Full Version: Information about virus that hit FPN
FPN Admin Team
The following was sent to all members. If your profile does not have your current email address, please update it:

The email pretending to be from fpnadmin and instructing you to download a new JavaScript version and ignore any virus warning messages did not originate from fpnadmin. If you check the headers it will be clear that it didn't originate from FPN, but that it is a spoof.

If you did activate the link in that message, and you ignored the virus warnings, your computer will now be infected with a virus. This virus spreads itself via message boards as well. If you log in to a message board, like FPN, the board gets infected with it, and via FPN it can then be spread faster than via email alone.

In order to get rid of this virus, please first get the latest virus updates, next scan your pc, and delete any viruses found.

Next, turn your computer off, completely. Wait 10 seconds and then restart your computer. The virus should be gone now.

Fortunately it is very easy to remove the virus from FPN itself.

However, since we won't reach everybody in time before they log in to FPN, it is likely that the virus will get injected a few times again. If you do get virus messages from your scanner, do not ignore them, but log out from FPN.

We will attend to it as fast as possible, every time it reappears. In this case you can try occasionally to see if it has disappeared. Once everybody who has an infected computer has it cleaned, things should return to normal again.

Kind regards,
the FPN Admin Team
kathywc
Thanks to the admin team for jumping on this problem and fixing it (at least fixing it the first time) so quickly.

I appreciate all of your efforts!

kathy wc
jd50ae
Thank you FPN Admin folks. If we were paying you I would put you in for a bonus.

I saw the message late last evening, it did come as a popup but it appears my ZONE ALARM killed it before it did any harm.
FPN Admin Team
QUOTE(jd50ae @ Feb 9 2007, 10:13 AM)
Thank you FPN Admin folks. If we were paying you I would put you in for a bonus.

I saw the message late last evening, it did come as a popup but it appears my ZONE ALARM killed it before it did any harm.

If you really want to give us a bonus:

Donation Link

jd50ae
QUOTE(FPN Admin Team @ Feb 9 2007, 01:19 PM)
QUOTE(jd50ae @ Feb 9 2007, 10:13 AM)
Thank you FPN Admin folks. If we were paying you I would put you in for a bonus.

I saw the message late last evening, it did come as a popup but it appears my ZONE ALARM killed it before it did any harm.

If you really want to give us a bonus:

Donation Link


Done, wish it could be more.
Oxonian
Hi Admins one and all,

Thank you for sorting out the virus hit, as usual brilliant work and much appreciated.

Cheers John
OnPoint
Donation sent.

Thanks.
Johnson
Odd, I did not receive the suspicious email, and my email address on file is correct (I always receive email from other forumers, PM notification emails, etc.)

I even plumbed through the depths of my *shudder* spam folder, but I didn't see anything. Maybe gmail just rox my sox and deleted the mail before it even went into my spam folder.
Gerry
Could be. I didn't get one either, and am glad I didn't. Another admin did.

There appears to be some randomness for whatever reason.

Regards,

Gerry
johnr55
Donation sent, and thank you!
Col
QUOTE(FPN Admin Team @ Feb 9 2007, 04:38 PM)
The email pretending to be from fpnadmin and instructing you to download a new JavaScript version and ignore any virus warning messages did not originate from fpnadmin. If you check the headers it will be clear that it didn't originate from FPN, but that it is a spoof.

Hi Admins

Actually, I don't think it was spoofed - it was sent through your network. I'm reporting this only because it may help in dealing with problems like this in future. Here are the headers of the offending message (my email address and domain obscured):

----------
Return-Path: <nobody@host.refactored.com>
Received: from host.refactored.com (unknown97.36.157.204.defenderhosting.com [204.157.36.97])
by smtp.midair.net with ESMTP (Mailtraq/2.8.0.2048) id SMTP53BCDC63
for *@*; Fri, 09 Feb 2007 12:25:14 -0000
Received: from nobody by host.refactored.com with local (Exim 4.52)
id 1HFUlk-0008Tc-3M; Fri, 09 Feb 2007 05:22:24 -0700
To: fpnadmin@gmail.com
Subject: Fountainpennetwork administration ( From The Fountain Pen Network )
From: "The Fountain Pen Network" <fpnadmin@gmail.com>
X-Priority: 3
X-Mailer: IPB PHP Mailer
Message-Id: <E1HFUlk-0008Tc-3M@host.refactored.com>
Date: Fri, 09 Feb 2007 05:22:24 -0700
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - host.refactored.com
X-AntiAbuse: Original Domain - *
X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12]
X-AntiAbuse: Sender Address Domain - host.refactored.com
----------

And from your genuine message:

----------
Return-Path: <nobody@host.refactored.com>
Received: from host.refactored.com (unknown97.36.157.204.defenderhosting.com [204.157.36.97])
by smtp.midair.net with ESMTP (Mailtraq/2.8.0.2048) id SMTP53BEDC6B
for *@*; Fri, 09 Feb 2007 14:04:18 -0000
Received: from nobody by host.refactored.com with local (Exim 4.52)
id 1HFWK5-00034I-P7; Fri, 09 Feb 2007 07:01:57 -0700
To: fpnadmin@gmail.com
Subject: Urgent! Previous email from spoofed FPN address! ( From The Fountain Pen Network )
From: "The Fountain Pen Network" <fpnadmin@gmail.com>
X-Priority: 3
X-Mailer: IPB PHP Mailer
Message-Id: <E1HFWK5-00034I-P7@host.refactored.com>
Date: Fri, 09 Feb 2007 07:01:57 -0700
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - host.refactored.com
X-AntiAbuse: Original Domain - *
X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12]
X-AntiAbuse: Sender Address Domain - host.refactored.com
----------

As you can see, those headers clearly show an identical forward path. I run my own mail server here, and this extract from my server log is conclusive:

----------
00001000 00000000 09/02/2007 12:25:08 SMTP: (Accept) Receiving connection from 204.157.36.97
+ 0000001A host.refactored.com (204.157.36.97) [09/02/2007 12:25]
00000001 0000001A 09/02/2007 12:25:09 EHLO host.refactored.com ---> 250 smtp.midair.net
00000001 0000001A 09/02/2007 12:25:13 MAIL FROM:<nobody@host.refactored.com> ---> 250 receiving from nobody@host.refactored.com
00000001 0000001A 09/02/2007 12:25:13 RCPT TO:<*@*> ---> 250 will send to *@*
00000001 0000001A 09/02/2007 12:25:13 DATA ---> 354 send the message, terminate with "."
00000001 0000001A 09/02/2007 12:25:14 DATA ---> 250 received the message, thanks
00000080 00000000 09/02/2007 12:25:14 Routing (Inbound) SMTP53BCDC63 (0 locked, 0 queued)
00000080 00000000 09/02/2007 12:25:14 Router: (Depth 0) SMTP53BCDC64: "(nobody@host.refactored.com) Fountainpennetwork administration ( From The Fountain Pen Network )" from nobody@host.refactored.com for (2 rcpts) *@*,inbound
00000200 00010003 09/02/2007 12:25:14 nobody@host.refactored.com sent "Fountainpennetwork administration ( From The Fountain Pen Network )"
00000001 0000001A 09/02/2007 12:25:14 QUIT ---> 221 have a nice day (SMTP Closing)
00000001 0000001A 09/02/2007 12:25:14 SMTP Client Disconnected (204.157.36.97): Normal Transaction
----------

The HELO argument, MAIL FROM and RCPT TO may all be forged, but not I think your IP address.

Hope this helps, apologies for length.
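As an added example (not code from this post or from FPN), the check made above written out in Python: only the topmost Received: line, written by the recipient's own server (smtp.midair.net in these extracts), records a peer IP the sender could not set, while the From: address and every hop below it arrived inside the message. The two header extracts are the ones quoted above, trimmed to the relevant lines.

```python
import re
from email import message_from_string

# Header extracts as quoted in the post above (recipient obscured by the poster as *@*).
SPOOF_MSG = """Return-Path: <nobody@host.refactored.com>
Received: from host.refactored.com (unknown97.36.157.204.defenderhosting.com [204.157.36.97])
 by smtp.midair.net with ESMTP (Mailtraq/2.8.0.2048) id SMTP53BCDC63
 for *@*; Fri, 09 Feb 2007 12:25:14 -0000
Received: from nobody by host.refactored.com with local (Exim 4.52)
 id 1HFUlk-0008Tc-3M; Fri, 09 Feb 2007 05:22:24 -0700
From: "The Fountain Pen Network" <fpnadmin@gmail.com>"""
GENUINE_MSG = """Return-Path: <nobody@host.refactored.com>
Received: from host.refactored.com (unknown97.36.157.204.defenderhosting.com [204.157.36.97])
 by smtp.midair.net with ESMTP (Mailtraq/2.8.0.2048) id SMTP53BEDC6B
 for *@*; Fri, 09 Feb 2007 14:04:18 -0000
Received: from nobody by host.refactored.com with local (Exim 4.52)
 id 1HFWK5-00034I-P7; Fri, 09 Feb 2007 07:01:57 -0700
From: "The Fountain Pen Network" <fpnadmin@gmail.com>"""

HOP_RE = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?\s+by\s+(\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_chain(raw):
    """Each Received: header, topmost (most recent) first, as (claimed_host, peer_ip, by_host)."""
    hops = []
    for hdr in message_from_string(raw).get_all("Received", []):
        m = HOP_RE.search(" ".join(hdr.split()))  # unfold continuation lines
        if m:
            ip = IP_RE.search(m.group(2) or "")
            hops.append((m.group(1), ip.group(1) if ip else None, m.group(3)))
    return hops

def connecting_ip(raw, my_server):
    """Peer IP recorded by my_server itself; hops below the topmost one are sender-supplied."""
    hops = received_chain(raw)
    if hops and hops[0][2].lower() == my_server.lower():
        return hops[0][1]
    return None  # topmost hop was not written by our server: treat the chain as untrusted

def from_domain(raw):
    """Domain claimed in the From: header (sender-controlled, so not evidence of origin)."""
    m = re.search(r"<[^>]*@([^>]+)>", message_from_string(raw)["From"] or "")
    return m.group(1).lower() if m else None

def same_origin(raw_a, raw_b, my_server):
    """True when both messages were handed to my_server by the same peer IP."""
    a, b = connecting_ip(raw_a, my_server), connecting_ip(raw_b, my_server)
    return a is not None and a == b
```

Both extracts resolve to 204.157.36.97 while the From: header claims gmail.com, which is the mismatch that points to a forged From: address rather than a forged delivery path.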
goodyear
Kudos for the swift response and for having the nerve to close the forum while it got sorted - would all forum admins 'net-wide had the sense!

...

Of course, being a Mac-man, I had no problems here

/sorry :ph34r:
southpaw
As always, many thanks for a job well done (realizing it is an on-going one)!!!!
lisa
I didn't get a spoof email, but my browser told me the website was trying to download something on my computer. As I didn't know what that would be and I didn't see the need to download anything I didn't allow the download. But I did get a virus warning from my anti virus software, and I deleted everything my anti virus told me to. So nothing bad happened here.

Thanks FPN Admin guys for the email. It explained why this website was acting so weird.
Maybe a tip for next time, mention a few admin names in the real email, that way we'll be even more sure that the email came from you guys.

Thanks again for handling this so well!
Gerry
We're thinking of all kinds of ideas, but certainly want to hear suggestions that you may have...

As a standard type of defense, it would be helpful if every member reading this would remember that Admin would never, never send instructions to download something to the members using the Admin bot. If you are ever in doubt - please always check the FPN site itself for information or news about anything we feel needs to be passed on. Don't click on any links ever. Just go to the site independently of the email, and see if there's something in the News.

If it's not there - the email must have been a phoney...

Regards,

Gerry

PS - regarding similar headers... pretty much anything at all with regard to headers can be forged, and it's becoming rare that a real source of malicious email can be tracked down anymore...
Judybug
QUOTE(Johnson @ Feb 9 2007, 01:10 PM)
Odd, I did not receive the suspicious email, and my email address on file is correct (I always receive email from other forumers, PM notification emails, etc.)

Same here. I didn't get the e-mail either. But my virus protection did alert me that I had a virus. I screamed for my husband/resident-computer-doctor. This is what I do any time I have computer problems. He did whatever computer-doctors do to rectify the problem. So now my computer is squeaky clean - for the moment anyway.

Judybug
addio6
QUOTE(Judybug @ Feb 9 2007, 06:54 PM)
QUOTE(Johnson @ Feb 9 2007, 01:10 PM)
Odd, I did not receive the suspicious email, and my email address on file is correct (I always receive email from other forumers, PM notification emails, etc.)

Same here. I didn't get the e-mail either. But my virus protection did alert me that I had a virus. I screamed for my husband/resident-computer-doctor. This is what I do any time I have computer problems. He did whatever computer-doctors do to rectify the problem. So now my computer is squeaky clean - for the moment anyway.

Judybug

Judybug, do you have gmail as well?

I'm another one who didn't get anything, and I've got the gmail system tray alert deal going on--so I know that I've gotten every other notification and legitimate messages just fine.
HyperCamper
One question remains: whodunnit?
Viseguy
I take it that one can't get the virus simply by logging on to FPN. One has to have received the bogus e-mail, and opened it. Yes? (I hope.)

P.S. I didn't receive the bogus e-mail.
Elaine
QUOTE(Viseguy @ Feb 10 2007, 02:13 PM)
I take it that one can't get the virus simply by logging on to FPN. One has to have received the bogus e-mail, and opened it. Yes? (I hope.)

P.S. I didn't receive the bogus e-mail.

Sorry, not correct. Once one person opened that email and then opened FPN, thereby infecting it, the virus could be spread from simply signing into FPN.

The site has been clear since we re-opened it. We also have no idea what the virus does, nor how harmful it is.

My advice, don't surf without virus protection.
Maja
Thank you to the admins for their ongoing efforts to maintain and improve this great site!
I didn't get the phony email, but I did get the real one from the Admin Team informing me what had happened... It's weird but I usually log on to FPN in the morning before I go to work to see what's happening, but I was feeling poorly (nasty cold bug) that day and didn't log on....Weird!
Buster
QUOTE(Viseguy @ Feb 10 2007, 02:13 PM)
I take it that one can't get the virus simply by logging on to FPN. One has to have received the bogus e-mail, and opened it. Yes? (I hope.)

P.S. I didn't receive the bogus e-mail.
QUOTE(Elaine @ Feb 10 2007, 02:21 PM)
Sorry, not correct.

I also never received an email, but when I went to the FPN website that morning, there was the notification that the site was down due to a virus. My machine locked up for a minute or so while it started "clicking" away, and my McAfee started popping up saying it had deleted at least two or three trojans.

Rick
Col
QUOTE(Elaine @ Feb 10 2007, 07:21 PM)
We also have no idea what the virus does, nor how harmful it is.

It was a rogue anti-spyware application called SpySheriff. Article at Wikipedia here, or just google on it.
kirchh
QUOTE(Gerry @ Feb 9 2007, 07:38 PM)
Ps - regarding similar headers... pretty much anything at all with regard to headers can be forged

Not the IP address of the host from which the message arrived at the recipient's email server as inserted in the header by the receiving machine.

--Daniel
mfwebb
QUOTE
I didn't get a spoof email, but my browser told me the website was trying to download something on my computer. As I didn't know what that would be and I didnt see the need to download anything I didn't allow the download. But I did get a virus warning from my anti virus software, and I deleted everything my anti virus told me to. So nothing bad happened here.


Exactly the same for me. I use AVG Free as my antivirus software and I did a complete sweep of my computer using Ad-Aware and Spybot which I keep on my machine. I don't sweep anywhere near often enough and don't update them as often as I should -- but this was a wake-up call.

Congratulations on the swift action taken.
EventHorizon
Thanks guys for jumping on this. ZONE ALARM blocked it from my computer but I appreciate the quick response.
Invision Power Board © 2001-2008 Invision Power Services, Inc.