com (Sun Java(tm) System Messaging Server 6.3-7.04 (built Sep 26
 2008; 64bit)) with ESMTP id <0KC200LFLMHJIS00@ms264.mac.com> for
 XXX@mac.com; Thu, 18 Dec 2008 03:56:07 -0800 (PST)
Original-recipient: rfc822;XXX@mac.com
Received: from mac.com ([86.105.74.205])
 by smtpin125.mac.com (Sun Java(tm) System Messaging Server 6.3-7.03 (built Aug
 4 2008; 32bit)) with ESMTP id <0KC200JMCMHDEO60@smtpin125.mac.com> for
 XXX@mac.com (ORCPT XXX@mac.com); Thu,
 18 Dec 2008 03:56:07 -0800 (PST)
X-Brightmail-Tracker: AAAAAA==
Message-id: <0KC200JMFMHDEO60@smtpin125.mac.com>
From: mail@mac.com
To: XXX@mac.com
Subject: Your Membership Details!
Date: Thu, 18 Dec 2008 13:56:02 +0200
MIME-version: 1.0
Content-type: multipart/mixed;
 boundary="----=_NextPart_000_0003_E6567F61.968B079A"
X-Priority: 3
X-MSMail-priority: Normal
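An added example (not from the thread) showing what the posted headers do and do not reveal, using the header block quoted above as sample input (with the poster's XXX@mac.com placeholder kept). Received headers are read oldest-first; the one added by the recipient's own provider (here the smtpin125.mac.com hop) is the only one the sender could not forge, and it records the real connecting address, 86.105.74.205, behind the self-declared HELO name "mac.com". The headers cannot say which contact's machine sent it; the Date header's +0200 offset, set by the sending side, is the only hint about the sender.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime
from ipaddress import ip_address

# Sample input: the headers quoted in the post, trimmed to the fields this analysis uses.
RAW_HEADERS = """\
Return-path: <mail@mac.com>
Received: from smtpin125-bge351000 ([10.150.68.125])
 by ms264.mac.com (Sun Java(tm) System Messaging Server 6.3-7.04 (built Sep 26
 2008; 64bit)) with ESMTP id <0KC200LFLMHJIS00@ms264.mac.com> for
 XXX@mac.com; Thu, 18 Dec 2008 03:56:07 -0800 (PST)
Received: from mac.com ([86.105.74.205])
 by smtpin125.mac.com (Sun Java(tm) System Messaging Server 6.3-7.03 (built Aug
 4 2008; 32bit)) with ESMTP id <0KC200JMCMHDEO60@smtpin125.mac.com> for
 XXX@mac.com (ORCPT XXX@mac.com); Thu,
 18 Dec 2008 03:56:07 -0800 (PST)
From: mail@mac.com
Subject: Your Membership Details!
Date: Thu, 18 Dec 2008 13:56:02 +0200

"""

# "from <HELO name> ([<ip>]) by <receiving host>": the HELO name is whatever the
# connecting host claimed; the bracketed IP is what the receiving server observed.
HOP_RE = re.compile(r"from\s+(\S+)\s+\(\[?([0-9a-fA-F.:]+)\]?\)\s+by\s+(\S+)")

def received_hops(raw):
    """Received hops oldest-first as (helo_name, ip, by_host, is_private_ip)."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):  # stored newest-first
        m = HOP_RE.search(" ".join(value.split()))        # unfold continuation lines
        if m:
            ip = ip_address(m.group(2))
            hops.append((m.group(1), str(ip), m.group(3), ip.is_private))
    return hops

def origin_of(raw):
    """First hop whose source is not a private (internal relay) address: the
    handoff from the outside world into the recipient's provider."""
    for helo, ip, by, private in received_hops(raw):
        if not private:
            return {"helo": helo, "ip": ip, "by": by}
    return None

def sender_utc_offset_hours(raw):
    """UTC offset of the Date header, which the sending side wrote; compare it
    with the provider's own Received timestamps (-0800 above)."""
    dt = parsedate_to_datetime(message_from_string(raw)["Date"])
    return dt.utcoffset().total_seconds() / 3600

if __name__ == "__main__":
    print(origin_of(RAW_HEADERS), sender_utc_offset_hours(RAW_HEADERS))
```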
 

PowerFullMac

macrumors 601
Oct 16, 2006
4,000
2
I just had something very similar happen to me on MSN... Nice try, you stupid little Windows virus!

Picture 3.png

You would have to be quite stupid to fall for that, I must admit!
 