Strange emails
sscsr1
August 31st, 2002, 12:52 PM
I have been getting emails that contain no message in the body. I just considered it spam and went on about my way. Then after a few days I am getting the undeliverable mail message, so far 3 times, and the address it is trying to mail to is the mail I got with no message in the body. I ran Norton for AV and SwatIt looking for trojans but came up empty. Anyone know what is going on? Win XP, Outlook 2002.
fink
August 31st, 2002, 06:55 PM
Hi.. my guess from the info is that someone you know (who has your email address) has been infected with a worm/virus and is sending mail out to all the people on their address list. Some of these worms randomly choose one address from the address book to use as a fake sender and perhaps that's what's happened to you.
Have a look at the email's headers to see if it gives you a clue as to who the real sender is. (file>properties) You'll see all the servers and routers the email has gone through to get to you. If you recognize who sent you the email by the originating email server/ISP then send them a note telling them they may be infected.
It also wouldn't hurt to do another scan here to be triple sure it's not you who is infected..
http://housecall.antivirus.com/
sscsr1
August 31st, 2002, 09:55 PM
Thanks for the reply fink. I looked in the only thing I could find that looked like headers (r-click/options) and didn't see anything I recognized. But then again I didn't understand half of what I was looking at. I could put the headers from the mail I receive and the ones from the message from the postmaster here for all to see if you think that might help. They are both about the same I think.
fink
September 1st, 2002, 07:07 AM
Yes, copy and paste them here and we'll have a look see and hopefully let you know which ISP it may be coming from. You can set up a kill filter to delete them off the server for the time being if you like. Not positive about Outlook 2002 but in Outlook Express they're in
Tools>message rules
sscsr1
September 2nd, 2002, 11:18 AM
This is the one that says from the postmaster:
Received: from prserv.net ([32.97.166.34]) by mail.anaweb.com with Microsoft SMTPSVC(5.0.2195.4453);
Tue, 27 Aug 2002 15:06:12 -0500
Date: Tue, 27 Aug 2002 20:04:28 +0000 (GMT)
X-Comment: Sending client does not conform to RFC822 minimum requirements
X-Comment: Date has been added by Maillennium.
Received: from Vmahy (slip-12-65-223-224.mis.prserv.net[12.65.223.224])
by prserv.net (out4) with SMTP
id <2002082720040820406ngep6e>; Tue, 27 Aug 2002 20:04:09 +0000
From: postmaster <postmaster@anaweb.com>
To: jderr@anaweb.com
Subject: Undeliverable mail--"2002 2nd Story Software, Inc. All rights"
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary=J649q1OC5832r5m3
Return-Path: lwaterb@dellepro.com
Message-ID: <ALBS2KMAILvuHdPtnhv00000e2e@mail.anaweb.com>
X-OriginalArrivalTime: 27 Aug 2002 20:06:12.0729 (UTC) FILETIME=[31370E90:01C24E05]
And this one is from a mail I received a few days ago:
Received: from prserv.net ([32.97.166.32]) by mail.anaweb.com with Microsoft SMTPSVC(5.0.2195.4453);
Fri, 30 Aug 2002 13:14:44 -0500
Date: Fri, 30 Aug 2002 18:13:00 +0000 (GMT)
X-Comment: Sending client does not conform to RFC822 minimum requirements
X-Comment: Date has been added by Maillennium.
Received: from Nxx (slip-12-65-198-42.mis.prserv.net[12.65.198.42])
by prserv.net (out2) with SMTP
id <2002083018124020206ecod1e>; Fri, 30 Aug 2002 18:12:43 +0000
From: lwaterb <lwaterb@dellepro.com>
To: jderr@anaweb.com
Subject: Darling
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary=MJf0x4j7B130g977
Return-Path: lwaterb@dellepro.com
Message-ID: <ALBS2KMAILkeTxtfkdp00000ef5@mail.anaweb.com>
X-OriginalArrivalTime: 30 Aug 2002 18:14:44.0105 (UTC) FILETIME=[1DB94790:01C25051]
This one I got right after getting your first reply:
Received: from prserv.net ([32.97.166.31]) by mail.anaweb.com with Microsoft SMTPSVC(5.0.2195.4453);
Sat, 31 Aug 2002 15:50:09 -0500
Date: Sat, 31 Aug 2002 20:48:23 +0000 (GMT)
X-Comment: Sending client does not conform to RFC822 minimum requirements
X-Comment: Date has been added by Maillennium.
Received: from Xeetzpz (slip-12-64-228-201.mis.prserv.net[12.64.228.201])
by prserv.net (out1) with SMTP
id <20020831204732201071gks4e>; Sat, 31 Aug 2002 20:47:37 +0000
From: PURVIS13 <PURVIS13@aol.com>
To: jderr@anaweb.com
Subject: Fw:let's be friends
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary=C3909L1QYo
Return-Path: lwaterb@dellepro.com
Message-ID: <ALBS2KMAILSGCGlhJ4Y00000f34@mail.anaweb.com>
X-OriginalArrivalTime: 31 Aug 2002 20:50:09.0313 (UTC) FILETIME=[FE64D910:01C2512F]
I hope this helps. I am also hoping it's just spam so I can filter it and forget it.;)
fink
September 2nd, 2002, 11:52 AM
So, some of the relevant info above is that it's not being sent by a proper email program.. which would mean it's just being sent by some worm type program that doesn't conform to industry standards.
And it's coming from Illinois.. some place probably near Schaumburg or Morton.. do those places mean anything to you? Or maybe you've done online business with a company there?
They may not necessarily be the actual city or town that someone who you might know lives in but could be nearby.
One or two things left to do.. if you know whose machine may be sending you these things tell them and then filter it.
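As an added example (not code from anyone in this thread), here is the header reading fink describes done by script: it walks the Received: chain from the top down to the hop nearest the sender, and checks the two tells visible in the posted headers, the From: domain differing from the Return-Path domain and the relay's "does not conform to RFC822" comment. The sample header block is constructed from the first one posted above, with folded lines indented as the parser requires.

```python
# Added example (not from the thread): walk the Received: chain to find the
# hop closest to the sender and check for Klez-style sender spoofing.
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed from the first header block the poster pasted; continuation
# lines are indented here as RFC 822 folding requires.
SAMPLE_HEADERS = """\
Received: from prserv.net ([32.97.166.34]) by mail.anaweb.com with Microsoft SMTPSVC(5.0.2195.4453);
    Tue, 27 Aug 2002 15:06:12 -0500
X-Comment: Sending client does not conform to RFC822 minimum requirements
X-Comment: Date has been added by Maillennium.
Received: from Vmahy (slip-12-65-223-224.mis.prserv.net[12.65.223.224])
    by prserv.net (out4) with SMTP
    id <2002082720040820406ngep6e>; Tue, 27 Aug 2002 20:04:09 +0000
From: postmaster <postmaster@anaweb.com>
Return-Path: lwaterb@dellepro.com

"""

# Matches "from HELO (rdns[ip]) by ..." and "from HELO ([ip]) by ..."
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]+)?\[(?P<ip>\d+(?:\.\d+){3})\]\)"
    r"\s+by\s+(?P<by>\S+)")

def parse_hops(raw):
    """Received hops top-down: index 0 is the final server, -1 the origin."""
    received = message_from_string(raw).get_all("Received", [])
    return [m.groupdict() for m in map(HOP_RE.search, received) if m]

def domain_of(header_value):
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def analyze(raw):
    """Origin hop plus the two tells that the From: line is borrowed."""
    msg, hops = message_from_string(raw), parse_hops(raw)
    origin = hops[-1] if hops else {}
    return {
        "origin_ip": origin.get("ip"),
        "origin_rdns": origin.get("rdns"),
        # a worm takes From: from a victim's address book, so it seldom
        # matches the envelope sender the relay recorded in Return-Path
        "sender_mismatch": domain_of(msg.get("From", ""))
                           != domain_of(msg.get("Return-Path", "")),
        # the relay noted the client sent no Date: header; real mail
        # clients always do, worm SMTP engines often do not
        "nonconforming_client": any("does not conform" in c
                                    for c in msg.get_all("X-Comment", [])),
    }
```

The origin hop's reverse DNS (a prserv.net dial-up slip address) is the lead to pass to whoever runs that network, not the From: line, which belongs to someone else's address book.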
sscsr1
September 2nd, 2002, 01:07 PM
Yes I have a friend in Ill. He has a server and that is where my email account is. He gives me a free account. I will tell him he might have a worm. He is usually on top of this kinda stuff.
So I take it that you don't think there is anything on my system, but instead it is on his server?
FinalFantasyFan2002
September 2nd, 2002, 01:45 PM
I have been getting these junk mails as well and loads of postmaster.
fink
September 2nd, 2002, 08:53 PM
"that is where my email account is"
Hmmm.. that adds a whole new dimension to the problem. Is that the actual account that is receiving and/or sending the emails? Did you do a scan at Housecall? Download this little program and copy paste the results here. It will list everything starting up on your computer. I don't think we can totally rule out you having the worm at this point so let's have a look at the results of this program.
http://home.earthlink.net/~rmbox/Reticulated/StartLog.zip
I'm going to be away for a day so I'm sure someone else can jump in here now too :)
Good luck.
sscsr1
September 3rd, 2002, 06:22 PM
I got the program, installed it, it doesn't want to work. It gives a black window and then goes back to the desktop. Does it not run in WinXP Pro?
fink
September 3rd, 2002, 09:44 PM
Oops, sorry about that... you're right it is only for win9x ... I'm not that familiar with XP but I believe it has a version of msconfig? What processes does it show in startup?
IMM
September 3rd, 2002, 11:27 PM
Well - I can't tell you who's got it (don't think so anyway) but a quick glance thro' the headers indicates that it's the Klez worm (perhaps .g or .h or other). The subject lines are a dead giveaway.
To see them shoot over to http://www.symantec.com/avcenter/venc/data/w32.klez.h@mm.html and read through it. There's some info in the manual removal section you can check for (or download the removal tool) to see if you've got it or are just an unsuccessful target of it.
How many people's address books do you think you are in :) (or your friend is in?)
let's be friends
or
Darling
are pretty definitive subject headings.
The other one
Undeliverable mail--"2002 2nd Story Software, Inc. All rights"
is an 'interesting' rendition of
Undeliverable mail--"[Random word]"
and seems sophisticated - do you have any software from that outfit ??
KatMac
September 5th, 2002, 07:56 AM
Originally posted by fink
... I'm not that familiar with XP but I believe it has a version of msconfig? What processes does it show in startup?
Yes, XP has msconfig. Just in case sscsr1 is not familiar with it, it's Start>Run> type msconfig in box, go to Start-Up tab.
marv6
September 5th, 2002, 08:21 AM
The other day I got a similar e-mail from someone I did not know. It had no body, but had a file called blank.bat, which contained the W32KlezH@mm worm. My Norton VS caught it and I deleted it, hopefully before it did any damage to my system.
Marvin
fink
September 5th, 2002, 08:47 AM
Marv6.. a .bat file would have to be opened before it could deliver its payload so unless it was double clicked, and apparently it wasn't, then it's gone. You're safe.
:)
marv6
September 5th, 2002, 04:39 PM
Fink, Thanks for your reply. I feel better now, as I was not sure if it had done any damage or not, but Norton VS quarantined it before I even looked at the message so I believe that you are correct.
Marvin
papac
September 5th, 2002, 06:54 PM
I agree with IMM...looks like Klez. Download the FixKlez tool from the link he left and I'll bet it finds it and removes it.
papac
sscsr1
September 6th, 2002, 06:50 PM
Sorry it took me this long to reply, been working some long hours the past few days.
I got the removal program and ran it. It says I am clean. Boy what a relief. I did however get another email from postmaster again today:
Received: from prserv.net ([32.97.166.34]) by albs2kmail.webdomain.com with Microsoft SMTPSVC(5.0.2195.4453);
Thu, 5 Sep 2002 09:34:16 -0500
Date: Thu, 5 Sep 2002 14:32:35 +0000 (GMT)
X-Comment: Sending client does not conform to RFC822 minimum requirements
X-Comment: Date has been added by Maillennium.
Received: from Obk (slip-12-64-216-103.mis.prserv.net[12.64.216.103])
by prserv.net (out4) with SMTP
id <20020905143208204010rcqee>; Thu, 5 Sep 2002 14:32:13 +0000
From: postmaster <postmaster@anaweb.com>
To: jderr@anaweb.com
Subject: Returned mail--"additional details, see the"
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary=Y314k0f5gk9K5U1g77As229di765ORt
Return-Path: lwaterb@dellepro.com
Message-ID: <ALBS2KMAILaiVklUVhj00001053@albs2kmail.webdomain.com>
X-OriginalArrivalTime: 05 Sep 2002 14:34:16.0412 (UTC) FILETIME=[4FE201C0:01C254E9]
I don't recognize the "albs2kmail.webdomain.com" at the beginning but as I said the anaweb part is my friend's server in Ill.
Also I found the msconfig but it won't let me cut and paste. Boy this is turning out to be a lot of trouble for everyone. sorry
:(
fink
September 8th, 2002, 02:28 PM
Hi.. well I'd say you're safe at this point.. all the scans and the fix tool all say that there's no klez on your PC so set up whatever kill filters you need to and hopefully you won't be bothered much any more. You should send a link to this thread to your friend who runs that domain so he can check out where the infection may be coming from.
As far as being a bother.. you aren't.. we like to help. :)
KatMac
September 8th, 2002, 05:56 PM
Hi sscsr1,
For sure don't ever feel like a bother. We've all been in jams here ;) We all help each other out.
Just a note on msconfig. If you want to share what's listed at Startup in msconfig, you won't be able to use cut and paste, as you mentioned earlier. If you want to save the trouble of writing it all down and typing it here, you can do a screenshot, upload it to the web and other members can view it that way.
If you want to do that now, or for future reference, here's how I do it. Others may have a more simplified method:
Get to the screen you want (in this case Startup in msconfig). Press Alt + PrintScrn. That will put the screenshot into your clipboard. Then open a program such as MS Paint and choose Edit>Paste. You should then see your screenshot. If the screenshot image is really large, you can reduce it in Paint by going to Image>Attributes and reduce it there (for more on resizing go to Paint's Help>Index and type in 'resizing'). Next do File>Save As, name it and save it in .bmp or .gif format. Save to an easy to get to location on your Hard Drive. Sometimes the info is too large to capture in one screen shot, so you might have to break it up into multiple screenshots by scrolling down and repeating the above steps in increments, until all the info has been captured.
You can do one of two things next: either upload the screenshot to the web, and insert the link in your post -or- insert it as an image. My personal preference is inserting the link. Inserting the image takes more time for the page to load (for those of us still on 56k ;) )
To upload to the web: if you already have a site that lets you store photos free, you can use that. If not, check out one like Boomspeed (http://www.boomspeed.com/). If using Boomspeed, once you create your account and login, you'll see My Files and Upload section. Under Upload section select Browse and navigate to where you stored your screenshot on your hard drive. That will put the path of the screenshot into the Upload box. Next select Upload. You will then see your screenshot listed at the top section under My Files. Click on it and it will take you to the URL of your screenshot. Then simply Copy and Paste the URL into your post, and members here will be able to click on the link and view your screenshot. You can also use the IMG command (in vB Code section above Your Reply where you type your post). That will insert the screenshot into your post.
Hope that helps. -Kat
sscsr1
September 9th, 2002, 08:46 PM
Thanks for the replies and the kind words everyone. I think since I am not infected that I will leave well enough alone and just filter these emails out and be done with them. As for posting my MSCONFIG, thanks for all the info kat. I will save it and probably create an account at boomspeed. I checked it out and it looked pretty easy. But I will probably start a new thread in a more appropriate (sp?) forum since it would be mostly to ask advice on what is junk and what is not. I really shouldn't do that here. But thanks for the detailed info on how to do it.