Consulting Ukraine - runs the malfunctioning antivirus software, that sends bogus Klez virus warnings to the absolutely unrelated people, and they didn't stop this abuse even after my two warnings to them about it! Also, their RIPE registered e-mail box, dvv@cu.kiev.ua, has bounced as user unknown. cu.kiev.ua, [212.90.164.0 - 212.90.165.255]: Access denied! === My first warning === Content-Type: text/plain; charset="iso-8859-1" From: Admin Reply-To: admin@dolphinwave.org Organization: Private person Subject: Bogus Klez virus warnings! Fwd: Undelivered mail: Happy humour Assumption Date: Fri, 16 Aug 2002 15:58:21 +0300 User-Agent: KMail/1.4.1 To: support@dials.ru, admin@dolphinwave.org, postmaster@cu.kiev.ua, postmaster@monster.cu.kiev.ua X-Complaints-To: abuse@dolphinwave.org (live person) X-PGP-key: 0xAAE2A579 X-PGP-key-fingerprint: 5B8E 3B28 7199 8CD3 4133 FA87 000B 0FB6 AAE2 A579 X-No-Confirm: Yes MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Message-Id: <200208161558.26025@2002.dolphinwave.org> Status: R X-Status: N -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Please, stop sending your bogus Klez virus warnings to the absolutely unrelated persons! Klez virus/e-mail worm forges the "Mail from:" headers, and as a result your virus warnings bounce to the wrong people. Mind you, none of my computers can be infected by that stuff cause I do not even run Windows! Regards, Alexander Sheremet DolphinWave.org Admin. - ---------- Forwarded Message ---------- Received: from monster.cu.kiev.ua (monster.cu.kiev.ua [212.90.165.202]) by mail.dolphinwave.org (8.11.6/8.11.6) with ESMTP id g7GBrel18610 for ; Fri, 16 Aug 2002 14:53:42 +0300 Received: from monster.cu.kiev.ua (localhost.localdomain [127.0.0.1]) by monster.cu.kiev.ua (8.12.2/8.12.2) with ESMTP id g7GBrYLQ004818 for ; Fri, 16 Aug 2002 14:53:34 +0300 Received: (from root@localhost) by monster.cu.kiev.ua (8.12.2/8.12.2/Submit) id g7GBrYeB004813 for ; Fri, 16 Aug 2002 14:53:34 +0300 Date: Fri, 16 Aug 2002 14:53:34 +0300 From: postmaster@cu.kiev.ua Message-Id: <200208161153.g7GBrYeB004813@monster.cu.kiev.ua> Subject: Undelivered mail: Happy humour Assumption Content-Type: text/plain; charset=us-ascii Status: R X-Status: N Dear User, The message sent by is infected by a virus and has not been delivered. DrWeb antivirus filter reports: - --- DrWeb report --- ====================== DrWeb scanning report: ====================== 127.0.0.1 [4811] /var/drweb/spool/drweb.tmp_GYD560 - archive MAIL 127.0.0.1 [4811] >/var/drweb/spool/drweb.tmp_GYD560/html.1 infected with Trojan.IframeExec 127.0.0.1 [4811] >/var/drweb/spool/drweb.tmp_GYD560/valign.exe infected with Win32.HLLM.Klez.4 127.0.0.1 [4811] >/var/drweb/spool/drweb.tmp_GYD560/home.htm - Ok ======== Summary: ======== known virus is found : 2 unknown code or multiple errors : 1 - --- DrWeb report --- An original message was storied in archive record named: In order to receive the original message, please send request to postmaster, referring to the archive record name given above. - --- Antivirus service provided by DrWeb Daemon (http://www.drweb.ru) Please send your comments to DialogueScience, Inc. (http://www.dials.ru, support@dials.ru) - ------------------------------------------------------- - -- URL: http://www.DolphinWave.org Mail: