How To Best Fight Directed Virus?



Rich
06-14-2004, 07:02 AM
Hi,

Funny thing, I just setup this domain and not many people know about it.

This morning, I received two emails, both containing a WORM-BAGLE virus (Thanks to my virus detect for finding it).

The first one:

Return-path: <biggoup@control-grid.com>
Envelope-to: info@helicam.us
Delivery-date: Mon, 14 Jun 2004 06:45:47 -0400
Received: from [12.0.39.47] (helo=Michael)
by www5.hostpc.com with smtp (Exim 4.24)
id 1BZoyJ-0000G0-6x
for info@helicam.us; Mon, 14 Jun 2004 06:45:47 -0400
Date: Mon, 14 Jun 2004 06:45:49 -0500
To: info@helicam.us
Subject: Hi! :-)
From: biggoup@control-grid.com
Message-ID: <xuwjuyfdbttaktpskqw@control-grid.com>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="--------imrovflhncufcooxjvsd"


The second email:

Return-path: <info@helicam.us>
Envelope-to: sales@helicam.us
Delivery-date: Mon, 14 Jun 2004 06:50:55 -0400
Received: from [12.0.39.47] (helo=Michael)
by www5.hostpc.com with smtp (Exim 4.24)
id 1BZp3G-0000Oo-W9
for sales@helicam.us; Mon, 14 Jun 2004 06:50:55 -0400
Date: Mon, 14 Jun 2004 06:50:57 -0500
To: sales@helicam.us
Subject: Weah, hello! :-)
From: info@helicam.us
Message-ID: <dypukjlyvuwgmmprelw@helicam.us>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="--------wilfbraljvjcaaqueunm"

Notice that they changed the second one to show the 'return-path' to be the target of the first email.

Obviously (to me) someone's trying to cause some problems. What's the best way to deal with this? I tried a tracert/ping to the IP address listed, but had no luck.

Anyone with an idea on how to deal with this?

ozee
06-14-2004, 08:29 AM
Bagle spoofs the addresses. Those email addresses aren't infected, but someone you know (who has your email address in their address book) is infected. The actual source of the virus is IP 12.0.39.47, which whois's to

AT&T WorldNet Services ATT (NET-12-0-0-0-1)
12.0.0.0 - 12.255.255.255
Advance Reproduction ADVANCEREPRO-390 (NET-12-0-39-0-1)
12.0.39.0 - 12.0.39.127

What I tend to do is to forward this mail back to the abuse@ address for the providers with the complete email header info in it. They can then contact the responsible party to clean up their computer.

However, on a related note (I hope Joe and Nick read this!!!), virus protection is best done at the server, not the client. If we had AV protection available, this would've been caught and filtered before you received this.
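To make the point above concrete, here is an added Python example (not from this thread or any product mentioned in it) that pulls the connecting IP and HELO name out of the Received line our own MTA wrote, checks whether the visible From/Return-path borrows the local domain, and groups messages by origin IP. The two header samples are trimmed copies of the ones quoted earlier in the thread; `helicam.us` is assumed to be the local domain.

```python
import re
# Two of the header blocks quoted in this thread, trimmed to the relevant fields.
# From/Return-path are the spoofed values; Received carries the real connecting IP.
MSG1 = """Return-path: <biggoup@control-grid.com>
Envelope-to: info@helicam.us
Received: from [12.0.39.47] (helo=Michael)
by www5.hostpc.com with smtp (Exim 4.24)
for info@helicam.us; Mon, 14 Jun 2004 06:45:47 -0400
From: biggoup@control-grid.com
"""
MSG2 = """Return-path: <info@helicam.us>
Envelope-to: sales@helicam.us
Received: from [12.0.39.47] (helo=Michael)
by www5.hostpc.com with smtp (Exim 4.24)
for sales@helicam.us; Mon, 14 Jun 2004 06:50:55 -0400
From: info@helicam.us
"""

RECEIVED_RE = re.compile(r"Received: from \[(\d{1,3}(?:\.\d{1,3}){3})\] \(helo=([^)]+)\)")
ADDR_RE = re.compile(r"[\w.+-]+@([\w.-]+)")

def header(raw, name):
    """Value of the first header called `name` (case-insensitive), or ''."""
    m = re.search(rf"^{re.escape(name)}:\s*(.*)$", raw, re.M | re.I)
    return m.group(1).strip() if m else ""

def origin_of(raw):
    """(connecting IP, HELO name) from the Received line our own MTA wrote.
    Exim records the peer IP it accepted the connection from; the worm can
    forge From/Return-path freely but not this."""
    m = RECEIVED_RE.search(raw)
    return (m.group(1), m.group(2)) if m else (None, None)

def claims_local_sender(raw, local_domain):
    """True when From or Return-path uses our own domain, i.e. the worm is
    borrowing one of our addresses as the apparent sender."""
    for field in ("From", "Return-path"):
        m = ADDR_RE.search(header(raw, field))
        if m and m.group(1).lower() == local_domain.lower():
            return True
    return False

def group_by_origin(messages):
    """Map each connecting IP to the (From, Envelope-to) pairs it delivered, so
    one infected host mailing under several sender names stands out."""
    groups = {}
    for raw in messages:
        ip = origin_of(raw)[0]
        groups.setdefault(ip, []).append((header(raw, "From"), header(raw, "Envelope-to")))
    return groups
```

Run `group_by_origin([MSG1, MSG2])` and both messages fall under 12.0.39.47 despite their different visible senders, which is exactly the IP to whois and report.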

Rich
06-14-2004, 01:55 PM
I think this is directed at me. Now they are trying another of my servers. As I said, I have not sent this to many people, but a forum which I use knows about it.

Here's the other newest. I don't know anyone who would have me in their address book yet as I haven't used any of these email addresses yet! They only went online a few days ago.

Return-path: <sales@helicam.us>
Envelope-to: webmaster@helicam.us
Delivery-date: Mon, 14 Jun 2004 13:14:34 -0400
Received: from [12.0.39.47] (helo=Michael)
by www5.hostpc.com with smtp (Exim 4.24)
id 1BZv2X-0004dU-77
for webmaster@helicam.us; Mon, 14 Jun 2004 13:14:33 -0400
Date: Mon, 14 Jun 2004 13:14:33 -0500
To: webmaster@helicam.us
Subject: Hi! :-)
From: sales@helicam.us
Message-ID: <ahjxvggpaugccnqivmq@helicam.us>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="--------iwairtuglyumyajettpc"

Rich
06-14-2004, 02:03 PM
Hmm.. advance repro.. I think I know someone there.

What is the best way for an end user to find a 'whois' service so I can look this up myself?

Rich
06-14-2004, 02:10 PM
Yes.. I know the company and the person there. My guess is that he'll have no clue that he has a virus.

He must have viewed my web pages and this worm picked up my addresses. Grrr...

Thanks for the help!

ozee
06-14-2004, 02:32 PM
Originally posted by NHFTRich@Jun 14 2004, 12:03 PM
Hmm.. advance repro.. I think I know someone there.

What is the best way for an end user to find a 'whois' service so I can look this up myself?
There are several places to get a whois... the one I use most is whois.sc (http://www.whois.sc).

In a situation like this, I just whois the IP address. If you need more contact info for advance repro, you can whois their URL.

Hope that's your culprit! If they need help cleaning it up, let me know -- we can help there, too!