Virus, worm, trojan???

[L. A. Powell]

At least once daily I get an email from AOL with the subject "Returned
mail User unknown". Problems are:

1. Don't know anybody with the AOL address mentioned.
2. Often, the time the original mail was sent is a time when my computer
was turned off.
3. Asking for help from AOL, as well as my own ISP (comcast.net), and
Verizon (formerly gte.net) has yielded no info at all.

Suspecting one of my regular email correspondents has a trojan or virus
on their computers that is using their address books, I emailed them
describing the problem.

My brother, whose IPS id gte.net (now Verizon) is probably the source of
the offensive messages. Now what can he and I do to stop the trash?

A couple of other correspondents have reported similar problems, though
with different addressees.

I have the latest AVG virus definitions, run a total scan daily, use
Zone Alarm firewall, and regularly run Ad-Aware and Spybot S&D.

Following is a copy of the most recent, including the header: (I have
disguised my own email address, rather than risk getting on anyone
else's spam list)

<<<Message Begins>>>

Received: from omr-m05.mx.aol.com ([64.12.138.17])
by sccrmxc12.comcast.net (sccrmxc12) with ESMTP
id <20040505180223s1200ofrboe>; Wed, 5 May 2004 18:02:23 +0000
X-Originating-IP: [64.12.138.17]
Received: from rly-xl05.mx.aol.com (rly-xl05.mail.aol.com
[172.20.83.74]) by omr-m05.mx.aol.com (v98.19) with ESMTP id
RELAYIN5-640992c0f349; Wed, 05 May 2004 14:01:51 -0400
Received: from localhost (localhost)
by rly-xl05.mx.aol.com (8.8.8/8.8.8/AOL-5.0.0)
with internal id OAE25744;
Wed, 5 May 2004 14:01:51 -0400 (EDT)
Date: Wed, 5 May 2004 14:01:51 -0400 (EDT)
From: Mail Delivery Subsystem <[email protected]>
Message-Id: <[email protected]>
To: <[email protected]>
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
boundary="OAE25744.1083780111/rly-xl05.mx.aol.com"
Subject: Returned mail: User unknown
Auto-Submitted: auto-generated (failure)
X-AOL-IP: 172.20.83.74

This is a MIME-encapsulated message

--OAE25744.1083780111/rly-xl05.mx.aol.com

The original message was received at Wed, 5 May 2004 14:00:57 -0400
(EDT)
from bdsl.66.13.154.202.gte.net [66.13.154.202]


*** ATTENTION ***

Your e-mail is being returned to you because there was a problem with
its
delivery. The address which was undeliverable is listed in the section
labeled: "----- The following addresses had permanent fatal
errors -----".

The reason your mail is being returned to you is listed in the section
labeled: "----- Transcript of Session Follows -----".

The line beginning with "<<<" describes the specific reason your e-mail
could
not be delivered. The next line contains a second error message which
is a
general translation for other e-mail servers.

Please direct further questions regarding this message to your e-mail
administrator.

--AOL Postmaster



----- The following addresses had permanent fatal errors -----
<[email protected]>

----- Transcript of session follows -----
.... while talking to air-xl04.mail.aol.com.:<<< 550 MAILBOX NOT FOUND
550 <[email protected]>... User unknown

--OAE25744.1083780111/rly-xl05.mx.aol.com
Content-Type: message/delivery-status

Reporting-MTA: dns; rly-xl05.mx.aol.com
Arrival-Date: Wed, 5 May 2004 14:00:57 -0400 (EDT)

Final-Recipient: RFC822; (e-mail address removed)
Action: failed
Status: 5.1.1
Remote-MTA: DNS; air-xl04.mail.aol.com
Diagnostic-Code: SMTP; 550 MAILBOX NOT FOUND
Last-Attempt-Date: Wed, 5 May 2004 14:01:51 -0400 (EDT)

--OAE25744.1083780111/rly-xl05.mx.aol.com
Content-Type: text/rfc822-headers

Received: from PR1.net (bdsl.66.13.154.202.gte.net [66.13.154.202]) by
rly-xl05.mx.aol.com (v98.5) with ESMTP id
MAILRELAYINXL59-5db40992bd534e; Wed, 05 May 2004 14:00:55 -0400
Date: Wed, 05 May 2004 13:00:54 -0600
To: "" <[email protected]>
From: "Lupowell" <[email protected]>
Subject: Re: Hi
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="--------szodsgaorjhifwljokxm"
X-AOL-IP: 66.13.154.202
X-AOL-SCOLL-SCORE: 0:XXX:XX
X-AOL-SCOLL-URL_COUNT: 0

--OAE25744.1083780111/rly-xl05.mx.aol.com--

<<<Message Ends>>>

My actual email is lupowell at comcast dot net.

