HotPOP.com infected



roberto
07-09-2005, 11:50 PM
I have an e-mail account on www.HotPOP.com. I configured my Outlook Express
to access it using the POP service. Everything works perfectly!!! But this site
has been a target for the Mytob worm last week, and the other week, and
today... AGAIN!! My AVG 7.0 says that the incoming mails (yes, more than one,
coming from support@hotpop.com and webmaster@hotpop.com (you all know what
that means)) have been infected with a new version of the worm (EK). My AV
is always updated... I have no problem with being infected now, but this
"vulnerability" makes me nervous... today it is the "inoffensive" Mytob (I call it
that because it doesn't seem to do much damage) but tomorrow it could
be another MYDOOM. So I did one thing. I went to hotpop.com and activated the
Forwarding mail service. So the mails on Hotpop now go to my
xxxxxx@yahoo.com.mx (acting as a filter). But I'm worried whether "yahoo" will
consider my "hotpop" mails as spam or delete them because they contain the
Mytob virus... I don't even know if the mails that "arrive" clean at
Hotpop.com will "go out" infected. And finally I don't know if I'm making a
SPAM CONTRIBUTION... with this "go here now and then go there".

Any help please??

Robert
CUBA.

What's in a Name?
07-09-2005, 11:50 PM
My best advice to you is use Thunderbird for your mail.
http://www.mozilla.org/products/thunderbird/
-max
--
Virus Removal Instructions: http://home.neo.rr.com/manna4u/
You can find my e-mail address on my pages.
Registered Linux User #393236

David H. Lipman
07-09-2005, 11:50 PM
From: "What's in a Name?" <spamthis@nomail.afraid.org>

| My best advice to you is use Thunderbird for your mail.
| http://www.mozilla.org/products/thunderbird/
| -max
| --
| Virus Removal Instructions: http://home.neo.rr.com/manna4u/
| You can find my e-mail address on my pages.
| Registered Linux User #393236

How about Pegasus Mail?
It is highly recommended, has better spam and content filtering and is much lighter (size).
http://www.pmail.com/

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

What's in a Name?
07-09-2005, 11:50 PM
David H. Lipman wrote:
> From: "What's in a Name?" <spamthis@nomail.afraid.org>
>
> | My best advice to you is use Thunderbird for your mail.
> | http://www.mozilla.org/products/thunderbird/
> | -max
> | --
> | Virus Removal Instructions: http://home.neo.rr.com/manna4u/
> | You can find my e-mail address on my pages.
> | Registered Linux User #393236
>
> How about Pegasus mail ?
> It is highly recommended, has better spam and content filtering as is much lighter (size).
> http://www.pmail.com/
>
I have yet to try it-is it also free? Anything has got to be more secure
than M$ programs.
-max
--
Trying to get away from father Bill........
Registered Linux User #393236

David H. Lipman
07-09-2005, 11:50 PM
From: "What's in a Name?" <spamthis@gofuck.yourself.com>


| I have yet to try it-is it also free? Anything has got to be more secure
| than M$ programs.
| -max
| --
| Trying to get away from father Bill........
| Registered Linux User #393236

P-mail is totally free (unless you want a printed manual) and it's considered a Safe Hex
e-mailer.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

What's in a Name?
07-09-2005, 11:50 PM
David H. Lipman wrote:
> From: "What's in a Name?" <spamthis@gofuck.yourself.com>
>
>
> | I have yet to try it-is it also free? Anything has got to be more secure
> | than M$ programs.
> | -max
> | --
> | Trying to get away from father Bill........
> | Registered Linux User #393236
>
> P-mail is totally free (unless you want a printed manual) and its considered a Safe Hex
> e-mailer.
>
I looked over the site-no support for NTTP? :(
-max
--
Virus Removal Instructions: http://home.neo.rr.com/manna4u/
You can find my e-mail address on my pages.
Registered Linux User #393236

David H. Lipman
07-09-2005, 11:50 PM
From: "What's in a Name?" <spamthis@gofuck.yourself.com>


| I looked over the site-no support for NTTP? :(
| -max
| --
| Virus Removal Instructions: http://home.neo.rr.com/manna4u/
| You can find my e-mail address on my pages.
| Registered Linux User #393236

What is NTTP? I haven't heard of that protocol.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

roberto
07-09-2005, 11:50 PM
Perhaps I didn't explain myself correctly... I'm not planning to change my
E-Mail Client... I even think, after I posted the message, that I misunderstood
the purpose of this group... Basically I'm worried about 2 things... how this
could happen to the same site 3 times in less than 15 days... it has never
happened to me... but well, it doesn't matter; my main question is: Will
Yahoo consider my "hotpop" mails as spam or delete them because they contain the
Mytob virus...??

Bigfoot.com is good... also despammed.com to "filter" those messages, but
maybe instead of changing my E-Mail Client or using Bigfoot.com or despammed.com
I should be looking for another site offering an e-mail account with POP and
forwarding services? HotPOP looked good until 15 days ago...

Robert



"David H. Lipman" <DLipman~nospam~@Verizon.Net> escribió en el mensaje
news:uu5xVLnfFHA.484@TK2MSFTNGP14.phx.gbl...
> From: "What's in a Name?" <spamthis@nomail.afraid.org>
>
> | My best advice to you is use Thunderbird for your mail.
> | http://www.mozilla.org/products/thunderbird/
> | -max
> | --
> | Virus Removal Instructions: http://home.neo.rr.com/manna4u/
> | You can find my e-mail address on my pages.
> | Registered Linux User #393236
>
> How about Pegasus mail ?
> It is highly recommended, has better spam and content filtering as is much lighter (size).
> http://www.pmail.com/
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>

What's in a Name?
07-09-2005, 11:50 PM
David H. Lipman wrote:

>
> What is NTTP ? I ahven't heard of that protocol.
>

Me neither-lol NNTP-(need more praktice typin und spelin)
--
Virus Removal Instructions: http://home.neo.rr.com/manna4u/
You can find my e-mail address on my pages.
Registered Linux User #393236

David H. Lipman
07-09-2005, 11:50 PM
From: "roberto" <ralplavner@HotPOP.com>

| Perhaps I didn't explain myself correct...im not planning to change my
| E-Mail Client....i even think, after i posted the message, i missunderstood
| the purpose of this group...Basically I'm worried for 2 things....how this
| could happen to the same site 3 times in less than 15 days..it has never
| happened to me ...but well, it doesn't matter my main question is: Will
| Yahoo consider my "hotpop" mails as spam or delete them because contain the
| virus mytob...??
|
| Bigfoot.com is good....also despammed.com to "filter" those messages but
| maybe instead of change my E/Mail Client or use Bigfoot.com or despammed.com
| i should looking for another site offering an e mail account with POP and
| forwarding services? HotPOP looked good since 15 days ago....
|
| Robert

Who can tell what Yahoo will do. I do know that Yahoo email servers use AV software.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

What's in a Name?
07-09-2005, 11:50 PM
roberto wrote:
> Perhaps I didn't explain myself correct...im not planning to change my
> E-Mail Client....i even think, after i posted the message, i missunderstood
> the purpose of this group...Basically I'm worried for 2 things....how this
> could happen to the same site 3 times in less than 15 days..it has never
> happened to me ...but well, it doesn't matter my main question is: Will
> Yahoo consider my "hotpop" mails as spam or delete them because contain the
> virus mytob...??
>

HELLO- if you forward infected e-mails......??????
> Bigfoot.com is good....also despammed.com to "filter" those messages but
> maybe instead of change my E/Mail Client or use Bigfoot.com or despammed.com
> i should looking for another site offering an e mail account with POP and
> forwarding services? HotPOP looked good since 15 days ago....
>
> Robert
>
>

******Middle Posted for Maximum Confusion*************

Oh I understood correctly-you are concerned about getting infected.
My solution is simple-use a more secure e-mail client.
If you must use OE-
1. get a mailwashing program-benign is one that I found to work well.
2. get a spam filter-there are many out there....
3. set up AV to scan mail
4. get clamAV-it has a plug in for OE
5. set up OE to read in plain-text.
6. use restricted zone
7. don't allow any attackments to be saved.
I have more tips on my site.
http://home.neo.rr.com/manna4u/keepingclean.html
-max

> "David H. Lipman" <DLipman~nospam~@Verizon.Net> escribió en el mensaje
> news:uu5xVLnfFHA.484@TK2MSFTNGP14.phx.gbl...
>
>>From: "What's in a Name?" <spamthis@nomail.afraid.org>
>>
>>| My best advice to you is use Thunderbird for your mail.
>>| http://www.mozilla.org/products/thunderbird/
>>| -max
>>| --
>>| Virus Removal Instructions: http://home.neo.rr.com/manna4u/
>>| You can find my e-mail address on my pages.
>>| Registered Linux User #393236
>>
>>How about Pegasus mail ?
>>It is highly recommended, has better spam and content filtering as is much lighter (size).
>
>>http://www.pmail.com/
>>
>>--
>>Dave
>>http://www.claymania.com/removal-trojan-adware.html
>>http://www.ik-cs.com/got-a-virus.htm
>>
>>
>
>
>


--
Virus Removal Instructions: http://home.neo.rr.com/manna4u/
You can find my e-mail address on my pages.
Registered Linux User #393236

roberto
07-09-2005, 11:50 PM
LOL David... Who can tell what Yahoo will do... I sent 2 messages to my
HotPOP account. In one of them I put the word TEST in the subject and
in the message body. In the other message I put in the subject and in
the body something like this #@^%&*^%*&^$ and even a BAD WORD!!

The result was amazing!! Both messages "passed through" HotPOP but only one
"passed through" Yahoo... and it was the second one!!!! with the $#%^^&%^%
and the BAD WORD!!

I can't believe it!!

Robert
CUBA

"David H. Lipman" <DLipman~nospam~@Verizon.Net> escribió en el mensaje
news:OzT552nfFHA.3124@TK2MSFTNGP12.phx.gbl...
> From: "roberto" <ralplavner@HotPOP.com>
>
> | Perhaps I didn't explain myself correct...im not planning to change my
> | E-Mail Client....i even think, after i posted the message, i missunderstood
> | the purpose of this group...Basically I'm worried for 2 things....how this
> | could happen to the same site 3 times in less than 15 days..it has never
> | happened to me ...but well, it doesn't matter my main question is: Will
> | Yahoo consider my "hotpop" mails as spam or delete them because contain the
> | virus mytob...??
> |
> | Bigfoot.com is good....also despammed.com to "filter" those messages but
> | maybe instead of change my E/Mail Client or use Bigfoot.com or despammed.com
> | i should looking for another site offering an e mail account with POP and
> | forwarding services? HotPOP looked good since 15 days ago....
> |
> | Robert
>
> Who can tell what Yahoo will do. I do know that Yahoo email servers use AV software.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>

David H. Lipman
07-09-2005, 11:50 PM
From: "What's in a Name?" <spamthis@nomail.afraid.org>

| David H. Lipman wrote:
|
>> What is NTTP ? I ahven't heard of that protocol.
>>
| Me neither-lol NNTP-(need more praktice typin und spelin)
| --
| Virus Removal Instructions: http://home.neo.rr.com/manna4u/
| You can find my e-mail address on my pages.
| Registered Linux User #393236

That's correct. P-Mail does not support Network News Transport Protocol. It is purely an
email client. However, it is Netware compliant and if it is installed on a Netware Server
then you have a complete Intranet/Internet email system.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

roberto
07-09-2005, 11:50 PM
And only now....after almost 15 minutes i receive the other
message......!!!!!

Simply....no words

Robert

"David H. Lipman" <DLipman~nospam~@Verizon.Net> escribió en el mensaje
news:OzT552nfFHA.3124@TK2MSFTNGP12.phx.gbl...
> From: "roberto" <ralplavner@HotPOP.com>
>
> | Perhaps I didn't explain myself correct...im not planning to change my
> | E-Mail Client....i even think, after i posted the message, i missunderstood
> | the purpose of this group...Basically I'm worried for 2 things....how this
> | could happen to the same site 3 times in less than 15 days..it has never
> | happened to me ...but well, it doesn't matter my main question is: Will
> | Yahoo consider my "hotpop" mails as spam or delete them because contain the
> | virus mytob...??
> |
> | Bigfoot.com is good....also despammed.com to "filter" those messages but
> | maybe instead of change my E/Mail Client or use Bigfoot.com or despammed.com
> | i should looking for another site offering an e mail account with POP and
> | forwarding services? HotPOP looked good since 15 days ago....
> |
> | Robert
>
> Who can tell what Yahoo will do. I do know that Yahoo email servers use AV software.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>

roberto
07-09-2005, 11:50 PM
Perhaps I should quit this... or maybe get better English lessons LOL

I'm not worried about getting infected... I have no problem with this... I'm
concerned about this: HotPOP.com is affected by the Mytob worm. I'm receiving
some messages from support@hotpop.com and webmaster@hotpop.com with the known
subjects YOUR PASSWORD HAS SUCESFULLY CHANGED... among others. I configured
my OE to access this account on HotPOP using the POP services this site
offers... but now that I know the site is affected by Mytob I "tried" to save
my messages and save myself in some way... in the future... by changing from
the POP service to a FORWARDING service. So I used a Yahoo account with the POP
option that I have on www.yahoo.com.mx as a filter. If the Hotpop site is affected,
then will all the messages I receive THERE be automatically infected??? So
then Yahoo will delete my messages...

I think I will lose part of my e-mails... trying to do the right
thing...

"What's in a Name?" <spamthis@nomail.afraid.org> escribió en el mensaje
news:Mcixe.29337$IL3.11653@tornado.ohiordc.rr.com...
> roberto wrote:
> > Perhaps I didn't explain myself correct...im not planning to change my
> > E-Mail Client....i even think, after i posted the message, i missunderstood
> > the purpose of this group...Basically I'm worried for 2 things....how this
> > could happen to the same site 3 times in less than 15 days..it has never
> > happened to me ...but well, it doesn't matter my main question is: Will
> > Yahoo consider my "hotpop" mails as spam or delete them because contain the
> > virus mytob...??
> >
>
> HELLO- if you forward infected e-mails......??????
> > Bigfoot.com is good....also despammed.com to "filter" those messages but
> > maybe instead of change my E/Mail Client or use Bigfoot.com or despammed.com
> > i should looking for another site offering an e mail account with POP and
> > forwarding services? HotPOP looked good since 15 days ago....
> >
> > Robert
> >
> >
>
> ******Middle Posted for Maximum Confusion*************
>
> Oh I understood correctly-you are concerned about getting infected.
> My solution is simple-use a more secure e-mail client.
> If you must use OE-
> 1. get a mailwashing program-benign is one that I found to work well.
> 2. get a spam filter-there are many out there....
> 3. set up AV to scan mail
> 4. get clamAV-it has a plug in for OE
> 5. set up OE to read in plain-text.
> 6. use restricted zone
> 7. don't allow any attackments to be saved.
> I have more tips on my site.
> http://home.neo.rr.com/manna4u/keepingclean.html
> -max
>
> > "David H. Lipman" <DLipman~nospam~@Verizon.Net> escribió en el mensaje
> > news:uu5xVLnfFHA.484@TK2MSFTNGP14.phx.gbl...
> >
> >>From: "What's in a Name?" <spamthis@nomail.afraid.org>
> >>
> >>| My best advice to you is use Thunderbird for your mail.
> >>| http://www.mozilla.org/products/thunderbird/
> >>| -max
> >>| --
> >>| Virus Removal Instructions: http://home.neo.rr.com/manna4u/
> >>| You can find my e-mail address on my pages.
> >>| Registered Linux User #393236
> >>
> >>How about Pegasus mail ?
> >>It is highly recommended, has better spam and content filtering as is much lighter (size).
> >
> >>http://www.pmail.com/
> >>
> >>--
> >>Dave
> >>http://www.claymania.com/removal-trojan-adware.html
> >>http://www.ik-cs.com/got-a-virus.htm
> >>
> >>
> >
> >
> >
>
>
> --
> Virus Removal Instructions: http://home.neo.rr.com/manna4u/
> You can find my e-mail address on my pages.
> Registered Linux User #393236

David H. Lipman
07-09-2005, 11:50 PM
From: "roberto" <ralplavner@HotPOP.com>

| Perhaps i should quit this....or maybe get a better lessons of English LOL
|
| Im not worried about getting infected....i have not problem with this....im
| concerning about this: HotPOP.com is afected by Mytob worm . Im receiving
| some messages from support@hotpop.com webmaster@hotpop.com with the known
| subjects YOUR PASSWORD HAS SUCESFULLY CHANGED...among others. I configured
| my OE to acccess to this account on HotPOP using the POP services this site
| offers...but now that i know the site is afected by mytob i "tried" to save
| my messages and save me in some way ...in a future....changing the feature
| of POP service for a FORWARDING Service. So, i used a yahoo account with POP
| option i have on www.yahoo.com.mx as a filter. If Hotpop site is afected
| then all the messages i receive THERE will be automatically infected??? So,
| then Yahoo will delete my messages....
|
| I think i will lost part of my e -mails.....trying to made the good
| thing...


I think you may find that the email from addresses are forged.

This is a well known Social Engineering trick to get you infected by making it seem like
it came from a legitimate source.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

roberto
07-09-2005, 11:50 PM
This is the Source Code of one of the e mails...

X-EMS: wait 10s
X-EMS: wait 20s
X-EMS: wait 30s
X-EMS: wait 40s
X-EMS: wait 50s
Return-Path: <mail@hotpop.com>
Received: from hotpop.com (unknown [203.90.83.237])
by mx2.hotpop.com (Postfix) with ESMTP id E4005136E37C
for <ralplavner@hotpop.com>; Fri, 1 Jul 2005 17:43:21 +0000 (UTC)
From: mail@hotpop.com
To: ralplavner@hotpop.com
Subject: IMPORTANT NOTIFICATION
Date: Fri, 1 Jul 2005 23:13:24 +0530
X-Priority: 3
X-MSMail-Priority: Normal
Message-Id: <20050701174321.E4005136E37C@mx2.hotpop.com>
X-HotPOP-Delivered-To: ralplavner@hotpop.com
X-Antivirus: AVG for E-mail 7.0.323 [267.8.8]
Mime-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0001_F3B9E1FB.FB56ADFE"

------=_NextPart_000_0001_F3B9E1FB.FB56ADFE
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit


<html>
<body>
<BR><STRONG>Dear Hotpop Member, </STRONG><BR>
<BR>Your e-mail account was used to send a huge amount of unsolicited spam
messages during the recent week. If you could please take 5-10 minutes out
of your online experience and confirm the attached document so you will not
run into any future problems with the online service.<BR>
<BR>If you choose to ignore our request, you leave us no choice but to
cancel your membership.<BR>
<BR>Virtually yours,
<BR>The Hotpop Support Team <BR>
<BR><BR><BR><BR><BR>
<BR>+++ Attachment: No Virus found
<BR>+++ Hotpop Antivirus - www.hotpop.com
</body>
</html>



------=_NextPart_000_0001_F3B9E1FB.FB56ADFE
Content-Type: text/plain; x-avg=cert; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
Content-Description: "AVG certification"

Viruses found in the attached files.
The file important-details.zip: Virus identified I-Worm/Mytob.KS. The
attac=
hment was moved to the virus vault.

Checked by AVG Anti-Virus.
Version: 7.0.323 / Virus Database: 267.8.8/37 - Release Date: 01/07/2005

------=_NextPart_000_0001_F3B9E1FB.FB56ADFE--

The IP number does not match the HotPOP IP number; I checked this (you can
see an example below). I think it's appropriate to say that MY SERVER is
generating these messages... it's the only possibility; who else would know about
HotPOP? But now I don't understand something: why does it only generate these
fake messages from hotpop?? Because it could generate other fake
messages... and even ITS OWN fake message, something like support@mydomain.com
or teamisla@mydomain.com

Am I correct?

Robert
CUBA




X-Apparently-To: xxx@yahoo.com.mx via 68.142.198.109; Fri, 01 Jul 2005
14:50:23 -0700
X-YahooFilteredBulk: 38.113.3.61
X-Originating-IP: [38.113.3.61]
Return-Path: <notification-return-1823-xxx=hotpop.com@lists.sophos.com>
Authentication-Results: mta175.mail.mud.yahoo.com
from=lists.sophos.com; domainkeys=neutral (no sig)
Received: from 38.113.3.61 (EHLO smtp-out.hotpop.com) (38.113.3.61)
by mta175.mail.mud.yahoo.com with SMTP; Fri, 01 Jul 2005 14:50:23 -0700
Received: from hotpop.com (kubrick.hotpop.com [38.113.3.103])
by smtp-out.hotpop.com (Postfix) with SMTP id 552C2136FC37


> I think you may find that the email from addresses are forged.
>
> This is a well known Social Enginerring trick to to get yuou infected by making it seem like
> it came from a legitimate source.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>

Tom Pepper Willett
07-09-2005, 11:50 PM
No, Roberto, you're not listening to what people are saying. Your address
is most likely being forged. Read the previous replies again.

Tom

"roberto" <ralplavner@HotPOP.com> wrote in message
news:ucx6QEpfFHA.3940@tk2msftngp13.phx.gbl...
| This is the Source Code of one of the e mails...
|
| X-EMS: wait 10s
| X-EMS: wait 20s
| X-EMS: wait 30s
| X-EMS: wait 40s
| X-EMS: wait 50s
| Return-Path: <mail@hotpop.com>
| Received: from hotpop.com (unknown [203.90.83.237])
| by mx2.hotpop.com (Postfix) with ESMTP id E4005136E37C
| for <ralplavner@hotpop.com>; Fri, 1 Jul 2005 17:43:21 +0000 (UTC)
| From: mail@hotpop.com
| To: ralplavner@hotpop.com
| Subject: IMPORTANT NOTIFICATION
| Date: Fri, 1 Jul 2005 23:13:24 +0530
| X-Priority: 3
| X-MSMail-Priority: Normal
| Message-Id: <20050701174321.E4005136E37C@mx2.hotpop.com>
| X-HotPOP-Delivered-To: ralplavner@hotpop.com
| X-Antivirus: AVG for E-mail 7.0.323 [267.8.8]
| Mime-Version: 1.0
| Content-Type: multipart/mixed;
| boundary="----=_NextPart_000_0001_F3B9E1FB.FB56ADFE"
|
| ------=_NextPart_000_0001_F3B9E1FB.FB56ADFE
| Content-Type: text/html; charset=ISO-8859-1
| Content-Transfer-Encoding: 7bit
|
|
| <html>
| <body>
| <BR><STRONG>Dear Hotpop Member, </STRONG><BR>
| <BR>Your e-mail account was used to send a huge amount of unsolicited spam
| messages during the recent week. If you could please take 5-10 minutes out
| of your online experience and confirm the attached document so you will not
| run into any future problems with the online service.<BR>
| <BR>If you choose to ignore our request, you leave us no choice but to
| cancel your membership.<BR>
| <BR>Virtually yours,
| <BR>The Hotpop Support Team <BR>
| <BR><BR><BR><BR><BR>
| <BR>+++ Attachment: No Virus found
| <BR>+++ Hotpop Antivirus - www.hotpop.com
| </body>
| </html>
|
|
|
| ------=_NextPart_000_0001_F3B9E1FB.FB56ADFE
| Content-Type: text/plain; x-avg=cert; charset=us-ascii
| Content-Transfer-Encoding: quoted-printable
| Content-Disposition: inline
| Content-Description: "AVG certification"
|
| Viruses found in the attached files.
| The file important-details.zip: Virus identified I-Worm/Mytob.KS. The
| attac=
| hment was moved to the virus vault.
|
| Checked by AVG Anti-Virus.
| Version: 7.0.323 / Virus Database: 267.8.8/37 - Release Date: 01/07/2005
|
| ------=_NextPart_000_0001_F3B9E1FB.FB56ADFE--
|
| The IP number is not valid with the HotPOP IP number I checked this (u can
| see an example below) I think it's appropiate to say that MY SERVER is
| generating these messages...is the only possibility who else will know about
| HotPOP? But now i dont understand something?? Why It only generates this
| fake messages from hotpop?? Because it could generate another fake
| messages....and even HIS OWN fake message something as support@mydomain.com
| or teamisla@mydomain.com
|
| Am I correct?
|
| Robert
| CUBA
|
|
|
|
| X-Apparently-To: xxx@yahoo.com.mx via 68.142.198.109; Fri, 01 Jul 2005
| 14:50:23 -0700
| X-YahooFilteredBulk: 38.113.3.61
| X-Originating-IP: [38.113.3.61]
| Return-Path: <notification-return-1823-xxx=hotpop.com@lists.sophos.com>
| Authentication-Results: mta175.mail.mud.yahoo.com
| from=lists.sophos.com; domainkeys=neutral (no sig)
| Received: from 38.113.3.61 (EHLO smtp-out.hotpop.com) (38.113.3.61)
| by mta175.mail.mud.yahoo.com with SMTP; Fri, 01 Jul 2005 14:50:23 -0700
| Received: from hotpop.com (kubrick.hotpop.com [38.113.3.103])
| by smtp-out.hotpop.com (Postfix) with SMTP id 552C2136FC37
|
|
| > I think you may find that the email from addresses are forged.
| >
| > This is a well known Social Enginerring trick to to get yuou infected by making it seem like
| > it came from a legitimate source.
| >
| > --
| > Dave
| > http://www.claymania.com/removal-trojan-adware.html
| > http://www.ik-cs.com/got-a-virus.htm
| >
| >
|
|
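
The header comparison discussed in the posts above, as an added example that is not part of any post in the thread: it takes the two header sets pasted earlier and checks the hop recorded by the provider's own mail server against the domain the message claims to come from. It assumes Postfix-style `Received:` lines and that only the line written by the trusted server (here any host under `hotpop.com`) can be relied on; the function names and verdict strings are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Headers as pasted in the thread (continuation lines re-indented so they parse).
SUSPECT = (
    "Return-Path: <mail@hotpop.com>\n"
    "Received: from hotpop.com (unknown [203.90.83.237])\n"
    " by mx2.hotpop.com (Postfix) with ESMTP id E4005136E37C\n"
    " for <ralplavner@hotpop.com>; Fri, 1 Jul 2005 17:43:21 +0000 (UTC)\n"
    "From: mail@hotpop.com\n"
    "Subject: IMPORTANT NOTIFICATION\n"
    "\n"
)
RELAYED = (
    "Return-Path: <notification-return-1823-xxx=hotpop.com@lists.sophos.com>\n"
    "Received: from 38.113.3.61 (EHLO smtp-out.hotpop.com) (38.113.3.61)\n"
    " by mta175.mail.mud.yahoo.com with SMTP; Fri, 01 Jul 2005 14:50:23 -0700\n"
    "Received: from hotpop.com (kubrick.hotpop.com [38.113.3.103])\n"
    " by smtp-out.hotpop.com (Postfix) with SMTP id 552C2136FC37\n"
    "\n"
)

# Postfix writes: from <HELO name> (<reverse DNS or "unknown"> [<client IP>]) by <server>
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[0-9A-Fa-f.:]+)\]\)"
    r"\s+by\s+(?P<by>\S+)"
)


def parse_received(value):
    """Return helo/rdns/ip/by for a Postfix-style Received value, else None."""
    match = RECEIVED_RE.search(" ".join(value.split()))  # unfold first
    return match.groupdict() if match else None


def in_domain(host, domain):
    """True if host is the domain itself or a name underneath it."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return bool(domain) and (host == domain or host.endswith("." + domain))


def assess(raw_headers, trusted_domain):
    """Compare the hop logged by the trusted server with what the mail claims."""
    msg = message_from_string(raw_headers)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

    # Received lines are prepended, so the first one written by a trusted
    # host is the newest trustworthy record; lines below it are sender-supplied.
    hop = None
    for value in msg.get_all("Received", []):
        parsed = parse_received(value)
        if parsed and in_domain(parsed["by"], trusted_domain):
            hop = parsed
            break
    if hop is None:
        return {"verdict": "undetermined", "findings": [], "hop": None}

    findings = []
    # Weak signal alone: the client introduced itself with a name that its
    # reverse DNS does not back up ("unknown" means the lookup failed).
    if not in_domain(hop["rdns"], hop["helo"]):
        findings.append("HELO %s not confirmed by reverse DNS (%s)"
                        % (hop["helo"], hop["rdns"]))
    # Strong signal: From: uses the provider's own domain, yet the message
    # was handed to the provider by a host outside that domain.
    forged = in_domain(from_domain, trusted_domain) and not in_domain(
        hop["rdns"], trusted_domain)
    if forged:
        findings.append("From: domain %s but delivered by outside host %s"
                        % (from_domain, hop["ip"]))
    verdict = ("forged-sender-likely" if forged
               else "helo-mismatch" if findings else "no-mismatch")
    return {"verdict": verdict, "findings": findings, "hop": hop}


if __name__ == "__main__":
    for name, raw in (("suspect", SUSPECT), ("relayed", RELAYED)):
        print(name, assess(raw, "hotpop.com"))
```
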

N. Miller
07-09-2005, 11:50 PM
On Fri, 1 Jul 2005 19:39:51 -0400, roberto wrote:

> Im not worried about getting infected....i have not problem with this....im
> concerning about this: HotPOP.com is afected by Mytob worm . Im receiving
> some messages from support@hotpop.com webmaster@hotpop.com with the known
> subjects YOUR PASSWORD HAS SUCESFULLY CHANGED...among others. I configured
> my OE to acccess to this account on HotPOP using the POP services this site
> offers...but now that i know the site is afected by mytob i "tried" to save
> my messages and save me in some way ...in a future....changing the feature
> of POP service for a FORWARDING Service. So, i used a yahoo account with POP
> option i have on www.yahoo.com.mx as a filter. If Hotpop site is afected
> then all the messages i receive THERE will be automatically infected??? So,
> then Yahoo will delete my messages....

So you will have your HotPOP email forwarded to Yahoo! Mail, Mexico. I
don't know if yahoo.co.mx works exactly like yahoo.com. What I have with a
yahoo.com account is SpamGuard, and the Yahoo! AV program. Yahoo! AV is
strictly hit or miss. When it hits, it only catches viral email, and you
get a notice akin to this:

--------------------------------------
|From: "SBC Yahoo! Mail Virus Protection <***-***@yahoo-inc.com>"
|To: ***@pacbell.net
|Date: Mon, 06 Dec 2004 10:48:55 -0800
|Subject: "Alert: Virus Detected but not Cleaned - Attachment Removed" [E-mail technical support warning.]
|MIME-Version: 1.0
|Content-Type: multipart/mixed;
| boundary="0-1127678671-1102359134-52518"
|
|--0-1127678671-1102359134-52518
|Content-Type: text/plain; charset=us-ascii
|Content-Id:
|Content-Disposition: inline
|
|"Your SBC Yahoo! Mail Virus Protection detected the virus '"W32.Beagle.M@mm"' in
|the file '"Information.pif"', attached to the enclosed email message. We scanned
|the file using Norton AntiVirus but were unable to clean it. Therefore, we
|removed the content of the attachment from the message. Please contact the
|message sender if you want to receive the attachment. They must clean the file
|and resend it before we can deliver it to you safely.
|
|"
|
|"SBC Yahoo! Mail successfully cleans most infected attachments, which protects
|you from viruses.
|"
|
|--0-1127678671-1102359134-52518
|Content-Type: message/rfc822
|
|{Original message here; viral attachment was stripped. I removed the entire
| message because it isn't interesting.}
--------------------------------------

When it doesn't work, the viral message is delivered unaltered. I know
because my MTA POPs the pacbell.net accounts on pop.pacbell.yahoo.com. My
MTA runs its own virus check, and catches what Yahoo! Mail misses.

The other feature of yahoo.com is "SpamGuard". It is a trainable filter
which routes email either to "Inbox", or "Bulk" folders. If you aren't
downloading the "Bulk" folder contents, you need to check the web interface
from time to time to see if any goodmail landed in the "Bulk" folder. Any
goodmail in the "Bulk" folder should be opened; this reveals a "This is not
spam" button. Click on the button and the message will automatically be
moved to your "Inbox", and the SpamGuard filters updated.

--
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint

