Dan H., virus problem

Frank_3

Dan H.,

Do you distribute the e-mail addresses of people that post on The Wall?

I've gotten a couple more virus notifications and the sending e-mail addresses are all boiler and hvac related. That tells me that someone here has my e-mail in their address book and it's being passed around by klez.

Sorry, but I have to come to you first since you might be the person who either has my e-mail and all these others in one place, or you've given the e-mail list to someone else, or somebody is mining the Wall for a mailing list.

DanHolohan

That's the way the Worm works

I get no less than 50 each day, and each comes with the name of someone I know.

Don't open attachments. We never send them to our list.

Keep your virus protection software up to date.

It's the nature of the Internet, Frank.

hot_rod

Hey Dan

whenever I go to post a reply, that screen pops up with someone elses name and e-mail in the boxes?? Most often it is hb's but a few others also show up.

It all started with this latest virus issue. Is it on my end?

I also get daily bogus e-mails from many of the wallbangers. If they have files attached I automaticly delete them.

However when something comes from Miline with a "hello darling" header I'm pretty sure it bogus. At least I hope so!!!

Sorry to bring up a sensitive subject in public, Scott, if in fact you really consider me a darling

hot rod

To Learn More About This Contractor, Click Here to Visit Their Ad in "Find A Contractor"

DanHolohan

Invision looked into this

because it's also been happening to Mark and Dave. Vito suggests you delete all the cookies that have either heatinghelp or Invision in the titles, including the ones that read Token. Mark tried this yesterday and just told me that it seems to have worked. Please give it a go and we'll take it from there if it doesn't work. Thanks.

Evan J_2

Viruses & Internet Boards

I'm not sure how the current rash of viruses going around work, but some viruses that are on the net have the ability to harvest email addresses from internet bulletin boards (such as the Wall). The virus then uses these harvested email addresses to spread itself, and they use them as the sender name as well. Some of the Internet SPAM works the same as well

Unfortunate but true.

jack_4

Harvest control

You can help to stop that part of the game by posting your Email name in the format of jack@jackdotcom rather than jack@jack.com.

I breaks most of the harvest programs. If you go to reply to a Wallie and see the dot rather than the . you just edit the area and send your email.

Unknown

The infection

is not just specific to the wall either. I have been hit heavily this week from people that I see on The Wall, Oil Tech Talk and other sites that have forums. Fortunately, I only send and recieve e-mail through the Burnham network server which runs a good firewall. Any of the attachments are gone by the time I get the e-mail anyway even though I run Norton all the time. E-mail certainly is not fun anymore!

Glenn Stanton

Burnham Hydronics

DanHolohan

I also run

McAfee's SpamKiller. It gets rid of 90% of the junk and it also catches the virus emails because of their size. You get to preview the mail before downloading it. If the program tells you it's too big and you don't recognize the name of the sender, or if the sender's name is attached to a nonsense subject line, you just delete it and that's that.

JimGPE

Possible explanation

The way my son the computer expert explains it, the worm goes into Smith's MS Outlook address book and grabs Jones' and Calahan's addresses, then sends an email to Jones with Calahan's address as the return address. Jones then calls Calahan and says y'all got a virus and its emailing me, and Calahan swears his machine is clean. No one thinks to get in touch with Smith because his email address is nowhere to be seen.

Pretty clever, if you can stand back far enough to appreciate the subtle nuances.

hot_rod

How do these viruses pick such clever names? I get e-mail with titles that deal with hydronic stuff. I've sen them come across with buffer tank titles, plans for you, etc.

hot rod

To Learn More About This Contractor, Click Here to Visit Their Ad in "Find A Contractor"

JimGPE

Random

Assuming we are dealing with Klez here, Symantec says the reference line is randomly generated. Here's a link to a good overview:

http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.gen@mm.html

I agree w/ you, HR, many times the reference lines look relevant, like something they might have wanted to email me about. Other times they are come-ons, like, "Photos of my girlfriend!!!" Yeah, like I'm going to open that....

