I originally got the first virus a few days ago; of course my scanners caught it, and it didn't infect anything. So I saved the message source and figured I'd look around to see if it was a random thing, and if other people are getting them. I found nothing to help me. Now, today I've received a second virus. Both messages are basically the same. However, the attacker is using free email servers to send them out.
He seems to be using some type of MIDI file, "height.pif", which is 130kb (on both messages). And since he's using multiple free servers to send them out, I can't ban the ID from my servers (I could, but I'd be banning a massive number of free-email servers). Deleting the mail user that he's sending it to would just forward the message to the catch-all in my main box. He/she hasn't done any harm... "yet".
Anyone have any idea what I could do to sway this attacker elsewhere? I could sit back and just delete them all as they come in, but I don't really want to give them a chance. Is there any way I can snatch his 'real' IP? I'm assuming they are using a proxy while they are sending them out, but I have no idea really.
I'll post the message sources below this; any help would be greatly appreciated.
-- Derrick
-= FIRST ATTACK =-
Return-Path: <melcone@verizon.net>
Received: from svr00.ehostpros.com (root@localhost)
by liquidclock.net (8.11.6/8.11.6) with ESMTP id h3QFL4R08969
for <00@liquidclock.net>; Sat, 26 Apr 2003 08:21:04 -0700
X-ClientAddr: 206.46.170.188
Received: from sc009pub.verizon.net (sc009pub.verizon.net [206.46.170.188])
by svr00.ehostpros.com (8.11.6/8.11.6) with ESMTP id h3QFL3D08964
for <00@liquidclock.net>; Sat, 26 Apr 2003 08:21:03 -0700
Received: from [208.25.49.227] (port=23094 helo=Mcdv)
by sc009pub.verizon.net with smtp (Exim 4.14)
id 199RYa-0000Sf-S5
for 00@liquidclock.net; Sat, 26 Apr 2003 10:25:41 -0500
From: melcone <melcone@melcone.com>
To: 00@liquidclock.net
Subject: Eager to see you
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary=N2qf36p0aEC98t4f8qcu
Message-Id: <E199RYa-0000Sf-S5@sc009pub.verizon.net>
Date: Sat, 26 Apr 2003 10:25:41 -0500
Status:
--Boundary_(ID_H4kPvvt8/Q5hpfDoJL5gJg)
Content-type: text/html
Content-transfer-encoding: 7BIT
<HTML><HEAD></HEAD><BODY>
<iframe src=cid:Jp1itAJFJ7aA2v height=0 width=0>
</iframe>
<FONT></FONT></BODY></HTML>
--Boundary_(ID_H4kPvvt8/Q5hpfDoJL5gJg)
Content-id: <Jp1itAJFJ7aA2v>
Content-type: audio/x-midi; name=height.pif
Content-transfer-encoding: base64
Content-disposition: attachment; filename=height.pif
-= SECOND ATTACK =-
Return-Path: <scyoung@comcast.net>
Received: from svr00.ehostpros.com (root@localhost)
by liquidclock.net (8.11.6/8.11.6) with ESMTP id h3U23lk15032
for <00@liquidclock.net>; Tue, 29 Apr 2003 19:03:47 -0700
X-ClientAddr: 24.153.64.116
Received: from smtp-out.comcast.net (smtp-out.comcast.net [24.153.64.116])
by svr00.ehostpros.com (8.11.6/8.11.6) with ESMTP id h3U23kN15025
for <00@liquidclock.net>; Tue, 29 Apr 2003 19:03:46 -0700
Received: from Kazwefc (pcp02510492pcs.longhl01.md.comcast.net [68.84.137.173])
by mtaout01.icomcast.net
(iPlanet Messaging Server 5.2 HotFix 1.12 (built Feb 13 2003))
with SMTP id <0HE4008MOWJVJS@mtaout01.icomcast.net> for
00@liquidclock.net; Tue, 29 Apr 2003 22:07:16 -0400 (EDT)
Date: Tue, 29 Apr 2003 22:07:07 -0400 (EDT)
Date-warning: Date header was inserted by mtaout01.icomcast.net
From: rattlesnake89 <rattlesnake89@msn.com>
Subject: Fw:japanese lass' sexy pictures
To: 00@liquidclock.net
Message-id: <0HE4008MPWJVJS@mtaout01.icomcast.net>
MIME-version: 1.0
Content-type: multipart/alternative;
boundary="Boundary_(ID_H4kPvvt8/Q5hpfDoJL5gJg)"
Status:
--Boundary_(ID_H4kPvvt8/Q5hpfDoJL5gJg)
Content-type: text/html
Content-transfer-encoding: 7BIT
<HTML><HEAD></HEAD><BODY>
<iframe src=cid:Jp1itAJFJ7aA2v height=0 width=0>
</iframe>
<FONT></FONT></BODY></HTML>
--Boundary_(ID_H4kPvvt8/Q5hpfDoJL5gJg)
Content-id: <Jp1itAJFJ7aA2v>
Content-type: audio/x-midi; name=height.pif
Content-transfer-encoding: base64
Content-disposition: attachment; filename=height.pif
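A small triage script for mail like the two sources above, added here as an example and not part of the original post: it walks the Received: chain to find the IP the first submission server logged, and flags the two traits both messages share, an executable-extension attachment labelled as audio and a zero-size iframe that auto-loads it by cid:. The sample message is constructed from the second source's headers with a placeholder attachment body.

```python
import re
from email import message_from_string, policy
# Constructed sample modelled on the second message quoted above; the
# attachment body is left empty, it is not the real file.
RAW = """\
Received: from svr00.ehostpros.com (root@localhost) by liquidclock.net; Tue, 29 Apr 2003 19:03:47 -0700
Received: from smtp-out.comcast.net (smtp-out.comcast.net [24.153.64.116]) by svr00.ehostpros.com; Tue, 29 Apr 2003 19:03:46 -0700
Received: from Kazwefc (pcp02510492pcs.longhl01.md.comcast.net [68.84.137.173]) by mtaout01.icomcast.net; Tue, 29 Apr 2003 22:07:16 -0400 (EDT)
Content-Type: multipart/alternative; boundary="Boundary_(ID_H4kPvvt8/Q5hpfDoJL5gJg)"

--Boundary_(ID_H4kPvvt8/Q5hpfDoJL5gJg)
Content-Type: text/html

<HTML><BODY><iframe src=cid:Jp1itAJFJ7aA2v height=0 width=0></iframe></BODY></HTML>
--Boundary_(ID_H4kPvvt8/Q5hpfDoJL5gJg)
Content-ID: <Jp1itAJFJ7aA2v>
Content-Type: audio/x-midi; name=height.pif

--Boundary_(ID_H4kPvvt8/Q5hpfDoJL5gJg)--
"""
EXEC_EXT = (".pif", ".scr", ".exe", ".com", ".bat", ".vbs")

def received_hops(msg):
    # Oldest hop first. Only the hops written by servers you trust are
    # reliable: a sender can forge any Received: line below them.
    hops = []
    for hdr in msg.get_all("Received", []):
        m = re.search(r"from\s+(\S+)(?:\s+\(([^)]*)\))?", str(hdr))
        if m:
            ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", m.group(2) or "")
            hops.append((m.group(1), ip.group(1) if ip else None))
    return hops[::-1]

def suspicious_parts(msg):
    # Executables mislabelled as media, plus zero-size iframes loading a cid:
    findings, exe_cids, iframes = [], set(), []
    for p in msg.walk():
        fname = (p.get_filename() or "").lower()
        if fname.endswith(EXEC_EXT):
            exe_cids.add(str(p.get("Content-ID", "")).strip("<>"))
            findings.append(f"executable {fname} labelled {p.get_content_type()}")
        elif p.get_content_type() == "text/html":
            for tag in re.findall(r"<iframe[^>]*>", p.get_content(), re.I):
                src = re.search(r'src=["\']?cid:([^\s"\'>]+)', tag, re.I)
                if src and re.search(r'(height|width)=["\']?0\b', tag, re.I):
                    iframes.append(src.group(1))
    for cid in iframes:
        kind = "executable" if cid in exe_cids else "part"
        findings.append(f"hidden iframe auto-loads {kind} cid:{cid}")
    return findings

MSG = message_from_string(RAW, policy=policy.default)
```

The first hop returned is the address the submitting free-mail server recorded for the sender; if that is a proxy or a dial-up pool, it is still the right thing to report to that provider's abuse desk along with the headers.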