27/07/2004 - Help! My .mac account is sending spam
Apparently my .mac email account is being used to send a lot of spam right now and I keep getting these emails from .mac saying:
Dear user of mac.com,
Your account was used to send a huge amount of junk e-mail messages during this week.
We suspect that your computer was infected by a recent virus and now contains a hidden proxy server.
We recommend you to follow instruction in order to keep your computer safe.
Have a nice day,
mac.com technical support team.
And attached is a zip file that won’t open.. So I don’t have any instructions to follow. I’ve never had this problem before so I don’t know what to do about it.. Anyone got a good tip for a program that might help me solve this?
This entry was posted on Tuesday, July 27th, 2004 at 10:33 am and is filed under News.
41 Responses to “Help! My .mac account is sending spam”
Hi,
I had the same message and after investigating it I discovered it was sent from the spammers to infect your computer with a spyware that is intended for peecee users [Macs not affected].
It’s a new variant of MyDoom (PC-only virus, of course), the message is absotively fake, so don’t worry… delete it and go about your business
You’re kidding, right? Is this satire? Surely you are aware that such messages are generated by virus-infected PC users. I hope this was a gag post.
Yes it is a virus and you are most likely infected. Easy way to remedy it tho so not to worry, (I know how people can get very uptight about viruses)…both McAfee and Symantec do stand alone removal tools if u don’t have the full products…this is only a short term fix, if I were u I’d make sure I’d have the full package and keep it up to date! It’s not hard and saves so much fuss!
I’m quite sure this is a genuine error and not a spam. I’m not being sarcastic.
I can’t send any emails, then I get a new message saying the same thing.
And right now I have 27 new emails in my inbox from telling me that this email did not reach the destination, and I haven’t sent any emails so it’s probably just like they state in that error, that it’s a “trojan proxy server” sending spam from my account.
Is this a Mac virus?
I do have Virtual PC, but it’s not running.
The only virus app I have is Virex, I’ll try that.
Ok, never mind, I got an answer from .mac support.
I honestly didn’t know Spam could be so sophisticated, and I’ve never gotten this much of it.. :O
Thanks for replying though.
What was their answer??? Is there a mac virus or spyware floating around?
God people. THIS is how virus writers can fool people so easily. Seeing as nearly everyone here is a Mac user, just know this :
Macs, at present, do not have any viruses that do anything more than put up annoying msgs. There are certainly no viruses on the Mac that can email themselves to other machines and spam people.
And also….the old advice that ALWAYS holds true….NEVER EVER EVER open an attachment from someone you don’t know. Even if it appears to be .Mac Technical Support.
I work for AppleCentre Manchester in the UK, and I’ve had to deal with about 10 different people today calling about this exact same thing, all for whoever their ISP is. Don’t be so gullible people…PLEASE! No more virus calls for me tomorrow. I beg ya!
One would assume that the fact that the emails in question are usually being sent from a non apple server (ie mac.com/apple.com) would suggest that it’s not real… :-”
Virus writers are getting good, and I mean very good. They are using wit to entice anyone and everyone to either open the message or open the attachment within a message. As an ISP / ASP, I deal with this every single day. The viruses today have ways of circumventing most virus protection means on PCs, if they are not completely up to date. Once infected, most turn the machine into a zombie mailserver, sending to anyone and everyone that the virus can find within the machine for addresses. The really scary part is that most PCs running OutLook are not current and since there are so many auto-running viruses out there, they can completely do what they need, even without the user opening the message. That is why OutLook and its siblings are in the cross-hairs of most ISPs. Once a machine is infected and sending messages without the user even knowing, it begins sending very convincing messages to everyone that person has an address for. Those messages consistently have very real-sounding subjects, from very real sounding names, and sometimes even from existing people (we see this a lot lately). When someone sees a message like this, their natural tendency is to open it, thus infecting yet another machine. Voilà, the vicious circle continues.
Oh, on Viruses for the Mac. Well, yes viruses can happen on the Mac. OutLook, Express and Entourage can execute Visual Basic scripts on the Mac. The one thing that the Mac has going for it, is that unless the version is really old, it will not auto-execute any enclosed scripts without notifying the user first.
Sorry for the ramble, but I figured I would share what we see here every day.
-jason
I’m usually pretty good at telling what is a virus and what is not, but when I sent emails and I received a new error message saying that the message could not be sent because my computer was infected, I was fooled. I just haven’t gotten any clever spam like that before.
This is what Apple replied to me:
Dear Max,
Thank you for contacting Apple.
Sending Unsolicited Bulk Email (UBE) (better known as SPAM) using a known-good email address that does not belong to them is a very common tactic used by spammers. In this way they can ensure the messages they send are accepted into the domain they are sending to, and if the message cannot be delivered they will not see the delivery failure notice.
Sending messages using a reply address other than their own does not require access to that account in any way. This is very similar to addressing a letter and instead of writing your name and address on the envelope as the return address, using someone else’s. If the letter cannot be delivered and is returned, it’ll be returned to the address seen on the envelope.
The message you have received is most likely originating from a virus infected Microsoft Windows-based computer. This type of virus attempts to avoid detection and containment by forging the return address the message appears to come from. It does this by sending itself to all of the email addresses it can find on the infected system. It also uses those same addresses as the “Reply-To:” for those mailings. This can lead to what you have seen: Failed delivery notices sent to you when the mailings are unsuccessful. It is unlikely these messages will cause any harm to your machine.
Although these viruses do not typically affect Macintosh systems, there are a couple of steps that you should, and can, take if this occurs.
Ensure your virus protection is up to date. .Mac members are provided with world class virus protection from McAfee called Virex. If you don’t already have it installed, please go to the Virex page to download and get started with Virex.
Most of the time, the best defense is to use a rule to file these messages into another folder. For example, Junk, Trash, or another created folder. For more information about setting up Rules in Mail, please find and review the Mail Help topic “Manually applying a rule to messages”. To do this, open the Mail application and choose Mail Help from the Help menu.
If this does not pertain to the issue that you are having, please reply to this email with a copy of the expanded headers for the returned emails and we will investigate the issue further.
Sincerely,
The .Mac Support Team
Find tips and tricks, online discussions, and answers to common questions in the .Mac web support site:
I think the pool of spammers have begun to realize the merits of using clever thought and intuition when it comes to what they do. As we joke around here, the spammers have gotten an education.
The only way spam is going to go away is if more isps and asps start blocking the addresses, and not the e-mail addresses, but the link addresses they want you to go to. It would take away any way of making spamming profitable. But, First Amendment rights aside, I cannot get anyone on board to start a campaign like this. Oh well.
I am glad to hear this was a simple case of clever wit and not a case where you would have to rebuild your system, like most Windows users have grown accustomed to doing.
-jason
There are only a couple of known viruses and trojans for OS X — one of which uses the mp3 extension. The other is AS.MW2004.Trojan and was planted on peer to peer networks and file servers in the Microsoft Office 2004 pre-release.
Both can wipe out your home directory.
However, neither accesses your address book or the sendmail script used in OS X. Since you have a .mac account you may as well download the free virex anti-virus software as a precaution against the existing known viruses.
Better safe than sorry.
I know that you can be fooled by these spammers. I’ve been had too.
I once received numerous e-mails telling me that I had sent viruses to some University in Holland or something. The e-mail came from a firewall-company who told me that they have my IP and stuff.
I have NEVER done stuff like that willingly.
I also receive e-mails sometimes telling me that my e-mail was rejected because of an attached zip file or some Windows file. I supposedly sent an e-mail to ChaNinja (Windows themer). I don’t even have him in my contact list or anything. I only sent an e-mail to him from within Neowhine (Neowin).
I’m somewhat confused when these occur. Although since I deleted one of my e-mail accounts it has not happened(but I cannot tell)
One way to figure these spammers out is to look at the grammar. If you look at the e-mail Max got and the e-mail from the real .Mac support - you’ll notice a difference in grammar. The spammers left out a “the” and on occasions they are not even making sense eg. misplaced words.
Anyways, good that you got some help Max.
one thing i have done in mail.app is set it so that up at the top in the headers it shows all the “Received” headers, ie: if it’s sent from someone here at ncsu, to my mac.com, i see something like this (with a lot more details):
Received by smtp.ncsu.edu from tucxxxx.rh.ncsu.edu (152.x.x.x) for ianmeyer@mac.com
Received by mac.com from smtp.ncsu.edu for ianmeyer@mac.com
Received by host.mac.com from mac.com for ianmeyer@mac.com
etc.
this way, i can see that all those “you have a virus” messages always come from somewhere other than the “mac.com support team, ” since they are sent from, often times, hostnames that are for cable or dsl consumer internet connections
~ian
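The header check described in the comment above can be automated. The following is an added example, not part of the original thread: it walks the “Received” chain from the newest header down and reports the host that handed the message to the provider's servers, ignoring anything below that point because the sender can forge it. The message, host names, IP addresses, the function names and the Postfix/sendmail-style header layout are all assumptions made for illustration.

```python
import email
import re
from email.utils import parseaddr

# Constructed message: every host name and IP address below is made up.
SAMPLE = """\
Received: from mx1.example.com (mx1.example.com [192.0.2.10])
 by store.example.com with ESMTP; Tue, 27 Jul 2004 10:01:07 +0000
Received: from example.com (dsl-57.cable.example.net [203.0.113.57])
 by mx1.example.com with SMTP; Tue, 27 Jul 2004 10:01:05 +0000
Received: from support.example.com (support.example.com [192.0.2.99])
 by relay.example.com with SMTP; Tue, 27 Jul 2004 09:59:00 +0000
From: "example.com technical support team" <support@example.com>
To: user@example.com
Subject: Your account was used to send junk e-mail

We recommend you to follow instruction in order to keep your computer safe.
"""

# Assumed layout: "from <HELO name> (<reverse-DNS name> [<ip>]) by <receiving host>"
HOP_RE = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([^\]]+)\]\)\s+by\s+(\S+)")

def in_domain(host, domain):
    """True for the domain itself or a subdomain, never for a look-alike suffix."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def entry_hop(raw, provider):
    """Return the hop where the message entered the provider's servers, or None."""
    msg = email.message_from_string(raw)
    for value in msg.get_all("Received", []):      # newest header first
        m = HOP_RE.search(value)
        if not m or not in_domain(m.group(4), provider):
            return None    # not written by the provider: nothing below is trustworthy
        helo, rdns, ip, by = m.groups()
        if not in_domain(rdns, provider):          # sending host is outside the provider
            return {"helo": helo, "rdns": rdns, "ip": ip, "by": by}
    return None

def claims_provider_but_external(raw, provider):
    """True when From: names the provider yet the mail was handed in from outside."""
    msg = email.message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    return in_domain(from_domain, provider) and entry_hop(raw, provider) is not None

if __name__ == "__main__":
    print(entry_hop(SAMPLE, "example.com"))
    print(claims_provider_but_external(SAMPLE, "example.com"))
```

In the sample the sending host announces itself as `example.com`, but the name recorded by the receiving server is a consumer DSL host, and the forged bottom header is never consulted. A subscriber's own mail submitted from home also enters from outside, so the result is a signal for mail claiming to come from the provider's staff, not proof on its own.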
Also, they refer to the “mac.com” support team….. this “team” if it were real would now be called the “.Mac” team…
But yes, these virus writing dorks have become very clever, grabbing the domain name of your Email and using that as the signature. They’ve also apparently discovered grammar checkers, because the previous iteration had a few obvious grammar mistakes in it (can’t remember the exact wording, but it was pretty obvious that it hadn’t come from a big company)
Wait, I take that back….I just re-read your copy of the Email….notice the line “We recommend you TO follow INSTRUCTION…”. That should be “We recommend you follow these instructions…”. The other thing is that why would the .Mac folks zip the instructions? For that matter, why would any tech support zip the instructions? They’d more likely include the instructions directly in the Email…or at least in some immediately viewable document (like a PDF or text file).
I must admit, though, that had my first experience with one of these things not been supposedly from my boss (head of IT where I work), I might have been more easily fooled (for one, we don’t have an IT “team”…it’s more like a few guys, and for another, if I really were doing this, he’d Email me himself–not with some “postmaster” email.)
Hey Max, I believe I saw an article for something very similar to this in the July Issue of WIRED Magazine. If you can still find it on shelves, I suggest you read up on it to better understand what went on.
I too had this email & rang my ISP. The next day I felt a twit when I received the exact same message that was sent to myself & signed ” Support Team”.
This is just a simple case of scripting, and taking out the substring after “@”, and appending it to Support Team. I know coz I’m my own Support Team/Post Master & buggered if I sent an email to myself
I feel sorry for the Mum & Dad home PC users who get duped by these traps.
There is a new thing called SPF (“Sender Policy Framework”) that if widely adopted - and a lot of progress has been made - should reduce a majority of spam. Check out spf.pobox.com for more info on how you can help spread the word to your ISP and others.
If you run your own site and have had your legit mail blocked by ISP spam filtering, you should definitely stop by DeliverMyMail.org to see how you can join the fight to make a difference in that arena as well.
I need a proof reader…
Yea, i got one of these from “.mac” a while back and just glanced at it cuz i was on the run and was like “damn, i need to check this out later” but when i got home, i got another e-mail like this, but it was from a site that i made and maintain and have a “webmaster@” e-mail account on, and these fools tried to e-mail ME saying that my sites “tech support team” (WHICH WAS ME!) was gonna shut down my e-mail address, at this point i just laughed and trashed both the messages.
I made a Mail rule that sorts these messages out of, and I currently have 280 emails in my Junk box… insane. I’ve never had this much spam before.
Copyright © Max Rudberg 2002 - 2005. E-mail: max_08 at mac dot com
Site coded by Kenny Pollock