Roland
Advanced Member
    
Netherlands
9335 Posts |
Posted - 16 January 2003 : 07:26:15
|
This is the second time I've received a "Returned mail" today, but neither makes sense. Here's what was in the first one:
quote: The following mail can't be sent to ruirib@[hidden by me]:
From: [my email address]
To: ruirib@[hidden by me]
Subject: vbNewLine
The file is the original mail
The header information for that email shows this:
quote:
Received: from dtcimfe3.celcom.net.my [203.82.64.132] by mail014 with ESMTP (SMTPD32-7.10) id A590DBB0100; Wed, 15 Jan 2003 22:31:12 -0600
Received: from Hklury ([202.156.166.180]) by dtcimfe3.celcom.net.my with SMTP id <20030116043112.PVBT1779.dtcimfe3@Hklury> for <[my email address]>; Thu, 16 Jan 2003 12:31:12 +0800
From: postmaster <[postmaster at mydomain]>
To: [my email address]
Subject: Returned mail--"vbNewLine"
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=JRR86q138N4z2tJ358S6Xo9j0w7cH
Message-Id: <20030116043112.PVBT1779.dtcimfe3@Hklury>
Date: Thu, 16 Jan 2003 12:31:22 +0800
X-RCPT-TO: <[my email address]>
Status: U
X-UIDL: 327488348
A trace of the IP addresses (shown bold) shows them originating in Malaysia and Singapore. That doesn't make sense if it was a returned mail from my site's mail server 'cause that's located in the US, right?
Here's the body and header info from the second email:
quote: The following mail can't be sent to webringinc@yahoo.com:
From: [my email address]
To: webringinc@yahoo.com
Subject: formatStr(chkString(strSigPreview,
The file is the original mail
Header:
quote:
Received: from dtcimfe3.celcom.net.my [203.82.64.132] by mail014 with ESMTP (SMTPD32-7.10) id AAF0230E0140; Thu, 16 Jan 2003 05:43:44 -0600
Received: from Lceg ([202.156.166.180]) by dtcimfe3.celcom.net.my with SMTP id <20030116114345.QPMJ1779.dtcimfe3@Lceg> for <[my email address]>; Thu, 16 Jan 2003 19:43:45 +0800
From: postmaster <[postmaster at my domain]>
To: [my email address]
Subject: Returned mail--"formatStr(chkString(strSigPreview,"
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=S4vu40o192L4j0bX316O6Xu3b0w5yZt6xa1
Message-Id: <20030116114345.QPMJ1779.dtcimfe3@Lceg>
Date: Thu, 16 Jan 2003 19:43:54 +0800
X-RCPT-TO: <[my email address]>
Status: U
X-UIDL: 327488350
Now, [my email address] (the email address I use on these forums) is known to lots of people, so there's no finger-pointing going on, but this is weird. Any ideas what might be going on here? Has anyone else received emails like these?
Oh, they're not virus emails as they don't have any attachments and no codes in the body's source. |
|
OneWayMule
Dev. Team Member & Support Moderator
    
Austria
4969 Posts |
|
Nikkol
Forum Moderator
    
USA
6907 Posts |
|
Roland
Advanced Member
    
Netherlands
9335 Posts |
Posted - 16 January 2003 : 08:21:49
|
The email I got back didn't contain anything except what I posted above. No attachments, no returned original email, and I haven't sent any emails to those recipients. Don't know what's causing this because I've never seen anything like the contents of these emails, especially since there's no virus attached. |
 |
|
sy
Average Member
  
United Kingdom
638 Posts |
Posted - 16 January 2003 : 10:36:57
|
I get these as well to account addresses that appear publicly; sometimes there is a small attachment virus (a variant of KLEZ), other times, nothing.
Could any antivirus or similar be removing the attachments before they get into your mailbox? |
The pessimist complains about the wind; the optimist expects it to change; the realist adjusts the sails
|
 |
|
Bookie
Average Member
  
USA
856 Posts |
Posted - 16 January 2003 : 10:41:34
|
I wonder if a hacker or someone is trying to send emails out with your address in the from field and routing it through your email server. Since they don't have the proper authentication, it's getting bounced back to you. I'm just guessing that's what is happening. |
Participate in my nonsense |
 |
|
Roland
Advanced Member
    
Netherlands
9335 Posts |
Posted - 16 January 2003 : 11:15:10
|
I don't know what's going on, but sy's right. Norton AntiVirus 2003 automagically deleted the attachments on those emails, which were infected with W32.Klez.H@mm. I must've set that somewhere, thinking it'd be best to have NAV delete at will, but I think I'll change the setting so at least I'll know some kind of action was/will be taken. |
 |
|
TestMagic
Senior Member
   
USA
1568 Posts |
Posted - 16 January 2003 : 16:49:02
|
This happens to me from time to time, and I've also received complaints from people about emails I never sent. I think it has to do with the various worms spoofing the sender's email address. From what I've seen of all these emails I get, it seems that there's something of a "big circle" of people sending email to each other. So, the person who unwittingly sent you that email must have both you and Rui on her/his list. As for NAV, I believe you can check the Activity Log to see what it has done. |
Snitz rocks! · Search 2 |
 |
|
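As an added example (not part of any post in this thread), the header check Roland did by hand can be scripted: walk the `Received` chain oldest hop first and flag a "Returned mail" that claims to come from the recipient's own postmaster yet entered through an outside relay. The `example.org` addresses stand in for the redacted ones, and both checks are heuristics chosen for this illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# First bounce header quoted in the thread. The redacted addresses are replaced
# with the placeholder domain example.org (an assumption, not from the page).
SAMPLE = """\
Received: from dtcimfe3.celcom.net.my [203.82.64.132] by mail014 with ESMTP (SMTPD32-7.10) id A590DBB0100; Wed, 15 Jan 2003 22:31:12 -0600
Received: from Hklury ([202.156.166.180]) by dtcimfe3.celcom.net.my with SMTP id <20030116043112.PVBT1779.dtcimfe3@Hklury> for <user@example.org>; Thu, 16 Jan 2003 12:31:12 +0800
From: postmaster <postmaster@example.org>
To: user@example.org
Subject: Returned mail--"vbNewLine"

"""

# Matches both "from host [ip] by host" and "from host ([ip]) by host".
HOP = re.compile(r"from\s+(\S+)\s+\(?\[(\d{1,3}(?:\.\d{1,3}){3})\]\)?\s+by\s+(\S+)")

def received_hops(raw):
    """Return (helo_name, ip, receiving_host) tuples, oldest hop first."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP.search(" ".join(value.split()))  # unfold continuation lines
        if m:
            hops.append(m.groups())
    return hops[::-1]  # each server prepends its header, so reverse the order

def bounce_findings(raw):
    """Heuristic signs that a 'Returned mail' notice is forged."""
    msg = message_from_string(raw)
    hops = received_hops(raw)
    findings = []
    sender_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    rcpt_domain = parseaddr(msg["To"])[1].rpartition("@")[2].lower()
    # A single-label HELO name is not the hostname of a mail server.
    if hops and "." not in hops[0][0]:
        findings.append("origin HELO %r is not a hostname" % hops[0][0])
    # Hosts that relayed the message before the final delivery hop.
    relays = [by.lower() for _, _, by in hops[:-1]]
    inside = [r for r in relays if r == sender_domain or r.endswith("." + sender_domain)]
    if sender_domain and sender_domain == rcpt_domain and relays and not inside:
        findings.append("postmaster of %s relayed via %s" % (sender_domain, relays[0]))
    return findings
```

On the sample, both checks fire: the message started at a client announcing itself as `Hklury` and was relayed by `dtcimfe3.celcom.net.my`, which has no connection to the domain named in the From line.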
Nikkol
Forum Moderator
    
USA
6907 Posts |
Posted - 16 January 2003 : 21:48:42
|
Thought I'd add on to this one. For about a week now I've been getting around 10 emails a day from big@boss.com. All are blank emails trying to send an attachment. The names vary, but all are .pif files. Can I assume this is someone I know who is infected in some way and email them back to tell them to stop? Or should I just ignore it? |
Nikkol ~ Help Us Help You | ReadMe | 3.4.03 fixes | security fixes ~ |
 |
|
TestMagic
Senior Member
   
USA
1568 Posts |
Posted - 16 January 2003 : 21:54:15
|
Yes, I've been getting loads of them, too. NAV tells me they're all infected with the W32.Sobig.A@mm virus, which I'd never seen before just a few days ago.
Here's the link to Symantec's write-up on that virus:
http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.a@mm.html |
Snitz rocks! · Search 2 |
 |
|
Nikkol
Forum Moderator
    
USA
6907 Posts |
|
Nathan
Help Moderator
    
USA
7664 Posts |
Posted - 17 January 2003 : 01:05:29
|
The email address I use here (and only here) also gets plenty of spam. Most if not all originates from a particular east Asian nation.
I figure that one of the times the forum got hacked someone harvested the email addresses out of admin_emaillist.asp |
Nathan Bales CoreBoard | Active Users Download |
 |
|
Roland
Advanced Member
    
Netherlands
9335 Posts |
Posted - 17 January 2003 : 05:21:52
|
I used to get truck loads of Klez virus emails from Taiwanese (sp?) addresses. One day I decided it was enough and blocked all emails coming from a .tw address in the webmail program provided by Readyhosting. Other than that I haven't gotten many strange or virus-attached emails lately.
Regular updating of the anti-virus files helps though. I check http://securityresponse.symantec.com/avcenter/download/pages/US-N95.html at least once a day, and use NAV's LiveUpdate feature once or twice a week for NAV updates. It's not fool-proof, but it reduces the chance of getting infected by, and spreading, a virus. |
 |
|