What's the source of your infected emails?


Richard Jones

I'm curious as to how many people actually check where incoming
infected messages originate. I've been looking at mine over the past
month or two, and a consistent 75% come from one single system. They
are almost entirely MyDoom.

I've also checked bogus rejects (i.e. where my domain is the spoofed
From address in a virus sent somewhere else). Around 75% of these
other messages seem to originate from the same place too.

The IP address sending these out is 204.38.111.4, which resolves to
lucent-2.jcisd.k12.mi.us. This is a system belonging to Jackson County
Intermediate Schools District, MI. I have no reason to suspect a
malicious user at this site, I think it's just incompetent anti-virus
management.

Unless I'm somehow being targeted (which seems highly unlikely) and
the pattern is consistent, then JCISD are responsible for the majority
of virus email traffic currently circulating!

If others can confirm that a large number of messages originate from
this site, I'll post the address of JCISD's sysadmin. He needs to know
the trouble he's causing (but only if it really is affecting
everyone).

I'm a little reticent, because if I'm right I'm just surprised that
no-one else has picked up on it before.

Rick Jones
 
Hi,
If you have the address, maybe a polite email to the sys admin
explaining the situation might do the trick.
What are you afraid of?
 
Richard Jones said:
I'm curious as to how many people actually check where incoming
infected messages originate. I've been looking at mine over the past
month or two, and a consistent 75% come from one single system. They
are almost entirely MyDoom.

All of my recent Netsky.T flood is coming from a single PacBell DSL user IP,
apparently in Southern California. Perhaps Netsky.T uses the kamikaze
email method? Anybody know?
 
Richard Jones said:
I'm curious as to how many people actually check where incoming
infected messages originate. I've been looking at mine over the past

When Swen first hit, I temporarily resorted to using MailWasher, just to
keep my inbox from overflowing. Swen finally convinced me of the
need to munge my Usenet posting address.

Except for those Swen that MailWasher deleted, I've been reporting all
email worms sent to me to the ISP responsible for the sending IP.

Richard Jones said:
The IP address sending these out is 204.38.111.4, which resolves to
lucent-2.jcisd.k12.mi.us. This is a system belonging to Jackson County
Intermediate Schools District, MI. I have no reason to suspect a

That's like trying to complain directly to the owner of an infected computer.
I'd give up on that after the first notification fails.

According to ARIN (via whois), that IP is in a block assigned to
"Merit Network Inc", and SWIPed to "South Central Network Consortium".
South Central is responsible for controlling activity from that netblock.

They have an OrgAbuseHandle listed in their whois data, with the
email address of abuse @ msu.edu. It's their responsibility to stop
the abuse being sent from their network. Let them educate, block,
or disconnect their user. If they fail to do so, I'd escalate the complaints
to Merit Network.

I've lost my patience when it comes to stopping email worms. If the
owner of the box can't stop it after the first notification, the ISP responsible
for the IP block must take action, or risk getting blacklisted via Spamhaus etc.

The longer an infected computer is allowed to stay online, the more likely
the worm is to spread.

Regards,
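Scripting the two checks this thread describes: counting the sending IP behind each infected or bounced message (the "75% from one system" figure in the original post) and pulling the OrgAbuseEmail field out of an ARIN whois record (the escalation path in the reply above). This is an added example, not code from any poster; the Received: lines and the whois record are constructed, and mx.example.net and abuse@example.net are placeholders.

```python
import re
from collections import Counter

# Constructed sample: the Received: line that *our own* MX stamped on each
# infected or bounced message. Only that line is trustworthy; Received:
# lines below it in the header were written by remote hosts and can be forged.
SAMPLE_RECEIVED = [
    "from lucent-2.jcisd.k12.mi.us ([204.38.111.4]) by mx.example.net with SMTP",
] * 6 + [
    "from unknown ([64.190.235.6]) by mx.example.net with SMTP",
] * 2

# The bracketed literal is the TCP peer address the MX recorded.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def source_ip(received):
    """Return the peer IP from a Received: header, or None if absent."""
    m = IP_RE.search(received)
    return m.group(1) if m else None


def rank_sources(headers):
    """Count messages per sending IP; return (ip, count, percent), busiest first."""
    counts = Counter(ip for ip in map(source_ip, headers) if ip)
    total = sum(counts.values())
    return [(ip, n, round(100.0 * n / total, 1)) for ip, n in counts.most_common()]


# Constructed ARIN-style whois record (placeholder values, not a real lookup).
SAMPLE_WHOIS = """\
NetRange:       203.0.113.0 - 203.0.113.255
OrgName:        Example Network Consortium
OrgAbuseHandle: ABUSE-EXAMPLE-ARIN
OrgAbuseEmail:  abuse@example.net
"""


def abuse_contact(whois_text):
    """Pull the OrgAbuseEmail field out of an ARIN whois response."""
    m = re.search(r"^OrgAbuseEmail:\s*(\S+)", whois_text, re.M)
    return m.group(1) if m else None


if __name__ == "__main__":
    for ip, n, pct in rank_sources(SAMPLE_RECEIVED):
        print(f"{ip:15} {n:3} msgs {pct:5.1f}%")
    print("report to:", abuse_contact(SAMPLE_WHOIS))
```

Feed it the Received: line your own gateway adds (from the mail log or the rejected message's headers); the percentages tell you whether one netblock dominates before you write to its abuse contact.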
 
Richard Jones said:
Unless I'm somehow being targeted (which seems highly unlikely) and
the pattern is consistent, then JCISD are responsible for the majority
of virus email traffic currently circulating!

Maybe not *everywhere*, but if they are responsible
for the ones *you* are getting then that is enough of
a reason to contact them about it. Admins should not
be offended by someone merely trying to give them a
"heads up".
 
David W. Hodgins said:
According to ARIN (via whois), that IP is in a block assigned to
"Merit Network Inc", and SWIPed to "South Central Network Consortium".
South Central is responsible for controlling activity from that netblock.

They have an OrgAbuseHandle listed in their whois data, with the
email address of abuse @ msu.edu. It's their responsibility to stop
the abuse being sent from their network. Let them educate, block,
or disconnect their user. If they fail to do so, I'd escalate the complaints
to Merit Network.

Ah - thanks for finding that. I hadn't managed to dig far enough.

David W. Hodgins said:
The longer an infected computer is allowed to stay online, the more likely
the worm is to spread.

I agree absolutely. This pattern suggests to me that it only takes one
or two ill-managed sites to cause major problems all over the 'net.
This is why I find it odd that something like this doesn't get spotted
and jumped on pretty quickly.

Taking a cynical view, the people collating the most information are
the anti-virus vendors, and what incentive do they have to actually
stop virus infections in their tracks? :-/
 
FromTheRafters said:
Maybe not *everywhere*, but if they are responsible
for the ones *you* are getting then that is enough of
a reason to contact them about it. Admins should not
be offended by someone merely trying to give them a
"heads up".

Done that. He's not offended, just apparently incapable of
understanding how to do anything about it, even though I told him what
he needed to do to his firewall (assuming they do actually have one!).
 
Richard said:
Done that. He's not offended, just apparently incapable of
understanding how to do anything about it, even though I told him what
he needed to do to his firewall (assuming they do actually have one!).

Anyone know someone living in the area?
 
Richard Jones said:
I'm curious as to how many people actually check where incoming
infected messages originate. I've been looking at mine over the past
month or two, and a consistent 75% come from one single system. They
are almost entirely MyDoom.

I've also checked bogus rejects (i.e. where my domain is the spoofed
From address in a virus sent somewhere else). Around 75% of these
other messages seem to originate from the same place too.

The IP address sending these out is 204.38.111.4, which resolves to
lucent-2.jcisd.k12.mi.us. This is a system belonging to Jackson County
Intermediate Schools District, MI. I have no reason to suspect a
malicious user at this site, I think it's just incompetent anti-virus
management.

Unless I'm somehow being targeted (which seems highly unlikely) and
the pattern is consistent, then JCISD are responsible for the majority
of virus email traffic currently circulating!

If others can confirm that a large number of messages originate from
this site, I'll post the address of JCISD's sysadmin. He needs to know
the trouble he's causing (but only if it really is affecting
everyone).

I'm a little reticent, because if I'm right I'm just surprised that
no-one else has picked up on it before.

Rick Jones

Yes, I was getting viruses from that network also. Sent my standard
"please have user clean system or remove them" email. When they didn't
stop coming, I just firewalled the whole IP block out. Given my
company is not in Michigan, I see no need to be emailing their school
system or accepting email from them. At least on the corporate level. I'm
fairly sure the viruses stopped coming from them after a while, so the
emailed user in my company must be out of someone's computer now.

I've another IP, 64.190.235.6, in a cypresscomm.net block that has been
sending viruses for months now. cypresscomm.net refuses to tell their
customer they're infected. I guess it's against their policy to get
involved unless a virus is affecting their systems directly. I'd like
to smack them upside their heads with a big clue stick. How can they
be such asses?

My biggest source of incoming viruses is Comcast. Another company
that doesn't seem to want to be bothered with doing anything about it.
It's also one of my biggest sources of zombie machines sending spam.
Who would have guessed?

Cary
 