on the web page (no spam) ICQ: 6615461 -----BEGIN PGP SIGNATURE----- Comment: Key ID: 0xAAE2A579 iD8DBQE9XPbxAAsPtqripXkRAlPeAKCXEJQ2LW9t4fNK/0a+WW8lxE1KWwCg2fI5 icUUz7y53ElUL+OWAMkM35g= =yJIa -----END PGP SIGNATURE----- === Bogus warnings still come, my second e-mail === Content-Type: text/plain; charset="iso-8859-1" From: Admin Reply-To: abuse@2002.dolphinwave.org Organization: Private person Subject: [email] Bogus Klez virus reports: cu.kiev.ua! [Fwd: Undelivered mail: A very nice game] Date: Tue, 20 Aug 2002 13:54:59 +0300 User-Agent: KMail/1.4.1 To: , nanas-sub@cybernothing.org, postmaster@cu.kiev.ua, dvv@cu.kiev.ua X-Complaints-To: abuse@dolphinwave.org (live person) X-PGP-key: 0xAAE2A579 X-PGP-key-fingerprint: 5B8E 3B28 7199 8CD3 4133 FA87 000B 0FB6 AAE2 A579 X-No-Confirm: Yes MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Message-Id: <200208201355.00108@2002.dolphinwave.org> Status: R X-Status: N -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [e-mailed and archived on news.admin.net-abuse.sightings] I repeat again: please STOP wasting the time of absolutely unrelated people with your bogus Klez virus warnings! Klez virus/e-mail worm forged the Mail - From envelope when sends itself, so you bounce your virus reports to people who have nothing to do with it! Mind you, I don't even run Windows on my network and there is absolutely no way that my network might be infected by something designed especially to exploit Windows security holes! If you will not disable your malfunctioning antivirus software from abusing other people's e-mail boxes, I will have no other choice but to block your whole [212.90.164.0 - 212.90.165.255] network from accessing my mailservers ever again. - ---------- Forwarded Message ---------- Received: from monster.cu.kiev.ua (monster.cu.kiev.ua [212.90.165.202]) by mail.dolphinwave.org (8.11.6/8.11.6) with ESMTP id g7KAQ9l23221 for ; Tue, 20 Aug 2002 13:26:13 +0300 Received: from monster.cu.kiev.ua (localhost.localdomain [127.0.0.1]) by monster.cu.kiev.ua (8.12.2/8.12.2) with ESMTP id g7KAPxLQ015909 for ; Tue, 20 Aug 2002 13:25:59 +0300 Received: (from root@localhost) by monster.cu.kiev.ua (8.12.2/8.12.2/Submit) id g7KAPxMc015898 for ; Tue, 20 Aug 2002 13:25:59 +0300 Date: Tue, 20 Aug 2002 13:25:59 +0300 From: postmaster@cu.kiev.ua Message-Id: <200208201025.g7KAPxMc015898@monster.cu.kiev.ua> Subject: Undelivered mail: A very nice game Content-Type: text/plain; charset=us-ascii Status: R X-Status: N Dear User, The message sent by is infected by a virus and has not been delivered. DrWeb antivirus filter reports: - --- DrWeb report --- ====================== DrWeb scanning report: ====================== 127.0.0.1 [15896] /var/drweb/spool/drweb.tmp_V83yIs - archive MAIL 127.0.0.1 [15896] >/var/drweb/spool/drweb.tmp_V83yIs/html.1 - Ok 127.0.0.1 [15896] >/var/drweb/spool/drweb.tmp_V83yIs/demo.exe infected with Win32.HLLM.Klez.4 127.0.0.1 [15896] >/var/drweb/spool/drweb.tmp_V83yIs/MSP60DVPatch_Readme_ger.txt - Ok ======== Summary: ======== known virus is found : 1 unknown code or multiple errors : 1 - --- DrWeb report --- An original message was storied in archive record named: In order to receive the original message, please send request to postmaster, referring to the archive record name given above. - --- Antivirus service provided by DrWeb Daemon (http://www.drweb.ru) Please send your comments to DialogueScience, Inc. (http://www.dials.ru, support@dials.ru) - ------------------------------------------------------- ======= My previous request ======= From: Admin Subject: Bogus Klez virus warnings! Fwd: Undelivered mail: Happy humour Assumption Date: Fri, 16 Aug 2002 15:58:21 +0300 To: support@dials.ru, admin@dolphinwave.