
Thread: email question

  1. #11
    MrLinus (Just a Virtualized Geek)
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    so it could be someone I know, but they don't know they're doing it...

    some of it doesn't make much sense to me, but at least there's a chance it's not malicious.
    It's very likely that they are unaware. Anyone can change the source address that an email is sent from. I personally have my own domain name but the mail server I use is hosted by a different ISP. When people send me emails to msmittens@msmittens.com (as a destination) or I send out email from msmittens@msmittens.com (as a source) they are hiding the true source/destination. This is a very legal and legitimate technique. However, virus writers have been using this as a form of "social engineering" to convince users to "double-click" because they think it's a legitimate email. There have been some interesting results to this:

    - I received a panicked email from a relative asking if she should apply the patch that "support@microsoft.com" sent her. I reminded her that while MS might be concerned about users and their security, they are not THAT concerned enough to send out those kinds of emails. I also reminded her that .exes are for Windows machines and that her Macintosh probably would object to even trying to run the patch.

    - a recent email I received had me chuckling. It was an "update" for a Symantec Virus package. Underneath it said it had been virus scanned and declared clean by McAfee.

    Just be a bit paranoid and your odds will improve against getting infected.

    You might want to check other legitimate emails to see if any have an IP that matches. If they do, you may have found the infected person(s) and could notify them of this.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  2. #12
    Junior Member
    Join Date
    Mar 2004
    Posts
    8
    I tried matching IPs but nothing doing.

    Also received some odd mails during all this, one claiming to be from my ISP that said my account was being closed due to me breaching their terms of service, only it was written in such bad English it was obviously fake (actually thought that one was quite funny).

    I've also had problems with fake mails from paypal on the same account, and this all started shortly after closing a website mail account that was getting similar virus attacks which my home account never did, so not convinced it's accidental yet, suspect the two are linked.

    I'll keep digging, thanks for all help so far.

  3. #13
    nihil (Senior Member)
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hi,

    Well, ntl is the ISP, and the connections you quoted look like Stevenage and Hatfield; that would make the other one Luton.

    They are cable links so I would expect them to have a fixed IP address. Now if that were deliberate, it would be rather foolish... but there are plenty of foolish people around. I would be inclined to report it to ntl, although I would not expect them to get too excited.

    The worm harvests addresses from the infected machine and all mapped drives and spoofs the sender using information gathered from the victim machine.

    If it is working properly, you should only get one letter per user logon, so I would expect more from the work address than home. Does one of the addresses seem to have a much higher volume than the other?

    You might ask around friends/colleagues to find out if they are getting the same thing from the same address. The chances are that it is a mutual acquaintance of at least some of you, and they should be "harvested" as well?

    I agree, it is very frustrating


    Good luck

  4. #14
    Junior Member
    Join Date
    Mar 2004
    Posts
    2

    email virus

    Hi,
    I've been getting the same virus sent to me by email for the last two months.
    Fortunately I have AVG free edition and it quarantines the virus but the email and notification are getting annoying. I found this site by searching the web and came across this thread so am most interested. I registered immediately.
    All emails sent to me have the same attachment (document.zlo) with the same virus (I-Worm/Netsky.D) but they all come from different email addresses - some international, some local, and there seems to be no commonality. Some appear to come from some of my own contacts list but there are subtle differences.
    Whilst I am obviously protected, I am getting P..... off!
    I have had some from (supposedly) someone in my contacts saying that I had sent them a virus and that their server had rejected it. When I contacted them they knew nothing about it.
    I started wondering if I was actually the culprit but I have run every anti virus scan I have and also AdAware etc. - nothing
    Hope someone out there has an answer?
    Cheers

  5. #15
    MrLinus (Just a Virtualized Geek)
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    I have had some from (supposedly) someone in my contacts saying that I had sent them a virus and that their server had rejected it. When I contacted them they knew nothing about it.
    I started wondering if I was actually the culprit but I have run every anti virus scan I have and also AdAware etc. - nothing
    Hope someone out there has an answer?
    Unfortunately, the best answer I can offer you is to do a comparison between the email headers for the IP address and see if it matches anyone you have contact with. That's probably the closest you'll get.

    As for "you" sending out viruses, most likely the virus has taken your address from someone else's address book and spoofed it. I actually got about 10 rejects from mail servers recently. There is also a virus out there that imitates a returned email (Klez I think) when it's just a spoof.

  6. #16
    Junior Member
    Join Date
    Mar 2004
    Posts
    8
    I get the same spoofed mails from my account as well.

    I use AVG as well, which doesn't always notify when an attachment is infected, so I simply never open them unless I'm 100% sure of its origin (that's not foolproof either).

    I don't think there's anything you can do unless you can identify the source. You can set up Outlook to delete incoming messages that have the same body text and use maintenance settings to empty the deleted items automatically; that way you'll never get to see them.

    Read the email header; the sender IP is on the top line, e.g.

    Received: from virgin.net ([81.109.147.164 ]) by mta2-svc.business.ntl.com

    and do a search for that here....

    http://www.ripe.net/db/whois/whois.html

    that should tell you who the IP block is assigned to and show you where to report abuse. That's what I've been doing in the hope that they'll contact the sender though I doubt it

    I started getting mails infected with NetskyR as of this morning so have decided to delete the account and be far more careful about who has my email address.
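The header check the posts above describe (take the connecting IP from the top Received: line, compare it with the IPs that a contact's genuine mail arrives from, then look the address up at RIPE), as an added Python example that is not code from the thread. Both sample messages are constructed: the Received: line is modelled on the one quoted above, while the contact address, the hostname mail.example.org and the 198.51.100.25 address are placeholders. The caveat built into it is the one the post relies on: only the Received: line written by your own MTA can be trusted, and the IP on it is the infected machine only if the worm delivered straight to your MX rather than through its ISP's relay.

```python
"""Find where a spoofed-From message really came from.

Added example, not code from the thread.  Both messages are constructed:
the Received: line is modelled on the one quoted in the thread; the
contact address, mail.example.org and 198.51.100.25 are placeholders.
"""
import email
import re
from collections import Counter
from email import policy
from email.utils import parseaddr
from typing import Optional

IPV4 = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")

# Constructed worm message as it would arrive at the ntl MTA named in the
# thread.  The From: header is whatever the worm harvested, not the sender.
WORM_MAIL = b"""Received: from virgin.net ([81.109.147.164 ]) by mta2-svc.business.ntl.com
\twith ESMTP; Tue, 23 Mar 2004 08:15:02 +0000
From: "Colleague" <colleague@example.org>
To: you@example.net
Subject: Re: Document
Content-Type: text/plain

Modified message has been sent as a binary attachment.
"""

# Constructed genuine message from the same contact, used to learn which
# IP that contact's mail really arrives from.
GENUINE_MAIL = b"""Received: from mail.example.org (mail.example.org [198.51.100.25]) by mta2-svc.business.ntl.com
\twith ESMTP; Mon, 22 Mar 2004 17:40:11 +0000
From: "Colleague" <colleague@example.org>
To: you@example.net
Subject: meeting
Content-Type: text/plain

See you at 10.
"""


def received_hops(raw: bytes) -> list:
    """One dict per Received: header, in header order (top = most recent).

    'helo' is the name the connecting host announced, 'ip' the address in
    the same clause, 'by' the server that wrote the line.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = []
    for hdr in msg.get_all("Received", []):
        text = " ".join(str(hdr).split())            # unfold continuation lines
        from_part, _, by_part = text.partition(" by ")
        helo = re.search(r"from\s+(\S+)", from_part)
        ip = IPV4.search(from_part)
        by = re.match(r"(\S+)", by_part)
        hops.append({
            "helo": helo.group(1) if helo else None,
            "ip": ip.group(1) if ip else None,
            "by": by.group(1) if by else None,
        })
    return hops


def connecting_ip(raw: bytes) -> Optional[str]:
    """IP of the host that handed the message to our own MTA (top Received: line).

    Only the header written by a server you trust is reliable; every line
    below it arrived inside the message and could have been forged.
    """
    hops = received_hops(raw)
    return hops[0]["ip"] if hops else None


def header_from(raw: bytes) -> str:
    """The address in the From: header - what the worm claims, not proof."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return parseaddr(str(msg["From"]))[1].lower()


def learn_contact_ips(genuine_mail) -> dict:
    """Map each contact's address to the IPs their genuine mail arrived from."""
    known = {}
    for raw in genuine_mail:
        ip = connecting_ip(raw)
        if ip:
            known.setdefault(header_from(raw), set()).add(ip)
    return known


def from_matches_history(raw: bytes, known: dict) -> bool:
    """True when the message arrived from an IP this From: address has used before."""
    return connecting_ip(raw) in known.get(header_from(raw), set())


def suspect_sources(worm_mail) -> Counter:
    """Count connecting IPs over a batch of worm copies; a recurring IP is the
    infected machine (or its ISP's relay) to report to the abuse contact."""
    return Counter(ip for ip in map(connecting_ip, worm_mail) if ip)


if __name__ == "__main__":
    known = learn_contact_ips([GENUINE_MAIL])
    print("connecting IP:", connecting_ip(WORM_MAIL))
    print("From: consistent with history?", from_matches_history(WORM_MAIL, known))
    print("most frequent source:", suspect_sources([WORM_MAIL, WORM_MAIL]).most_common(1))
```

The IP that `suspect_sources` keeps returning is the one to paste into the RIPE whois form linked above (or `whois <ip>` on the command line) to find the block owner's abuse address.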

  7. #17
    Junior Member
    Join Date
    Mar 2004
    Posts
    2
    Thanks for your replies.
    Yeah, I've been down that route. Closed accounts ... even took out a new domain name and hosting for my business with all new email addresses. Well, that took about six months before 99% of my contacts got around to updating our new addresses. In the meantime we had to keep the other one going so we could get emails from all those people who are a bit slow at these things, plus all the spam.
    Well, I don't want to go down that route again. Now the new email addresses are compromised, I just have to put up with it I guess.
    I will take action as you have suggested.
    I've just run a trace route and got all the details so I will report. Who knows? Maybe something will happen!!!

  8. #18
    Junior Member
    Join Date
    Mar 2004
    Posts
    8
    I sent approx. 2 dozen abuse reports and have had nothing from the IP for 48 hrs, am now getting very odd ones (NetskyR) from a different source, one saying ...

    Modified message has been sent as a binary attachment.
    Or you can view the message at:
    followed by a web address with part of my email as the domain

    no intention of visiting the page but it's all getting a little freaky now.

  9. #19
    DjM (I'd rather be fishing)
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    What you're seeing is just normal fallout from the Netsky family of viruses.

    The body can also be appended with the following string:

    Or you can view the message at:
    www.[Recipient_Domain]/inmail/[Recipient_Name]/mread.php?
    sessionid-[Random_Number]

    Note: [Recipient_Domain] and [Recipient_Name] are taken from the email address of the recipient.
    Since March 1st my gateway has blocked/trapped/quarantined over 60 thousand copies of Netsky, don't get freaked out, just make sure you keep your AntiVirus software up to date.

    Cheers:
    DjM
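The lure string DjM quotes above is built from the recipient's own address, which makes it a usable mailbox rule of the "delete messages with the same body text" kind suggested earlier in the thread. The following is an added Python example, not code from the thread or from any AV vendor: it parses the appended string in the format quoted above, checks that [Recipient_Domain] and [Recipient_Name] really match the To: address, and drops messages that carry either that lure or one of the fixed body lines quoted in the thread. The two sample messages and the address you@example.net are constructed.

```python
"""Recognise the Netsky body lure quoted in the thread and drop mail carrying it.

Added example, not code from the thread or from any AV vendor.  The sample
messages and the recipient address you@example.net are constructed.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# The appended string in the format quoted above: domain and name are taken
# from the recipient's own address, the session id is random.
LURE = re.compile(
    r"Or you can view the message at:\s*"
    r"www\.(?P<domain>[^/\s]+)/inmail/(?P<name>[^/\s]+)/mread\.php\?\s*"
    r"sessionid-(?P<sid>\d+)",
    re.IGNORECASE,
)

# Fixed body lines quoted in the thread: the "same body text" a client rule keys on.
KNOWN_BODY_LINES = {
    "Modified message has been sent as a binary attachment.",
}

# Constructed worm copy addressed to you@example.net.
WORM_MAIL = b"""From: "Colleague" <colleague@example.org>
To: you@example.net
Subject: Re: Document
Content-Type: text/plain

Modified message has been sent as a binary attachment.
Or you can view the message at:
www.example.net/inmail/you/mread.php?
sessionid-83721
"""

# Constructed genuine message that the rule must leave alone.
GENUINE_MAIL = b"""From: "Colleague" <colleague@example.org>
To: you@example.net
Subject: meeting
Content-Type: text/plain

See you at 10.
"""


def lure_fields(body: str):
    """Return the domain, name and session id embedded in the lure, or None."""
    m = LURE.search(body)
    return m.groupdict() if m else None


def is_netsky_lure(body: str, recipient: str) -> bool:
    """True when the lure URL is built from this recipient's own address.

    The worm fills [Recipient_Domain] and [Recipient_Name] from the address it
    is sending to, so a lure pointing at the recipient's own domain and local
    part is the signature; a lure naming someone else is not this pattern.
    """
    fields = lure_fields(body)
    if not fields:
        return False
    local, _, domain = parseaddr(recipient)[1].lower().partition("@")
    return fields["domain"].lower() == domain and fields["name"].lower() == local


def should_discard(raw: bytes) -> bool:
    """Mailbox rule: drop a message whose text body carries the lure or a known body line."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    if part is None:
        return False
    body = part.get_content()
    if is_netsky_lure(body, str(msg.get("To", ""))):
        return True
    return any(line.strip() in KNOWN_BODY_LINES for line in body.splitlines())


def filter_mailbox(messages):
    """Return only the messages a client should keep, in their original order."""
    return [raw for raw in messages if not should_discard(raw)]


if __name__ == "__main__":
    for raw in (WORM_MAIL, GENUINE_MAIL):
        print(should_discard(raw), raw.split(b"\n", 1)[0].decode())
```

Keying on the recipient-derived URL rather than on the fixed sentence alone keeps the rule from firing on a genuine bounce that happens to quote a worm message, because a quoted lure will name the original recipient, not you.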
