
Spam from "postmaster"? (undeliverable mail)


Daniel
Dec 19, 2002, 7:13:32 PM

I've recently got a few "undeliverable mail" messages from "postmaster" at
MSN or Hotmail. The problem/suspicious part is that I know for sure I
didn't send those messages. They are usually spam type of subjects that are
in the returned messages. I don't see them in my "sent items" showing that
I had sent them. I don't even open the messages that are spam (just right
click, properties, see from part, determine if needs to be added to
kill-filter, close message properties, delete message, PREVIEW PANE IS
TURNED OFF FOR SAFETY REASONS...did this after Nimda).
So my question is did spammers find another way to try to get people to
look at their mail? Forge header info from the postmaster of a domain, send
their spam attached, making it look like you tried to send that message but
were unable to so it's being returned, and because you forgot what it was
you had sent you open it to see, and then get your spam? Below is the
message header from the most recent one (my e-mail address removed).

X-Apparently-To: my_ad...@removed.com via 216.136.174.42; 19 Dec 2002
06:51:26 -0800 (PST)
X-Track: 1: 100
Return-Path: <>
Received: from 205.158.62.35 (EHLO spf8.us4.outblaze.com) (205.158.62.35)
by mta190.mail.scd.yahoo.com with SMTP; 19 Dec 2002 06:51:24 -0800 (PST)
Received: from cpimssmtpoa01.msn.com (cpimssmtpb06.msn.com [207.46.181.46])
by spf8.us4.outblaze.com (8.11.6/8.11.6) with ESMTP id gBJEpNI14215
for <my_ad...@removed.com>; Thu, 19 Dec 2002 14:51:23 GMT
Received: from cpimssmtpa23.msn.com ([207.46.181.28]) by
cpimssmtpoa01.msn.com with Microsoft SMTPSVC(5.0.2195.4905);
Thu, 19 Dec 2002 06:50:10 -0800
X-MSN-Trace: {D475E2A2-DB89-41EC-8789-2AA006369546}
From: postm...@msn.com
To: my_ad...@removed.com
Date: Thu, 19 Dec 2002 06:50:10 -0800
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
boundary="9B095B5ADSN=_01C2A094D28118B800345B4Acpimssmtpa23.msn"
Message-ID: <We25lQFt...@cpimssmtpa23.msn.com>
Subject: Delivery Status Notification (Failure)
X-OriginalArrivalTime: 19 Dec 2002 14:50:10.0548 (UTC)
FILETIME=[EDF75B40:01C2A76D]

Here is the message header in the attached message (one I supposedly sent).
Again only my e-mail is removed/changed (not account I'm posting this from),
but the name "columbia" is apparently the from name I used (according to
them at least). Also shouldn't my IP address be there somewhere? It's
saying I'm using AOL...when I'm actually using COX (cable).

X-MSN-Trace: {56E4B13E-4804-43E6-A480-0622DC52E2AE}
Received: from aol.com ([80.188.45.122]) by cpimssmtpa23.msn.com with
Microsoft SMTPSVC(5.0.2195.4905);
Thu, 19 Dec 2002 06:50:02 -0800
Message-Id: <J7RW1J4S5TB.5HDI1Y2B4UWP4OIUO.Colombia<my_ad...@removed.com>>
From: Colombia<my_ad...@removed.com>
Content-Type: text/html; charset="iso-8859-1"
Received: from aol.com by 063X6.aol.com with SMTP for blo...@msn.com; Thu,
19 Dec 2002 07:57:05 -0700
X-Priority: 3 (Normal)
Date: Thu, 19 Dec 2002 07:57:05 -0700
Content-Transfer-Encoding: Quoted-Printable
Importance: Normal
To: blo...@msn.com
Subject: Too Many Bills? help is here
X-Sender: Colombia<my_ad...@removed.com>
Return-Path: my_ad...@removed.com
X-OriginalArrivalTime: 19 Dec 2002 14:50:04.0045 (UTC)
FILETIME=[EA1713D0:01C2A76D]

Just to be on the safe side...any known viruses do this or is this just a
new spammer's tactic (that someone is going to way too much trouble to do)?
They did get the e-mail address of mine correct, as well as the timezone
(the -0700, central time). But again I didn't see my IP address in there.

--
Daniel daniel_h_w@_yahoo.com

"The day Microsoft makes something that doesn't suck, is probably the day
Microsoft starts making vacuum cleaners."


Unk
Dec 19, 2002, 7:23:37 PM

Someone who has your email address also has the w32.klez virus.
I wouldn't worry about it. Just make sure you delete it.

If you want to check your computer to make sure YOU don't
have it, look here:
http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.removal.tool.html
Here's the link to the removal tool:
http://securityresponse.symantec.com/avcenter/FixKlez.com
If you're free of the virus, the program will tell you so.

Unk

Daniel
Dec 19, 2002, 9:38:04 PM

"Unk" <n...@aol.com> wrote in message
news:ono40vg7llpbcd2kv...@4ax.com...

> Someone who has your email address also has the w32.klez virus.
> I wouldn't worry about it. Just make sure you delete it.
>
> If you want to check your computer to make sure YOU don't
> have it, look here:
>
> http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.removal.tool.html
> Here's the link to the removal tool:
> http://securityresponse.symantec.com/avcenter/FixKlez.com
> If you're free of the virus, the program will tell you so.
>
Thanks for the removal tool...lucky for me I didn't have it (3 computers
networked with combined total of 200GB of hard drive wouldn't be fun to
clean). As for someone being infected & having my e-mail...is there a way
to trace down who that might be? I've opened both suspicious e-mails (in
WordPad), and the other wasn't from me (or claiming to be from me). It's
from an AOL user whom I don't know. The suspicious part about that one is
at one point it says "content-type: audio/x-wav; name=String,.scr" (just
above the "content-transfer-encoding: base64", the content ID, and then the
encoded attachment/body). Seeing that the message claims to be a .wav but
then also says the file is a .scr (screen saver = executable), this does
remind me of one of the recent viruses (though I think Nimda was the one
that did that to make it auto-download & execute...contained an executable
disguised/claiming to be a JPG or GIF or something Outlook Express would
automatically display). This too is from an AOL address & AOL's servers.
Any other way to track down who has this/who is infected? The TO and FROM
(the entire header actually) in this e-mail doesn't mention my address.
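
Added example, not part of the thread: a Python script that reads the header block of the message the bounce claims Daniel sent (quoted in his first post) the way the two posts above reason about it. It keeps only the Received: hop stamped by the recipient's own servers, treats every hop below that as text the sender supplied (the "aol.com" hop that made it look like an AOL user), and flags the audio/x-wav attachment whose name ends in .scr from the second message. The header block is the thread's own, re-folded with leading whitespace; the trusted-domain suffix, the list of executable extensions and the function names are this example's assumptions.

```python
import re
from email import message_from_string

# Constructed sample: the header block of the message the bounce claimed Daniel had
# sent, as quoted in the thread (redacted addresses kept), re-folded with leading
# whitespace on continuation lines so the parser treats each as one header.
# The Content-Type line is the one Daniel found in the second suspicious message.
ATTACHED_HEADERS = """\
X-MSN-Trace: {56E4B13E-4804-43E6-A480-0622DC52E2AE}
Received: from aol.com ([80.188.45.122]) by cpimssmtpa23.msn.com with
 Microsoft SMTPSVC(5.0.2195.4905);
 Thu, 19 Dec 2002 06:50:02 -0800
From: Colombia<my_ad...@removed.com>
Received: from aol.com by 063X6.aol.com with SMTP for blo...@msn.com; Thu,
 19 Dec 2002 07:57:05 -0700
To: blo...@msn.com
Subject: Too Many Bills? help is here
Content-Type: audio/x-wav; name=String,.scr
Content-Transfer-Encoding: base64
Return-Path: my_ad...@removed.com

"""

# Assumptions of this example, not facts from the thread.
TRUSTED_SUFFIX = "msn.com"   # the recipient's own mail servers
EXECUTABLE_EXTS = (".scr", ".exe", ".pif", ".com", ".bat", ".vbs")

RECEIVED_RE = re.compile(
    r"^from\s+(?P<helo>\S+)\s*(?P<comment>\([^)]*\))?\s*by\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def received_hops(raw):
    """Received: hops in header order. The top one was stamped last, by the server
    nearest the recipient; each lower one was stamped earlier, or written by the sender."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        flat = " ".join(value.split())                # unfold continuation lines
        m = RECEIVED_RE.match(flat)
        if not m:
            continue
        ip = IP_RE.search(m.group("comment") or "")   # the IP the receiving server saw
        hops.append({"helo": m.group("helo"),
                     "ip": ip.group(1) if ip else None,
                     "by": m.group("by").lower()})
    return hops


def originating_ip(raw, trusted_suffix=TRUSTED_SUFFIX):
    """Walk down from the top and keep the peer IP recorded by servers in the
    trusted domain; stop at the first hop anyone else claims to have stamped,
    since the sender controls everything below that point."""
    ip = None
    for hop in received_hops(raw):
        if not hop["by"].endswith(trusted_suffix):
            break
        if hop["ip"]:
            ip = hop["ip"]
    return ip


def sender_written_hops(raw, trusted_suffix=TRUSTED_SUFFIX):
    """The hops below the trusted part of the chain: they arrived inside the
    message and prove nothing about where it really came from."""
    hops = received_hops(raw)
    for i, hop in enumerate(hops):
        if not hop["by"].endswith(trusted_suffix):
            return hops[i:]
    return []


def disguised_executable(raw):
    """True when a media type meant for display (audio, image, text, video) carries
    an attachment name with an executable extension, like audio/x-wav + .scr."""
    msg = message_from_string(raw)
    name = str(msg.get_param("name", "", header="content-type"))
    major = msg.get_content_type().split("/")[0]
    return name.lower().endswith(EXECUTABLE_EXTS) and major in ("audio", "image", "text", "video")


if __name__ == "__main__":
    print("originating IP recorded by trusted servers:", originating_ip(ATTACHED_HEADERS))
    for hop in sender_written_hops(ATTACHED_HEADERS):
        print("sender-supplied hop, not evidence:", hop)
    print("attachment disguised as media:", disguised_executable(ATTACHED_HEADERS))
```

The script answers the "shouldn't my IP address be there somewhere?" question: the only address that can be trusted is the one the MSN server wrote down when the connection came in (80.188.45.122), and the "aol.com" hop beneath it is just more sender-supplied header text, in the same way the From: line is.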

Mara
Dec 19, 2002, 9:56:47 PM


<snip>


>> >X-MSN-Trace: {56E4B13E-4804-43E6-A480-0622DC52E2AE}
>> >Received: from aol.com ([80.188.45.122]) by cpimssmtpa23.msn.com with
>> >Microsoft SMTPSVC(5.0.2195.4905);

% This is the RIPE Whois server.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html

inetnum: 80.188.0.0 - 80.188.255.255
netname: CZ-CZNET-20020613
descr: Provider Local Registry
descr: Czech Telecom International
country: CZ
admin-c: JB4700-RIPE
tech-c: LET9-RIPE
status: ALLOCATED PA
notify: r...@telecom.cz
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: AS5610-MTN
mnt-routes: AS5610-MTN
changed: hostm...@ripe.net 20020613
source: RIPE

route: 80.188.44.0/22
descr: CZ.CZNET PLZEN
origin: AS5610
notify: hostm...@iol.cz
mnt-by: AS5610-MTN
changed: tomas...@hq.iol.cz 20020726
source: RIPE

person: Jan Boucek
address: Czech Telecom a.s. - IOL
address: Krizikova 11-13
address: Praha 8
address: 18621
address: The Czech Republic
phone: +420 2 71466373
e-mail: jan.b...@hq.iol.cz
nic-hdl: JB4700-RIPE
notify: hostm...@iol.cz
changed: hostm...@iol.cz 20000726
source: RIPE

person: Miroslav Letak
address: Czech Telecom,a.s. - IOL
address: Thamova 11-13
address: Prague 8
address: The Czech Republic
phone: +420 2 71466182
fax-no: +420 2 71466337
e-mail: l...@iol.cz
nic-hdl: LET9-RIPE
notify: hostm...@iol.cz
changed: hostm...@iol.cz 20011108
source: RIPE

<snip>

--
"No lusers were harmed in the creation of this usenet article.
AND I WANT TO KNOW WHY NOT!"
--glmar04 at twirl.mcc.ac.uk in a.s.r
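
Added example, not the thread's own: a Python parser for the RPSL objects Mara pasted. Given the IP recorded by the receiving server, it picks the inetnum and route objects that cover it and resolves the admin-c/tech-c handles to the person objects' e-mail addresses, i.e. the contacts that would go on a report to the network owner. The WHOIS_TEXT constant is constructed from the page (re-indented, some address: lines dropped, redacted addresses left as they are); the function names are this example's assumptions.

```python
import ipaddress

# Constructed sample: the RIPE objects Mara pasted, with the thread's redacted
# addresses left as they are and a few address: lines dropped for brevity.
WHOIS_TEXT = """\
% This is the RIPE Whois server.
% The objects are in RPSL format.

inetnum:      80.188.0.0 - 80.188.255.255
netname:      CZ-CZNET-20020613
descr:        Provider Local Registry
descr:        Czech Telecom International
country:      CZ
admin-c:      JB4700-RIPE
tech-c:       LET9-RIPE
status:       ALLOCATED PA
notify:       r...@telecom.cz
mnt-by:       RIPE-NCC-HM-MNT
source:       RIPE

route:        80.188.44.0/22
descr:        CZ.CZNET PLZEN
origin:       AS5610
notify:       hostm...@iol.cz
mnt-by:       AS5610-MTN
source:       RIPE

person:       Jan Boucek
address:      Czech Telecom a.s. - IOL
phone:        +420 2 71466373
e-mail:       jan.b...@hq.iol.cz
nic-hdl:      JB4700-RIPE
source:       RIPE

person:       Miroslav Letak
address:      Czech Telecom,a.s. - IOL
phone:        +420 2 71466182
e-mail:       l...@iol.cz
nic-hdl:      LET9-RIPE
source:       RIPE
"""


def parse_rpsl(text):
    """Split whois output into objects, each a list of (key, value) pairs in order.
    Blank lines separate objects, '%' lines are server comments, keys may repeat."""
    objects, current = [], []
    for line in text.splitlines():
        if line.startswith("%"):
            continue
        if not line.strip():
            if current:
                objects.append(current)
                current = []
            continue
        key, _, value = line.partition(":")
        current.append((key.strip().lower(), value.strip()))
    if current:
        objects.append(current)
    return objects


def attrs(obj, key):
    """All values of one attribute on an object (RPSL allows repeats, e.g. descr:)."""
    return [v for k, v in obj if k == key]


def range_bounds(inetnum):
    """'80.188.0.0 - 80.188.255.255' -> (first, last) as address objects."""
    lo, hi = (ipaddress.ip_address(p.strip()) for p in inetnum.split("-"))
    return lo, hi


def covers(inetnum, addr):
    lo, hi = range_bounds(inetnum)
    return lo <= addr <= hi


def report_contacts(objects, ip):
    """For an IP taken from a trusted Received: hop, find the smallest inetnum that
    covers it, the route announcing it, and the e-mail addresses behind its
    admin-c/tech-c handles. Returns None when nothing in the output covers it."""
    addr = ipaddress.ip_address(ip)
    nets = [o for o in objects if attrs(o, "inetnum") and covers(attrs(o, "inetnum")[0], addr)]
    if not nets:
        return None
    # most specific allocation first: smallest address span
    net = min(nets, key=lambda o: int(range_bounds(attrs(o, "inetnum")[0])[1])
                                  - int(range_bounds(attrs(o, "inetnum")[0])[0]))
    routes = [o for o in objects if attrs(o, "route")
              and addr in ipaddress.ip_network(attrs(o, "route")[0], strict=False)]
    persons = {attrs(o, "nic-hdl")[0]: attrs(o, "e-mail")[0]
               for o in objects if attrs(o, "person") and attrs(o, "nic-hdl") and attrs(o, "e-mail")}
    notify = set(attrs(net, "notify"))
    for r in routes:
        notify.update(attrs(r, "notify"))
    return {
        "netname": attrs(net, "netname")[0],
        "range": attrs(net, "inetnum")[0],
        "origin": attrs(routes[0], "origin")[0] if routes else None,
        "notify": sorted(notify),
        "contacts": {h: persons.get(h) for h in attrs(net, "admin-c") + attrs(net, "tech-c")},
    }


if __name__ == "__main__":
    objs = parse_rpsl(WHOIS_TEXT)
    print(report_contacts(objs, "80.188.45.122"))
```

Feed it the IP that the recipient's own server recorded, never one from a hop the sender could have written, otherwise the report goes to whoever the forged hop names rather than to the network the infected machine is actually on.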

Daniel
Dec 20, 2002, 7:13:08 AM

¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿

"Mara" <g...@awaynow.becauseIsaidso.com> wrote in message
news:7k150vgbqpdgn9oe4...@4ax.com...

why?
Dec 20, 2002, 7:19:29 AM

On Fri, 20 Dec 2002 06:13:08 -0600, "Daniel" <daniel_h_wATyyahooDOTccom>
wrote:

The info Mara added is the hosting/owner/ISP info of the owner/provider
of the address in the message headers. So if you wish you could send the
entire message to one of the persons listed below as a spam report.

>¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿
>
>"Mara" <g...@awaynow.becauseIsaidso.com> wrote in message
>news:7k150vgbqpdgn9oe4...@4ax.com...
>> On Thu, 19 Dec 2002 20:38:04 -0600, "Daniel" <daniel_h_wATyyahooDOTccom>
>wrote:
>>
>> >"Unk" <n...@aol.com> wrote in message
>> >news:ono40vg7llpbcd2kv...@4ax.com...
>> >> Someone who has your email address also has the w32.klez virus.
>> >> I wouldn't worry about it. Just make sure you delete it.

<snip>

<snip>

Me

Unk
Dec 20, 2002, 9:01:37 AM

You're welcome.

As long as you don't have it, why bother? It's an exercise
in futility. What I did was to email all on my contact list
and give them the same information that I gave you.
None had the virus, but each of them has a contact list.....
and you could have ended up in a forward, CC:, or BCC:,
and on and on and on.............
Waste of time and effort.

Unk

On Thu, 19 Dec 2002 20:38:04 -0600, "Daniel" <daniel_h_wATyyahooDOTccom>
wrote:

>Thanks for the removal tool...lucky for me I didn't have it (3 computers

Mara
Dec 20, 2002, 12:23:03 PM

On Fri, 20 Dec 2002 14:01:37 GMT, Unk <n...@aol.com> wrote:

>You're welcome.
>
>As long as you don't have it, why bother? It's an exercise
>in futility. What I did was to email all on my contact list
>and give them the same information that I gave you.
>None had the virus, but each of them has a contact list.....
>and you could have ended up in a forward, CC:, or BCC:,
>and on and on and on.............
>Waste of time and effort.

Actually, it isn't. The originating host _should_ be warned that there's an
infected machine on their network. Usually they'll either contact the person
directly or shut their account down until the infection is cleaned up. You'd be
surprised at the number of people who get infected and don't even know enough
about their machines to realise it, and spew on and on and on.

>
>Unk
>
>On Thu, 19 Dec 2002 20:38:04 -0600, "Daniel" <daniel_h_wATyyahooDOTccom>
>wrote:
>
>>Thanks for the removal tool...lucky for me I didn't have it (3 computers
>>networked with combined total of 200GB of hard drive wouldn't be fun to
>>clean). As for someone being infected & having my e-mail...is there a way
>>to trace down who that might be? I've opened both suspicious e-mails (in
>>WordPad), and the other wasn't from me (or claiming to be from me). It's
>>from an AOL user whom I don't know. The suspicious part about that one is
>>at one point it says "content-type: audio/x-wav; name=String,.scr" (just
>>above the "content-transfer-encoding: base64", the content ID, and then the
>>encoded attachment/body). Seeing that the message claims to be a .wav but
>>then also says the file is a .scr (screen saver = executable), this does
>>remind me of one of the recent viruses (though I think Nimda was the one
>>that did that to make it auto-download & execute...contained an executable
>>disguised/claiming to be a JPG or GIF or something Outlook Express would
>>automatically display). This too is from an AOL address & AOL's servers.
>>Any other way to track down who has this/who is infected? The TO and FROM
>>(the entire header actually) in this e-mail doesn't mention my address.
>>
>>

--

Ed L. Pulliam
Dec 20, 2002, 7:43:33 PM

On December 20 2002, Mara <g...@awaynow.becauseIsaidso.com> wrote:
> Actually, it isn't. The originating host _should_ be warned that
> there's an infected machine on their network. Usually they'll either
> contact the person directly or shut their account down until the
> infection is cleaned up. You'd be surprised at the number of people
> who get infected and don't even know enough about their machines to
> realise it, and spew on and on and on.

I agree with Mara. I had the same problem with email apparently coming
from two different domains. I wrote to abuse@<domain name> for the two
domains, and stopped getting the bounced messages from both offenders
within 24 hours. Sometimes the system does work as advertised.

--
- Ed L. Pulliam pul...@ouisoft.com

