[Bldg-sim] Virus Attacks on BLDG-SIM

Wookey wookey at wookware.org
Wed Nov 17 04:03:30 PST 2010


+++ JRR [2010-11-17 02:00 -0500]:
> Hi;
>
> I have received several Viruses and Trojans on this eMAIL ACCOUNT which  
> is solely for
> the Energy Plus lists.
>
> The most recent receipt of any technical merit was   
>
> Virus name: "Trojan-Spy.HTML.Fraud.gen"
>
>
> It was generated by a fake website called "Clicksafe" .  

To clarify a little: 'clicksafe' is a legitimate service run by Lloyds
TSB bank:
https://www.clicksafe.lloydstsb.com/lloyds/registration/welcome.jsp

This virus email was not sent from that site, it merely purported to
be in order to look legitimate.

> Here is the full header so list members can block the entire websites associated with these attacks.

It would be unwise to block everything from 'clicksafe', especially if
you are an actual Lloyds customer. Viruses and spam can and do claim
to come from anywhere, usually valid addresses. Just blocking them all
will also block real email. You need to go on content, not addresses.
From (and to) addresses are essentially completely fake. Blocking all
mail containing Trojan-Spy.HTML.Fraud.gen _would_ be sensible.

If you know a bit about email headers or use an online service like
http://www.iptrackeronline.com/header.php you will find that it comes
from Texas, but that's not right either:

It is disguised to appear, to simple-minded tools, to come from
117.254.213.216 which is vstream.esc11.net. Esc11.net are the
Education Service Center, Region 11, in Ft. Worth, Texas, whom the
scammers are trying to incriminate to people slightly more savvy than
the ones that think it came from Lloyds TSB clicksafe.

But in fact the email (so far as I can tell - there may be more layers
of indirection which I'm not seeing, or net changes since it was
routed and delivered) came from 190.41.82.181, which is
server.iltucanoperu.com, which appears to be a small business in Peru
with little clue about IT (judging from their 'default MS SBS server
install website' website: http://www.iltucanoperu.com/). Their ISP is
Telefonica de Peru, which I presume is a big phone company/ISP. This
site is useful for looking these things up:
http://www.senderbase.org/senderbase_queries/detailip?search_string=190.41.82.181

So it appears that one of the computers there is virus infected or
part of a botnet, and is sending out fraud-assisting viruses to try
and get others into the same boat. 

The solution to this is virus- and spam-scanning your email, not
sending out the (misleading) headers to everyone on the list, few of
whom will be able to do anything useful with them. The hackers are
much more sophisticated when it comes to email filtering than most
building energy analysts at this point :-)

There are plenty of both free and paid-for solutions to the spam/virus
scanning problem. I use spamassassin + clamav which gets most of them
and doesn't cost anything. Online concentrator services tend to work
better (because they can see the whole email stream, not just yours),
but usually cost money. 


> *********************************************************************************************
>
> Return-Path: <lloyds at securesuite.net>
> Received: from fed1rmimpi04.cox.net ([70.169.32.73])
>          by fed1rmmtai111.cox.net
>          (InterMail vM.8.01.03.00 201-2260-125-20100507) with ESMTP
>          id <20101110181012.HMUI21208.fed1rmmtai111.cox.net at fed1rmimpi04.cox.net>
>          for <energy.wwind at cox.net>; Wed, 10 Nov 2010 13:10:12 -0500
> Received: from server.iltucanoperu.com ([190.41.82.181])
> 	by fed1rmimpi04.cox.net with IMP
> 	id VW8j1f0023ujcsE05W8ofK; Wed, 10 Nov 2010 13:10:11 -0500
> Received: from User ([216.213.254.117] RDNS failed) by server.iltucanoperu.com with Microsoft SMTPSVC(6.0.3790.4675);
> 	 Wed, 10 Nov 2010 13:04:52 -0500
> Date: Wed, 10 Nov 2010 12:04:40 -0600
> From: "Lloyds TSB"<Lloyds at securesuite.net>
> Subject: -- SPAM --Lloyds TSB - ClickSafe Activation Confirmation

Wookey
-- 
Principal hats:  Linaro, Emdebian, Wookware, Balloonboard, ARM
http://wookware.org/
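The header walk Wookey does by hand above (trust only the Received: lines your own provider wrote, take the "from" IP on the first of those that crosses out of your provider, and treat every line below it as a claim) can be done mechanically. The script below is an added example for this thread, not code from Wookey or the list; it works offline on the headers quoted in the message (with the archiver's " at " turned back into "@"), assumes the recipient's provider is cox.net, and does no DNS lookups, so it does not try to verify what server.iltucanoperu.com wrote about 216.213.254.117. The function names (parse_received, probable_origin, report) are this example's own.

```python
"""Walk the Received: chain of an e-mail and separate the hops your own
provider recorded from the hops anyone upstream could have invented."""
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# Sample input (constructed for this example): the headers quoted in the
# thread, with the list archiver's " at " restored to "@". Nothing else changed.
SAMPLE_HEADERS = """\
Return-Path: <lloyds@securesuite.net>
Received: from fed1rmimpi04.cox.net ([70.169.32.73])
         by fed1rmmtai111.cox.net
         (InterMail vM.8.01.03.00 201-2260-125-20100507) with ESMTP
         id <20101110181012.HMUI21208.fed1rmmtai111.cox.net@fed1rmimpi04.cox.net>
         for <energy.wwind@cox.net>; Wed, 10 Nov 2010 13:10:12 -0500
Received: from server.iltucanoperu.com ([190.41.82.181])
        by fed1rmimpi04.cox.net with IMP
        id VW8j1f0023ujcsE05W8ofK; Wed, 10 Nov 2010 13:10:11 -0500
Received: from User ([216.213.254.117] RDNS failed) by server.iltucanoperu.com with Microsoft SMTPSVC(6.0.3790.4675);
         Wed, 10 Nov 2010 13:04:52 -0500
Date: Wed, 10 Nov 2010 12:04:40 -0600
From: "Lloyds TSB"<Lloyds@securesuite.net>
Subject: -- SPAM --Lloyds TSB - ClickSafe Activation Confirmation
"""


@dataclass
class Hop:
    from_host: str          # name the sender announced (HELO) or the receiver resolved
    from_ip: Optional[str]  # IP the receiving server saw the connection from, if recorded
    by_host: str            # the server that wrote this Received: line


# "from <host> ([<ip>] ...) ... by <host>"; the IP part is optional because
# not every MTA records it.
RECEIVED_RE = re.compile(
    r"from\s+(?P<host>\S+)"
    r"(?:\s*\(\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?[^)]*\))?"
    r".*?\bby\s+(?P<by>\S+)",
    re.I,
)


def unfold(raw: str) -> List[str]:
    """Join folded header lines: a continuation line starts with whitespace."""
    out: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out


def parse_received(raw: str) -> List[Hop]:
    """Received: lines in header order; index 0 is the hop nearest the recipient."""
    hops: List[Hop] = []
    for line in unfold(raw):
        if not line.lower().startswith("received:"):
            continue
        m = RECEIVED_RE.search(line[len("received:"):])
        if m:
            hops.append(Hop(m.group("host"), m.group("ip"), m.group("by")))
    return hops


def is_trusted(host: str, trusted_suffixes: Sequence[str]) -> bool:
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in trusted_suffixes)


def probable_origin(hops: List[Hop], trusted_suffixes: Sequence[str]) -> Tuple[Optional[Hop], List[Hop]]:
    """Return (origin_hop, forgeable_tail).

    Scanning from the recipient's end, the first line written BY a server you
    trust whose FROM side lies outside that trust boundary records the IP a
    trustworthy server really accepted the connection from. Every line below
    it was written by machines you do not control and can say anything.
    """
    for i, hop in enumerate(hops):
        if is_trusted(hop.by_host, trusted_suffixes) and not is_trusted(hop.from_host, trusted_suffixes):
            return hop, hops[i + 1:]
    return None, hops


def report(raw: str, trusted_suffixes: Sequence[str]) -> str:
    hops = parse_received(raw)
    origin, tail = probable_origin(hops, trusted_suffixes)
    lines = [f"hop {i}: by {h.by_host:<28} from {h.from_host} [{h.from_ip}]" for i, h in enumerate(hops)]
    if origin is None:
        lines.append("no trusted relay found; treat every hop as an unverified claim")
    else:
        lines.append(f"last trustworthy observation: {origin.from_ip} ({origin.from_host})")
        for h in tail:
            lines.append(f"unverifiable: '{h.from_host} [{h.from_ip}]' was written by {h.by_host}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Assumption for this example: the recipient's provider is cox.net, so only
    # lines its servers wrote are taken at face value.
    print(report(SAMPLE_HEADERS, ["cox.net"]))
```

Run against the quoted headers with cox.net as the trust boundary, it reports 190.41.82.181 (server.iltucanoperu.com) as the last hop a trustworthy server observed and flags the "User [216.213.254.117] RDNS failed" line as something the Peruvian server wrote and nobody else can vouch for, which is exactly the distinction between the headers a tool like iptrackeronline shows and the hop that actually matters. Change the trusted suffix list and the answer changes with it, which is the point: the origin you can rely on is only as good as the servers you are willing to trust.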