###, postmaster@cu.kiev.ua, postmaster@monster.cu.kiev.ua - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Please, stop sending your bogus Klez virus warnings to the absolutely unrelated persons! Klez virus/e-mail worm forges the "Mail from:" headers, and as a result your virus warnings bounce to the wrong people. Mind you, none of my computers can be infected by that stuff cause I do not even run Windows! Regards, Alexander Sheremet DolphinWave.org Admin. - - ---------- Forwarded Message ---------- Received: from monster.cu.kiev.ua (monster.cu.kiev.ua [212.90.165.202]) by mail.dolphinwave.org (8.11.6/8.11.6) with ESMTP id g7GBrel18610 for ; Fri, 16 Aug 2002 14:53:42 +0300 Received: from monster.cu.kiev.ua (localhost.localdomain [127.0.0.1]) by monster.cu.kiev.ua (8.12.2/8.12.2) with ESMTP id g7GBrYLQ004818 for ; Fri, 16 Aug 2002 14:53:34 +0300 Received: (from root@localhost) by monster.cu.kiev.ua (8.12.2/8.12.2/Submit) id g7GBrYeB004813 for ; Fri, 16 Aug 2002 14:53:34 +0300 Date: Fri, 16 Aug 2002 14:53:34 +0300 From: postmaster@cu.kiev.ua Message-Id: <200208161153.g7GBrYeB004813@monster.cu.kiev.ua> Subject: Undelivered mail: Happy humour Assumption Content-Type: text/plain; charset=us-ascii Status: R X-Status: N Dear User, The message sent by is infected by a virus and has not been delivered. DrWeb antivirus filter reports: - - --- DrWeb report --- ====================== DrWeb scanning report: ====================== 127.0.0.1 [4811] /var/drweb/spool/drweb.tmp_GYD560 - archive MAIL 127.0.0.1 [4811] >/var/drweb/spool/drweb.tmp_GYD560/html.1 infected with Trojan.IframeExec 127.0.0.1 [4811] >/var/drweb/spool/drweb.tmp_GYD560/valign.exe infected with Win32.HLLM.Klez.4 127.0.0.1 [4811] >/var/drweb/spool/drweb.tmp_GYD560/home.htm - Ok ======== Summary: ======== known virus is found : 2 unknown code or multiple errors : 1 - - --- DrWeb report --- An original message was storied in archive record named: In order to receive the original message, please send request to postmaster, referring to the archive record name given above. - - --- Antivirus service provided by DrWeb Daemon (http://www.drweb.ru) Please send your comments to DialogueScience, Inc. (http://www.dials.ru, support@dials.ru) - - ------------------------------------------------------- - - -- URL: http://www.DolphinWave.org Mail: on the web page (no spam) ICQ: 6615461 - -----BEGIN PGP SIGNATURE----- Comment: Key ID: 0xAAE2A579 iD8DBQE9XPbxAAsPtqripXkRAlPeAKCXEJQ2LW9t4fNK/0a+WW8lxE1KWwCg2fI5 icUUz7y53ElUL+OWAMkM35g= =yJIa - -----END PGP SIGNATURE----- ======= Other bogus reports ======= Received: from monster.cu.kiev.ua (monster.cu.kiev.ua [212.90.165.202]) by mail.dolphinwave.org (8.11.6/8.11.6) with ESMTP id g7J9NHl14429 for ; Mon, 19 Aug 2002 12:23:23 +0300 Received: from monster.cu.kiev.ua (localhost.localdomain [127.0.0.1]) by monster.cu.kiev.ua (8.12.2/8.12.2) with