undeliverable message spam

Adam Russell

I've been getting more and more of these emails saying the message was
undeliverable. They appear to imply that I am sending out spam which is
being bounced back. I'm pretty sure it's not me sending out messages
because I have nis updated and xp updated so should be worm free. I usually
just delete them, but now I'm up to 57 in about 4 hours. Am I personally
under attack? Is there a good way to stop this? I'd block them but it
seems like they are from all different sources.
 
Dan Shackelford

I've been getting more and more of these emails saying the message was
undeliverable. They appear to imply that I am sending out spam which is
being bounced back. I'm pretty sure it's not me sending out messages
because I have nis updated and xp updated so should be worm free. I
usually just delete them, but now I'm up to 57 in about 4 hours. Am I
personally under attack? Is there a good way to stop this? I'd block
them but it seems like they are from all different sources.
You are under attack, as are a lot of us. They are not originating FROM
you, the SWEN virus is spoofing your address. I am getting a lot of them
myself, the "undeliverable address" ones too, which is pretty amusing. I
am running Linux, so there is no way my computer could have originated
them, but I still am getting them as addressed as "undeliverable". Sad
thing is ... if people had applied patches to Windows that have been out
for a long time, this worm would never work. I am being flooded at dozens
per hour too.
 
DC

On Thu, 18 Sep 2003 20:13:52 -0700, Adam Russell wrote:
[snip]

you, the SWEN virus is spoofing your address. I am getting a lot of them
myself, the "undeliverable address" ones too, which is pretty amusing. I
am running Linux, so there is no way my computer could have originated
them, but I still am getting them as addressed as "undeliverable".

Dan, have you viewed the message source of one of those "undeliverable
address" ones? It's enlightening... }:O)
 
Dan Shackelford

On Thu, 18 Sep 2003 20:13:52 -0700, Adam Russell wrote: [snip]

you, the SWEN virus is spoofing your address. I am getting a lot of them
myself, the "undeliverable address" ones too, which is pretty amusing. I
am running Linux, so there is no way my computer could have originated
them, but I still am getting them as addressed as "undeliverable".

Dan, have you viewed the message source of one of those "undeliverable
address" ones? It's enlightening... }:O)
Well, originally, they were all from Europe ... but now I am getting them
from ATT and Comcast too .. I run em through spamcop to make sure my eyes
are not deceiving me. I am now up to 50/hr, easy. This is ridiculous,
since the patch that fixed this vulnerability in Windows came out in 2001.
I thought SoBig.F was bad .... this is worse.
 
DC

On Thu, 18 Sep 2003 20:13:52 -0700, Adam Russell wrote: [snip]

you, the SWEN virus is spoofing your address. I am getting a lot of them
myself, the "undeliverable address" ones too, which is pretty amusing. I
am running Linux, so there is no way my computer could have originated
them, but I still am getting them as addressed as "undeliverable".

Dan, have you viewed the message source of one of those "undeliverable
address" ones? It's enlightening... }:O)
Well, originally, they were all from Europe ... but now I am getting them
from ATT and Comcast too .. I run em through spamcop to make sure my eyes
are not deceiving me. I am now up to 50/hr, easy. This is ridiculous,
since the patch that fixed this vulnerability in Windows came out in 2001.
I thought SoBig.F was bad .... this is worse.

That isn't what I meant. Never mind where, geographically, the messages
come from. Look at the message source, as in "view source". Those
aren't genuine bounce messages. There is an .exe embedded.
 
Dan Shackelford

On Thu, 18 Sep 2003 20:13:52 -0700, Adam Russell wrote: [snip]

you, the SWEN virus is spoofing your address. I am getting a lot of
them myself, the "undeliverable address" ones too, which is pretty
amusing. I am running Linux, so there is no way my computer could have
originated them, but I still am getting them as addressed as
"undeliverable".

Dan, have you viewed the message source of one of those "undeliverable
address" ones? It's enlightening... }:O)
Well, originally, they were all from Europe ... but now I am getting
them from ATT and Comcast too .. I run em through spamcop to make sure
my eyes are not deceiving me. I am now up to 50/hr, easy. This is
ridiculous, since the patch that fixed this vulnerability in Windows came
out in 2001. I thought SoBig.F was bad .... this is worse.

That isn't what I meant. Never mind where, geographically, the messages
come from. Look at the message source, as in "view source". Those aren't
genuine bounce messages. There is an .exe embedded.

Well, of course, all of the msgs have a Windows executable in one form or
another. And none of these SWEN msgs are genuine in either who they are
from or how they were generated. Since I am not using Windows, they are
not executing or duplicating at my machine either. They are simply false
msgs with Windows executables being spread around. Really spread around,
boy is my inbox bulging!
 
RB

I've been getting a fair number of those, too. I was afraid the attachment
is a virus instead of what it purports to be. The email shows up as a
return of one of my bounced messages, which, of course, didn't come from my
machine, and which has an email address unknown to me. I haven't dared open
one of the attachments. Are they harmless?
 
Claire

RB said:
I've been getting a fair number of those, too. I was afraid the attachment
is a virus instead of what it purports to be. The email shows up as a
return of one of my bounced messages, which, of course, didn't come from my
machine, and which has an email address unknown to me. I haven't dared open
one of the attachments. Are they harmless?

I've run mine against McAfee and it didn't complain. Same with the patches
purporting to come from Microsoft.
(I wouldn't open them anyway).
In my case, for each "returned" email I'm also getting a "patch" email
arriving at the same time. See below for snipped example source code headers.

--
Claire Humphrey
Senior Software Engineer
Robinson Instruments Ltd.

"Patch" header:

x-recipient: <[email protected]>
Received: from mwinf0103.wanadoo.fr [193.252.22.30] by blah.co.uk (FTGate 2, 2, 2, 1);
    Fri, 19 Sep 2003 10:24:23 +0100
Received: from pcgbmhfm (ASte-Genev-Bois-108-2-1-186.w80-13.abo.wanadoo.fr [80.13.30.186])
    by mwinf0103.wanadoo.fr (SMTP Server) with SMTP
    id 9F1D21BFC2E1; Fri, 19 Sep 2003 11:22:30 +0200 (CEST)
From: "Internet Security Center" <[email protected]>
To: "Microsoft User" <[email protected]>
SUBJECT: network upgrade
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="iouhlzaieqlvvhrls"
Message-Id: <[email protected]>
Date: Fri, 19 Sep 2003 11:22:30 +0200 (CEST)

Returned email header:

x-recipient: [email protected]
Received: from mwinf0103.wanadoo.fr [193.252.22.30] by blah.co.uk (FTGate 2, 2, 2, 1);
    Fri, 19 Sep 2003 10:26:04 +0100
Received: from oivwc (ASte-Genev-Bois-108-2-1-79.w80-13.abo.wanadoo.fr [80.13.30.79])
    by mwinf0103.wanadoo.fr (SMTP Server) with SMTP
    id B4F301BFFF82; Fri, 19 Sep 2003 11:24:12 +0200 (CEST)
From: "Internet Delivery Service" <[email protected]>
To: "Inet Client" <[email protected]>
SUBJECT: Undeliverable Mail
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="cgicsqoiqaphvu"
Message-Id: <[email protected]>
Date: Fri, 19 Sep 2003 11:24:12 +0200 (CEST)

--cgicsqoiqaphvu
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable
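The two headers Claire posted came through the same relay two minutes apart, and DC's point is that the "bounce" is not built like a real one: a genuine delivery status notification is multipart/report from the MTA's mailer-daemon and has no reason to carry an executable. The check below is an added example, not code from the thread; the fake sample is constructed from Claire's "Returned email header" with the obfuscated addresses replaced by placeholders and a hypothetical executable part added, and the genuine sample is a constructed minimal DSN for comparison.

```python
# Added example (not from the thread): flag claimed bounces that lack the structure of a real DSN.
from email import message_from_string
from email.utils import parseaddr

EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat")

# Constructed from Claire's "Returned email header": addresses are placeholders
# and the executable part is hypothetical (DC says an .exe is embedded).
FAKE_BOUNCE = """\
From: "Internet Delivery Service" <delivery@example.net>
Subject: Undeliverable Mail
Content-Type: multipart/alternative; boundary="cgicsqoiqaphvu"

--cgicsqoiqaphvu
Content-Type: text/html

<html>Your message could not be delivered, see the attachment.</html>
--cgicsqoiqaphvu
Content-Type: application/octet-stream; name="patch.exe"

MZ...
--cgicsqoiqaphvu--
"""

# Constructed genuine DSN for comparison: multipart/report from the MTA daemon.
REAL_BOUNCE = """\
From: Mail Delivery System <MAILER-DAEMON@mx.example.org>
Subject: Undeliverable Mail
Content-Type: multipart/report; report-type=delivery-status; boundary="dsn1"

--dsn1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.org
--dsn1--
"""

def bounce_indicators(raw):
    """Return reasons a claimed bounce does not look like a genuine DSN."""
    msg = message_from_string(raw)
    findings = []
    ctype = msg.get_content_type()
    if ctype != "multipart/report":  # real DSNs use multipart/report (RFC 3464)
        findings.append("not multipart/report: " + ctype)
    local = parseaddr(msg.get("From", ""))[1].split("@")[0].lower()
    if local not in ("mailer-daemon", "postmaster"):
        findings.append("sender is not an MTA daemon: " + local)
    for part in msg.walk():  # a bounce has no reason to carry an executable
        name = (part.get_filename() or "").lower()
        if name.endswith(EXEC_EXT):
            findings.append("executable attachment: " + name)
    return findings
```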
 
Claire

I've just updated my McAfee again and it now tells me these are all the Swen
virus. Potential disaster there if I'd trusted McAfee yesterday.
 
David

Since most of the AV programs that scan email missed it before they updated
to recent defs, it will be interesting to see which heuristics engines
caught it for those gullible enough to open and run them :)
 
W.S. Blevins

Since most of the AV programs that scan email missed it before they updated
to recent defs, it will be interesting to see which heuristics engines
caught it for those gullible enough to open and run them :)


Except that those gullible enough to open and run them probably
couldn't pronounce "heuristics" much less know what it means.
 
FromTheRafters

Dan Shackelford said:
...Sad thing is ... if people had applied patches to Windows that have been out
for a long time, this worm would never work.

Oh yes it would, it still relies heavily on user stupidity which is
(and probably always will be) in abundant supply.
 
FromTheRafters

RB said:
I've been getting a fair number of those, too. I was afraid the attachment
is a virus instead of what it purports to be. The email shows up as a
return of one of my bounced messages, which, of course, didn't come from my
machine, and which has an email address unknown to me. I haven't dared open
one of the attachments. Are they harmless?

Who cares. If you didn't specifically request them, delete them.

They are almost certainly harmless if you delete them, and if you
attempt to execute them they may not be at all harmless.

Some are faked "return mail" with embedded autoexecutables.
Some are legitimate "return mail" with or without autoexecute
capabilities, but may still carry the executable clickme fake patch.

Some have probably been stripped of malicious code en route,
but why take the chance.
 
Adam Russell

FromTheRafters said:
Who cares. If you didn't specifically request them, delete them.

They are almost certainly harmless if you delete them, and if you
attempt to execute them they may not be at all harmless.

Some are faked "return mail" with embedded autoexecutables.
Some are legitimate "return mail" with or without autoexecute
capabilities, but may still carry the executable clickme fake patch.

Some have probably been stripped of malicious code en route,
but why take the chance.

Virus or no virus, 500 bogus emails a day is hardly harmless.
 
FromTheRafters

Claire said:
I've just updated my McAfee again and it now tells me these are all the Swen
virus. Potential disaster there if I'd trusted McAfee yesterday.

An important lesson for you and probably many other readers here.

No AV program can ever really tell you that a thing is not malicious.
It can say either "I think it is such and such a malware" or "I don't
know". When it says "no virus found" what it means is "I don't know",
and you are really no better off than you were before scanning it.

....except that you can be reasonably sure that it doesn't contain an
old and well known, to the AV involved, malware ~ for whatever
that is worth.

Scanning a file and then running it if nothing is detected, is not a safe
practice.
 
BoB

Oh yes it would, it still relies heavily on user stupidity which is
(and probably always will be) in abundant supply.

You have to be a real sucker to click on a phony patch when you
received 100 damn copies. If everyone only received one [1] copy
they could have reeled in a lot more suckers. I think they shot
themselves in the foot with the flooding.

BoB
 
Bill

You have to be a real sucker to click on a phony patch when you
received 100 damn copies. If everyone only received one [1] copy
they could have reeled in a lot more suckers. I think they shot
themselves in the foot with the flooding.


Obviously they didn't. Otherwise there would be no flooding. No
suckers = No flooding.
 
FromTheRafters

Adam Russell said:
Virus or no virus, 500 bogus emails a day is hardly harmless.

Agreed, but I was only referring to RB's attachment on the
"returned mail". RB was exhibiting a strong curiosity factor
which is probably easily exploitable. Even if the worm does
make non-replicative sends, by design or by bugginess, it
is evident that this spam factor has filter evasiveness so that
not only will AV miss it (not viable), but spam filters have
some trouble with it also.

Not a new thing, but it is evidently pretty good at it.
 
FromTheRafters

BoB said:
You have to be a real sucker to click on a phony patch when you
received 100 damn copies.

Microsoft must really think that this is an important patch
or they wouldn't have sent me so many of them ~ I better
install one right away. ;o)
If everyone only received one [1] copy
they could have reeled in a lot more suckers. I think they shot
themselves in the foot with the flooding.

I think that the flooding is a by-product of the fact that so many
computers are already affected (infested). A great number of
end users have a limited circle of friends, and they don't get as
flooded as those of us with our e-mail addresses scattered far
and wide. I, for instance, haven't yet received one copy.
 