 

[Shannon and Shannon]

This can be considered spam and very normal. It's happening to everyone.
Just delete the message and whatever you do, do not open the attachment as
it usually contains a virus.

Cheers,
Joel Shannon

At least once daily I get an email from AOL with the subject "Returned
mail User unknown". Problems are:

1. Don't know anybody with the AOL address mentioned.
2. Often, the time the original mail was sent is a time when my computer
was turned off.
3. Asking for help from AOL, as well as my own ISP (comcast.net), and
Verizon (formerly gte.net) has yielded no info at all.

Suspecting one of my regular email correspondents has a trojan or virus
on their computers that is using their address books, I emailed them
describing the problem.

My brother, whose IPS id gte.net (now Verizon) is probably the source of
the offensive messages. Now what can he and I do to stop the trash?

A couple of other correspondents have reported similar problems, though
with different addressees.

I have the latest AVG virus definitions, run a total scan daily, use
Zone Alarm firewall, and regularly run Ad-Aware and Spybot S&D.

Following is a copy of the most recent, including the header: (I have
disguised my own email address, rather than risk getting on anyone
else's spam list)

<<<Message Begins>>>

Received: from omr-m05.mx.aol.com ([64.12.138.17])
by sccrmxc12.comcast.net (sccrmxc12) with ESMTP
id <20040505180223s1200ofrboe>; Wed, 5 May 2004 18:02:23 +0000
X-Originating-IP: [64.12.138.17]
Received: from rly-xl05.mx.aol.com (rly-xl05.mail.aol.com
[172.20.83.74]) by omr-m05.mx.aol.com (v98.19) with ESMTP id
RELAYIN5-640992c0f349; Wed, 05 May 2004 14:01:51 -0400
Received: from localhost (localhost)
by rly-xl05.mx.aol.com (8.8.8/8.8.8/AOL-5.0.0)
with internal id OAE25744;
Wed, 5 May 2004 14:01:51 -0400 (EDT)
Date: Wed, 5 May 2004 14:01:51 -0400 (EDT)
From: Mail Delivery Subsystem <[email protected]>
Message-Id: <[email protected]>
To: <[email protected]>
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
boundary="OAE25744.1083780111/rly-xl05.mx.aol.com"
Subject: Returned mail: User unknown
Auto-Submitted: auto-generated (failure)
X-AOL-IP: 172.20.83.74

This is a MIME-encapsulated message

--OAE25744.1083780111/rly-xl05.mx.aol.com

The original message was received at Wed, 5 May 2004 14:00:57 -0400
(EDT)
from bdsl.66.13.154.202.gte.net [66.13.154.202]


*** ATTENTION ***

Your e-mail is being returned to you because there was a problem with
its
delivery. The address which was undeliverable is listed in the section
labeled: "----- The following addresses had permanent fatal
errors -----".

The reason your mail is being returned to you is listed in the section
labeled: "----- Transcript of Session Follows -----".

The line beginning with "<<<" describes the specific reason your e-mail
could
not be delivered. The next line contains a second error message which
is a
general translation for other e-mail servers.

Please direct further questions regarding this message to your e-mail
administrator.

--AOL Postmaster



----- The following addresses had permanent fatal errors -----
<[email protected]>

----- Transcript of session follows -----
... while talking to air-xl04.mail.aol.com.:<<< 550 MAILBOX NOT FOUND
550 <[email protected]>... User unknown

--OAE25744.1083780111/rly-xl05.mx.aol.com
Content-Type: message/delivery-status

Reporting-MTA: dns; rly-xl05.mx.aol.com
Arrival-Date: Wed, 5 May 2004 14:00:57 -0400 (EDT)

Final-Recipient: RFC822; (e-mail address removed)
Action: failed
Status: 5.1.1
Remote-MTA: DNS; air-xl04.mail.aol.com
Diagnostic-Code: SMTP; 550 MAILBOX NOT FOUND
Last-Attempt-Date: Wed, 5 May 2004 14:01:51 -0400 (EDT)

