our queue appears to be increasing linearly since about last Tuesday, since then it's increased 3000%, there's a huge dip midday Saturday (it goes down to one third its size in about 4hrs) then rapidly jumps up to higher than its pre-dip value

that's messages tho, queue spool size hasn't gone up all that much, maybe 200%

no idea about our storage spools... very odd!!

Steve

On Mon, 2 Feb 2004, Mike Tancsa wrote:
Looking at my disk stats, my mail storage spool has grown by 15% in the past week not due to the deluge of viruses which I can block and reject, but in large part to those idiotic "Hi, I am sorry in a happy idiotic way to inform you that the message you sent has a virus" messages.... As almost all of them forge their email address, what is the point of warning the "sender"? Even better, I wake up this am to 285 (and growing) messages below telling me that someone at skynet is trying to send me a virus message and it cc's 64 other people. Nice.
---Mike
From: "Skynet Mail Protection" <support@skynet.be>
To: gbs-vossem@pi.be
To: timofeev@granch.ru
To: chris@aims.com.au
To: dcs@newsguy.com
To: imp@harmony.village.org
To: ted@ness.plymouth.edu
To: deepak@ai.net
To: bmilekic@technokratis.com
To: randy@psg.com
To: sthaug@nethelp.no
To: shelton@sentry.granch.ru
To: danny_j_mitzel@yahoo.com
To: tinguely@web.cs.ndsu.nodak.edu
To: charon@hell.gr
To: jesper@skriver.dk
To: anandfranklin@hotmail.com
To: nascar24@home.nl
To: c.prevotaux@hexanet.fr
To: reichert@numachi.com
To: andy@tecc.co.uk
To: provos@citi.umich.edu
To: rtek@dolfijntje.nl
To: jack_xiao99@hotmail.com
To: mark.blackman@netscalibur.co.uk
To: gunther@aurora.regenstrief.org
To: s_bschmi@ira.uka.de
To: vova@express.ru
To: vlad@ariel.phys.wesleyan.edu
To: lord@4jon.com
To: assar@freebsd.org
To: peter.jeremy@alcatel.com.au
To: chaegle@mediaone.net
To: brad@wcubed.net
To: ewiz@mail.dotcom.fr
To: freedom@csie.nctu.edu.tw
To: oberman@es.net
To: wes@softweyr.com
To: julian@elischer.org
To: iedowse@maths.tcd.ie
To: sroberts84@hotmail.com
To: maddave@suxx.eu.org
To: ambrisko@ambrisko.com
To: ari@suutari.iki.fi
To: bonnetf@plonk.esiee.fr
To: lucky@land3.nsu.ru
To: ume@freebsd.org
To: crewking@buckeye-express.com
To: bright@sneakerz.org
To: tlambert@primenet.com
To: gwford@home.com
To: vlad@infonet.com.ua
To: freebsd-lists-for-dayan-only-owner@egroups.co.uk
To: kimch@etri.re.kr
To: chris@calldei.com
To: peter@guest-tek.com
To: sudish@corp.earthlink.net
To: peter@wemm.org
To: cristjc@earthlink.net
To: yar@freebsd.org
To: shalunov@internet2.edu
To: mike@sentex.net
To: roy@its-sby.edu
To: kjc@csl.sony.co.jp
To: seichert@coopcomp.com
Subject: Skynet Mail Protection scan results
Date: Mon, 02 Feb 2004 12:09:44 +0100
Importance: high
X-Mailer: ravmd/8.4.2
X-RAVMilter-Version: 8.4.3(snapshot 20030212) (september.skynet.be)
