Strange Email

Thread starter: John R

John R
Using WinXP Home Edition with OE. I get many unwanted emails that do not
have my specific address in the "From" section. Also, I received a Mail Not
Delivered notice that indicated a message from me was not delivered. A
message I never sent. Just curious how these things came to happen and if there
is a cure.
 
/John R/ said:
Using WinXP Home Edition with OE. I get many unwanted emails that do not
have my specific address in the "From" section. Also, I received a Mail Not
Delivered notice that indicated a message from me was not delivered. A
message I never sent. Just curious how these things came to happen and if there
is a cure.

Common for SPAM messages, and sometimes an attempt to deliver a worm or
virus. Simply delete the messages, and do not open attachments.
 
Hi,

These emails are most likely emails from other PCs (on the
Internet) that have been infected by a virus (e.g. Mydoom).

http://vil.nai.com/vil/content/v_100988.htm

If an email is not directly addressed to you then I would
delete it. I have had several strange emails like you
described and deleted them.

Make sure you have an up-to-date antivirus program on your
PC and that it is always running in your system tray.

Regards,

Tim
 
Using WinXP Home Edition with OE. I get many unwanted emails that do not
have my specific address in the "From" section. Also, I received a Mail Not
Delivered notice that indicated a message from me was not delivered. A
message I never sent. Just curious how these things came to happen and if there
is a cure.

John,

The virus of the month, Mydoom / Novarg, is known for producing both
of those effects.

The cure for that is education and protection.

If you want to report the problem (infected computers), you have to do
it properly. Mydoom forges most of the addressing information. DO
NOT Reply to Sender - Reply To: and From: are forged, and are part of
the effect, which is a Denial Of Service attack against the Abuse
desks in the ISPs.

In the example below, there is ONE genuine clue about its origination,
"(219.140.52.69)" in "Received:". The Received: header is created by
the email server processing the incoming email, and cannot be forged.

Everything else is forged by the virus. The "From:" header is an
address found on the infected computer by the virus, and that person,
if they exist, becomes another victim when folks use Reply To.

####### Start Example Message #######

X-Apparently-To: *deleted* via 66.218.93.62; Mon, 02 Feb 2004 23:04:55 -0800
X-YahooFilteredBulk: 219.140.52.69
Return-Path: <[email protected]>
Received: from 219.140.52.69 (EHLO cyts.com.cn) (219.140.52.69) by mta267.mail.scd.yahoo.com with SMTP; Mon, 02 Feb 2004 23:04:52 -0800
From: (e-mail address removed) Add to Address Book
To: *deleted*
Subject: hi
Date: Tue, 3 Feb 2004 15:06:04 +0800
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0013_E7F9D54F.059D8F41"
X-Priority: 3
X-MSMail-Priority: Normal
Content-Length: 22347

The message contains Unicode characters and has been sent as a binary
attachment.

Attachment
plngjsb.zip
.zip file

######## End Example Message #######

The infected computer is 219.140.52.69. That is the ONE genuine clue.

2/9/2004 07:52:30 whois -h whois.apnic.net 219.140.52.69
% [whois.apnic.net node-1]
% Whois data copyright terms
http://www.apnic.net/db/dbcopyright.html

inetnum: 219.140.0.0 - 219.140.255.255
netname: CHINANET-HB-WH
country: CN
descr: Chinanet network in Wuhan city Hubei province
admin-c: CHW9-AP
admin-c: CHA1-AP
tech-c: YH51-AP
tech-c: WX145-AP
status: ASSIGNED NON-PORTABLE
changed: (e-mail address removed) 20030922
mnt-by: MAINT-CN-CHINANET-HB
source: APNIC

role: CHINANET HB WH
address: No.1 HongShan Road Wuhan city
address: Hubei Province P.R.China
country: CN
phone: +86-27-87811065
phone: +86-27-87897599
fax-no: +86-27-87811653
e-mail: (e-mail address removed)
trouble: send spam reports to (e-mail address removed)
trouble: and abuse reports to (e-mail address removed)
trouble: Please include detailed information and
trouble: times in GMT+8
admin-c: WX145-AP
tech-c: YH51-AP
tech-c: WX145-AP
nic-hdl: CHW9-AP
notify: (e-mail address removed)
mnt-by: MAINT-CN-CHINANET-HB
changed: (e-mail address removed) 20031114
source: APNIC

role: CHINANET HB ADMIN
address: 8th floor of JinGuang Building
address: #232 of Macao Road
address: HanKou Wuhan Hubei Province
address: P.R.China
country: CN
phone: +86 27 82862199
fax-no: +86 27 82861499
e-mail: (e-mail address removed)
trouble: send spam reports to (e-mail address removed)
trouble: and abuse reports to (e-mail address removed)
trouble: Please include detailed information and
trouble: times in GMT+8
admin-c: YZ83-AP
admin-c: ZC77-AP
tech-c: YZ83-AP
tech-c: ZC77-AP
nic-hdl: CHA1-AP
notify: (e-mail address removed)
mnt-by: MAINT-CN-CHINANET-HB
changed: (e-mail address removed) 20031114
source: APNIC

person: Ying Hai
nic-hdl: YH51-AP
e-mail: (e-mail address removed)
address: No.1 HongShan Road
address: Wuhan Hubei province
address: P.R.China
phone: +86-27-87811065
fax-no: +86-27-87811653
country: CN
changed: (e-mail address removed) 20030919
mnt-by: MAINT-NEW
source: APNIC

person: WANG XI
address: No.1 Hongshan Road
address: Wuchang, Wuhan,Hubei province
address: P.R.China
country: CN
phone: +86-27-87270127
fax-no: +86-27-87313806
e-mail: (e-mail address removed)
nic-hdl: WX145-AP
mnt-by: MAINT-CN-CHINANET-HB
changed: (e-mail address removed) 20020409
source: APNIC

Send infection reports to:
(e-mail address removed), (e-mail address removed),
(e-mail address removed), (e-mail address removed), (e-mail address removed).

Send promptly - the longer you wait, the more emails the infected
computer sends out, which results in more infected computers.

Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.
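Chuck's point, that the connecting IP your own mail server writes into the Received: line is the only origin evidence in a worm-sent message, is easy to check mechanically. The script below is an added example, not code from this thread or from any of its posters. It parses a sample message built from the headers Chuck quoted (the addresses are placeholders in the reserved .invalid domain, and the second Received: line is a constructed forged hop), pulls the connecting IP out of the topmost Received: line, and reports From: and Return-Path: as sender-supplied claims rather than evidence. One caveat the post glosses over: only the Received: line stamped by a server you control is trustworthy; any Received: lines beneath it arrived inside the message and can be forged just like From:, so the parser refuses to guess when the topmost hop is not yours. The hostname `mta267.mail.scd.yahoo.com` is taken from the quoted headers; everything else named here is an assumption of the example.

```python
"""Which header in a worm-sent message can you actually trust?

Added example (not code from the thread or from any of its posters). It
parses a sample message built from the headers quoted above and pulls out
the one origin clue: the connecting IP that the recipient's OWN mail
server wrote into the topmost Received: line. From:, Return-Path: and
Reply-To: are sender-supplied and, for Mydoom traffic, forged. Received:
lines *below* the topmost one arrived as part of the message and can be
forged too, so only the hop stamped by a server we name is trusted.
"""
import email
import re

# Constructed sample: the Received:/Date:/Subject: lines are the ones quoted
# in the thread; addresses are placeholders in the reserved .invalid domain,
# and the second Received: line is a made-up forged hop to show the caveat.
SAMPLE = """\
Return-Path: <forged-bounce@example.invalid>
Received: from 219.140.52.69 (EHLO cyts.com.cn) (219.140.52.69) by
 mta267.mail.scd.yahoo.com with SMTP; Mon, 02 Feb 2004 23:04:52 -0800
Received: from innocent.example.invalid (innocent.example.invalid [192.0.2.10])
 by cyts.com.cn with SMTP; Mon, 02 Feb 2004 23:03:00 -0800
From: forged-victim@example.invalid
To: recipient@example.invalid
Subject: hi
Date: Tue, 3 Feb 2004 15:06:04 +0800
MIME-Version: 1.0
Content-Type: text/plain

The message contains Unicode characters and has been sent as a binary
attachment.
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def received_chain(raw):
    """Received: header values, topmost (most recently added) first,
    with header folding collapsed to single spaces."""
    msg = email.message_from_string(raw)
    return [" ".join(v.split()) for v in msg.get_all("Received", [])]


def origin_ip(raw, my_mta):
    """IP that our own MTA saw connecting, or None if we cannot tell.

    Only a Received: line whose 'by' host is my_mta was written by a
    server we control, and only the topmost one is safe to read: anything
    beneath it was already inside the message when it arrived.
    """
    chain = received_chain(raw)
    if not chain:
        return None
    top = chain[0]
    by = re.search(r"\bby\s+(\S+)", top)
    if not by or by.group(1).lower() != my_mta.lower():
        return None  # topmost hop is not ours; do not guess
    # The connecting address sits in the 'from ...' clause before 'by'.
    ips = IPV4.findall(top[: by.start()])
    return ips[0] if ips else None


def triage(raw, my_mta):
    """Summarise what is evidence and what is merely claimed by the sender."""
    msg = email.message_from_string(raw)
    chain = received_chain(raw)
    return {
        "origin_ip": origin_ip(raw, my_mta),            # evidence
        "claimed_from": msg.get("From"),                # sender-supplied
        "claimed_return_path": msg.get("Return-Path"),  # sender-supplied
        "untrusted_received": chain[1:],                # arrived with the message
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE, "mta267.mail.scd.yahoo.com").items():
        print(f"{key}: {value}")
```

Run it and `origin_ip` comes back as 219.140.52.69, the address Chuck then feeds to whois; the constructed forged hop naming `innocent.example.invalid` lands in `untrusted_received` and is never treated as the source. Asking for the origin with the wrong `my_mta` returns None rather than a plausible-looking but unverified address, which is the behaviour you want before sending an abuse report.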
 
Greetings --

What you received is the output of a computer infected by one of
several widely publicized, widespread, mass emailing worms. The
virus' authors have deliberately spoofed the Microsoft information in
the hopes of garnering more victims. This sort of email has been
quite common for at least the past 9 months. The most widely-known
are:

W32.Swen.A_mm
http://securityresponse.symantec.com/avcenter/venc/data/[email protected]

W32.Dumaru_mm
http://securityresponse.symantec.com/avcenter/venc/data/[email protected]

W32.Gibe_mm
http://securityresponse.symantec.com/avcenter/venc/data/[email protected]

Trojan.Xombe
http://www.symantec.com/avcenter/venc/data/trojan.xombe.html

Microsoft never has, does not currently, and very probably never
will email unsolicited security patches. At the most, if, and only
if, you subscribe to their security notification newsletter, they will
send you an email informing you that a new patch is available for
downloading.

Microsoft Policies on Software Distribution
http://www.microsoft.com/technet/treeview/?url=/technet/security/policy/swdist.asp

Information on Bogus Microsoft Security Bulletin Emails
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/news/patch_hoax.asp

How to Tell If a Microsoft Security-Related Message Is Genuine
http://www.microsoft.com/security/antivirus/authenticate_mail.asp

Remember, any and all legitimate patches and updates are readily
available at http://windowsupdate.microsoft.com/. You should develop
the habit of checking this site at least once a month to keep your
computer up-to-date. (Notice that this is the true URL, rather than
the bogus one that may have been contained in the email you received.)
Any messages that point to any other source(s) or claim to have the
patch attached are bogus.

You're receiving these emails because your email address is in
the address book of someone infected with a worm, and/or because you
posted your real email address somewhere on-line, either in a forum
accessible to the public and spambots, such as Usenet, or on an
untrustworthy web site that subsequently sold your address as part of
a mailing list. One thing you can do is notify _everyone_ with whom
you've ever corresponded via email that one or more of them may be
infected with a mass emailing worm, and should take the appropriate
steps.


Bruce Chambers
--
Help us help you:

You can have peace. Or you can have freedom. Don't ever count on
having both at once. -- RAH
 
John said:
Using WinXP Home Edition with OE. I get many unwanted emails that do not
have my specific address in the "From" section. Also, I received a Mail Not
Delivered notice that indicated a message from me was not delivered. A
message I never sent. Just curious how these things came to happen and if there
is a cure.

These are examples of the way the MyDoom trojan is spreading itself. The
attachments are the infection - delete them immediately. You may find
some cases where an AV program has removed the attachment leaving just
the 'come on' message.
 