--OAE25744.1083780111/rly-xl05.mx.aol.com
Content-Type: text/rfc822-headers

Received: from PR1.net (bdsl.66.13.154.202.gte.net [66.13.154.202]) by
rly-xl05.mx.aol.com (v98.5) with ESMTP id
MAILRELAYINXL59-5db40992bd534e; Wed, 05 May 2004 14:00:55 -0400
Date: Wed, 05 May 2004 13:00:54 -0600
To: "" <[email protected]>
From: "Lupowell" <[email protected]>
Subject: Re: Hi
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="--------szodsgaorjhifwljokxm"
X-AOL-IP: 66.13.154.202
X-AOL-SCOLL-SCORE: 0:XXX:XX
X-AOL-SCOLL-URL_COUNT: 0

--OAE25744.1083780111/rly-xl05.mx.aol.com--

<<<Message Ends>>>

My actual email is lupowell at comcast dot net.

 

[GSV Three Minds in a Can]

At least once daily I get an email from AOL with the subject "Returned
mail User unknown". Problems are:

Received: from PR1.net (bdsl.66.13.154.202.gte.net [66.13.154.202]) by

whois record for: 66.13.154.202

GTE.net LLC VZN-DSL (NET-66-12-0-0-1)
66.12.0.0 - 66.15.191.255
Genuity DSL VZN-DSL-GEN-BLK04 (NET-66-13-128-0-1)
66.13.128.0 - 66.13.255.255

# ARIN WHOIS database, last updated 2004-05-05 19:15

So try dinging (e-mail address removed), who may be able to tell you who is
hanging on IP address 66.13.154.202 at the time (or if it's DSL, then
maybe it's even a fixed IP address). Whoever it is, they are probably
either infected themselves or being used as a relay.

 

[L. A. Powell]

Never has attachments.

This can be considered spam and very normal. It's happening to everyone.
Just delete the message and whatever you do, do not open the attachment as
it usually contains a virus.

Cheers,
Joel Shannon

At least once daily I get an email from AOL with the subject "Returned
mail User unknown". Problems are:

1. Don't know anybody with the AOL address mentioned.
2. Often, the time the original mail was sent is a time when my computer
was turned off.
3. Asking for help from AOL, as well as my own ISP (comcast.net), and
Verizon (formerly gte.net) has yielded no info at all.

Suspecting one of my regular email correspondents has a trojan or virus
on their computers that is using their address books, I emailed them
describing the problem.

My brother, whose IPS id gte.net (now Verizon) is probably the source of
the offensive messages. Now what can he and I do to stop the trash?

A couple of other correspondents have reported similar problems, though
with different addressees.

I have the latest AVG virus definitions, run a total scan daily, use
Zone Alarm firewall, and regularly run Ad-Aware and Spybot S&D.

Following is a copy of the most recent, including the header: (I have
disguised my own email address, rather than risk getting on anyone
else's spam list)

<<<Message Begins>>>

Received: from omr-m05.mx.aol.com ([64.12.138.17])
by sccrmxc12.comcast.net (sccrmxc12) with ESMTP
id <20040505180223s1200ofrboe>; Wed, 5 May 2004 18:02:23 +0000
X-Originating-IP: [64.12.138.17]
Received: from rly-xl05.mx.aol.com (rly-xl05.mail.aol.com
[172.20.83.74]) by omr-m05.mx.aol.com (v98.19) with ESMTP id
RELAYIN5-640992c0f349; Wed, 05 May 2004 14:01:51 -0400
Received: from localhost (localhost)
by rly-xl05.mx.aol.com (8.8.8/8.8.8/AOL-5.0.0)
with internal id OAE25744;
Wed, 5 May 2004 14:01:51 -0400 (EDT)
Date: Wed, 5 May 2004 14:01:51 -0400 (EDT)
From: Mail Delivery Subsystem <[email protected]>
Message-Id: <[email protected]>
To: <[email protected]>
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
boundary="OAE25744.1083780111/rly-xl05.mx.aol.com"
Subject: Returned mail: User unknown
Auto-Submitted: auto-generated (failure)
X-AOL-IP: 172.20.83.74

This is a MIME-encapsulated message

--OAE25744.1083780111/rly-xl05.mx.aol.com

The original message was received at Wed, 5 May 2004 14:00:57 -0400
(EDT)
from bdsl.66.13.154.202.gte.net [66.13.154.202]


*** ATTENTION ***

Your e-mail is being returned to you because there was a problem with
its
delivery. The address which was undeliverable is listed in the section
labeled: "----- The following addresses had permanent fatal
errors -----".