X-Virus-Scanned: by amavisd-new
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on spamscanner4.sentex.ca
X-Spam-Level: *****
X-Spam-Status: Yes, hits=5.7 required=5.1 tests=MAILTO_TO_SPAM_ADDR,
        MISSING_MIMEOLE,MISSING_OUTLOOK_NAME,TW_JN,X_PRIORITY_HIGH,
        X_PRI_MISMATCH_HI autolearn=no version=2.63
X-Spam-Report:
        *  0.5 X_PRIORITY_HIGH Sent with 'X-Priority' set to high
        *  0.1 TW_JN BODY: Odd Letter Triples with JN
        *  1.1 MAILTO_TO_SPAM_ADDR URI: Includes a link to a likely spammer email
        *  1.2 MISSING_MIMEOLE Message has X-MSMail-Priority, but no X-MimeOLE
        *  2.8 X_PRI_MISMATCH_HI 'X-Priority' does not match 'X-MSMail-Priority'
        *  0.1 MISSING_OUTLOOK_NAME Message looks like Outlook, but isn't
-----------------------
This e-mail is generated by Skynet Mail Protection to warn you that the e-mail sent by gbs-vossem@pi.be to timofeev@granch.ru, chris@aims.com.au, dcs@newsguy.com, imp@harmony.village.org, ted@ness.plymouth.edu, deepak@ai.net, bmilekic@technokratis.com, randy@psg.com, sthaug@nethelp.no, shelton@sentry.granch.ru, danny_j_mitzel@yahoo.com, tinguely@web.cs.ndsu.nodak.edu, charon@hell.gr, jesper@skriver.dk, anandfranklin@hotmail.com, nascar24@home.nl, c.prevotaux@hexanet.fr, reichert@numachi.com, andy@tecc.co.uk, provos@citi.umich.edu, rtek@dolfijntje.nl, jack_xiao99@hotmail.com, mark.blackman@netscalibur.co.uk, gunther@aurora.regenstrief.org, s_bschmi@ira.uka.de, vova@express.ru, vlad@ariel.phys.wesleyan.edu, lord@4jon.com, assar@freebsd.org, peter.jeremy@alcatel.com.au, chaegle@mediaone.net, brad@wcubed.net, ewiz@mail.dotcom.fr, freedom@csie.nctu.edu.tw, oberman@es.net, wes@softweyr.com, julian@elischer.org, iedowse@maths.tcd.ie, sroberts84@hotmail.com, maddave@suxx.eu.org, ambrisko@ambrisko.com, ari@suutari.iki.fi, bonnetf@news.esiee.fr, lucky@land3.nsu.ru, ume@freebsd.org, crewking@buckeye-express.com, bright@sneakerz.org, tlambert@primenet.com, gwford@home.com, vlad@infonet.com.ua, freebsd-lists-for-dayan-only-owner@egroups.co.uk, kimch@etri.re.kr, chris@calldei.com, peter@guest-tek.com, sudish@corp.earthlink.net, peter@wemm.org, cristjc@earthlink.net, yar@freebsd.org, shalunov@internet2.edu, mike@sentex.net, roy@its-sby.edu, kjc@csl.sony.co.jp, seichert@coopcomp.com is infected with virus: Win32/Swen.A@mm.
Deze e-mail is gegenereerd door Skynet Mail Protection om u te waarschuwen dat de e-mail gestuurd door gbs-vossem@pi.be naar