Who knows.

Frank_3

Believe me, I know how they work.

This particular virus, Klez, looks at your address book and sends e-mail to those people, using your name or someone else that's also in your address book.

Here's the big point ...

In order for Klez to have gotten my e-mail address and use the reply-to address of someone else from The Wall, it implies that it started with someone who has my e-mail address in their address book, as well as the e-mail addresses of other people that post here.

That, I think, should narrow it down. I've only gotten one or two direct e-mails from people here, and my name isn't necessarily in their address book.

I'm thinking, sorry Dan, that it's starting out on either your server or perhaps your office system. Having bought books from you I wonder if you have my e-mail address in an address book somewhere, along with the addresses of other folks from the Wall.

That's also why I asked if maybe you distributed the addresses of folks that have posted here. Somewhere there's a collection of Wall users e-mail addresses, in an Outlook address book, and that place -- or those places -- are the candidates for the source of this virus.

DanHolohan

I haven't shared

any of that with anyone, Frank. The orders come to us through the Invision system, get printed here, and then entered into computers that are in our office and not connected to the Internet.

Alan R. Mercurio

My 2 Cents

I don't know much about this stuff but I really don't think it's a direct result of heatinghelp.com. I think it's indirectly being done. I say this because I have the same unfortunate experience happen at my site (Oil Tech Talk) from time to time. I know there are many trolls out there that have the abilities you are referring to. But in this case sadly I truly think it's an individual with way to much time on their hands. I believe they gather as many e-mail addresses as they can from here and from my site then distribute their trash.

One of the reasons I believe this is because at one time when I added some e-mail links to my site so technicians could e-mail technical services of manufactures from my site. The day after folks from my site including myself started to get the bogus e-mails that looked as though they were coming from the tech service folks and I don't care how smart the other trolls are it was to much of a coincidence that the subject line would say New Boiler Design.

Any how I'm sorry for rambling but it ticks me off that these goofs make it look like it's Dans fault here or my fault at my site. Oh well thanks for listening.

Your friend in the industry,

Alan R. Mercurio

Oil Tech Talk

Tom M.

Topics

My feeling is that some viruses use the topic of a post of yours and the address of someone else that appears on the same forum. I also recieved one today with the subject "IE 6.0 patch". Didn't think a heat guy would send me that.

Duncan

Address book.

It could have gotten addresses from any old Microsoft address book (I think) of anyone who visits here and corresponds with others.. That explains the familiar addresses; it's also a good trick to get you to open it, it gets your trust to see a familiar name.

In the last couple days, I've gotten emails with file sizes from 128K to 178K, with bogus partial addresses from hot rod, besinc, kraftcheese, webmaster... whatever's in front of the "@" in the email addy - which tells me it's prolly a virus.

These things don't care, they just execute. It's no-ones fault.

If you use the 'net, you better have an UP-TO-DATE virus protection program.

eleft(retired)

2 cents

> I don't know much about this stuff but I really

> don't think it's a direct result of

> heatinghelp.com. I think it's indirectly being

> done. I say this because I have the same

> unfortunate experience happen at my site (Oil

> Tech Talk) from time to time. I know there are

> many trolls out there that have the abilities you

> are referring to. But in this case sadly I truly

> think it's an individual with way to much time on

> their hands. I believe they gather as many e-mail

> addresses as they can from here and from my site

> then distribute their trash.

>

> One of the

> reasons I believe this is because at one time

> when I added some e-mail links to my site so

> technicians could e-mail technical services of

> manufactures from my site. The day after folks

> from my site including myself started to get the

> bogus e-mails that looked as though they were

> coming from the tech service folks and I don't

> care how smart the other trolls are it was to

> much of a coincidence that the subject line would

> say New Boiler Design.

>

> Any how I'm sorry for

> rambling but it ticks me off that these goofs

> make it look like it's Dans fault here or my

> fault at my site. Oh well thanks for

> listening.

>

> Your friend in the

> industry,_br__SP__br_Alan R.

