Any web gurus out there? Need virus/spam help.

chayton

I've got a couple (non-gambling) domains, and one of them I'm getting blasted over the last couple of weeks with email viruses. The first couple were from "The IRS" saying oh no we can't process your refund unless you fill out the attached form. Then I got a bunch from "The Police" with my speeding/red light infraction attached. Now it's "the Post Office/FedEx/UPS" with a parcel I have to claim by filling out the attached form. :rolleyes:

Anyhow it's not a huge deal because I have decent virus protection on my computer but it's getting to be a pain in the rear - since this started I must have gotten about 20 of these things. I was hoping I could stop it as soon as it hit my server, I've got Spam ASSP on the server, it's all turned on but under the virus log it's empty, so it doesn't seem to be working.

I'm wondering if there's uhhhmmm a cPanel plugin or some kind of thing like that I can install? Or is this something I should get on the case of my hosting company about??
 
If you use Joomla as a CMS I could give you some tips.. Anyhow, can you provide some details? I'm studying to become an internet security specialist so perhaps I could provide some help.. Not too many details though, don't want your problem to get worse ;) Are you on a Windows or Linux server?
 
It's Linux.

I shot a mail to my hosting company last night, and they said they'd run a scan of my mails....then this morning they wrote back and said the scan didn't find anything, and to forward the headers of the mails I was receiving. So I sent headers for the 3 I got yesterday, and I'll see what they say.

At the bottom of the header is this Assp data (my email's hidden)

X-Assp-Score: -15 (PBwhite)
X-Assp-Delay: ****@****.com not delayed (whitebox 171.245.207.98);
24 Aug 2011 01:11:09 -0700
X-Assp-Score: 1 (bombSubjectRe: 'notification')
X-Assp-Envelope-From: support.3@ups.com
X-Assp-Intended-For: ****@****.com
X-Assp-Passing: White Org/Domain 'Bank of America'
X-Assp-ID: cwh2.canadianwebhosting.com ()
X-Assp-Version: 1.7.1.3(1.0.2)
X-Antivirus: avast! (VPS 110823-1, 23/08/2011), Inbound message
X-Antivirus-Status: Infected
X-Attachment: UPS_document.zip#372764068|>UPS_Document.exe Virus: Win32:parcel [Susp] Deleted
 
Alright, well I just got a Linux VPS myself last week.. and didn't even create a single mail address for it.

So if I read it correctly Avast is telling you a file is infected, could very well be a false flag, did you try updating the virus definitions?

And you said you have decent virus protection on your computer.. except the virus was on the server/mailbox right?
If you are running Avast on your PC try another virus scanner, like NOD, or if you are working in Windows, switch to Ubuntu/Linux. It's a lot safer..
 
Well I got a message back from my hosting company that yes, they were virus mails, and the reason that ASSP didn't catch them is that it uses a different algorithm to find viruses. They said, "We've run a scan and removed the viruses and we've blocked that email address." :rolleyes:

I said, "So what good will that do because the email addresses are forged?" And they said, "Well MOST of this mail came from this address." So today I get 4 of them from a different address. sigh.
 
Yep it is still very much part of the latest cPanel software release. But then again, your hosting company may not have enabled it for your hosting account. You might want to ask them. Failing that there are several third party programs that you could use, that do the same thing. I know Simmo! uses one such program, I'll give him a nudge and ask him to drop a link to it in this thread.
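
The headers posted earlier in the thread show the message arriving with UPS_document.zip containing UPS_Document.exe, and blocking the forged sender address did not stop the next batch. As an added example (not from any poster in this thread and not part of ASSP or cPanel), this Python code shows a server-side attachment check that keys on the content instead of the sender; the function names, the extension list and the sample message are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Assumed policy list of extensions to refuse; adjust for your own mail flow.
BLOCKED_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs")

def risky_members(raw_message: bytes) -> list:
    """Return 'attachment>member' for each blocked file, looking inside zips."""
    hits = []
    for part in message_from_bytes(raw_message).walk():
        name = part.get_filename()
        if not name:
            continue  # body text and multipart containers carry no filename
        payload = part.get_payload(decode=True) or b""
        if name.lower().endswith(BLOCKED_EXT):
            hits.append(name)
        elif name.lower().endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    for info in zf.infolist():
                        if info.flag_bits & 0x1:  # encrypted: cannot be scanned
                            hits.append(f"{name}>{info.filename} (encrypted)")
                        elif info.filename.lower().endswith(BLOCKED_EXT):
                            hits.append(f"{name}>{info.filename}")
            except zipfile.BadZipFile:
                hits.append(f"{name} (unreadable archive)")
    return hits

def build_sample(member: str = "UPS_Document.exe") -> bytes:
    """Constructed message shaped like the one in the thread; payload is plain text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"not a real program")
    msg = EmailMessage()
    msg["From"] = "support.3@ups.com"  # forged sender, as in the posted headers
    msg["To"] = "user@example.com"     # placeholder recipient
    msg["Subject"] = "UPS notification"
    msg.set_content("Please see the attached form.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="UPS_document.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print(risky_members(build_sample()))
```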
 
