Email from news@mac.com containing malware

Discussion in 'Apple Music, Apple Pay, iCloud, Apple Services' started by Mr Skills, Dec 17, 2008.

  1. Mr Skills macrumors 6502a


    Joined:
    Nov 21, 2005
    #1
    I just got an email from "news@mac.com" telling me that my account has been suspended due to overuse. It also asks me to open a zip file for more information.

    It's clearly nonsense, and I have no doubt the file is a trojan. I'm curious though - since they have gone to the effort of sending it from a .mac address, will they also have gone to the effort of making a mac-specific trojan?

    And if so, does this need more publicity so people know not to open it?

    EDIT - I just scanned the Zip with ClamXav and it didn't find anything, so maybe it's a new trojan? Either way, I'm not trusting it!
     
  2. sushi Moderator emeritus


    Joined:
    Jul 19, 2002
    Location:
    キャンプスワ
    #2
    Is it an exe file? If so, then it is for the PC.

    Also, it is very easy to spoof a sender's address. This means that the sender doesn't need to have a "news@mac.com" address to send from that address.
     
  3. kolax macrumors G3


    Joined:
    Mar 20, 2007
    #3
    Yeah. Just a simple PHP script will send an email with you choosing what the alias will be.

    I'd report it to Apple - follow these instructions:

    http://support.apple.com/kb/HT2073

    And send it to them.
     
  4. Mr Skills thread starter macrumors 6502a


    Joined:
    Nov 21, 2005
    #4
    Well I didn't unzip it :)

    I just scanned the zip (I'm assuming Clam can scan inside a zip without needing to open it?)
     
  5. kolax macrumors G3


    Joined:
    Mar 20, 2007
    #5
    If it is just a zip file, you're safe to open it.

    It will almost certainly be an exe file. If it is a pkg file, let us know but don't run it!
     
  6. tersono macrumors 68000


    Joined:
    Jan 18, 2005
    Location:
    UK
    #6
    I'd bet good money that it didn't actually come from a .mac address - it will just be a spoofed header (which should become apparent if you look at the headers in detail).

    It happens all the time - not much that Apple can do about it if it isn't passing through their servers (which is likely to be the case). Just delete it and move on...
     
  7. kolax macrumors G3


    Joined:
    Mar 20, 2007
    #7
    It is passing through their servers to get to him ;)

    They could block any further emails from news@mac.com because news@mac would never be an allowed alias and Apple doesn't use that to send MobileMe news.
     
  8. Mr Skills thread starter macrumors 6502a


    Joined:
    Nov 21, 2005
    #8
    I just got another one on my other MobileMe address - exactly the same format and attachment, but this time the subject is "your membership details".

    Interesting that I've got the same thing to 2 addresses - maybe they're doing a big spam-out today!

    This is, I think, the first spam I've ever had on dotmac/mobileme, after 18 months. I hope it's not the start of the deluge :( My old gmail account gets hundreds each day (although they are very good at sending them to the junk mail folder).
     
  9. sushi Moderator emeritus


    Joined:
    Jul 19, 2002
    Location:
    キャンプスワ
    #9
    Do you or any of your friends use Outlook via Windows?

    If so, there is a good chance that someone is owned and thus you are being spammed.
     
  10. Mr Skills thread starter macrumors 6502a


    Joined:
    Nov 21, 2005
    #10
    Aha! Good point. I don't use it personally, but I'm sure I know people who do. How can I tell who it's coming from, so I can warn them?
     
  11. drichards macrumors 6502a


    Joined:
    Nov 30, 2008
    #11
    If their provider is responsible about itself, they'll flag the user, suspend their send email rights, and notify them.
     
  12. PowerFullMac macrumors 601


    Joined:
    Oct 16, 2006
    #12
    How will they know what the e-mails contain though? Aren't there privacy laws that stop providers from looking at their customers' internet traffic?
     
  13. drichards macrumors 6502a


    Joined:
    Nov 30, 2008
    #13
    They base it on quantity of email, not content. Spambot checkers are automated, nobody is looking.
     
  14. sushi Moderator emeritus


    Joined:
    Jul 19, 2002
    Location:
    キャンプスワ
    #14
    Not an easy thing to determine from the end user. You might be able to determine from the long headers.

    If it is just a couple of friends, you might just send a polite message and suggest that they check their computers for Malware (Viruses, Trojans, Worms, etc.).

    I had this happen before with a bunch of users. So I just mass e-mailed them and said that I had received a certain message with a virus and suggested that they check their systems. More than one had been infected with various forms of Malware.

    The problem is that many times spam comes from someone other than the from address. So the provider may not catch it for a while. Meanwhile the spam continues. Although, providers are getting better at this.

    Most providers these days can and do scan your incoming messages for malware attachments. Many will deliver the message with a note saying that they removed the malware attachment. Others simply delete all suspect type files such as those ending in zip, exe, and mdb.
     
  15. PowerFullMac macrumors 601


    Joined:
    Oct 16, 2006
    #15
    Oh I see.

    I just hope I don't get my e-mail stopped, I send a lot of those things! (E-mails, that is).

    EDIT: So they just check the attachments then sushi?
     
  16. drichards macrumors 6502a


    Joined:
    Nov 30, 2008
    #16
    Well yeah, that sort of thing does tend to take a bit. I didn't mean to imply that the account would be bot-flagged immediately.

    Some providers won't accept those attachments at all anymore. Even gmail is a pain, can't send .app, .exe, .zip and others too. It's rather annoying.
     
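Added example (not code from any poster here, nor from ClamXav): the kind of check #4 hoped ClamXav was doing, #14 describes providers doing, and #2/#5 were doing by eye. It opens a zip attachment in memory without writing anything to disk, walks nested zips to a fixed depth, and classifies each file by its leading bytes (an "MZ" header is a Windows PE no matter what the file is called; "xar!" is a flat Mac .pkg), so a lure that hides the real extension is still caught. The blocked-extension list, the magic table, the size cap and the sample lure with its spoofed news@mac.com sender are all constructed for this example.

```python
"""Inspect a message's attachments the way a mail gateway would: list what
a zip contains without extracting it to disk, and classify each file by its
leading bytes rather than by the name the sender chose.

Added example for this thread, not code from any poster or from ClamXav.
The extension list, magic table and size cap are this example's choices."""
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions the thread mentions providers dropping (exe, mdb, pkg, app),
# plus other common executable types.  Assumption, not any provider's policy.
BLOCKED_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".mdb",
               ".pkg", ".app", ".dmg", ".jar"}
# Leading bytes that identify an executable regardless of its file name.
MAGIC = {
    b"MZ": "windows-pe",                 # answers #2: "is it an exe?"
    b"\x7fELF": "elf",
    b"xar!": "xar (flat Mac .pkg)",      # the .pkg case from #5
    b"\xfe\xed\xfa\xce": "mach-o-32", b"\xce\xfa\xed\xfe": "mach-o-32",
    b"\xfe\xed\xfa\xcf": "mach-o-64", b"\xcf\xfa\xed\xfe": "mach-o-64",
    b"\xca\xfe\xba\xbe": "mach-o-fat",   # also the Java .class magic
}
MAX_UNPACKED = 50 * 1024 * 1024        # refuse to inflate anything larger


def classify(data):
    """Return the executable type implied by the magic bytes, or None."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return None


def scan_bytes(path, data, findings, depth=0):
    """Recurse into zips in memory (depth-limited) and record anything that
    looks executable by name or by content."""
    if depth < 3 and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                inner = f"{path}/{info.filename}"
                if info.is_dir():
                    continue
                if info.file_size > MAX_UNPACKED:          # zip-bomb guard
                    findings.append({"path": inner, "verdict": "refused-too-large"})
                    continue
                scan_bytes(inner, zf.read(info), findings, depth + 1)
        return
    ext = os.path.splitext(path)[1].lower()
    kind = classify(data[:4])
    if ext in BLOCKED_EXT or kind:
        findings.append({"path": path, "ext": ext, "magic": kind, "verdict": "block"})


def scan_message(raw):
    """Walk every attachment of an RFC 822 message and return the findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        scan_bytes(part.get_filename() or "unnamed", part.get_content(), findings)
    return findings


def build_sample():
    """Constructed lure resembling #1: spoofed From:, a zip whose payload is a
    stub carrying only a PE 'MZ' header (not a real program)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Account Details.txt", "Your account has been suspended.")
        zf.writestr("Account Details.exe", b"MZ" + b"\0" * 62)
    msg = EmailMessage()
    msg["From"] = "news@mac.com"          # spoofed, as in the thread
    msg["To"] = "XXX@mac.com"
    msg["Subject"] = "Your account has been suspended"
    msg.set_content("Your account was suspended for overuse; see the attachment.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="details.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for hit in scan_message(build_sample()):
        print(hit)
```

Two design points worth noting: the zip is never written to disk or executed, which is what makes "scanning inside the zip" (#4) safe, and the verdict comes from content as well as name, so a ".txt" that starts with "MZ" is still blocked while the harmless text file in the sample passes. The size cap is the one guard a gateway cannot skip: a tiny zip that inflates to gigabytes is itself an attack on the scanner.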
  17. Mr Skills thread starter macrumors 6502a


    Joined:
    Nov 21, 2005
    #17
    I've just received the third! Here are the full headers (I've put XXX@mac.com in place of my own address); any clues as to how I can trace which of my contacts has a compromised computer?

    HTML:
    Return-path: <mail@mac.com>
    Received: from smtpin125-bge351000 ([10.150.68.125])
     by ms264.mac.com (Sun Java(tm) System Messaging Server 6.3-7.04 (built Sep 26
     2008; 64bit)) with ESMTP id <0KC200LFLMHJIS00@ms264.mac.com> for
     XXX@mac.com; Thu, 18 Dec 2008 03:56:07 -0800 (PST)
    Original-recipient: rfc822;XXX@mac.com
    Received: from mac.com ([86.105.74.205])
     by smtpin125.mac.com (Sun Java(tm) System Messaging Server 6.3-7.03 (built Aug
     4 2008; 32bit)) with ESMTP id <0KC200JMCMHDEO60@smtpin125.mac.com> for
     XXX@mac.com (ORCPT XXX@mac.com); Thu,
     18 Dec 2008 03:56:07 -0800 (PST)
    X-Brightmail-Tracker: AAAAAA==
    Message-id: <0KC200JMFMHDEO60@smtpin125.mac.com>
    From: mail@mac.com
    To: XXX@mac.com
    Subject: Your Membership Details!
    Date: Thu, 18 Dec 2008 13:56:02 +0200
    MIME-version: 1.0
    Content-type: multipart/mixed;
     boundary="----=_NextPart_000_0003_E6567F61.968B079A"
    X-Priority: 3
    X-MSMail-priority: Normal
     
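The headers in #17 are what #6 meant by "look at the headers in detail", and they bear out #2: the From: line proves nothing. Added example, not code from any poster in this thread: it walks the Received: chain of the #17 headers (the sample is lightly trimmed to the lines the analysis uses, with a placeholder body) oldest hop first, treats 10.0.0.0/8 as mac.com's internal network (an assumption; it is RFC 1918 space) and reports the first hop from outside it, the unverified HELO name that hop gave, whether the Message-id was minted by the receiving MX rather than the sender, and the sender's UTC offset in Date: against the receiver's in Received:. The Outlook Express fingerprint is a heuristic of this example, not a fact the headers prove.

```python
"""Walk the Received: chain of a suspicious message and point at the hop
where it entered the recipient's mail system.

Added example for this thread, not code posted by anyone in it.  The header
sample is from #17 (trimmed); the internal-network range and the mailer
fingerprint are this example's own assumptions, not Apple's configuration."""
import email.parser
import email.utils
import ipaddress
import re

# Constructed sample: the headers posted in #17, with a placeholder body.
SAMPLE = """\
Return-path: <mail@mac.com>
Received: from smtpin125-bge351000 ([10.150.68.125])
 by ms264.mac.com (Sun Java(tm) System Messaging Server 6.3-7.04 (built Sep 26
 2008; 64bit)) with ESMTP id <0KC200LFLMHJIS00@ms264.mac.com> for
 XXX@mac.com; Thu, 18 Dec 2008 03:56:07 -0800 (PST)
Received: from mac.com ([86.105.74.205])
 by smtpin125.mac.com (Sun Java(tm) System Messaging Server 6.3-7.03 (built Aug
 4 2008; 32bit)) with ESMTP id <0KC200JMCMHDEO60@smtpin125.mac.com> for
 XXX@mac.com (ORCPT XXX@mac.com); Thu,
 18 Dec 2008 03:56:07 -0800 (PST)
Message-id: <0KC200JMFMHDEO60@smtpin125.mac.com>
From: mail@mac.com
To: XXX@mac.com
Subject: Your Membership Details!
Date: Thu, 18 Dec 2008 13:56:02 +0200
Content-type: multipart/mixed;
 boundary="----=_NextPart_000_0003_E6567F61.968B079A"
X-MSMail-priority: Normal

(body omitted)
"""

# "from <HELO name> ([<ip>]) by <server>": the name is whatever the connecting
# client said; the bracketed IP is what the receiving server actually saw.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\(\[(?P<ip>[0-9a-fA-F.:]+)\]\)\s+by\s+(?P<by>\S+)")


def parse_hops(raw):
    """Return (message, hops) with hops oldest first.  Each MTA prepends its
    own Received: line, so the bottom-most one is the first hop taken."""
    msg = email.parser.HeaderParser().parsestr(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(value.split())            # unfold continuation lines
        m = HOP_RE.search(value)
        if not m:
            continue                                # non-standard clause, skip
        stamp = value.rsplit(";", 1)[-1].strip()    # timestamp follows last ';'
        hops.append({"helo": m["helo"], "ip": m["ip"], "by": m["by"],
                     "time": email.utils.parsedate_to_datetime(stamp)})
    return msg, hops


def entry_hop(hops, internal=("10.0.0.0/8",)):
    """First hop whose client address lies outside the recipient's own network.
    10.0.0.0/8 is assumed to be mac.com's internal range (RFC 1918 space)."""
    nets = [ipaddress.ip_network(n) for n in internal]
    for hop in hops:
        if not any(ipaddress.ip_address(hop["ip"]) in n for n in nets):
            return hop
    return None


def analyse(raw):
    msg, hops = parse_hops(raw)
    o = entry_hop(hops)
    date = email.utils.parsedate_to_datetime(msg["Date"])
    msgid_host = msg["Message-id"].strip("<> ").rsplit("@", 1)[-1]
    return {
        "hop_count": len(hops),
        # Only the IP is evidence; the HELO name, From: and Return-path are
        # whatever the connecting client chose to say.
        "origin_ip": o["ip"] if o else None,
        "origin_helo": o["helo"] if o else None,
        "entered_at": o["by"] if o else None,
        # A Message-id minted by the receiving MX means the sender supplied
        # none, which real mail clients and relaying MTAs normally do.
        "msgid_from_receiver": any(h["by"] == msgid_host for h in hops),
        # Date: carries the sender's UTC offset, Received: the receiver's;
        # the skew shows whether the sender's clock is also wrong.
        "sender_offset": date.strftime("%z"),
        "receiver_offset": o["time"].strftime("%z") if o else None,
        "clock_skew_s": int((o["time"] - date).total_seconds()) if o else None,
        # Heuristic only: X-MSMail-Priority plus a ----=_NextPart_ boundary is
        # the Outlook Express pattern, which spam tools also imitate.
        "outlook_express_like": ("X-MSMail-priority" in msg and
                                 (msg.get_boundary() or "").startswith("----=_NextPart_")),
    }


if __name__ == "__main__":
    for key, val in analyse(SAMPLE).items():
        print(f"{key:22} {val}")
```

On the #17 headers this reports two hops, the message entering smtpin125.mac.com from 86.105.74.205 while claiming the HELO name "mac.com", a Message-id stamped by that same inbound server, and a Date: written at UTC+0200 that is only a few seconds off the receiver's UTC-0800 stamp, so the sender's clock is right but sits in another time zone from Apple's servers. What it cannot do is answer the question asked in #17: the only origin the headers give is that IP, and tying it to one of your contacts needs the address owner's cooperation, not more header parsing.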
  18. Mr Skills thread starter macrumors 6502a


    Joined:
    Nov 21, 2005
  19. PowerFullMac macrumors 601


    Joined:
    Oct 16, 2006
    #19
    I just had something very similar happen to me on MSN... Nice try, you stupid little Windows virus!

    Picture 3.png

    You would have to be quite stupid to fall for that, I must admit!
     
  20. Mr Skills thread starter macrumors 6502a


    Joined:
    Nov 21, 2005
  21. PowerFullMac macrumors 601


    Joined:
    Oct 16, 2006
    #21
    Pink... Errr, I mean, I don't know, I never downloaded it! :p
     