timofeev@granch.ru, chris@aims.com.au, dcs@newsguy.com, imp@harmony.village.org, ted@ness.plymouth.edu, deepak@ai.net, bmilekic@technokratis.com, randy@psg.com, sthaug@nethelp.no, shelton@sentry.granch.ru, danny_j_mitzel@yahoo.com, tinguely@web.cs.ndsu.nodak.edu, charon@hell.gr, jesper@skriver.dk, anandfranklin@hotmail.com, nascar24@home.nl, c.prevotaux@hexanet.fr, reichert@numachi.com, andy@tecc.co.uk, provos@citi.umich.edu, rtek@dolfijntje.nl, jack_xiao99@hotmail.com, mark.blackman@netscalibur.co.uk, gunther@aurora.regenstrief.org, s_bschmi@ira.uka.de, vova@express.ru, vlad@ariel.phys.wesleyan.edu, lord@4jon.com, assar@freebsd.org, peter.jeremy@alcatel.com.au, chaegle@mediaone.net, brad@wcubed.net, ewiz@mail.dotcom.fr, freedom@csie.nctu.edu.tw, oberman@es.net, wes@softweyr.com, julian@elischer.org, iedowse@maths.tcd.ie, sroberts84@hotmail.com, maddave@suxx.eu.org, ambrisko@ambrisko.com, ari@suutari.iki.fi, bonnetf@news.esiee.fr, lucky@land3.nsu.ru, ume@freebsd.org, crewking@buckeye-express.com, bright@sneakerz.org, tlambert@primenet.com, gwford@home.com, vlad@infonet.com.ua, freebsd-lists-for-dayan-only-owner@egroups.co.uk, kimch@etri.re.kr, chris@calldei.com, peter@guest-tek.com, sudish@corp.earthlink.net, peter@wemm.org, cristjc@earthlink.net, yar@freebsd.org, shalunov@internet2.edu, mike@sentex.net, roy@its-sby.edu, kjc@csl.sony.co.jp, seichert@coopcomp.com geinfecteerd is met Win32/Swen.A@mm.
Ce mail est généré par Skynet Mail Protection afin de vous prévenir que l'e-mail envoyé par gbs-vossem@pi.be à timofeev@granch.ru, chris@aims.com.au, dcs@newsguy.com, imp@harmony.village.org, ted@ness.plymouth.edu, deepak@ai.net, bmilekic@technokratis.com, randy@psg.com, sthaug@nethelp.no, shelton@sentry.granch.ru, danny_j_mitzel@yahoo.com, tinguely@web.cs.ndsu.nodak.edu, charon@hell.gr, jesper@skriver.dk, anandfranklin@hotmail.com, nascar24@home.nl, c.prevotaux@hexanet.fr, reichert@numachi.com, andy@tecc.co.uk, provos@citi.umich.edu, rtek@dolfijntje.nl, jack_xiao99@hotmail.com, mark.blackman@netscalibur.co.uk, gunther@aurora.regenstrief.org, s_bschmi@ira.uka.de, vova@express.ru, vlad@ariel.phys.wesleyan.edu, lord@4jon.com, assar@freebsd.org, peter.jeremy@alcatel.com.au, chaegle@mediaone.net, brad@wcubed.net, ewiz@mail.dotcom.fr, freedom@csie.nctu.edu.tw, oberman@es.net, wes@softweyr.com, julian@elischer.org, iedowse@maths.tcd.ie, sroberts84@hotmail.com, maddave@suxx.eu.org, ambrisko@ambrisko.com, ari@suutari.iki.fi, bonnetf@news.esiee.fr, lucky@land3.nsu.ru, ume@freebsd.org, crewking@buckeye-express.com, bright@sneakerz.org, tlambert@primenet.com, gwford@home.com, vlad@infonet.com.ua, freebsd-lists-for-dayan-only-owner@egroups.co.uk, kimch@etri.re.kr, chris@calldei.com, peter@guest-tek.com, sudish@corp.earthlink.net, peter@wemm.org, cristjc@earthlink.net, yar@freebsd.org, shalunov@internet2.edu, mike@sentex.net, roy@its-sby.edu, kjc@csl.sony.co.jp, seichert@coopcomp.com est infecté par le virus : Win32/Swen.A@mm.
Please contact your system administrator for further information.
Gelieve uw systeembeheerder te contacteren voor meer informatie.
Veuillez contacter votre administrateur système pour de plus amples informations.

