Is this a virus I've been sent???

Old 14th Dec 2004, 22:26
#1
Thread Starter
Is this a virus I've been sent???

I've just checked in my Bulk E-Mail folder and received an e-mail from "[email protected]" titled "Mail Delivery (failed <my e-mail address>)". I know I have definitely not sent an e-mail to the sender, and have no dealings with dyson.com; furthermore my e-mail address is reasonably unique and although I do get the occasional NetSky(?) virus sent (about twice a week at most), I receive no bulk/trash mails.

Anyhow I can open the actual mail safely to see the text and have this written:

If the message will not displayed automatically,
follow the link to read the delivered message.

Received message is available at:
www.btinternet.com/inbox/<my Yahoo! id>/read.php?sessionid-<5 numbers>
The link is available to click on, which I obviously haven't done, and the e-mail size shows up as 42k; the NetSky ones all come through as 41k. I'm confused that the link shows to take me to my own inbox, or is it just a cover-up and it's actually going to take me to a nasty site? I've run Norton already just to check nothing has already happened and got the all clear. I've never seen an unusual e-mail like this before with just a link in it, so all advice is very welcome.

Thanks to all and Merry Christmas.

5mb
5milesbaby is offline  
Old 14th Dec 2004, 22:52
#2
Tuba Mirum
5milesbaby, please delete the mail. Following the link will cause infection with a mass-mailing worm known as W32/Baba.
 
Old 14th Dec 2004, 23:18
#3
Thread Starter
Thanks Tuba, thought as much. I rarely look at stuff I'm not expecting anyhow, just found it unusual for it to be sent in this way. The Netsky one I was on about is also a W32. one as I have just received another. Fortunately Norton sorts them out before I can get anywhere near. How are they able to use so many different user names, and such a variety too? I've even had them sent from lookalike Post Office and Inland Revenue addresses, it certainly makes you think before binning them all.

Finally, how do they get your e-mail address? I very rarely give it out to anybody, always check the box to receive no advertising, and never display it on-line. The only people that have it are good friends so to me it looks like btinternet, my provider, are to blame!! Is there any way I can stop getting them?

Cheers
5mb
5milesbaby is offline  
Old 14th Dec 2004, 23:45
#4
Tuba Mirum
As for the user names, the sender will be using his/her own SMTP engine rather than an off-the-shelf mail client, with a programmed element that produces randomised sender names and (purported) source addresses.

As regards your email address, I doubt whether btinternet is to blame... can you be sure that when you check the box for no advertising, your request is honoured?

BTW, the W32 bit refers to the fact that the worm runs on 32-bit Windows systems - that is to say, most worms these days.
 
Old 15th Dec 2004, 15:30
#5
The Oracle
5milesbaby,

I am sure that Email Addy has been spoofed. Expand the Email Header and post the info here. We will be able to give you details on where the Email came from.

Take Care,

Richard
Naples Air Center, Inc. is offline  
Old 15th Dec 2004, 19:39
#6
Thread Starter
Naples, it was received from 81.103.54.144 (EHLO btinternet.com) (81.103.54.144) by mta818.mail.ukl.yahoo.com with SMTP; Mon, 13 Dec 2004 12:13:55 +0000. On the authentication results it said mta818.mail.ukl.yahoo.com with SMTP; domainkeys=neutral (no sig). For content type it says multipart/related; type="multipart/alternative"; boundary="----=_NextPart_000_001B_01C0CA80.6B015D10".

Cheers, 5mb
5milesbaby is offline  
Old 16th Dec 2004, 11:48
#7
The Oracle
5milesbaby,

There should have been a lot more to the header. As an example:

Return-Path: <[email protected]>
Received: from cdk.cdk.net (root@localhost)
by naples-air-center.com (8.11.6/8.11.6) with ESMTP id iBG7eYN16628;
Wed, 15 Dec 2004 23:40:34 -0800
X-ClientAddr: 221.127.7.245
Received: from 65.18.128.126 ([221.127.7.245])
by cdk.cdk.net (8.11.6/8.11.6) with SMTP id iBG7eMj16617;
Wed, 15 Dec 2004 23:40:23 -0800
Received: from 136.34.126.240 by 221.127.7.245; Thu, 16 Dec 2004 08:39:17 +0100
Message-ID: <[email protected]>
From: "Sharon" <[email protected]>
Reply-To: "Sharon" <[email protected]>
To: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Subject: we carry real vicodin
Date: Thu, 16 Dec 2004 02:39:17 -0500
X-Mailer: AOL 9.0 for Windows US sub 212
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="--7740178784474255283"
X-Priority: 3
X-MSMail-Priority: Normal
X-IP: 116.56.246.0
And with a little digging you see this email was generated with an AOL Client out of:

inetnum: 221.124.0.0 - 221.127.255.255
netname: HGC
descr: Hutchison Global Communications
country: HK
admin-c: IH17-AP
tech-c: IH17-AP
mnt-by: APNIC-HM
mnt-lower: MAINT-HK-HGCADMIN
status: ALLOCATED PORTABLE
remarks: This object can only be modified by APNIC hostmaster
remarks: If you wish to modify this object details please
remarks: send email to [email protected] with your organisation
remarks: account name in the subject line.
changed: [email protected] 20040209
changed: [email protected] 20040212
source: APNIC

person: ITMM HGC
nic-hdl: IH17-AP
e-mail: [email protected]
remarks: ---------------------
remarks: for spamming/hacking complaints
remarks: send reports to
remarks: [email protected]
remarks: ---------------------
address: 2/F COSCO-HIT TOWER,
address: TERMINAL 8 EAST, CONTAINER PORT,
address: ROAD SOUTHKWAI CHUNG,
address: HONG KONG
phone: +852-21229555
fax-no: +852-21239523
country: HK
changed: [email protected] 20040207
mnt-by: MAINT-HK-HGCADMIN
source: APNIC
In your case, it looks like the email came from (But I cannot give any more details without the full header):

inetnum: 81.103.48.0 - 81.103.55.255
netname: NTL
descr: NTL Infrastructure - Guildford
country: GB
admin-c: NNMC1-RIPE
tech-c: NNMC1-RIPE
status: ASSIGNED PA
mnt-by: AS5089-MNT
remarks: INFRA-AW
changed: [email protected] 20021114
source: RIPE
route: 81.102.0.0/15
descr: NTL-UK-IP-BLOCK
origin: AS5089
mnt-by: AS5089-MNT
changed: [email protected] 20040929
source: RIPE
role: NTLI Network Management Centre
address: NTL Internet
address: Crawley Court
address: Winchester
address: Hampshire
address: SO21 2QA
trouble: -------------------------------------------------------
trouble: For abuse notifications please -
trouble: file an online case @ http://www.ntlworld.com/netreport
trouble: +44 1633 710142 (Voicemail Only)
trouble: -------------------------------------------------------
trouble: For peering issues/requests please -
trouble: email : [email protected]
trouble: -------------------------------------------------------
admin-c: MH22007-RIPE
admin-c: CF2297-RIPE
admin-c: CM1377-RIPE
tech-c: MH22007-RIPE
tech-c: CF2297-RIPE
tech-c: CM1377-RIPE
nic-hdl: NNMC1-RIPE
mnt-by: AS5089-MNT
notify: [email protected]
e-mail: [email protected]
changed: [email protected] 20030328
changed: [email protected] 20030401
changed: [email protected] 20030603
changed: [email protected] 20030707
changed: [email protected] 20040303
changed: [email protected] 20040312
changed: [email protected] 20040929
source: RIPE
Take Care,

Richard
Naples Air Center, Inc. is offline  
Old 16th Dec 2004, 12:50
#8
Thread Starter
Hi Richard, the full header is below with just my IP and e-mail address removed:

X-Apparently-To: <me>@btinternet.com via <IP address>; Mon, 13 Dec 2004 12:13:55 +0000
X-YahooFilteredBulk: 81.103.54.144
Authentication-Results: mta818.mail.ukl.yahoo.com from=dyson.com; domainkeys=neutral (no sig)
X-Originating-IP: [81.103.54.144]
Return-Path: <[email protected]>
Received: from 81.103.54.144 (EHLO btinternet.com) (81.103.54.144) by mta818.mail.ukl.yahoo.com with SMTP; Mon, 13 Dec 2004 12:13:55 +0000
From: [email protected] Add to Address Book
To: <me>@btinternet.com
Subject: Mail Delivery (failure <me>@btinternet.com)
Date: Mon, 13 Dec 2004 12:13:54 +0000
MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative"; boundary="----=_NextPart_000_001B_01C0CA80.6B015D10"
X-Priority: 3
X-MSMail-Priority: Normal
Content-Length: 30626

From looking at what you already think I take it that someone sent it to me using NTL as their ISP in Guildford? Ironically the Management Centre is not too far from where I live!!
5milesbaby is offline  
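The header reading Richard describes, done in code, as an added example (not code from the thread or from either poster): it takes the header posted above, with placeholder addresses standing in for the redacted ones, and reports the signs that this "delivery failure" is forged. The RIPE allocation is the one quoted earlier in the thread; the placeholder sender address is an assumption.

```python
import ipaddress
import re
from email import message_from_string
# Constructed sample: the header the thread starter posted, with the redacted
# sender and recipient replaced by placeholder addresses.
RAW_HEADERS = (
    "Return-Path: <bounce@dyson.com>\n"
    "Received: from 81.103.54.144 (EHLO btinternet.com) (81.103.54.144) "
    "by mta818.mail.ukl.yahoo.com with SMTP; Mon, 13 Dec 2004 12:13:55 +0000\n"
    "From: bounce@dyson.com\n"
    "Subject: Mail Delivery (failure me@btinternet.com)\n"
    "\n"
)
# Allocation copied from the RIPE whois output quoted earlier in the thread.
KNOWN_BLOCKS = {"81.103.48.0/21": "NTL Infrastructure - Guildford"}
# Yahoo's Received format: "from <name> (EHLO <claimed host>) (<ip>) by ..."
HOP_RE = re.compile(r"from \S+ \(EHLO (?P<ehlo>[^)]+)\) \((?P<ip>[\d.]+)\)")

def originating_hop(raw):
    """Return (claimed EHLO name, connecting IP) from the earliest Received
    header, which is the last one listed because each relay prepends its own."""
    received = message_from_string(raw).get_all("Received") or []
    m = HOP_RE.search(received[-1]) if received else None
    return (m.group("ehlo"), m.group("ip")) if m else (None, None)

def owner_of(ip):
    """Look the IP up in the whois allocations embedded above (offline)."""
    addr = ipaddress.ip_address(ip)
    for block, name in KNOWN_BLOCKS.items():
        if addr in ipaddress.ip_network(block):
            return name
    return None

def triage(raw):
    """Return the findings that mark this 'delivery failure' as forged."""
    msg = message_from_string(raw)
    ehlo, ip = originating_hop(raw)
    from_domain = msg["From"].rsplit("@", 1)[-1].lower()
    findings = []
    if ehlo and ehlo.lower() != from_domain:
        findings.append(f"EHLO {ehlo} does not match From domain {from_domain}")
    if ip and owner_of(ip):
        findings.append(f"connecting IP {ip} is allocated to {owner_of(ip)}, "
                        f"yet it greeted as {ehlo}")
    if len(msg.get_all("Received") or []) == 1:
        findings.append("one Received hop: the sender's host talked straight to Yahoo's MTA")
    if "Mail Delivery" in msg["Subject"] and msg["Return-Path"] != "<>":
        findings.append("a real bounce has the null reverse-path <>; this one does not")
    return findings
```

Run `triage(RAW_HEADERS)` to get the four findings; swapping in a header from your own mail client works as long as it uses the same `(EHLO name) (ip)` Received format.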
Old 16th Dec 2004, 20:29
#9
The Oracle
5milesbaby,

It looks like:

role: NTLI Network Management Centre
address: NTL Internet
address: Crawley Court
address: Winchester
address: Hampshire
address: SO21 2QA
is sending emails as if they were:

person: Michael Michael
address: Compusystems Assocs. Ltd
address: Haberfield Park Farm, Pill Road
address: BS8 3RE Abbots Leigh, Bristol
address: GB
phone: +44 117 3129245
fax-no: +44 1275 371422
e-mail: [email protected]
Take Care,

Richard
Naples Air Center, Inc. is offline  
Old 16th Dec 2004, 20:56
#10
Thread Starter
Thanks Richard, the NTL complaints link in one of your earlier messages has been filled in and I'll let you know of any responses I get. I know it's all in vain really and that we will not be able to shut everyone down, but I'm in the mood for trying!!

5mb
5milesbaby is offline  

Copyright © 2024 MH Sub I, LLC dba Internet Brands. All rights reserved. Use of this site indicates your consent to the Terms of Use.