-
August 31st, 2002, 12:52 PM
#1
Strange emails
I have been getting emails that contain no message in the body. I just considered it spam and went on about my way. Then after a few days I am getting the undeliverable mail message, so far 3 times, and the address it is trying to mail to is the mail I got with no message in the body. I ran norton for Av and swat it looking for trojans but came up empty. Anyone know what is going on? Win XP, Outlook 2002.
Jeff
-
August 31st, 2002, 06:55 PM
#2
Hi.. my guess from the info is that someone you know (who has your email address) has been infected with a worm/virus and is sending mail out to all the people on their address list. Some of these worms randomly choose one address from the address book to use as a fake sender and perhaps that's what's happened to you.
Have a look at the email's headers to see if it gives you a clue as to who the real sender is. (file>properties) You'll see all the servers and routers the email has gone through to get to you. If you recognize who sent you the email by the originating email server/ISP then send them a note telling them they may be infected.
It also wouldn't hurt to do another scan here to be triple sure it's not you who is infected..
http://housecall.antivirus.com/
-
August 31st, 2002, 09:55 PM
#3
Thanks for the reply fink. I looked in the only thing I could find that looked like headers ( r-click/options ) and didn't see anything I recognized. But then again I didn't understand half of what I was looking at. I could put the headers from the mail I receive and the ones from the message from the postmaster here for all to see if you think that might help. They are both about the same I think.
Jeff
-
September 1st, 2002, 07:07 AM
#4
Yes, copy and paste them here and we'll have a look see and hopefully let you know which ISP it may be coming from. You can set up a kill filter to delete them off the server for the time being if you like. Not positive about Outlook 2002 but in Outlook express they're in
Tools>message rules
-
September 2nd, 2002, 11:18 AM
#5
This is the one that says from the postmaster:
Received: from prserv.net ([32.97.166.34]) by mail.anaweb.com with Microsoft SMTPSVC(5.0.2195.4453);
Tue, 27 Aug 2002 15:06:12 -0500
Date: Tue, 27 Aug 2002 20:04:28 +0000 (GMT)
X-Comment: Sending client does not conform to RFC822 minimum requirements
X-Comment: Date has been added by Maillennium.
Received: from Vmahy (slip-12-65-223-224.mis.prserv.net[12.65.223.224])
by prserv.net (out4) with SMTP
id <2002082720040820406ngep6e>; Tue, 27 Aug 2002 20:04:09 +0000
From: postmaster <[email protected]>
To: [email protected]
Subject: Undeliverable mail--"2002 2nd Story Software, Inc. All rights"
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary=J649q1OC5832r5m3
Return-Path: [email protected]
Message-ID: <[email protected]>
X-OriginalArrivalTime: 27 Aug 2002 20:06:12.0729 (UTC) FILETIME=[31370E90:01C24E05]
And this one is from a mail I received a few days ago:
Received: from prserv.net ([32.97.166.32]) by mail.anaweb.com with Microsoft SMTPSVC(5.0.2195.4453);
Fri, 30 Aug 2002 13:14:44 -0500
Date: Fri, 30 Aug 2002 18:13:00 +0000 (GMT)
X-Comment: Sending client does not conform to RFC822 minimum requirements
X-Comment: Date has been added by Maillennium.
Received: from Nxx (slip-12-65-198-42.mis.prserv.net[12.65.198.42])
by prserv.net (out2) with SMTP
id <2002083018124020206ecod1e>; Fri, 30 Aug 2002 18:12:43 +0000
From: lwaterb <[email protected]>
To: [email protected]
Subject: Darling
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary=MJf0x4j7B130g977
Return-Path: [email protected]
Message-ID: <[email protected]>
X-OriginalArrivalTime: 30 Aug 2002 18:14:44.0105 (UTC) FILETIME=[1DB94790:01C25051]
This one I got right after getting your first reply:
Received: from prserv.net ([32.97.166.31]) by mail.anaweb.com with Microsoft SMTPSVC(5.0.2195.4453);
Sat, 31 Aug 2002 15:50:09 -0500
Date: Sat, 31 Aug 2002 20:48:23 +0000 (GMT)
X-Comment: Sending client does not conform to RFC822 minimum requirements
X-Comment: Date has been added by Maillennium.
Received: from Xeetzpz (slip-12-64-228-201.mis.prserv.net[12.64.228.201])
by prserv.net (out1) with SMTP
id <20020831204732201071gks4e>; Sat, 31 Aug 2002 20:47:37 +0000
From: PURVIS13 <[email protected]>
To: [email protected]
Subject: Fw:let's be friends
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary=C3909L1QYo
Return-Path: [email protected]
Message-ID: <[email protected]>
X-OriginalArrivalTime: 31 Aug 2002 20:50:09.0313 (UTC) FILETIME=[FE64D910:01C2512F]
I hope this helps. I am also hoping it's just spam so I can filter it and forget it.
Jeff
-
September 2nd, 2002, 11:52 AM
#6
So, some of the relevant info above is that it's not being sent by a proper email program.. which would mean it's just being sent by some worm type program that doesn't conform to industry standards.
And it's coming from Illinois.. some place probably near Schaumburg or Morton.. do those places mean anything to you? Or maybe you've done online business with a company there?
They may not necessarily be the actual city or town that someone who you might know lives in but could be nearby.
One or two things left to do.. if you know whose machine may be sending you these things tell them and then filter it.
Last edited by fink; September 2nd, 2002 at 11:57 AM.
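Added example, not part of any post in this thread: a short Python script that reads headers like the ones pasted in post #5 and reports the earliest recorded hop plus the oddities discussed above. The sample message is constructed from the thread's Received lines with placeholder addresses (the real ones are redacted on the page), and the function name and finding labels are illustrative.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modeled on the headers posted in this thread.
# The From/To/Return-Path addresses are placeholders, not the originals.
SAMPLE = """\
Received: from prserv.net ([32.97.166.32]) by mail.anaweb.com with Microsoft SMTPSVC(5.0.2195.4453);
  Fri, 30 Aug 2002 13:14:44 -0500
Date: Fri, 30 Aug 2002 18:13:00 +0000 (GMT)
X-Comment: Sending client does not conform to RFC822 minimum requirements
X-Comment: Date has been added by Maillennium.
Received: from Nxx (slip-12-65-198-42.mis.prserv.net[12.65.198.42])
  by prserv.net (out2) with SMTP
  id <2002083018124020206ecod1e>; Fri, 30 Aug 2002 18:12:43 +0000
From: lwaterb <someone@example.org>
To: recipient@example.com
Subject: Darling
Return-Path: other@example.net

"""

# Captures: HELO name, optional reverse-DNS name, bracketed IP address.
HOP = re.compile(r"from\s+(\S+)\s+\(([^\[\s)]*)\s*\[([\d.]+)\]\)")

def analyze(raw):
    """Return the earliest recorded hop and a list of header oddities."""
    msg = message_from_string(raw)
    # Each server prepends its Received line, so the last one is the oldest.
    # Hops below the first relay you trust can be forged by the sender.
    path = [m.groups() for h in reversed(msg.get_all("Received", []))
            if (m := HOP.search(h))]
    if not path:
        return None
    helo, rdns, ip = path[0]
    findings = []
    if "." not in helo:
        findings.append("HELO name is not a hostname")
    if any("RFC822" in c for c in msg.get_all("X-Comment", [])):
        findings.append("relay flagged a non-RFC822 sending client")
    sender = parseaddr(msg.get("From", ""))[1].lower()
    bounce = parseaddr(msg.get("Return-Path", ""))[1].lower()
    if sender != bounce:
        findings.append("From differs from Return-Path")
    return {"origin_ip": ip, "origin_rdns": rdns, "origin_helo": helo,
            "findings": findings}

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

The origin IP and reverse-DNS name point at the dial-up line that handed the message to the ISP relay, which is the detail to pass on to that ISP or to the person you suspect is infected.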
-
September 2nd, 2002, 01:07 PM
#7
Yes I have a friend in Ill. He has a server and that is where my email account is. He gives me a free account. I will tell him he might have a worm. He is usually on top of this kinda stuff.
So I take it that you don't think there is anything on my system, but instead it is on his server?
Jeff
-
September 2nd, 2002, 01:45 PM
#8
I have been getting these junk mails as well and loads of postmaster.
I don't know too much about computers
-
September 2nd, 2002, 08:53 PM
#9
"that is where my email account is"
Hmmm.. that adds a whole new dimension to the problem. Is that the actual account that is receiving and/or sending the emails? Did you do a scan at Housecall? Download this little program and copy paste the results here. It will list everything starting up on your computer. I don't think we can totally rule out you having the worm at this point so let's have a look at the results of this program.
http://home.earthlink.net/~rmbox/Ret...d/StartLog.zip
I'm going to be away for a day so I'm sure someone else can jump in here now too
Good luck.
-
September 3rd, 2002, 06:22 PM
#10
I got the program, installed it, it doesn't want to work. It gives a black window and then goes back to the desktop. Does it not run in winxp pro?
Last edited by sscsr1; September 3rd, 2002 at 06:33 PM.
Jeff
-
September 3rd, 2002, 09:44 PM
#11
Oops, sorry about that... you're right it is only for win9x ... I'm not that familiar with XP but I believe it has a version of msconfig? What processes does it show in startup?
-
September 3rd, 2002, 11:27 PM
#12
Well - I can't tell you who's got it (don't think so anyway) but a quick glance thro' the headers indicates that it's the Klez worm (perhaps .g or .h or other). The subject lines are a dead giveaway.
To see them shoot over to http://www.symantec.com/avcenter/[email protected] and read through it. There's some info in the manual removal section u can check for (or download the removal tool) to see if you've got it or are just an unsuccessful target of it.
How many people's address books do you think you are in (or your friend is in?)
let's be friends
or
Darling
are pretty definitive subject headings.
The other one
Undeliverable mail--"2002 2nd Story Software, Inc. All rights"
is an 'interesting' rendition of
Undeliverable mail--"[Random word]"
and seems sophisticated - do you have any software from that outfit ??
Last edited by IMM; September 3rd, 2002 at 11:32 PM.
-
September 5th, 2002, 07:56 AM
#13
Originally posted by fink
... I'm not that familiar with XP but I believe it has a version of msconfig? What processes does it show in startup?
Yes, XP has msconfig. Just in case sscsr1 is not familiar with it, it's Start>Run> type msconfig in box, go to Start-Up tab.
-
September 5th, 2002, 08:21 AM
#14
Be Careful
The other day I got a similar e-mail from someone I did not know. It had no body, but had a file called blank.bat, which contained the W32KlezH@mm worm. My Norton VS caught it and I deleted it, hopefully before it did any damage to my system.
Marvin
-
September 5th, 2002, 08:47 AM
#15
Marv6.. a .bat file would have to be opened before it could deliver its payload so unless it was double clicked, and apparently it wasn't, then it's gone. You're safe.