ESMTP id g7J9N0LQ026608 for ; Mon, 19 Aug 2002 12:23:01 +0300 Received: (from root@localhost) by monster.cu.kiev.ua (8.12.2/8.12.2/Submit) id g7J9N0wB026603 for ; Mon, 19 Aug 2002 12:23:00 +0300 Date: Mon, 19 Aug 2002 12:23:00 +0300 From: postmaster@cu.kiev.ua Message-Id: <200208190923.g7J9N0wB026603@monster.cu.kiev.ua> Subject: Undelivered mail: A special new website Content-Type: text/plain; charset=us-ascii Status: R X-Status: N Dear User, The message sent by is infected by a virus and has not been delivered. DrWeb antivirus filter reports: - --- DrWeb report --- ====================== DrWeb scanning report: ====================== 127.0.0.1 [26601] /var/drweb/spool/drweb.tmp_Yn6HWI - archive MAIL 127.0.0.1 [26601] >/var/drweb/spool/drweb.tmp_Yn6HWI/html.1 infected with Trojan.IframeExec 127.0.0.1 [26601] >/var/drweb/spool/drweb.tmp_Yn6HWI/is infected with Win32.HLLM.Klez.4 127.0.0.1 [26601] >/var/drweb/spool/drweb.tmp_Yn6HWI/Scenalyzer.txt - Ok ======== Summary: ======== known virus is found : 2 unknown code or multiple errors : 1 - --- DrWeb report --- An original message was storied in archive record named: In order to receive the original message, please send request to postmaster, referring to the archive record name given above. - --- Antivirus service provided by DrWeb Daemon (http://www.drweb.ru) Please send your comments to DialogueScience, Inc. (http://www.dials.ru, support@dials.ru) Received: from monster.cu.kiev.ua (monster.cu.kiev.ua [212.90.165.202]) by mail.dolphinwave.org (8.11.6/8.11.6) with ESMTP id g7JEpNl15786 for ; Mon, 19 Aug 2002 17:51:34 +0300 Received: from monster.cu.kiev.ua (localhost.localdomain [127.0.0.1]) by monster.cu.kiev.ua (8.12.2/8.12.2) with ESMTP id g7JEpALQ019198 for ; Mon, 19 Aug 2002 17:51:10 +0300 Received: (from root@localhost) by monster.cu.kiev.ua (8.12.2/8.12.2/Submit) id g7JEpAPg019192 for ; Mon, 19 Aug 2002 17:51:10 +0300 Date: Mon, 19 Aug 2002 17:51:10 +0300 From: postmaster@cu.kiev.ua Message-Id: <200208191451.g7JEpAPg019192@monster.cu.kiev.ua> Subject: Undelivered mail: Hi,webmaster,welcome to my hometown Content-Type: text/plain; charset=us-ascii Status: R X-Status: N Dear User, The message sent by is infected by a virus and has not been delivered. DrWeb antivirus filter reports: - --- DrWeb report --- ====================== DrWeb scanning report: ====================== 127.0.0.1 [19190] /var/drweb/spool/drweb.tmp_O8wS7B - archive MAIL 127.0.0.1 [19190] >/var/drweb/spool/drweb.tmp_O8wS7B/html.1 infected with Trojan.IframeExec 127.0.0.1 [19190] >/var/drweb/spool/drweb.tmp_O8wS7B/cdonts infected with Win32.HLLM.Klez.4 127.0.0.1 [19190] >/var/drweb/spool/drweb.tmp_O8wS7B/cdonts - archive HTML 127.0.0.1 [19190] >>/var/drweb/spool/drweb.tmp_O8wS7B/cdonts/javascript.0 - Ok 127.0.0.1 [19190] >>/var/drweb/spool/drweb.tmp_O8wS7B/cdonts/javascript1.1.1 - Ok 127.0.0.1 [19190] >>/var/drweb/spool/drweb.tmp_O8wS7B/cdonts/javascript1.2.2 - Ok 127.0.0.1 [19190] >>/var/drweb/spool/drweb.tmp_O8wS7B/cdonts/javascript1.3.3 - Ok 127.0.0.1 [19190] >>/var/drweb/spool/drweb.tmp_O8wS7B/cdonts/javascript.4 - Ok 127.0.0.1 [19190] >>/var/drweb/spool/drweb.tmp_O8wS7B/cdonts/javascript1.2.5 - Ok 127.0.0.1 [19190] >>/var/drweb/spool/drweb.tmp_O8wS7B/cdonts/javascript1.2.6 - Ok ======== Summary: ======== known virus is found : 2 unknown code or multiple errors : 1 - --- DrWeb report --- An original message was storied in archive record named: In order to receive the original message, please send request to postmaster, referring to the archive record name given above. - --- Antivirus service provided by DrWeb Daemon (http://www.drweb.ru) Please send your comments to DialogueScience, Inc. (http://www.dials.ru, support@dials.ru) -----BEGIN PGP SIGNATURE----- Comment: Key ID: 0xAAE2A579 iD8DBQE9YiADAAsPtqripXkRAqCjAKD0l5riJe4o64FQes+u7BZzhEfBrgCgu4EY HpVOnkZsmCR3E/btIDSdVuU= =0bHS -----END PGP SIGNATURE----- === RIPE contact, dvv@cu.kiev.ua, has bounced === Received: from localhost (localhost)         by mail.dolphinwave.org (8.11.6/8.11.6) id g7KAtuw23434;         Tue, 20 Aug 2002 13:55:56 +0300 Date: Tue, 20 Aug 2002 13:55:56 +0300 From: Mail Delivery Subsystem Message-Id: <200208201055.g7KAtuw23434@mail.dolphinwave.org> To: ### MIME-Version: 1.0 Content-Type: multipart/report;   report-type=delivery-status;   boundary="g7KAtuw23434.1029840956/mail.dolphinwave.org" Subject: Returned mail: see transcript for details Auto-Submitted: auto-generated (failure) Status: R X-Status: N    ----- The following addresses had permanent fatal errors ----- dvv@cu.kiev.ua     (reason: 550 5.1.1 ... User unknown)    ----- Transcript of session follows ----- ... while talking to relay1.cu.kiev.ua.: >>> RCPT To: <<< 550 5.1.1 ... User unknown 550 5.1.1 dvv@cu.kiev.ua... User unknown Attachment: 1 Attachment: 2 === And yet more bogus virus warnings from them === Received: from monster.cu.kiev.ua (monster.cu.kiev.ua [212.90.165.202]) by mail.dolphinwave.org (8.11.6/8.11.6) with ESMTP id g7KGLhl25186 for ; Tue, 20 Aug 2002 19:21:54 +0300 Received: from monster.cu.kiev.ua (localhost.localdomain [127.0.0.1]) by monster.cu.kiev.ua (8.12.2/8.12.2) with ESMTP id g7KGLWLQ008964 for ; Tue, 20 Aug 2002 19:21:32 +0300 Received: (from root@localhost) by monster.cu.kiev.ua (8.12.2/8.12.2/Submit) id g7KGLWY3008955 for ; Tue, 20 Aug 2002 19:21:32 +0300 Date: Tue, 20 Aug 2002 19:21:32 +0300 From: postmaster@cu.kiev.ua Message-Id: <200208201621.g7KGLWY3008955@monster.cu.kiev.ua> Subject: Undelivered mail: The Garden of Eden Content-Type: text/plain; charset=us-ascii X-Loop: dev.null@dolphinwave.org Status: R X-Status: N Dear User, The message sent by is infected by a virus and has not been delivered. DrWeb antivirus filter reports: --- DrWeb report --- ====================== DrWeb scanning report: ====================== 127.0.0.1 [8953] /var/drweb/spool/drweb.tmp_zZB4yr - archive MAIL 127.0.0.1 [8953] >/var/drweb/spool/drweb.tmp_zZB4yr/html.1 infected with Trojan.IframeExec 127.0.0.1 [8953] >/var/drweb/spool/drweb.tmp_zZB4yr/file infected with Win32.HLLM.Klez.4 127.0.0.1 [8953] >/var/drweb/spool/drweb.tmp_zZB4yr/MSP60DVPatch_Readme_ger.txt - Ok ======== Summary: ======== known virus is found : 2 unknown code or multiple errors : 1 --- DrWeb report --- An original message was storied in archive record named: In order to receive the original message, please send request to postmaster, referring to the archive record name given above. --- Antivirus service provided by DrWeb Daemon (http://www.drweb.ru) Please send your comments to DialogueScience, Inc. (http://www.dials.ru, support@dials.ru)