> Mercurio_BR__SP__BR__a

> href="http://disc.server.com/Indices/24736.html"_

> Oil Tech Talk_/a_



Well, not that I want my Email to remain anonymous.

I was getting a virus shortly after every time I posted on the wall.

No hits when I posted this (!) in the Email spot. Alan may have it right.

al

eleft(retired)

2 cents

Well, not that I want my Email to remain anonymous.

I was getting a virus shortly after every time I posted on the wall.

No hits when I posted this (!) in the Email spot. Alan may have it right.

al

Terry_4

JimGPE seems to have it right..

It isn't grabbing addresses from our address books (I have none in mine, and I'm sure that I'm not in anyone else's on the wall either) or our contact lists. It seems to just grab them from wall postings. If I don't post anything for 3 or 4 days (i.e. my address has dropped off the wall) I get no virus laden e-mails. But when I post a message again then I get several from other people that have posted messages. Hopefully this thing will run it's course soon. By the way, thanks for a great site Dan, it's a real learning experience! Terry

ScottMP

No one's at fault

Except for the jerk who wrote this stuff.

I am getting the same problem that when I post it sometimes comes back to my e-mail and tells me it could'nt send the e-mail. When I check it, since I did'nt try to e-mail anyone, it turns out to be my post on the wall.

Many of these have names concerning heating issues.

By the way HR, those e-mails were meant for Ellen, sorry Dude. Not saying your not cute ( wink,wink )

Scott

To Learn More About This Contractor, Click Here to Visit Their Ad in "Find A Contractor"

Jeff Lawrence_2

My Girlfriend?

Gotta chime in here.

I got one with the title "Photos of my New Girlfriend" from HeatBoy. First off, I don't think his bride would like that and second, he'd send boiler pictures!

J

DanHolohan

Thanks, Terry

For me too!

Eric Taylor_3

same thing

I told Norton antivirus to accept cookies from HeatingHelp so I could use bookmarks and not have to keep typing my email. I surfed for days rejecting cookies before doing this. As soon as I let invision put a cookie on my hard drive BANG. I'm getting tens of emails per day with the klez virus from names on The Wall. Norton gets all of them. I stopped posting for a while and they went away. I bet I get more right now....

Eric

Eric Taylor_3

Yup

Just got three in five min. So, I deleted all cookies and tried to tell Norton to prompt each time for HeatingHelp, but I am still figuring Norton out. Lets see if I get one right now....

Eric Taylor_3

OK

Cookies are still on for HeatingHelp, but I haven't gotten a bad email yet. I think that just deleting the old cookies and accepting the new and improved model might have helped. Or I just haven't got hit yet. We'll seee....

John Abbott

The virus

> Except for the jerk who wrote this stuff.

>

> I am

> getting the same problem that when I post it

> sometimes comes back to my e-mail and tells me it

> could'nt send the e-mail. When I check it, since

> I did'nt try to e-mail anyone, it turns out to be

> my post on the wall.

>

> Many of these have names

> concerning heating issues.

>

> By the way HR,

> those e-mails were meant for Ellen, sorry Dude.

> Not saying your not cute ( wink,wink

> )

>

> Scott

>

> _A

> HREF="http://www.heatinghelp.com/getListed.cfm?id=

> 237&Step=30"_To Learn More About This Contractor,

> Click Here to Visit Their Ad in "Find A

> Contractor"_/A_

John Abbott

The virus

is definetely coming from the wall.When I post I receive 2 virus laden e-mails with names associated with the wall the following day.My anti virus picks them up so far, but it sure is a nuisance and I would hate to be deleting legitimate e-mails.
John

Frank_3

Dan H., please take another look

First of all, I'm not blaming anybody. Someone with too much intelligence and not enough common sense wrote this virus and somehow gets his/her jollies from knowing all the headaches it's causing.

However, since the problem is pretty clearly coming from the Wall, or the Invision server that runs the Wall, it's certainly the administrator's responsibility to clean it up.

