Persistent moron sending virus attachment!

Kandimann7

I am being swamped with a message which I have copied with all headers
below. The attached file is a zipped HTML file which presumably has a
small virus program embedded in it as AVG warned.

Normally I would just delete the messages and attachments and forget
about it but the messages keep on coming.

Am I right in thinking that the Moron who is sending this crap is on the
first received from address working upwards i.e. mx2.core.kcom.com and
that it is the ISP with this domain name that I should send the message
and headers to. Or is there a way I can trace the moron myself??

Thanks



From (e-mail address removed) Thu, 21 Aug 2003 05:25:28 +0100
From:      <[email protected]>
To:       myname <[email protected]>
X-Priority: 1
Return-path: <[email protected]>
Envelope-to: (e-mail address removed)
Delivery-date: Thu, 21 Aug 2003 05:25:46 +0100
Received: from [192.168.0.120] (helo=smtpout.karoo.kcom.com)
        by pop.karoo.kcom.com with esmtp (Exim 4.04)
        id 19ph18-0002PY-00
        for (e-mail address removed); Thu, 21 Aug 2003 05:25:46 +0100
Received: from [212.50.160.100] (helo=mx2.core.kcom.com)
        by smtpout.karoo.kcom.com with esmtp (Exim 4.04)
        id 19ph17-0001sa-00
        for (e-mail address removed); Thu, 21 Aug 2003 05:25:45 +0100
Received: from [61.11.74.85] (helo=localhost)
        by mx2.core.kcom.com with smtp (Exim 3.32 #2)
        id 19ph0l-0000Xt-00
        for (e-mail address removed); Thu, 21 Aug 2003 05:25:28 +0100
Reply-To: (e-mail address removed)
X-Mailer: The Bat! (v1.61)
Message-Id: <[email protected]>
Date: Thu, 21 Aug 2003 05:25:28 +0100
X-UIDL: 42J!!Y"Z"!ShG!!>]I"!
Delivery-Date: Thu, 21 Aug 2003 17:58:34
X-Poco-Attachment: D:\Program Files\PocoMail3\Attach\message.zip
Status: U
X-Poco-Score-Detail: +4 [SUBJECT=      ] (Subject       )
X-Poco-Score-Detail: +2 [FROM=%ADDRESSBOOKS%] (From %addressbooks%)
X-Poco-Scored: +6
Subject: your account                         acdaoioo
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
X-Poco-UID: 00216239
X-Poco-Status: R
X-Account: Myfirstname

Saved attachment: message.zip (moved or deleted)
Hello there,

I would like to inform you about important information regarding your
email address. This email address will be expiring.
Please read attachment for details.
 
nicky

I am being swamped with a message which I have copied with all headers
below. The attached file is a zipped HTML file which presumably has a
small virus program embedded in it as AVG warned.

It's the Mimail worm, it spoofs the 'from' line and to be honest trying to
track down the sender is prolly a waste of time. Just don't open them,
delete them.

Nicky
 
Eric

I am being swamped with a message which I have copied with all headers
below. The attached file is a zipped HTML file which presumably has a
small virus program embedded in it as AVG warned.

Normally I would just delete the messages and attachments and forget
about it but the messages keep on coming.

Am I right in thinking that the Moron who is sending this crap is on the
first received from address working upwards i.e. mx2.core.kcom.com and
that it is the ISP with this domain name that I should send the message
and headers to. Or is there a way I can trace the moron myself??

Thanks



Saved attachment: message.zip (moved or deleted)
Hello there,

I would like to inform you about important information regarding your
email address. This email address will be expiring.
Please read attachment for details.

---
Best regards, Administrator
acdaoioo

The "moron", as you put it, is probably infected himself/herself and doesn't
even know that they are sending you email, as a good share of worms and viruses
send out email without the actual user's knowledge. I would reply to the
individual's address and inform them that their machine is infected so they
can take appropriate action; failing this, I would contact the ISP and
inform them of the problem. You could also set up a "filter" or "block",
depending on your email program, that automatically deletes the offending
email when it comes to your email address.

Eric
 
FromTheRafters

I am being swamped with a message which I have copied with all headers
below. The attached file is a zipped HTML file which presumably has a
small virus program embedded in it as AVG warned.

=====
Sounds like "Mimail"
=====

Normally I would just delete the messages and attachments and forget
about it but the messages keep on coming.

Am I right in thinking that the Moron who is sending this crap is on the
first received from address working upwards i.e. mx2.core.kcom.com and
that it is the ISP with this domain name that I should send the message
and headers to.

=====
The domain name cannot be trusted, but the numbers
usually don't lie. The ISP owning that block could be
notified of the problem via their abuse or postmaster
address. They would also need the complete headers
in order to do so.
=====

Or is there a way I can trace the moron myself??

The ISP that owns the IP# can (maybe) check their logs to
determine which of their customers had that IP#, but you
can't access their logs to do it yourself.
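
An added example, not part of any post in this thread: a short Python walk over the Received chain quoted above, showing why the bracketed IP stamped by the ISP's own server is the value to report while the HELO name is whatever the sender chose. It assumes the two addresses the kcom.com servers recorded for each other are the ISP's own relays; `TRUSTED_RELAYS`, `handoff` and `summarize` are names made up for this sketch.

```python
import ipaddress
import re

# Received lines from the message quoted in the thread, newest first,
# unfolded to one line each and cut after the "by" host.
RECEIVED = [
    "from [192.168.0.120] (helo=smtpout.karoo.kcom.com) by pop.karoo.kcom.com",
    "from [212.50.160.100] (helo=mx2.core.kcom.com) by smtpout.karoo.kcom.com",
    "from [61.11.74.85] (helo=localhost) by mx2.core.kcom.com",
]
# Assumption: these two peers are the recipient ISP's own relays.
TRUSTED_RELAYS = {"192.168.0.120", "212.50.160.100"}

HOP = re.compile(r"from \[(?P<ip>[^\]]+)\]\s+\(helo=(?P<helo>[^)]+)\)\s+by\s+(?P<by>\S+)")


def handoff(lines, trusted=TRUSTED_RELAYS):
    """Return the hop where mail entered the trusted relays, or None.

    The newest line was written by the recipient's own server. Each older
    line is believable only while the peer recorded just above it is a
    trusted relay, so the walk stops at the first peer that is not.
    """
    for line in lines:
        m = HOP.search(line)
        if m is None:
            return None  # unparseable hop: nothing older can be verified
        hop = m.groupdict()
        if hop["ip"] not in trusted:
            return hop  # IP recorded by a trusted relay; HELO is sender-chosen
    return None  # never left the trusted relays


def summarize(lines):
    hop = handoff(lines)
    if hop is None:
        return "no external hand-off found"
    ip = ipaddress.ip_address(hop["ip"])
    scope = "public" if ip.is_global else "non-public"
    return f"report {ip} ({scope}) to its network owner; seen by {hop['by']}, HELO claimed '{hop['helo']}'"


if __name__ == "__main__":
    # Constructed: a forged line a sender could add below the real ones.
    forged = RECEIVED + ["from [10.9.8.7] (helo=mail.example.org) by relay.example.net"]
    print(summarize(RECEIVED))
    print(summarize(forged))
```

Any Received line older than the hand-off hop was supplied by the sending machine, so the forged line in the demo does not change the result.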
 
Conor

=====
The domain name cannot be trusted, but the numbers
usually don't lie. The ISP owning that block could be
notified of the problem via their abuse or postmaster
address. They would also need the complete headers
in order to do so.
=====

www.karoo.co.uk, Karoo is the ISP.



--
________________________
Conor Turton
(e-mail address removed)
ICQ:31909763
________________________
 