If you are the sender: Indien u de zender bent: Si vous êtes l'expéditeur:
-------------------
The scanned e-mail has your address in the <From> header field. Either your computer is infected or someone's computer having your e-mail address in the address book has been infected.
De gescande e-mail heeft uw adres in het <From> veld. Dat betekent dat ofwel jouw computer geinfecteerd is, ofwel dat iemand is geinfecteerd, die jouw e-mail adres in zijn/haar adresboek heeft.
Le mail scanné contient votre adresse e-mail dans son en-tête <De>. Soit votre ordinateur est infecté soit votre adresse e-mail est reprise dans le carnet d'adresse d'un ordinateur infecté.

If you are the receiver: Indien u de bestemmeling bent: Si vous êtes le destinataire:
---------------------
Please contact the sender: most likely he/she doesn't know he/she has a computer virus.
Gelieve de zender te contacteren: hoogst waarschijnlijk weet hij/zij niet dat hij/zij geinfecteerd is met een computer virus.
Veuillez contacter l'expéditeur: le plus souvent, il/elle ne sait pas que son ordinateur est infecté.

Actions taken for the infected files: Ondernomen actie voor de geinfecteerde bestanden: Actions prises pour les fichiers infectés:
-------------------------------------
The infected file was saved to quarantine with name: 1075720184-RAVi12B9bAP025868. The file (part0004:Update.exe) attached to mail (with subject:net critical upgrade) sent by gbs-vossem@pi.be to timofeev@granch.ru, chris@aims.com.au, dcs@newsguy.com, imp@harmony.village.org, ted@ness.plymouth.edu, deepak@ai.net, bmilekic@technokratis.com, randy@psg.com, sthaug@nethelp.no, shelton@sentry.granch.ru, danny_j_mitzel@yahoo.com, tinguely@web.cs.ndsu.nodak.edu, charon@hell.gr, jesper@skriver.dk, anandfranklin@hotmail.com, nascar24@home.nl, c.prevotaux@hexanet.fr, reichert@numachi.com, andy@tecc.co.uk, provos@citi.umich.edu, rtek@dolfijntje.nl, jack_xiao99@hotmail.com, mark.blackman@netscalibur.co.uk, gunther@aurora.regenstrief.org, s_bschmi@ira.uka.de, vova@express.ru, vlad@ariel.phys.wesleyan.edu, lord@4jon.com, assar@freebsd.org, peter.jeremy@alcatel.com.au, chaegle@mediaone.net, brad@wcubed.net, ewiz@mail.dotcom.fr, freedom@csie.nctu.edu.tw, oberman@es.net, wes@softweyr.com, julian@elischer.org, iedowse@maths.tcd.ie, sroberts84@hotmail.com, maddave@suxx.eu.org, ambrisko@ambrisko.com, ari@suutari.iki.fi, bonnetf@news.esiee.fr, lucky@land3.nsu.ru, ume@freebsd.org, crewking@buckeye-express.com, bright@sneakerz.org, tlambert@primenet.com, gwford@home.com, vlad@infonet.com.ua, freebsd-lists-for-dayan-only-owner@egroups.co.uk, kimch@etri.re.kr, chris@calldei.com, peter@guest-tek.com, sudish@corp.earthlink.net, peter@wemm.org, cristjc@earthlink.net, yar@freebsd.org, shalunov@internet2.edu, mike@sentex.net, roy@its-sby.edu, kjc@csl.sony.co.jp, seichert@coopcomp.com is infected with virus: Win32/Swen.A@mm. The mail was not delivered because it contained dangerous code.
------------------------ this is a copy of the e-mail header:
RAV AntiVirus for Linux i386 version: 8.4.2 (snapshot-20030212)
Scan engine 8.11 for i386. Last update: Mon, 02 Feb 2004 04:36:04 +01 Scanning for 89407 malwares (viruses, trojans and worms).
--------------------------------------------------------------------
Mike Tancsa,                      tel +1 519 651 3400
Sentex Communications,            mike@sentex.net
Providing Internet since 1994     www.sentex.net
Cambridge, Ontario Canada         www.sentex.net/mike