Outlook sending 2 messages instead of 1 and Antivirus found no worm

[ThomasStraten]

Hi,

Everyday, once or twice during the day, when I send 1 message only,
Norton Antivirus (SystemWorks 2002) shows a window "Sending message 1
of 2".

After a short while, i get a reply as follows:
DELIVERY STATUS NOTIFICATION

- These recipients of your message have been processed by the mail
server: (e-mail address removed); Failed; 5.1.1 (bad destination mailbox
address)

Remote MTA correo.terra.cl: SMTP diagnostic: 550 RCPT
TO:<[email protected]> User unknown

Details.txt
Reporting-MTA: dns; mx2.terra.cl
Received-from-MTA: dns; computador6.com (200.54.142.236)
Arrival-Date: Wed, 10 Nov 2004 15:26:21 -0300

Final-Recipient: rfc822; (e-mail address removed)
Action: Failed
Status: 5.1.1 (bad destination mailbox address)
Remote-MTA: dns; correo.terra.cl
Diagnostic-Code: smtp; 550 RCPT TO:<[email protected]> User unknown

ATT0040.txt
Return-Path: <[email protected]>
Received: from computador6.com (200.54.142.236) by mx2.terra.cl
(7.0.028)
id 414A3E6805500F76 for (e-mail address removed); Wed, 10 Nov 2004
15:26:21 -0300
Date: Wed, 10 Nov 2004 15:38:44 -0400
To: "" <[email protected]>
From: "Tstraten" <[email protected]>
Subject: RE: Message Notify
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="--------ajzhvexanidjdkimvvpy"

NOTES:
3Dtstraten is not me, obviously.
The sent message NEVER APPEARS in the sent box.
The FROM: in the file ATT0040.txt states clearly that I sent the
message (which is false)
Neither Norton, Spybot, McAfee, PestPatrol are able to find something
wrong with my computer....
Subject varies from message to message...

It is driving me crazy!!!!

How could I check my computer (XP Pro Service Pack 2) OUTLOOK XP to
find what is going on....

I even use my DTSearch Forensic software to check for something
suspicious:nothing!!!!

Thanks

Thomas

 

[Jeff Stephenson [MSFT]]

These are probably read-receipts being sent for messages you've read.

 

[Brian Tillman]

Everyday, once or twice during the day, when I send 1 message only,
Norton Antivirus (SystemWorks 2002) shows a window "Sending message 1
of 2".

After a short while, i get a reply as follows:
DELIVERY STATUS NOTIFICATION

- These recipients of your message have been processed by the mail
server: (e-mail address removed); Failed; 5.1.1 (bad destination mailbox
address)

As Jeff said, possibly a read receipt. See
http://www.outlook-tips.net/howto/delete_rr.htm

As to why this message exists at all, I'll be glad to provide a possible
explanation, if you'd like.

 

[ThomasStraten]

NONONONONONONONONONONONO Guys!!!!

Have a look at the text I wrote and the returned messages ATT0040.txt
and details.txt

I CLEARLY sends a message to "3Dtstraten" (NEW message) suuposedly
written by me and with MY address as return!!!!!

I know RR's and so on, and I know Microsoft by heart....this is new...

Now: I have a friend who's identity is Tita in her mail, and suddenly
(before me) she stated that she was rejected by the mail with a funny
"3Dtita" as answer....

SO: My guess: new worm, undiscovered, slow (or stupidly programmed)
and stupid cause it always picks the same 3D+name....to send itself
somewhere...
BUT POTENTIALLY DANGEROUS...

Thanks anyway for reading me, but RR???? Come on..... no way

Tom

 

[Brian Tillman]

SO: My guess: new worm, undiscovered, slow (or stupidly programmed)
and stupid cause it always picks the same 3D+name....to send itself
somewhere...
BUT POTENTIALLY DANGEROUS...

Probably not a new worm, but one that is spoofing your address (badly) as
the sender. The "3D" is the hexadecimal value of the character "=", which
makes me think of broken encoding of the sender address in non-English
characters (where equal signs are part of the string specifying the language
in which the address is encoded. It could also be the result of a harvester
that recorded the address (yours) but wrote it out incorrectly or used it
incorrectly when if came time to spoof the sender.

It's a fact of Internet life now, it would seem.

 

[Jeff Stephenson [MSFT]]

I don't think it's a spoof - note that back in his first post he said that
Norton was saying that two messages were being sent when he only sent one,
and then shortly afterward he got this DSN. I agree that the 3D does look
suspiciously like a broken encoding of "="...

Two things to check:

1) Do you have any Outlook addins installed? Check Tools -> Options ->
Other -> Advanced Options -> Add-In Manager...
2) I don't know about DTSearch Forensic software, but you might try some of
the other anti spy/ad-ware products and see if they turn up anything.