? Mailer Daemon

Jip (North)
Apr 2, 2003, 5:47:15 PM
Hi - can someone help me with this please? Received 2 emails to an unused
yahoo address last week + since have had 1x mail with Daemon Mailer
(undeliverable). Still have the 2x emails received from the person (replied
to one)

Looking up the properties on an email in yahoo - doesn't tell you much
(email written in hypertext transfer protocol) Is it likely that the first
email was infected with Mailer Daemon, and that this was in the text (there
were no attachments)

I'm wanting to know out of curiosity more than anything - but also to
notify this person. I'm just glad (I think) that this was sent to my yahoo
box, not my pop3 email, as I've read that it can be difficult to remove from
OE and is not detected by A-V programs. The sender has a signature
indicating that AVG antivirus was up to date. Does anyone know much about
it? (ie M.D.) ie where on system does this thing reside? (please be nice)

Jip

Thanks

BTW my OE and NAV are up-to-date, and I run AdAware and Spybot weekly.


FromTheRafters
Apr 2, 2003, 8:41:05 PM

"Jip (North)" <jipn...@yahoo.com.au> wrote in message news:b6fpgc$p2$1...@possum.melbpc.org.au...

> Hi - can someone help me with this please? Received 2 emails to an unused
> yahoo address last week + since have had 1x mail with Daemon Mailer
> (undeliverable). Still have the 2x emails received from the person (replied
> to one)
>
> Looking up the properties on an email in yahoo - doesn't tell you much
> (email written in hypertext transfer protocol) Is it likely that the first
> email was infected with Mailer Daemon,

What follows is guesswork, and I am assuming nobody
would be stoopid enough to actually name a malware
program "Mailer Daemon"

Mailer Daemon is not a virus, it is the program that
informs the sender (supposedly) that the e-mail that
they sent was (either temporarily or permanently)
undeliverable. However, there are some viruses and
or worm programs which generate fake returned
mail messages in an attempt to fool the victim into
running the attachment.

Anti-virus scanners (recently updated) are very good
for determining which malware the file contains, that is,
provided that the malware is 'known' to the scanner

> and that this was in the text (there
> were no attachments)

One of the 'middlemen' handlers of the e-mail
(Yahoo's AV choice) may have stripped the malware
from the e-mail along the way, or the content just
doesn't 'show up' as an attachment in the e-mail program
used. The overall size of the file can sometimes be an
indicator that there indeed may be malicious content.

> I'm wanting to know out of curiosity more than anything - but also to
> notify this person.

Examination of the original e-mails headers is required
in order to (perhaps) ascertain the true origin (IP#). In
the case of the Mailer Daemon, it may very well be that
the worm program chose to place an address which was
invalid to send to, and your address as the from, causing
the mail to be refused at the proposed destination (address
doesn't exist) and send the notification of that fact to you
(with a completely intact original e-mail (with malware and
headers) as a .dat file), attached. If some program then
stripped the attachment en route (and the nested malware),
it may well have also stripped the needed original header
information, becoming useless for your purposes.

> I'm just glad (I think) that this was sent to my yahoo
> box, not my pop3 email, as I've read that it can be difficult to remove from
> OE and is not detected by A-V programs.

That all depends on what we are talking about, which actually
hasn't even been determined yet. If it is a known virus or worm,
it is pretty likely that an AV can detect it, and in most cases also
remove it.

...and yes, an unpatched OE can be very malware friendly.

> The sender has a signature
> indicating that AVG antivirus was up to date.

Hahaha!

AVG's certification signature means absolutely nothing.
Think of how easily any malware could forge this, and
how misleading it would be if the AVG were not quite
as up-to-date (within seconds) as the malware was.
With new malware coming out constantly, it should
be obvious that there is a lag time before definitions
(scan strings for instance) are created for them. The
longer the lag time, the greater the risk of something
sneaking in under the wire.

...and AVG's definition updates come less often
than some other vendors.

> Does anyone know much about
> it? (ie M.D.) ie where on system does this thing reside? (please be nice)

Ummm, on the mail server at the ISP hosting the services.
(it is not malware, despite the demonic sounding name)

(Apologies to the group for speculating....)
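The header examination described in the reply above, as an added example that is not part of the original thread: a Python script that parses a delivery-status notification (the multipart/report format most mailer-daemons send), pulls out the attached original message, reads the bottom-most Received line to find the IP the message was injected from, and flags the bounce as one for a message the recipient never sent when the From address is theirs but the injecting IP is not one they send through. The sample bounce, addresses, host names and IPs are constructed for the example. As the reply notes, a real bounce may attach only the original headers (text/rfc822-headers, handled here) or nothing at all, in which case the origin cannot be recovered.

```python
"""Pull the origin of a bounced message out of a Mailer-Daemon notice.

Added example, not code from the thread. Assumes the bounce is an RFC 3464
multipart/report with the original message attached as message/rfc822
(some servers attach only the headers, as text/rfc822-headers; handled too).
The sample bounce, hosts, addresses and IPs below are constructed.
"""
import email
import re
from email import policy
from typing import Optional

IP_RE = re.compile(r'\[(\d{1,3}(?:\.\d{1,3}){3})\]')

# Constructed bounce: the "original" claims to come from jip@example.net, but
# the bottom-most Received line shows it was injected from 203.0.113.77.
SAMPLE_BOUNCE = b"""\
From: MAILER-DAEMON@mx.example.org (Mail Delivery System)
To: jip@example.net
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain

The address <nosuchuser@example.org> does not exist.

--B1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.org

Final-Recipient: rfc822; nosuchuser@example.org
Action: failed
Status: 5.1.1

--B1
Content-Type: message/rfc822

Received: from relay.example.org (relay.example.org [192.0.2.20])
 by mx.example.org with ESMTP id abc123; Wed, 2 Apr 2003 10:00:01 +1000
Received: from jip-pc (unknown [203.0.113.77])
 by relay.example.org with SMTP id xyz789; Wed, 2 Apr 2003 10:00:00 +1000
From: jip@example.net
To: nosuchuser@example.org
Subject: Re: your ad
Content-Type: text/plain

Your document is attached.

--B1--
"""


def parse_bounce(raw: bytes) -> dict:
    """Return the DSN status fields and the attached original message (or None)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if msg.get_content_type() != 'multipart/report':
        raise ValueError('not a multipart/report delivery-status notification')
    info = {'action': None, 'status': None, 'final_recipient': None, 'original': None}
    for part in msg.iter_parts():
        ctype = part.get_content_type()
        if ctype == 'message/delivery-status':
            # per-message and per-recipient header blocks, parsed as a list of messages
            for block in part.get_payload():
                for field in ('Action', 'Status', 'Final-Recipient'):
                    if field in block:
                        info[field.lower().replace('-', '_')] = str(block[field]).strip()
        elif ctype == 'message/rfc822':
            info['original'] = part.get_payload(0)        # full original, headers + body
        elif ctype == 'text/rfc822-headers':
            # only the headers survived (attachment stripped or trimmed en route)
            info['original'] = email.message_from_string(part.get_content(), policy=policy.default)
    return info


def origin_ip(original) -> Optional[str]:
    """IP of the first hop: the bottom-most Received header, added by the first
    server that accepted the message. Anything below that line can be forged."""
    received = original.get_all('Received') or []
    if not received:
        return None
    m = IP_RE.search(str(received[-1]))
    return m.group(1) if m else None


def is_forged_sender(original, my_address: str, my_sending_ips: set) -> bool:
    """True when the original claims to be From my_address but was not injected
    from any IP I actually send through: a bounce for mail I never sent."""
    claimed = str(original.get('From', ''))
    if my_address.lower() not in claimed.lower():
        return False
    ip = origin_ip(original)
    return ip is None or ip not in my_sending_ips


if __name__ == '__main__':
    info = parse_bounce(SAMPLE_BOUNCE)
    print(info['action'], info['status'], info['final_recipient'])
    print('injected from', origin_ip(info['original']))
    print('forged:', is_forged_sender(info['original'], 'jip@example.net', {'198.51.100.5'}))
```

Only the Received line added by a server you trust is evidence; every line below it was written by whoever handed the message in, so the check above treats the bottom-most line as the first hop and nothing more.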


Jip (North)
Apr 2, 2003, 9:59:38 PM
Hey thanks for that - what I probably didn't make clear was that these 2
emails were from same person (replying to an ad), previously empty email
box, and the messages made sense but Mailer Daemon messages started at same
time (have deleted them now!)

Couldn't reproduce headers from suspect email as Properties on Yahoo
messages in Yahoo doesn't come up with much (as opposed to same on emails in
OE) UNLESS I'm missing something. Did say 28000 odd bytes & message size on
inbox was 3k.

As yahoo messages are apparently stored on server - not so much of a
problem, but have seen where these MD undelivered messages get downloaded to
OE, and apparently block other incoming mail and are difficult to remove.

Anyway thanks -will post back with more details (if I can find them) if it
recurs

"FromTheRafters" <!00...@nomad.fake> wrote in message
news:v8n4a9b...@corp.supernews.com...

FromTheRafters
Apr 3, 2003, 5:27:28 PM

"Jip (North)" <jipn...@yahoo.com.au> wrote in message news:b6g8bh$5i9$1...@possum.melbpc.org.au...

> Hey thanks for that - what I probably didn't make clear was that these 2
> emails were from same person (replying to an ad), previously empty email
> box, and the messages made sense but Mailer Daemon messages started at same
> time (have deleted them now!)

More speculation I'm afraid...

It could be that the person responding to the ad, in doing so,
provided another e-mail address for their 'infection' to harvest.
Once harvested it could be used as the 'to' and/or 'from' mail
addresses in any worm generated mails. You can probably
expect it to get worse now (imo) as subsequent 'infections'
or 'infestations' may also be able to use your address.

Eventually your AV, or an AV en route, will hopefully identify
for you which worm you are dealing with.

> Couldn't reproduce headers from suspect email as Properties on Yahoo
> messages in Yahoo doesn't come up with much (as opposed to same on emails in
> OE) UNLESS I'm missing something. Did say 28000 odd bytes & message size on
> inbox was 3k.

Many of the recent mass mailing worms are ten or more
times that size, but they are not even really trying to be
small these days. More effort seems to be going into
making them to spread as widely as possible, or as quickly
as possible.

> As yahoo messages are apparently stored on server - not so much of a
> problem, but have seen where these MD undelivered messages get downloaded to
> OE, and apparently block other incoming mail and are difficult to remove.

Haven't heard of that happening, but I'm not an IT
professional.

> Anyway thanks -will post back with more details (if I can find them) if it
> recurs

My guess.....it will.


Jip (North)
Apr 3, 2003, 11:11:09 PM
Hi thanks - that reassures me <g>

This person is already flaming me on another NG, and I haven't even
mentioned this junk that came with her email........

Below is what I actually found for someone else a few weeks ago, who had OE
"blocked" with these undeliverables...eventually managed to delete them, and
haven't heard that they have returned.

> Microsoft.public.windows.inetexplorer.ie6_outlookexpress may help. Suggests
> using web-based mail access, or mailwasher or similar to delete messages or
> ? getting provider to delete them. Also suggests setting up a mail-rule to
> prevent them coming back.

> This is the original post, but it doesn't seem to copy and paste
> successfully
news:OH#6FUg7C...@TK2MSFTNGP12.phx.gbl...

There are vague references to all this in various NG's, but nothing where
anyone actually defines exactly what the specific cause is ie worm or
whatever. I don't know much about much, but anyway it seems to have gone
away for the moment.


FromTheRafters
Apr 4, 2003, 8:19:36 PM

"Jip (North)" <jipn...@yahoo.com.au> wrote in message news:b6j0kd$3pb$1...@possum.melbpc.org.au...

Weird....maybe someone is crafting smtp sends which
cause problems on some servers, and is spamming it
to various places just to be an annoyance. Some people
are like that.

I just received a strange 'undeliverable mail' evidently
to and from myself (6k including two attachments) from
comcast (I think) ~ investigating now.


Jip (North)
Apr 6, 2003, 11:40:08 PM

FromTheRafters wrote

> Weird....maybe someone is crafting smtp sends which
> cause problems on some servers, and is spamming it
> to various places just to be an annoyance. Some people
> are like that.
>
> I just received a strange 'undeliverable mail' evidently
> to and from myself (6k including two attachments) from
> comcast (I think) ~ investigating now.

Just got around to doing a google search (refs below) on this MD nuisance -
not appropriate to this NG, but a bounceback program like this must be
making the web congestion worse


http://www.hillary.net/DAEMON.html

http://www.jedi.com/obiwan/dearmd.html

http://support.bb4.com/archive/199710/threads.html


FromTheRafters
Apr 7, 2003, 6:17:19 PM

"Jip (North)" <jipn...@yahoo.com.au> wrote in message news:b6qrua$par$1...@possum.melbpc.org.au...

>
> FromTheRafters wrote
> > Weird....maybe someone is crafting smtp sends which
> > cause problems on some servers, and is spamming it
> > to various places just to be an annoyance. Some people
> > are like that.
> >
> > I just received a strange 'undeliverable mail' evidently
> > to and from myself (6k including two attachments) from
> > comcast (I think) ~ investigating now.
>
> Just got around to doing a google search (refs below) on this MD nuisance -
> not appropriate to this NG, but a bounceback program like this must be
> making the web congestion worse

It is just like the postal worker returning a mail to you
because the stamp fell off, it is a necessary function.
The problem is that someone has put you as the
return address and purposely left off the stamp so that
you get a returned mail that you didn't send. This was
an illegal way to send snail mail for free, until the post
office started to ensure return addresses were of local
origin.

Now it appears that someone has crafted e-mail with
identical to and from addresses (and non-compliance
to some RFC822 specifics) to cause mailer-daemons
to play "pong" with each other (speculation on my part).

Still checking it out....
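The mailer-daemon "pong" speculated about in the reply above, as an added example that is not part of the thread: a small Python model of two mail servers that reject everything, showing why a bounce is sent with a null envelope sender (MAIL FROM:<>) and why a server must never generate a bounce for a message whose envelope sender is already null (RFC 5321 section 4.5.5, carried over from RFC 2821). Two compliant daemons exchange exactly two messages (the original and one bounce); a daemon that puts a real address on its bounces and omits the Auto-Submitted header keeps bouncing until the constructed exchange limit. The hosts, addresses and the limit are constructed for the example.

```python
"""Bounce-loop ("pong") prevention between two mail servers.

Added example, not code from the thread. Models two MTAs that both reject
everything, to show why a delivery-status notification is sent with a null
envelope sender (MAIL FROM:<>) and why an MTA must never generate a bounce
for a message whose envelope sender is already null (RFC 5321 section 4.5.5).
The hosts, addresses and the exchange limit are constructed.
"""
from dataclasses import dataclass
from email import policy
from email.message import EmailMessage


@dataclass
class Mail:
    """One SMTP transaction: the envelope plus the message itself."""
    mail_from: str          # envelope sender (reverse-path); '' means MAIL FROM:<>
    rcpt_to: str            # envelope recipient
    msg: EmailMessage


def should_bounce(mail: Mail) -> bool:
    """Decide whether a rejected message may get a bounce at all."""
    if mail.mail_from == '':
        return False        # already a notification; never bounce a null reverse-path
    if mail.msg.get('Auto-Submitted', 'no').lower() != 'no':
        return False        # auto-generated mail (vacation replies etc.) is not bounced either
    return True


def make_bounce(rejected: Mail, reporting_mta: str, compliant: bool = True) -> Mail:
    """Build the DSN for a rejected message.

    compliant=False models a broken mailer-daemon that puts a real address in the
    reverse-path of its bounces and does not mark them Auto-Submitted, which is
    what lets two daemons bounce at each other indefinitely.
    """
    dsn = EmailMessage(policy=policy.default)
    dsn['From'] = f'MAILER-DAEMON@{reporting_mta}'
    dsn['To'] = rejected.mail_from
    dsn['Subject'] = 'Undelivered Mail Returned to Sender'
    dsn.set_content(f'<{rejected.rcpt_to}>: user unknown at {reporting_mta}\n')
    if compliant:
        dsn['Auto-Submitted'] = 'auto-replied'
        sender = ''                                  # MAIL FROM:<>
    else:
        sender = f'MAILER-DAEMON@{reporting_mta}'    # the mistake
    return Mail(mail_from=sender, rcpt_to=rejected.mail_from, msg=dsn)


def simulate(compliant: bool, limit: int = 50) -> int:
    """Pass messages between example.net and example.org, both of which reject
    everything. Returns how many messages are exchanged before the exchange
    stops on its own, or `limit` if it would go on forever."""
    first = EmailMessage(policy=policy.default)
    first['From'] = 'jip@example.net'
    first['To'] = 'nosuchuser@example.org'
    first.set_content('replying to your ad\n')
    queue = [Mail('jip@example.net', 'nosuchuser@example.org', first)]
    exchanged = 0
    while queue and exchanged < limit:
        mail = queue.pop(0)
        exchanged += 1
        rejecting_mta = 'mx.' + mail.rcpt_to.split('@', 1)[1]
        if should_bounce(mail):
            queue.append(make_bounce(mail, rejecting_mta, compliant))
    return exchanged


if __name__ == '__main__':
    print('compliant daemons:', simulate(True), 'messages')
    print('broken daemons:   ', simulate(False), 'messages (hit the limit)')
```

The null reverse-path is the whole mechanism: a bounce for a bounce has nowhere to go, so the exchange ends after one round trip. The Auto-Submitted check is a second line of defence for auto-responders that do not use a null sender.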


Jip (North)
Apr 7, 2003, 9:39:25 PM

FromTheRafters wrote

> Now it appears that someone has crafted e-mail with
> identical to and from addresses (and non-compliance
> to some RFC822 specifics) to cause mailer-daemons
> to play "pong" with each other (speculation on my part).
>
> Still checking it out....

Interested to hear outcome of your checking.......What would the appropriate
NG be....?alt.comp.web-congesters

FromTheRafters
Apr 8, 2003, 9:28:20 PM

"Jip (North)" <jipn...@yahoo.com.au> wrote in message news:b6t984$kll$1...@possum.melbpc.org.au...

It was 'damaged' porno-spam from orgycorner.net. I usually
pay them no attention, but this one was a MD bounced 'to'
and 'from' me, evidently.

