Is this a virus I've been sent???


5milesbaby
14th Dec 2004, 22:26
I've just checked in my Bulk E-Mail folder and received an e-mail from "[email protected]" titled "Mail Delivery (failed <my e-mail address>)". I know I have definitely not sent an e-mail to the sender, and have no dealings with dyson.com, furthermore my e-mail address is reasonably unique and although I do get the occasional NetSky(?) virus sent (about twice a week at most), receive no bulk/trash mails.

Anyhow I can open the actual mail safely to see the text and have this written:

If the message will not displayed automatically,
follow the link to read the delivered message.

Received message is available at:
www.btinternet.com/inbox/<my Yahoo! id>/read.php?sessionid-<5 numbers>

the link is available to click on, which I obviously haven't done, and the e-mail size shows up as 42k, the NetSky ones all come through as 41k. I'm confused that the link shows to take me to my own inbox, or is it just a cover-up and it's actually going to take me to a nasty site? I've run Norton already just to check nothing has already happened and got the all clear. I've never seen an unusual e-mail like this before with just a link in it so all advice is very welcome.

Thanks to all and Merry Christmas.

5mb :ok:

Tuba Mirum
14th Dec 2004, 22:52
5milesbaby, please delete the mail. Following the link will cause infection with a mass-mailing worm known as W32/Baba.

5milesbaby
14th Dec 2004, 23:18
Thanks Tuba, thought as much. I rarely look at stuff I'm not expecting anyhow, just found it unusual for it to be sent in this way. The Netsky one I was on about is also a W32. one as I have just received another. Fortunately Norton sorts them out before I can get anywhere near. How are they able to use so many different user names, and such a variety too? I've even had them sent from lookalike Post Office and Inland Revenue addresses, it certainly makes you think before binning them all.

Finally, how do they get your e-mail address? I very rarely give it out to anybody, always check the box to receive no advertising, and never display it on-line. The only people that have it are good friends so to me it looks like btinternet, my provider, are to blame!! Is there any way I can stop getting them?

Cheers
5mb :ok:

Tuba Mirum
14th Dec 2004, 23:45
As for the user names, the sender will be using his/her own SMTP engine rather than an off-the-shelf mail client, with a programmed element that produces randomised sender names and (purported) source addresses.

As regards your email address, I doubt whether btinternet is to blame... can you be sure that when you check the box for no advertising, your request is honoured?

BTW, the W32 bit refers to the fact that the worm runs on 32-bit Windows systems - that is to say, most worms these days :rolleyes:

Naples Air Center, Inc.
15th Dec 2004, 15:30
5milesbaby,

I am sure that Email Addy has been spoofed. Expand the Email Header and post the info here. We will be able to give you details on where the Email came from.

Take Care,

Richard

5milesbaby
15th Dec 2004, 19:39
Naples, it was received from 81.103.54.144 (EHLO btinternet.com) (81.103.54.144) by mta818.mail.ukl.yahoo.com with SMTP; Mon, 13 Dec 2004 12:13:55 +0000. On the authentication results it said mta818.mail.ukl.yahoo.com with SMTP; domainkeys=neutral (no sig). For content type it says multipart/related; type="multipart/alternative"; boundary="----=_NextPart_000_001B_01C0CA80.6B015D10".

Cheers, 5mb :ok:

Naples Air Center, Inc.
16th Dec 2004, 11:48
5milesbaby,

There should have been a lot more to the header. As an example:

Return-Path: <[email protected]>
Received: from cdk.cdk.net (root@localhost)
by naples-air-center.com (8.11.6/8.11.6) with ESMTP id iBG7eYN16628;
Wed, 15 Dec 2004 23:40:34 -0800
X-ClientAddr: 221.127.7.245
Received: from 65.18.128.126 ([221.127.7.245])
by cdk.cdk.net (8.11.6/8.11.6) with SMTP id iBG7eMj16617;
Wed, 15 Dec 2004 23:40:23 -0800
Received: from 136.34.126.240 by 221.127.7.245; Thu, 16 Dec 2004 08:39:17 +0100
Message-ID: <[email protected]>
From: "Sharon" <[email protected]>
Reply-To: "Sharon" <[email protected]>
To: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Subject: we carry real vicodin
Date: Thu, 16 Dec 2004 02:39:17 -0500
X-Mailer: AOL 9.0 for Windows US sub 212
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="--7740178784474255283"
X-Priority: 3
X-MSMail-Priority: Normal
X-IP: 116.56.246.0

And with a little digging you see this email was generated with an AOL Client out of:

inetnum: 221.124.0.0 - 221.127.255.255
netname: HGC
descr: Hutchison Global Communications
country: HK
admin-c: IH17-AP
tech-c: IH17-AP
mnt-by: APNIC-HM
mnt-lower: MAINT-HK-HGCADMIN
status: ALLOCATED PORTABLE
remarks: This object can only be modified by APNIC hostmaster
remarks: If you wish to modify this object details please
remarks: send email to [email protected] with your organisation
remarks: account name in the subject line.
changed: [email protected] 20040209
changed: [email protected] 20040212
source: APNIC

person: ITMM HGC
nic-hdl: IH17-AP
e-mail: [email protected]
remarks: ---------------------
remarks: for spamming/hacking complaints
remarks: send reports to
remarks: [email protected]
remarks: ---------------------
address: 2/F COSCO-HIT TOWER,
address: TERMINAL 8 EAST, CONTAINER PORT,
address: ROAD SOUTHKWAI CHUNG,
address: HONG KONG
phone: +852-21229555
fax-no: +852-21239523
country: HK
changed: [email protected] 20040207
mnt-by: MAINT-HK-HGCADMIN
source: APNIC


In your case, it looks like the email came from (But I cannot give any more details without the full header):

inetnum: 81.103.48.0 - 81.103.55.255
netname: NTL
descr: NTL Infrastructure - Guildford
country: GB
admin-c: NNMC1-RIPE
tech-c: NNMC1-RIPE
status: ASSIGNED PA
mnt-by: AS5089-MNT
remarks: INFRA-AW
changed: [email protected] 20021114
source: RIPE
route: 81.102.0.0/15
descr: NTL-UK-IP-BLOCK
origin: AS5089
mnt-by: AS5089-MNT
changed: [email protected] 20040929
source: RIPE
role: NTLI Network Management Centre
address: NTL Internet
address: Crawley Court
address: Winchester
address: Hampshire
address: SO21 2QA
trouble: -------------------------------------------------------
trouble: For abuse notifications please -
trouble: file an online case @ http://www.ntlworld.com/netreport
trouble: +44 1633 710142 (Voicemail Only)
trouble: -------------------------------------------------------
trouble: For peering issues/requests please -
trouble: email : [email protected]
trouble: -------------------------------------------------------
admin-c: MH22007-RIPE
admin-c: CF2297-RIPE
admin-c: CM1377-RIPE
tech-c: MH22007-RIPE
tech-c: CF2297-RIPE
tech-c: CM1377-RIPE
nic-hdl: NNMC1-RIPE
mnt-by: AS5089-MNT
notify: [email protected]
e-mail: [email protected]
changed: [email protected] 20030328
changed: [email protected] 20030401
changed: [email protected] 20030603
changed: [email protected] 20030707
changed: [email protected] 20040303
changed: [email protected] 20040312
changed: [email protected] 20040929
source: RIPE

Take Care,

Richard

5milesbaby
16th Dec 2004, 12:50
Hi Richard, the full header is below with just my IP and e-mail address removed:

X-Apparently-To: <me>@btinternet.com via <IP address>; Mon, 13 Dec 2004 12:13:55 +0000
X-YahooFilteredBulk: 81.103.54.144
Authentication-Results: mta818.mail.ukl.yahoo.com from=dyson.com; domainkeys=neutral (no sig)
X-Originating-IP: [81.103.54.144]
Return-Path: <[email protected]>
Received: from 81.103.54.144 (EHLO btinternet.com) (81.103.54.144) by mta818.mail.ukl.yahoo.com with SMTP; Mon, 13 Dec 2004 12:13:55 +0000
From: [email protected] Add to Address Book
To: <me>@btinternet.com
Subject: Mail Delivery (failure <me>@btinternet.com)
Date: Mon, 13 Dec 2004 12:13:54 +0000
MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative"; boundary="----=_NextPart_000_001B_01C0CA80.6B015D10"
X-Priority: 3
X-MSMail-Priority: Normal
Content-Length: 30626

From looking at what you already think I take it that someone sent it to me using NTL as their ISP in Guildford? Ironically the Management Centre is not too far from where I live!!
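As an added example (not code from anyone in the thread), the check below does by script what Richard does by hand: it takes the bottom-most Received: header as the true peer address and compares the EHLO identity against the WHOIS owner of that address's netblock. The sample header lines and the NTL range are the ones posted above; the range-to-owner lookup table is a constructed assumption.

```python
import ipaddress
import re

# Constructed sample: the relevant lines of the header posted above, placeholders kept as posted.
SAMPLE_HEADER = """\
X-Originating-IP: [81.103.54.144]
Received: from 81.103.54.144 (EHLO btinternet.com) (81.103.54.144) by mta818.mail.ukl.yahoo.com with SMTP; Mon, 13 Dec 2004 12:13:55 +0000
To: <me>@btinternet.com
"""

# Assumed lookup table built from the inetnum posted above: address range -> netname.
KNOWN_BLOCKS = {"81.103.48.0-81.103.55.255": "NTL"}

def parse_received(line):
    """Pull the announced name, EHLO string, peer IP and receiving host out of one Received: header."""
    m = re.match(r"Received:\s+from\s+(\S+)", line, re.I)
    if not m:
        return None
    ehlo = re.search(r"\(EHLO\s+([^)]+)\)", line, re.I)          # Yahoo-style "(EHLO host)"
    ip = re.search(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]", line)  # bracketed IPv4 = real peer
    by = re.search(r"\bby\s+(\S+)", line, re.I)                   # the MTA that wrote this line
    return {"claimed": m.group(1), "ehlo": ehlo and ehlo.group(1),
            "ip": ip and ip.group(1), "by": by and by.group(1)}

def received_chain(raw):
    """Return hops oldest-first: each MTA prepends its Received:, so the bottom one is the origin."""
    hops = [h for h in map(parse_received, raw.splitlines()) if h]
    return hops[::-1]

def owner_of(ip, blocks=KNOWN_BLOCKS):
    """Look the peer address up in the WHOIS ranges we know; None if it is in none of them."""
    addr = ipaddress.ip_address(ip)
    for rng, name in blocks.items():
        lo, hi = (ipaddress.ip_address(x) for x in rng.split("-"))
        if lo <= addr <= hi:
            return name
    return None

def assess(raw):
    """Return the origin IP and a list of reasons the greeting identity does not hold up."""
    origin = received_chain(raw)[0]
    findings = []
    helo = (origin["ehlo"] or origin["claimed"]).lower()
    owner = owner_of(origin["ip"]) if origin["ip"] else None
    if owner and owner.lower() not in helo:
        findings.append(f"EHLO '{helo}' but {origin['ip']} is allocated to {owner}")
    to = re.search(r"^To:.*@([\w.-]+)", raw, re.M)
    if to and helo.endswith(to.group(1).lower()):   # greeted as the victim's own provider
        findings.append(f"sender greeted as the recipient's own domain {to.group(1)}")
    return origin["ip"], findings
```

Running `assess(SAMPLE_HEADER)` reports 81.103.54.144 with two findings: the EHLO names btinternet.com while the address belongs to NTL, and that name is also the recipient's own domain.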

Naples Air Center, Inc.
16th Dec 2004, 20:29
5milesbaby,

It looks like:

role: NTLI Network Management Centre
address: NTL Internet
address: Crawley Court
address: Winchester
address: Hampshire
address: SO21 2QA

Is sending emails as if they were:

person: Michael Michael
address: Compusystems Assocs. Ltd
address: Haberfield Park Farm, Pill Road
address: BS8 3RE Abbots Leigh, Bristol
address: GB
phone: +44 117 3129245
fax-no: +44 1275 371422
e-mail: [email protected]

Take Care,

Richard

5milesbaby
16th Dec 2004, 20:56
Thanks Richard, the NTL complaints link in one of your earlier messages has been filled in and I'll let you know of any responses I get. I know it's all in vain really and that we will not be able to shut everyone down, but I'm in the mood for trying!!

5mb :ok: