RyanWenke Newbie
Joined: 27 Dec 2006 Posts: 59
Posted: Jun 07, 2007 4:06pm Post subject: Weird email I got

Microsoft Corporation has received information that a host/domain name registered to/by your company is acting as an IRC server controlling a network of computers compromised with an unauthorized backdoor, commonly referred to as a 'botnet'. Botnets are often controlled in violation of criminal laws and commonly engage in distributed denial of service attacks or the distribution of malware without authorization.
Specifically, the following information details the botnet hosted on your network:
IRC Server Hostname: irc.chattingaway.com
Server Port Number: 6667
Channel Name: #bot39
We request that you investigate and take action subject to your Terms of Service. Since botnets typically connect to hostnames embedded in malware, you may consider redirecting the DNS entry for this hostname to an abuse site. Otherwise the person(s) controlling this botnet can simply redirect the DNS entry to another IP Address.
Yours sincerely,
Peter Anaman
Internet Investigator
on behalf of Microsoft Corporation
One Microsoft Way
Redmond, WA 98052
United States of America

I got this in an email, and really suspect it's fake. I haven't checked the headers yet to see the incoming mail server and such, but it seems very far-fetched. There has never been any such thing running on my network. We get the occasional bot or so, but they are taken care of right away. Even if it is real, maybe this Peter Anaman character should focus on locations that actually have a substantial amount of bots and such, rather than my 90 user network.
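
The header check mentioned in the post above, shown as an added example that is not part of the original post: it reads the one `Received` line stamped by the recipient's own mail server, plus that server's SPF verdict, and ignores everything the sending side could have forged. The message, the hostnames `mx.example.net` and `vendor.example`, the Postfix-style `Received` layout and the function names are all assumptions made for the example.

```python
import re
from email import message_from_string, policy

# Constructed sample (not from the thread). mx.example.net is the recipient's
# own MX; vendor.example stands in for the organisation named in the notice.
RAW = """\
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=vendor.example
Received: from mail.sender.example (mail.sender.example [192.0.2.10])
\tby mx.example.net with ESMTP id 4F2A1; Thu, 7 Jun 2007 15:58:00 -0400
Received: from legal.vendor.example (unknown [10.1.1.1])
\tby mail.sender.example; Thu, 7 Jun 2007 15:57:58 -0400
From: "Internet Investigator" <investigator@vendor.example>
Subject: Botnet notification

(body omitted)
"""

# Postfix-style hop: from <HELO> (<reverse DNS> [<IP>]) by <receiving host>
HOP = re.compile(r"from \S+ \((\S+) \[([^\]]+)\]\) by (\S+)")

def in_domain(host, domain):
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)

def check_notice(raw, my_mx, claimed_domain):
    msg = message_from_string(raw, policy=policy.default)
    out = {"handoff_host": None, "handoff_ip": None, "spf": None}
    out["from_domain"] = msg["From"].addresses[0].domain
    # Only the Received line written by our own MX is trustworthy; every
    # line below it was supplied by the sending side and can be forged.
    for rcvd in msg.get_all("Received", []):
        m = HOP.search(" ".join(str(rcvd).split()))
        if m and m.group(3).lower() == my_mx:
            out["handoff_host"], out["handoff_ip"] = m.group(1), m.group(2)
            break
    # Likewise, accept Authentication-Results only when our MX wrote it.
    for ar in msg.get_all("Authentication-Results", []):
        server, *results = [p.strip() for p in str(ar).split(";")]
        if server.lower() == my_mx:
            for r in results:
                spf = re.match(r"spf=(\w+)", r)
                if spf:
                    out["spf"] = spf.group(1)
    host = out["handoff_host"]
    out["host_matches"] = bool(host) and in_domain(host, claimed_domain)
    verified = out["spf"] == "pass" or out["host_matches"]
    # Claims the organisation in From:, but nothing our MX saw backs it up.
    out["unverified"] = in_domain(out["from_domain"], claimed_domain) and not verified
    return out
```

An `unverified` result means the sender's identity should be confirmed through a separately obtained contact before acting on the notice; it does not by itself prove the message is forged.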

PingBad Post Whore
Joined: 05 Feb 2005 Posts: 3001 Location: New Zealand
Posted: Jun 07, 2007 4:11pm Post subject:

My advice: you can either ignore it until a real deal microsofty drops by your front door, or you could make the first move by contacting your local M$ office and confirming the email - it's entirely your call, but I also suspect the validity of that email (I received one not too long ago similar in nature - it was pointing out the irc.* subdomain of my own personal domain, which was interesting... I don't have an irc subdomain, let alone a server/network to point it to)

FBI Guru
Joined: 19 Aug 2005 Posts: 1534 Location: Federation Of Bored IRC'ers
Posted: Jun 07, 2007 7:42pm Post subject: Re: Weird email I got

RyanWenke wrote:
Microsoft Corporation has received information that a host/domain name registered to/by your company is acting as an IRC server controlling a network of computers compromised with an unauthorized backdoor, commonly referred to as a 'botnet'. Botnets are often controlled in violation of criminal laws and commonly engage in distributed denial of service attacks or the distribution of malware without authorization.
Specifically, the following information details the botnet hosted on your network:
IRC Server Hostname: irc.chattingaway.com
Server Port Number: 6667
Channel Name: #bot39
We request that you investigate and take action subject to your Terms of Service. Since botnets typically connect to hostnames embedded in malware, you may consider redirecting the DNS entry for this hostname to an abuse site. Otherwise the person(s) controlling this botnet can simply redirect the DNS entry to another IP Address.
Yours sincerely,
Peter Anaman
Internet Investigator
on behalf of Microsoft Corporation
One Microsoft Way
Redmond, WA 98052
United States of America
I got this in an email, and really suspect it's fake. I haven't checked the headers yet to see the incoming mail server and such, but it seems very far-fetched. There has never been any such thing running on my network. We get the occasional bot or so, but they are taken care of right away. Even if it is real, maybe this Peter Anaman character should focus on locations that actually have a substantial amount of bots and such, rather than my 90 user network.

Just to tell you that is the REAL Microsoft Anti-Malware team, some stuff like that.
I know this because I am on the irc security list.
At least it's nice to know that big companies like Microsoft are sending out emails and shutting down botnets.
Another PS: They seem to go against xdcc bots since those xdcc bots are infected without the user's permission.

intempo Newbie
Joined: 06 Feb 2007 Posts: 75
Posted: Jun 08, 2007 2:37am Post subject:

That's not from Microsoft. The spelling and/or grammar is terrible, I very much doubt it.

ircmojo Lurker
Joined: 02 Mar 2007 Posts: 215 Location: $HOME sweet $HOME
Posted: Jun 08, 2007 9:33am Post subject:

Microsoft is a software vendor, not a law enforcement agency so
1. they have no business sending you that email even if it was real.
2. They can't do squat about it if you ignore them other than file legal actions in which unless they own the computers that are "infected" they have no legal grounds to do AND you would WANT them to file just for the fact that the action would be proof of authenticity.
3. if you DO ignore it and it WAS genuine, then the REAL law enforcement agencies that apply to that jurisdiction will contact you as well, because they know that Microsoft is NOT a law enforcement agency.
4. a Microsoft employee wouldn't contact you, their legal department would and would likely reference a case number.
5. Microsoft doesn't police IRC networks, nor botnets.
6. Even if they did they can't force you to change your DNS entries. It's not your DNS that is criminal, it's the infestation of the botnet nodes and redirecting your DNS won't fix that.
7. persons controlling botnets can not change your DNS entries without you giving them access or they hack the server.

FBI Guru
Joined: 19 Aug 2005 Posts: 1534 Location: Federation Of Bored IRC'ers
Posted: Jun 08, 2007 2:08pm Post subject:

ircmojo wrote:
Microsoft is a software vendor, not a law enforcement agency so
1. they have no business sending you that email even if it was real.
2. They can't do squat about it if you ignore them other than file legal actions in which unless they own the computers that are "infected" they have no legal grounds to do AND you would WANT them to file just for the fact that the action would be proof of authenticity.
3. if you DO ignore it and it WAS genuine, then the REAL law enforcement agencies that apply to that jurisdiction will contact you as well, because they know that Microsoft is NOT a law enforcement agency.
4. a Microsoft employee wouldn't contact you, their legal department would and would likely reference a case number.
5. Microsoft doesn't police IRC networks, nor botnets.
6. Even if they did they can't force you to change your DNS entries. It's not your DNS that is criminal, it's the infestation of the botnet nodes and redirecting your DNS won't fix that.
7. persons controlling botnets can not change your DNS entries without you giving them access or they hack the server.

It doesn't matter, at least you see a multi-billion dollar company doing something about these huge ddos botnets lying around a bunch of private or public irc networks.
They aren't forcing you, just telling you.
They won't sue, they just tell you, nothing else, and if you have Microsoft Anti-Virus OneCare it's probably gonna be updated to remove the nasty viruses etc.
90% of the world's computers are using Windows and it's their fault for making it insecure, so I guess right now they are taking action to address that problem and hopefully lower the amount of botnets in the internet.

mentor Newbie
Joined: 22 Jun 2004 Posts: 91 Location: San Diego, CA
Posted: Jun 16, 2007 10:46pm Post subject:

FBI wrote:
It doesn't matter, at least you see a multi-billion dollar company doing something about these huge ddos botnets lying around a bunch of private or public irc networks.
They aren't forcing you, just telling you.
They won't sue, they just tell you, nothing else, and if you have Microsoft Anti-Virus OneCare it's probably gonna be updated to remove the nasty viruses etc.
90% of the world's computers are using Windows and it's their fault for making it insecure, so I guess right now they are taking action to address that problem and hopefully lower the amount of botnets in the internet.

They aren't doing anything. Obviously they haven't fully researched the source of the problem, as sites/networks are wrongly getting these letters.
And, while I might not be a big Windows fan, it is not Microsoft's fault. It's the people who are using it. I'd venture to say that 90% of zombie computers are a direct result of those who are using them. Downloading from untrusted sources, not properly configuring gateways/routers, etc. Perhaps if people actually stopped to learn a little about the products they are using, then it might just be a little more secure.

Jobe Eleet
Joined: 30 Jul 2006 Posts: 526 Location: Lurking in the shadows of some random channel!
Posted: Jun 17, 2007 4:35am Post subject:

mentor wrote:
Perhaps if people actually stopped to learn a little about the products they are using, then it might just be a little more secure.

That's half the problem with the world's population of viruses and trojans, people want things that just work without having to learn things to use them.

intempo Newbie
Joined: 06 Feb 2007 Posts: 75
Posted: Jun 17, 2007 8:24am Post subject:

FBI: You just talk utter s****
Do we need backseat 'know it alls' ?

Jobe Eleet
Joined: 30 Jul 2006 Posts: 526 Location: Lurking in the shadows of some random channel!
Posted: Jun 17, 2007 9:16am Post subject:

intempo wrote:
FBI: You just talk utter s****
Do we need backseat 'know it alls' ?

Says he/she who criticises others for his/her own type of behaviour...

Asmo none
Joined: 06 May 2003 Posts: 28
Posted: Jun 18, 2007 2:30am Post subject:

This is indeed valid. I've received a similar email. They claimed I had a botnet running on a domain that looks very similar to irc-junkie.org, but obviously isn't. 1) I don't run a network, 2) anyone that knows my site knows I'm all about safe computing and am very, VERY against the use of DDoS and other similar activities.
Replied back to them with their error, and the guy apologised and said he'll update their database reflecting this...

FBI Guru
Joined: 19 Aug 2005 Posts: 1534 Location: Federation Of Bored IRC'ers
Posted: Jun 18, 2007 3:45pm Post subject:

intempo wrote:
FBI: You just talk utter s****
Do we need backseat 'know it alls' ?

Yes I do know it all so it doesn't give you a reason to curse at me.

Asmo wrote:
This is indeed valid. I've received a similar email. They claimed I had a botnet running on a domain that looks very similar to irc-junkie.org, but obviously isn't. 1) I don't run a network, 2) anyone that knows my site knows I'm all about safe computing and am very, VERY against the use of DDoS and other similar activities.
Replied back to them with their error, and the guy apologised and said he'll update their database reflecting this...

I wish I could work there....

mjgreen none
Joined: 23 Mar 2008 Posts: 2
Posted: Oct 29, 2009 8:22am Post subject:

Guys,
This is indeed genuine. And it IS MS Legal.
They're not saying you have an infected host, rather that one or more infected hosts are connecting or attempting to connect to your network on the DNS address above. They're targeting the main control channel, rather than the hosts themselves - take out the control channel and disrupt the network, since often the botnet herder has no other way of controlling the bots.
You're receiving the email as the administrator of the network to kill the channel and/or hosts from your network. And the reason they're sending is it's likely a Windows host that's compromised.
Bit nicer than the alternatives - asking your ISP to shut you down, or adding your domain/address to the various malware blocklists.

Willaim Idler
Joined: 27 Jun 2003 Posts: 323 Location: IRC
Posted: Oct 29, 2009 9:36am Post subject:

If it was me, I'd shut down that channel maybe? Unless it's a legitimate channel.
That email didn't really contain spelling errors that I saw, so the second poster is incorrect.
I don't understand what they meant by the DNS. If one botnet's connecting to my network, I'm gonna re-direct my domain name to an abuse site?!
Someone needs to do their research a little more at Microsoft HQ.
(If this is indeed genuine.)

Jobe Eleet
Joined: 30 Jul 2006 Posts: 526 Location: Lurking in the shadows of some random channel!
Posted: Oct 30, 2009 9:32am Post subject:

mjgreen, Willaim, this thread is over 2 years old, 2007, I'm pretty certain the issue has been resolved by now and is no longer relevant.