« Solemn Solomon Prediction | Main | Not the Best Day In The World »


In the last two hours, I've started receiving dozens of bounce emails from various sites, all of them claiming that variations on the threeyearofhell.com email address have mailed them. Most of these files had attachments on them, and those attachments seemed particularly dodgy: they seem to be a payload for the SOBER.O virus or some variant. Most of them, however, had this standard SOBER.O text in them:

Account and Password Information are attached!

Visit: http://www.threeyearsofhell.com

Now, here's the disasterous part. Somehow, this seems to have spammed a large number of addresses at USCourts.gov. Yes, that's right, a copy of this virus, seeming to come from my address, appears now to have landed in the inboxes of a completely unknowable number of judges. Or maybe I'm lucky: most of the bounce messages seem to be variations of proper email addresses.

I've now taken a couple of hours away from studying for exams to scan this--and all my other--hard drives to a fare-the-well. I've found nothing. I'm skeptical that these are being sent from my machine anyway: the email address most commonly used (blog--at--threeyearsofhell.com, replace --at-- with @) is one that I don't use to send outgoing mail. Furthermore, none of the addresses that are bouncing back come from my machine--it looks like they came from someone who either (a) had a list of judges on their site for clerkship purposes, and (b) had mailed the "contact me" address at my site. [1] Given that much of my readership is law students, though, that doesn't narrow it down much.

(Another reason that I'm skeptical that the mail is coming from my computer: to the best of my knowledge there's not a list of federal judges on my PC. I'm that far behind in considering clerkships.)

Does anyone know how I might track down the source of this problem? Some of the emails have source IP addresses, but TraceRT can only get so far as some locations in Atlanta that aren't particularly helpful.

In the meantime, if you're one of my readers, and especially if you've sent me an email recently, I'd ask you to please update your virus software and scan your hard drive. It can't hurt.

Just my luck, eh?

[1]: There's also the possibility that rather than poor fortune, someone's doing this intentionally. The last thing on earth I need just before clerk season is every Article III judge in the country getting an email from "me" with a nifty viral payload. But that's more paranoid than I care to be. UPDATE: To make it clear: it would be easy for this to be a coincidence. I really don't think it's intentional.

UPDATE II: One of the bounce messages has now included a copy of the virus. Does anyone know how to take one of these apart? There might be some clues on exactly where it came from.


TrackBack URL for this entry:


The messages aren't coming from your computer. The programme which is sending them however has harvested your address and is substituting it in the from field. So when a mailserver bounces the message it bounces it back to you and not the original sender. This kind of second order spam (you get spam that's not even trying to sell you stuff, it's just bouncing from someone elses mailserver) has grown a lot in the last few years.
1. Don't panic! 2. Sober is nailing a lot of sites. I would hope that uscourts.gov is protected by a virus scanner at the domain level. If there is, and if it is competently managed (which is more than likely) then chances are no one but the admins will see the virus infected messages. 4. I would venture to say that nearly all 5-9's (99.999%) of administrators know that viruses seldom (.001%) come from where it says they come from on their "from" line. 5. This is an example of competent management and a virus scanner installed at the domain level: the team that manages our statewide K-12 network has encountered, at last count, 23,000 messages. I haven't seen one myself, but I'm not an admin. 6. Do not play with virii. In order to do so, you usually have to disable your anti-virus software, and you could accidentally trigger its payload. There are newer virii out there that will target your anti-virus software. If it's not engaged, you'll end up facing a drive wipe, followed by complete windows/program reinstall, and restoring your backups. 7. Don't panic!
Thanks, guys. Martin: I figured that's what's going on, but checking my own machine made sense. I just want to know how I got the poor luck to have my address being spoofed (if the bounce messages are to be believed) mostly to addresses in uscourts.gov. Jonathan: After a good night's sleep, the panic is mostly gone. As you said, most of the bounce messages are now being followed by autosent messages from certain districts' autosenders saying that messages have been blocked. At least Georgia and Louisiana seem not to have gotten the spoof. Oddly, at least one judge in Alabama may have been hit: I got a copy of the virus delivered to me not in a bounce message, but a further spoof. (Unclear, of course: this could be the original infected fellow just spoofing a different from/to. But the header shows a different source than every other one I've received.)