So, Dan, please have your server, Invision's server, whoever's server rescanned. I believe Klez also disables some antivirus engines so it may be necessary to shut down the server and move the disk to another system to be checked. I'm sure you don't want to continue receiving those e-mails and if it's coming from your own server that must certainly be even more annoying. It'd definitely get me pissed off -- in fact I'm already pissed and it's not my server.

Vito

-----Virus Info-----

As you can see, I posted my email aboove.

The website is not causing the worm to spread. If someone has the Virus (it's been around for a while) it will spread to all that users address books and infecting all those users that are not protected, the rest of us just get annoying messages that state that a virus was attempted to be delivered.

The server "The Wall" is on as well as HeatingHelp.com is protected with Virus software, therefor is not the cause of this issue.

Thank You

Frank_3

Can you explain ...

... why so many people report that they receive virus notifications or virus-laden e-mails only after they've posted a message to the Wall? Or why the virus e-mails only appear to have names of those people that participate on the Wall?

Does the software which runs the Wall rely on Microsoft Outlook or Outlook Express to either a) maintain the list of e-mail addresses of people posting, or b) perform the e-mail functions related to the "Notify me by e-mail about all messages posted in this topic" option?

Frank_3

Can you explain ...

... why so many people report that they receive virus notifications or virus-laden e-mails only after they've posted a message to the Wall? Or why the virus e-mails only appear to have names of those people that participate on the Wall?

Does the software which runs the Wall rely on Microsoft Outlook or Outlook Express to either a) maintain the list of e-mail addresses of people posting, or b) perform the e-mail functions related to the "Notify me by e-mail about all messages posted in this topic" option?

Vito

Why...

Why after visiting "The Wall".... there's no reason it could be coincidence. It takes one email from one person, that person could have had many names in his address book from the Wall.

The site does not rely on Outlook for email address. Messages are database stored.

If you still don't believe me feel free to use Netscape for a mailer.

ScottMP

Vito

This may be unrelated but, many times when I post a response to a question on the wall and then go to my e-mail there is a message that says my e-mail was underliverable. Since I have sent nothing , I check it, and it turns out to be my post response.

Anyway to figure out why this is happening ?

Scott

To Learn More About This Contractor, Click Here to Visit Their Ad in "Find A Contractor"

Mike T., Swampeast MO

.klez worm

It's been around for quite a while now. One reason that the damned thing is so frustrating is that unless caught by your anti-virus software or server it can run itself without opening the attachment. This was complicated further by the fact that the first Microsoft "fix" for the "auto-load" problem DID NOT WORK. The later fix did plug the hole properly.

One reason that it spreads so well is that it sends itself to UNREPLIED messages in your "Inbox." While the SUBJECT will usually be something strange (often "Naked Photos of Me"), it will seem to come from an "expected" source.

Jackchips

Ditto,

to Scotts question.

Vito

Did is due to the option of "Notify me by e-mail about all messages posted in this topic", bounced messages will be sent to sender.

It's just like if you type in an email to joeblow@nowhere.com it will bounce back to you since the email can not be delivered for whatever reason. Or simply put it's like "Return to Sender" of snail mail.

Jackchips

Then why

doesn't it happen every time?

Unknown

I don't use

the notify by e-mail button and every time I post I start getting these too. Ninety-nine percent of these are all from the wall. I find it very hard to believe that anyone would copy and save my e-mail address from the posts that I put here on the wall unless of course they are going to e-mail me and most do not because I usually answer their responses directly in the threads. But hours or day later I start getting these from people that I have never e-mailed or spoken to before except here on the wall. Go figure!

Glenn Stanton

Burnham Hydronics

Online Sheriff \"Murph\"

maybe back in the sixties............

uhh.......nevermind, hey glenn !!


I have been lurking the last couple weeks to see if the klez slows down and it did/does the more i post these come more frequently, thinking about a refund......uhhhh nevermind !!


Murph' (SOS)

DanHolohan

DanHolohan