
EMERGENCY REQUEST FOR HELP (AND A HEADACHE I DON'T NEED)

In the last two hours, I've started receiving dozens of bounce emails from various sites, all of them claiming that variations on a threeyearsofhell.com email address have mailed them. Most of these messages had attachments, and those attachments seemed particularly dodgy: they appear to be a payload for the SOBER.O virus or some variant. Most of them, however, had this standard SOBER.O text in them:

Account and Password Information are attached!

Visit: http://www.threeyearsofhell.com


Now, here's the disastrous part. Somehow, this seems to have spammed a large number of addresses at USCourts.gov. Yes, that's right, a copy of this virus, seeming to come from my address, appears now to have landed in the inboxes of a completely unknowable number of judges. Or maybe I'm lucky: most of the bounce messages seem to be variations of proper email addresses.

I've now taken a couple of hours away from studying for exams to scan this--and all my other--hard drives to a fare-thee-well. I've found nothing. I'm skeptical that these are being sent from my machine anyway: the email address most commonly used (blog--at--threeyearsofhell.com, replace --at-- with @) is one that I don't use to send outgoing mail. Furthermore, none of the addresses that are bouncing back come from my machine--it looks like they came from someone who (a) had a list of judges on their site for clerkship purposes, and (b) had mailed the "contact me" address at my site. [1] Given that much of my readership is law students, though, that doesn't narrow it down much.

(Another reason that I'm skeptical that the mail is coming from my computer: to the best of my knowledge there's not a list of federal judges on my PC. I'm that far behind in considering clerkships.)

Does anyone know how I might track down the source of this problem? Some of the emails have source IP addresses, but TraceRT can only get so far as some locations in Atlanta that aren't particularly helpful.

In the meantime, if you're one of my readers, and especially if you've sent me an email recently, I'd ask you to please update your virus software and scan your hard drive. It can't hurt.

Just my luck, eh?

[1]: There's also the possibility that rather than poor fortune, someone's doing this intentionally. The last thing on earth I need just before clerk season is every Article III judge in the country getting an email from "me" with a nifty viral payload. But that's more paranoid than I care to be. UPDATE: To make it clear: it would be easy for this to be a coincidence. I really don't think it's intentional.

UPDATE II: One of the bounce messages has now included a copy of the virus. Does anyone know how to take one of these apart? There might be some clues on exactly where it came from.

Comments

The messages aren't coming from your computer. The programme which is sending them however has harvested your address and is substituting it in the from field. So when a mailserver bounces the message it bounces it back to you and not the original sender. This kind of second order spam (you get spam that's not even trying to sell you stuff, it's just bouncing from someone else's mailserver) has grown a lot in the last few years.

1. Don't panic!
2. Sober is nailing a lot of sites. I would hope that uscourts.gov is protected by a virus scanner at the domain level. If there is, and if it is competently managed (which is more than likely) then chances are no one but the admins will see the virus infected messages.
4. I would venture to say that nearly all 5-9's (99.999%) of administrators know that viruses seldom (.001%) come from where it says they come from on their "from" line.
5. This is an example of competent management and a virus scanner installed at the domain level: the team that manages our statewide K-12 network has encountered, at last count, 23,000 messages. I haven't seen one myself, but I'm not an admin.
6. Do not play with virii. In order to do so, you usually have to disable your anti-virus software, and you could accidentally trigger its payload. There are newer virii out there that will target your anti-virus software. If it's not engaged, you'll end up facing a drive wipe, followed by complete Windows/program reinstall, and restoring your backups.
7. Don't panic!

Thanks, guys. Martin: I figured that's what's going on, but checking my own machine made sense. I just want to know how I got the poor luck to have my address being spoofed (if the bounce messages are to be believed) mostly to addresses in uscourts.gov. Jonathan: After a good night's sleep, the panic is mostly gone. As you said, most of the bounce messages are now being followed by autosent messages from certain districts' autosenders saying that messages have been blocked. At least Georgia and Louisiana seem not to have gotten the spoof. Oddly, at least one judge in Alabama may have been hit: I got a copy of the virus delivered to me not in a bounce message, but a further spoof. (Unclear, of course: this could be the original infected fellow just spoofing a different from/to. But the header shows a different source than every other one I've received.)
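As an added example (not from the post or its commenters) of the header analysis the post asks about: each relay prepends its own Received: line, so the oldest line, the one nearest the bottom, is the best lead on where a spoofed message entered the mail system, while the From: line is only whatever the worm wrote. The returned headers, relay names and IPs below are constructed placeholders.

```python
import re
from collections import Counter
from email import message_from_string

# Constructed sample of the original-message headers a bouncing server
# returns inside its DSN; hosts and IPs are documentation-range placeholders.
RETURNED_HEADERS = """\
Received: from mx.court.example ([192.0.2.10])
\tby inbox.court.example with ESMTP id q1; Mon, 9 May 2005 09:12:01 -0400
Received: from relay.isp.example ([198.51.100.7])
\tby mx.court.example with ESMTP id q2; Mon, 9 May 2005 09:11:58 -0400
Received: from user-pc (dsl-44.isp.example [203.0.113.44])
\tby relay.isp.example with SMTP id q3; Mon, 9 May 2005 09:11:55 -0400
From: blog@threeyearsofhell.com
To: judge@court.example
Subject: Account and Password Information are attached!

Account and Password Information are attached!
Visit: http://www.threeyearsofhell.com
"""

# "from <claimed host> ... [<ip>]" as written by the receiving relay.
HOP_RE = re.compile(r"from\s+(\S+).*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.S)

def received_chain(raw):
    """(claimed_host, ip) per hop, oldest first. Relays prepend Received:
    lines, so the last header in the list is the first hop."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(value)
        if m:
            hops.append((m.group(1), m.group(2)))
    return hops

def origin_hop(raw):
    """Earliest hop: the only one not written by a later relay, and the best
    lead on where the message entered the mail system."""
    chain = received_chain(raw)
    return chain[0] if chain else None

def from_matches_origin(raw, own_relay_ips):
    """False when From: claims our domain but the origin IP is not one of our
    own outbound relays, i.e. the sender address was forged (backscatter)."""
    sender = message_from_string(raw).get("From", "")
    origin = origin_hop(raw)
    return (sender.endswith("@threeyearsofhell.com")
            and origin is not None and origin[1] in own_relay_ips)

def origin_counts(bounces):
    """Tally origin IPs over many bounces: one infected host shows as a single
    dominant IP, a second IP points at a separate source."""
    counts = Counter()
    for raw in bounces:
        hop = origin_hop(raw)
        if hop:
            counts[hop[1]] += 1
    return counts
```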