Post a comment

NOTICE TO SPAMMERS, COMMENT ROBOTS, TRACKBACK SPAMMERS AND OTHER NON-HUMAN VISITORS: No comment or trackback left via a robot is ever welcome at Three Years of Hell. Your interference imposes significant costs upon me and my legitimate users. The owner, user or affiliate who advertises using non-human visitors and leaves a comment or trackback on this site therefore agrees to the following: (a) they will pay fifty cents (US$0.50) to Anthony Rickey (hereinafter, the "Host") for every spam trackback or comment processed through any blogs hosted on threeyearsofhell.com, morgrave.com or housevirgo.com, irrespective of whether that comment or trackback is actually posted on the publicly-accessible site, such fees to cover Host's costs of hosting and bandwidth, time in tending to your comment or trackback and costs of enforcement; (b) if such comment or trackback is published on the publicly-accessible site, an additional fee of one dollar (US$1.00) per day per URL included in the comment or trackback for every day the comment or trackback remains publicly available, such fee to represent the value of publicity and search-engine placement advantages.

Giving The Devil His Due

Choose Stylesheet

What I'm Reading

D.C. Noir

My city. But darker.
A Clockwork Orange

About time I read this...


Projects I've Been Involved With

A Round-the-World Travel Blog: Devil May Care (A new round-the-world travel blog, co-written with my wife)
Parents for Inclusive Education (From my Clinic)

Syndicated from other sites

The Columbia Continuum
Other Blogs by CLS students

De Novo
Theory and Practice
Liberal Federalism?
Good News, No Foolin'

Nancy Pelosi covers her head and visits the head of John the Baptist.
Vlogging in from Austin.
Omikase/"American Idol"

Jeremy Blachman's Weblog: 2007
Happy Passover
Looking for Advice re: LA
Google Books

Stay of Execution
What I've Learned From This Blog, or My Yellow Underpants
The End
Mid Thirties

Legal Theory Blog
Program Announcement: Summer Programs on the Constitution at George Washington
Book Announement: Political Foundations of Judicial Supremacy by Whittington
Entry Level Hiring Report

The Volokh Conspiracy
Making the Daily Show:
Civil unions pass New Hampshire House:
Profile of Yale Law Dean Harold Koh:

Crescat Sententia
Hillary II
Politics and Principal/Agents

Law Dork
Election Approaches
Following Lewis
New Jersey High Court: 'Same Rights and Benefits'

Surveying the revival
Birds of paradise

Half the Sins of Mankind
Cheney Has Spoken Religious conservatives who may ...
Does Ahmadinejad Know Christianity Better Than MSN...
Borders as Genocide In discussions of climate chan...

For lovers of garden gnomes...and any China-freaks out there
We Interrupt Your Regularly Scheduled Programming

Does SOX explain the flight from NY?
More Litvak on SOX effect on cross-listed firms
What did the market learn from internal controls reporting?

The Yin Blog
Iowa City = Riyadh
Jeffrey Rosen's "The Supreme Court"
Geek alert -- who would win between Battlestar Galactica and the U.S.S. Enterprise?

Letters of Marque
And there we are

Signing Off

Dark Bilious Vapors
Jim (The Waco Kid): Where you headed, cowboy?
Bart: Nowhere special.
Jim: Nowhere special. I always wanted to go there.
Bart: Come on.
--"Blazing Saddles"

Technical Difficulties... please stand by....
The Onion should have gotten a patent first....

Legal Ethics Forum
Interesting new Expert DQ case
Decency, Due Care, and The Yoo-Delahunty Memorandum
Thinking About the Fired U.S. Attorneys

Ex Post
Student Symposium- Chicago!
More Hmong - Now at Law School
Good Samaritan Laws: Good For America?

Appellate Law & Practice
Those turned over documents
CA1: courts can’t help people acquitted of crimes purge the taint of acquitted conduct
CA1: restrictions on chain liquor stores in Rhode Island are STILL okay

the imbroglio
High schoolers turn in plagiarism screeners for copyright infringement
Paris to offer 20,600 bikes at 1,450 stations to rent by the end of the year

The Republic of T.
The Secret of the Snack Attack
links for 2007-04-04
Where You Link is What You Get

Distractions for stressed law students

The Other Side: Twisted AnimationsSomething Positive, a truly good webcomic

Syndicate This Site



Stop Spam Harvesters, Join Project Honey Pot