Is this some kind of new spammer or virus trick?

Mail Ias

I just received this message:

=================================
From: (e-mail address removed)
Subject: Mail Delivery ([email protected])

If the message will not displayed automatically,
follow the link to read the delivered message.

Received message is available at:
www.mydomain.com/inbox/me/read.php?sessionid-32484

==================================

First of all, I'm the webmaster for mydomain.com, and I know that there is no
such function on that website. Nor is there even a directory called /inbox
off the root. I figured it was some kind of trick.

I'm using Outlook 2000 and the link is displayed in blue underline like a
normal hyperlink. However, the true link that shows up in the status bar area
in the lower left is:

outbind://16-00000000003E296CE5D68F204A9E8FF32789255437643A2400/cid:
031501Mfdab4$3f3dL780$73387018@57W81fa70Re

I don't know much about the "outbind" prefix and did some searching in Outlook
2000 Help, Microsoft.com, Google and Google Groups. The best I can tell is
that it references a link directly on the creator's machine and / or it's a
mechanism for attaching links, etc.

So, I'm thinking the sender screwed up and the link is harmless. Or, is it?
 
Thomas A. Horsley

Are you sure that is really text being displayed and not an image
that contains text and is a hyperlink to a completely different
place (I've seen that one before - a good reason to set your
fonts to something other than windows defaults, so the image
will look strange :).
 
Lyle H. Gray

> I just received this message:
>
> =================================
> From: (e-mail address removed)
> Subject: Mail Delivery ([email protected])
>
> If the message will not displayed automatically, follow the link to read
> the delivered message.
>
> Received message is available at:
> www.mydomain.com/inbox/me/read.php?sessionid-32484
>
> ==================================

My understanding is that this is a new virus trick. The hidden URL
supposedly will connect to the attachment and execute it.
 
Beauregard T. Shagnasty

Quoth the raven named Mail Ias:
> I just received this message:

Why don't you view source of the email and see what the link really
is? You may find one of those prevalent (in spam) links that
Microsloth products don't understand, and display incorrectly.

> So, I'm thinking the sender screwed up and the link is harmless.
> Or, is it?

Show us the source. But I would doubt that what you describe is
unintentional.
 
Wrangler

Mail Ias said:
> I just received this message:
>
> =================================
> From: (e-mail address removed)
> Subject: Mail Delivery ([email protected])
>
> If the message will not displayed automatically,
> follow the link to read the delivered message.
>
> Received message is available at:
> www.mydomain.com/inbox/me/read.php?sessionid-32484

This is NetSky.p by the sound of it...

As I understand it, the payload is packaged within the MIME/URL structure in
the message as a Microsoft Executable accessed via the Outbind / CID which
references the executable within the message itself.
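
The structure described above can be checked from the saved message source. This is an added example, not part of the original thread: it lists links whose visible text is shown to the reader while the real target is a `cid:` reference to a MIME part inside the same message. It assumes the HTML body uses a `cid:` href resolved by `Content-ID`; the sample message, `LinkCollector` and `audit` are constructed for illustration.

```python
import email.policy
from html.parser import HTMLParser

# Constructed sample (not the real message): link text is a URL, href is cid:.
SAMPLE = """\
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html

<a href="cid:part1@example.invalid">www.example.com/inbox/me/read.php</a>
--b1
Content-Type: application/octet-stream; name="attachment.exe"
Content-ID: <part1@example.invalid>

AAAA
--b1--
"""

class LinkCollector(HTMLParser):
    """Collect (target, visible text) for every <a href> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self._href, self._text = href, []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def audit(raw):
    """Return (visible text, target, content type, filename) per cid: link."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    by_cid = {p["Content-ID"].strip("<>"): p for p in msg.walk() if p["Content-ID"]}
    findings = []
    for part in (p for p in msg.walk() if p.get_content_type() == "text/html"):
        collector = LinkCollector()
        collector.feed(part.get_content())
        for target, text in collector.links:
            if target.lower().startswith("cid:") and target[4:] in by_cid:
                ref = by_cid[target[4:]]  # the embedded part the link opens
                findings.append((text, target, ref.get_content_type(), ref.get_filename()))
    return findings
```

A finding whose visible text looks like a web address while the referenced part has an executable file name is the mismatch to quarantine on.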
 
Gabriele Neukam

On that special day, Mail Ias, ([email protected]) said...
> From: (e-mail address removed)
> Subject: Mail Delivery ([email protected])
>
> If the message will not displayed automatically,
> follow the link to read the delivered message.
>
> Received message is available at:
> www.mydomain.com/inbox/me/read.php?sessionid-32484

Trick. Read my posting from 26th of March, with the subject:

(sigh) worms heading towards number "z"

There you'll see what is *behind* the URL. It is the worm inside the
mail.


Gabriele Neukam

(e-mail address removed)
 
Ceily

Got the same email too. Set off Kaspersky with a virus suspicion warning.
Just by using the preview pane. Exploit Iframe.File download.

Ceily
 