The reason your mail is being returned to you is listed in the section
labeled: "----- Transcript of Session Follows -----".

The line beginning with "<<<" describes the specific reason your e-mail
could
not be delivered. The next line contains a second error message which
is a
general translation for other e-mail servers.

Please direct further questions regarding this message to your e-mail
administrator.

--AOL Postmaster



----- The following addresses had permanent fatal errors -----
<[email protected]>

----- Transcript of session follows -----
... while talking to air-xl04.mail.aol.com.:

RCPT To:<[email protected]>

<<< 550 MAILBOX NOT FOUND
550 <[email protected]>... User unknown

--OAE25744.1083780111/rly-xl05.mx.aol.com
Content-Type: message/delivery-status

Reporting-MTA: dns; rly-xl05.mx.aol.com
Arrival-Date: Wed, 5 May 2004 14:00:57 -0400 (EDT)

Final-Recipient: RFC822; (e-mail address removed)
Action: failed
Status: 5.1.1
Remote-MTA: DNS; air-xl04.mail.aol.com
Diagnostic-Code: SMTP; 550 MAILBOX NOT FOUND
Last-Attempt-Date: Wed, 5 May 2004 14:01:51 -0400 (EDT)

--OAE25744.1083780111/rly-xl05.mx.aol.com
Content-Type: text/rfc822-headers

Received: from PR1.net (bdsl.66.13.154.202.gte.net [66.13.154.202]) by
rly-xl05.mx.aol.com (v98.5) with ESMTP id
MAILRELAYINXL59-5db40992bd534e; Wed, 05 May 2004 14:00:55 -0400
Date: Wed, 05 May 2004 13:00:54 -0600
To: "" <[email protected]>
From: "Lupowell" <[email protected]>
Subject: Re: Hi
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="--------szodsgaorjhifwljokxm"
X-AOL-IP: 66.13.154.202
X-AOL-SCOLL-SCORE: 0:XXX:XX
X-AOL-SCOLL-URL_COUNT: 0

--OAE25744.1083780111/rly-xl05.mx.aol.com--

<<<Message Ends>>>

My actual email is lupowell at comcast dot net.

 

[L. A. Powell]

Thanks. I'll try that.

Bitstring <Adxmc.42707$kh4.2197192@attbi_s52>, from the wonderful person

At least once daily I get an email from AOL with the subject "Returned
mail User unknown". Problems are:

Received: from PR1.net (bdsl.66.13.154.202.gte.net [66.13.154.202])

by


whois record for: 66.13.154.202

GTE.net LLC VZN-DSL (NET-66-12-0-0-1)
66.12.0.0 - 66.15.191.255
Genuity DSL VZN-DSL-GEN-BLK04 (NET-66-13-128-0-1)
66.13.128.0 - 66.13.255.255

# ARIN WHOIS database, last updated 2004-05-05 19:15

So try dinging (e-mail address removed), who may be able to tell you who is
hanging on IP address 66.13.154.202 at the time (or if it's DSL, then
maybe it's even a fixed IP address). Whoever it is, they are probably
either infected themselves or being used as a relay.

typing.

 

[me]

Thanks. I'll try that.

Bitstring <Adxmc.42707$kh4.2197192@attbi_s52>, from the wonderful person

At least once daily I get an email from AOL with the subject "Returned
mail User unknown". Problems are:

Received: from PR1.net (bdsl.66.13.154.202.gte.net [66.13.154.202])

by


whois record for: 66.13.154.202

GTE.net LLC VZN-DSL (NET-66-12-0-0-1)
66.12.0.0 - 66.15.191.255
Genuity DSL VZN-DSL-GEN-BLK04 (NET-66-13-128-0-1)
66.13.128.0 - 66.13.255.255

# ARIN WHOIS database, last updated 2004-05-05 19:15

So try dinging (e-mail address removed), who may be able to tell you who is
hanging on IP address 66.13.154.202 at the time (or if it's DSL, then
maybe it's even a fixed IP address). Whoever it is, they are probably
either infected themselves or being used as a relay.

typing.

From ARIN:

NetRange: 66.12.0.0 - 66.15.191.255
Comment: FOR ABUSE SPAM OR SECURITY ISSUES EMAIL
Comment: (e-mail address removed)

J