Still having "return mail" problems -- Help!
Sheldon
2003-08-20 03:14:15 UTC
Win XP Home/AOL

I'm still having returned mail problems on this particular computer, and it
appears to be sending out viruses, but we can't find any viruses on this
machine after numerous scans. The complete message from the mailer is below
my signature. Does anybody still think this is a spoof and we are actually
clean? Also, nobody using this computer knows a "sonshirley."

Sheldon
***@sopris.net

The original message was received at Mon, 18 Aug 2003 20:25:45 -0400 (EDT)
from mta3.mail.adelphia.net [64.8.50.181]


*** ATTENTION ***

Your e-mail is being returned to you because there was a problem with its
delivery. The address which was undeliverable is listed in the section
labeled: "----- The following addresses had permanent fatal errors -----".

The reason your mail is being returned to you is listed in the section
labeled: "----- Transcript of Session Follows -----".

The line beginning with "<<<" describes the specific reason your e-mail could
not be delivered. The next line contains a second error message which is a
general translation for other e-mail servers.

Please direct further questions regarding this message to your e-mail
administrator.

--AOL Postmaster



----- The following addresses had permanent fatal errors -----
<***@aol.com>

----- Transcript of session follows -----
DATA
<<< 554 TRANSACTION FAILED - Unrepairable Virus Detected. Your mail has not
been sent.
554 <***@aol.com>... Service unavailable



--------------------------------------------------------------------------------


Final-Recipient: RFC822; ***@aol.com
Action: failed
Status: 5.0.0
Remote-MTA: DNS; air-xl02.mail.aol.com
Diagnostic-Code: SMTP; 554 TRANSACTION FAILED - Unrepairable Virus Detected.
Your mail has not been sent.
Last-Attempt-Date: Mon, 18 Aug 2003 20:26:16 -0400 (EDT)



--------------------------------------------------------------------------------


Received: from mta3.adelphia.net (mta3.mail.adelphia.net [64.8.50.181]) by
rly-xl04.mx.aol.com (v95.1) with ESMTP id MAILRELAYINXL49-5d13f416e881ba;
Mon, 18 Aug 2003 20:25:44 -0400
Received: from thuy-home ([24.49.28.44]) by mta3.adelphia.net
(InterMail vM.5.01.05.32 201-253-122-126-132-20030307) with SMTP
id <***@thuy-home>
for <***@aol.com>; Mon, 18 Aug 2003 20:25:36 -0400
From: "XXXXXX"<***@aol.com>
To: ***@aol.com
Subject: Re:Kiss you..^@^
Reply-To: ***@aol.com
MIME-Version: 1.0
Content-type: multipart/mixed; boundary="#BOUNDARY#"
Message-Id: <***@thuy-home>
Date: Mon, 18 Aug 2003 20:25:45 -0400
X-AOL-IP: 64.8.50.181
X-AOL-SCOLL-SCORE: 0:XXX:XX
X-AOL-SCOLL-URL_COUNT: 0
W.S. Blevins
2003-08-20 03:30:09 UTC
Post by Sheldon
Win XP Home/AOL
I'm still having returned mail problems on this particular computer
Try filtering your mail. The computer sending out the infected emails
is one that has your email address in its address book. There's
essentially nothing you can do about it other than filter your mail.
Niko Schwarz
2003-08-20 09:05:10 UTC
Post by W.S. Blevins
Post by Sheldon
I'm still having returned mail problems on this particular computer
Try filtering your mail. The computer sending out the infected emails
is one that has your email address in its address book. There's
essentially nothing you can do about it other than filter your mail.
But filter for what? I've received today around 12 bounces. I can't
filter every bounce, cos often enough I'd like to read when my mail
doesn't arrive. So how to tell my mails from the fakes? Hmm, that gives
me an idea: I'm going to filter for "Outlook Express" in the body, I
think that is going to help a little.

Ah well, vacations at universities... virus time...

regards,

nick
--
Message will arrive in the mail. Destroy, before the FBI sees it.
Ted Davis
2003-08-20 15:35:25 UTC
On Wed, 20 Aug 2003 11:05:10 +0200, Niko Schwarz
Post by Niko Schwarz
Post by W.S. Blevins
Post by Sheldon
I'm still having returned mail problems on this particular computer
Try filtering your mail. The computer sending out the infected emails
is one that has your email address in its address book. There's
essentially nothing you can do about it other than filter your mail.
But filter for what? I've received today around 12 bounces. I can't
filter every bounce, cos often enough I'd like to read when my mail
doesn't arrive. So how to tell my mails from the fakes? Hmm, that gives
me an idea: I'm going to filter for "Outlook Express" in the body, I
think that is going to help a little.
Ah well, vacations at universities... virus time...
Not here - on top of all the virus/worm problems, the freshmen arrived
yesterday.

You might want to look at one of the Bayesian e-mail classifiers. I
use POPFile (free, <http://popfile.sourceforge.net/>) under XP with
great success. I have it configured to insert a new header line.
Eudora's filters then sort the mail on the basis of those header lines
into several mailboxes - only the real mail (or copies for some types)
goes into the In box. It's normally about 99.something percent
accurate. I will be retraining it to sort viruses and their bounce
messages into a new category, and also trying to write a filter for
the now unfiltered EMWAC/IMS server to delete them before they are
presented to the client.



T.E.D. (***@gearbox.maem.umr.edu)
SPAM filter: Messages to this address *must* contain "T.E.D."
somewhere in the body or they will be automatically rejected.
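The approach Ted describes (a Bayesian classifier that stamps a header, with the mail client filtering on that header) is easy to reproduce in a few dozen lines. The example below is an added illustration, not POPFile's code or anything posted in the thread: it trains a multinomial naive Bayes model on a handful of constructed bounce and real messages, then tags a new message with an `X-Text-Classification` header (header name chosen for this example) so a client-side rule can route worm bounces out of the inbox.

```python
import math
import re
from collections import Counter, defaultdict

# Tokens are lower-cased runs of letters, digits, dots and hyphens, so things
# like "5.0.0", "diagnostic-code" and "554" survive as single features.
TOKEN_RE = re.compile(r"[a-z0-9.\-]{2,}")


def tokenize(text):
    return TOKEN_RE.findall(text.lower())


class NaiveBayes:
    """Multinomial naive Bayes with add-one (Laplace) smoothing."""

    def __init__(self):
        self.doc_counts = Counter()                # category -> training docs
        self.token_counts = defaultdict(Counter)   # category -> token -> count
        self.vocab = set()

    def train(self, category, text):
        self.doc_counts[category] += 1
        for tok in tokenize(text):
            self.token_counts[category][tok] += 1
            self.vocab.add(tok)

    def scores(self, text):
        """Log posterior (up to a constant) for each category."""
        total_docs = sum(self.doc_counts.values())
        tokens = tokenize(text)
        result = {}
        for cat, ndocs in self.doc_counts.items():
            logp = math.log(ndocs / total_docs)              # prior
            denom = sum(self.token_counts[cat].values()) + len(self.vocab)
            for tok in tokens:                               # likelihood
                logp += math.log((self.token_counts[cat][tok] + 1) / denom)
            result[cat] = logp
        return result

    def classify(self, text):
        s = self.scores(text)
        return max(s, key=s.get)


# Constructed training corpus: bounce/DSN boilerplate versus ordinary mail.
BOUNCE_SAMPLES = [
    "Your e-mail is being returned to you because there was a problem with its "
    "delivery. The following addresses had permanent fatal errors. Transcript "
    "of session follows. 554 transaction failed unrepairable virus detected.",
    "Delivery status notification. Action: failed. Status: 5.0.0. Remote-MTA: "
    "DNS. Diagnostic-Code: SMTP; 550 user unknown. Final-Recipient: rfc822.",
    "Mail delivery failed: returning message to sender. This message was "
    "created automatically by mail delivery software. Permanent fatal errors: "
    "user unknown.",
]
REAL_SAMPLES = [
    "Hi Sheldon, are we still on for lunch Thursday? Let me know what time "
    "works. Thanks, Pat",
    "Attached is the draft agenda for next week's lab meeting. Please send "
    "comments by Friday.",
    "Reminder: the freshman orientation schedule is posted on the department "
    "web page. See you at the meeting.",
]


def build_classifier():
    clf = NaiveBayes()
    for text in BOUNCE_SAMPLES:
        clf.train("bounce", text)
    for text in REAL_SAMPLES:
        clf.train("real", text)
    return clf


def tag_message(classifier, raw_message):
    """Prepend a classification header for the mail client's filter to act on."""
    cat = classifier.classify(raw_message)
    return f"X-Text-Classification: {cat}\n" + raw_message, cat


# Constructed test inputs: a worm bounce like the one quoted in this thread,
# and an ordinary note.
SAMPLE_BOUNCE = (
    "The original message was received at Mon, 18 Aug 2003 20:25:45 -0400. "
    "The following addresses had permanent fatal errors. Diagnostic-Code: "
    "SMTP; 554 TRANSACTION FAILED - Unrepairable Virus Detected. Your mail has "
    "not been sent."
)
SAMPLE_REAL = "Hi, can you send me the agenda for Thursday's meeting? Thanks"

if __name__ == "__main__":
    clf = build_classifier()
    for sample in (SAMPLE_BOUNCE, SAMPLE_REAL):
        tagged, cat = tag_message(clf, sample)
        print(cat, "<-", sample[:50])
```

The model is only as good as its training set, which is why Ted talks about retraining: worm bounces share boilerplate ("permanent fatal errors", "Diagnostic-Code", "virus detected") that a Bayesian filter picks up after a few examples, while a genuine bounce for a message you actually sent looks the same, so the separate category should be reviewed rather than deleted unread.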
n***@novirus.com
2003-08-20 03:57:26 UTC
Post by Sheldon
Win XP Home/AOL
I'm still having returned mail problems on this particular computer, and it
appears to be sending out viruses, but we can't find any viruses on this
machine after numerous scans. The complete message from the mailer is below
my signature. Does anybody still think this is a spoof and we are actually
clean?
the mail was sent from 24.49.28.44, which is an adelphia IP address (See the
Received: lines in the bounced msg)
Post by Sheldon
Also, nobody using this computer knows a "sonshirley."
no, but the people who are (or were) at 24.49.28.44 have that address in an
address book on their computer. Most likely they are infected with some
version of LOVELORN, because it's using "Re:Kiss you..^@^" as a subject and
uses "thuy-home" as the HELO.

I myself have received 18 bounces today, where my email address was forged into
the From: field by SOBIG.F
--
Ken
Post by Sheldon
Received: from mta3.adelphia.net (mta3.mail.adelphia.net [64.8.50.181]) by
rly-xl04.mx.aol.com (v95.1) with ESMTP id MAILRELAYINXL49-5d13f416e881ba;
Mon, 18 Aug 2003 20:25:44 -0400
Received: from thuy-home ([24.49.28.44]) by mta3.adelphia.net
(InterMail vM.5.01.05.32 201-253-122-126-132-20030307) with SMTP
MIME-Version: 1.0
Content-type: multipart/mixed; boundary="#BOUNDARY#"
Date: Mon, 18 Aug 2003 20:25:45 -0400
X-AOL-IP: 64.8.50.181
X-AOL-SCOLL-SCORE: 0:XXX:XX
X-AOL-SCOLL-URL_COUNT: 0
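Ken's diagnosis comes from reading the Received: chain bottom-up: the lowest line is the first hop, and it names the HELO ("thuy-home") and the connecting IP (24.49.28.44) of the machine that actually injected the message, while the From: domain (aol.com) appears nowhere in that path. The following script is an added example, not code from the thread: it parses a constructed copy of the quoted headers (hosts, IPs and dates as quoted; local parts and the message id replaced by placeholders) and reports the origin hop and whether the From: domain took part in delivery.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed copy of the headers AOL echoed back in the bounce. Continuation
# lines are folded with leading whitespace as they would be on the wire.
BOUNCED_HEADERS = """\
Received: from mta3.adelphia.net (mta3.mail.adelphia.net [64.8.50.181]) by
  rly-xl04.mx.aol.com (v95.1) with ESMTP id MAILRELAYINXL49-5d13f416e881ba;
  Mon, 18 Aug 2003 20:25:44 -0400
Received: from thuy-home ([24.49.28.44]) by mta3.adelphia.net
  (InterMail vM.5.01.05.32 201-253-122-126-132-20030307) with SMTP
  id <placeholder-id@thuy-home>
  for <recipient@aol.com>; Mon, 18 Aug 2003 20:25:36 -0400
From: "XXXXXX"<forged-sender@aol.com>
To: recipient@aol.com
Subject: Re:Kiss you..^@^
Reply-To: forged-sender@aol.com
MIME-Version: 1.0
Content-type: multipart/mixed; boundary="#BOUNDARY#"
Message-Id: <placeholder-id@thuy-home>
Date: Mon, 18 Aug 2003 20:25:45 -0400

"""

# "from <helo> (<rdns> [<ip>]) by <receiving host>" as written by most MTAs.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*(?:\((?P<info>[^)]*)\))?\s*by\s+(?P<by>\S+)", re.I
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_hops(raw):
    """Return the Received: hops oldest-first (the message's actual path)."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())          # unfold continuation lines
        m = HOP_RE.search(flat)
        if not m:
            continue
        ipm = IP_RE.search(m.group("info") or "")
        hops.append({
            "helo": m.group("helo"),
            "ip": ipm.group(1) if ipm else None,
            "by": m.group("by"),
        })
    hops.reverse()   # headers are prepended, so the last one is the first hop
    return hops


def assess(raw):
    """Locate the injecting host and test whether From: matches the path."""
    msg = message_from_string(raw)
    hops = parse_hops(raw)
    if not hops:
        raise ValueError("no parseable Received: headers")
    origin = hops[0]
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()

    # Hosts that handled the message before the recipient's own MX (the final
    # "by") accepted it. Only the first hop can be trusted to the extent that
    # the receiving MTA recorded the peer's real IP.
    path_hosts = {h["helo"].lower() for h in hops}
    path_hosts |= {h["by"].lower() for h in hops[:-1]}
    from_in_path = any(
        host == from_domain or host.endswith("." + from_domain)
        for host in path_hosts
    )
    msgid_host = msg.get("Message-Id", "").rpartition("@")[2].strip("<> ")
    return {
        "origin_helo": origin["helo"],
        "origin_ip": origin["ip"],
        "injecting_mta": origin["by"],
        "from_domain": from_domain,
        "from_domain_in_path": from_in_path,
        "msgid_matches_origin_helo": msgid_host.lower() == origin["helo"].lower(),
        "hops": len(hops),
    }


if __name__ == "__main__":
    for key, value in assess(BOUNCED_HEADERS).items():
        print(f"{key}: {value}")
```

For the quoted bounce this reports the origin as `thuy-home` at 24.49.28.44, handed to `mta3.adelphia.net`, with `from_domain_in_path` false: the aol.com address in From: was supplied by whatever generated the message, not by any host that carried it, which is exactly the pattern of a worm reusing addresses from an infected machine's address book. The only Received: line you can rely on is the one your own provider wrote; earlier ones can be fabricated, which is why the check works inward from the recipient's MX.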
W.S. Blevins
2003-08-20 17:34:05 UTC
I've run an updated scan on my computer and it doesn't
find a virus, so is it probable that I'm not infected and the bounces
are all coming to me because my email address was forged?
<sigh> I don't know what is so damn difficult for people to
understand. No, it was not intentionally forged by an individual. The
infected computer has your address in its address book. The worm
propagates by sending email from the infected computer and uses the
addresses it finds in the address book, in this case yours, as a
return address. Hence, the bounce messages are directed to your inbox.
n***@novirus.com
2003-08-20 17:49:17 UTC
Post by W.S. Blevins
I've run an updated scan on my computer and it doesn't
find a virus, so is it probable that I'm not infected and the bounces
are all coming to me because my email address was forged?
<sigh> I don't know what is so damn difficult for people to
understand. No, it was not intentionally forged by an individual.
What's with the attitude? He didn't say an "individual" forged the email
address. That's your word. The way Alan characterized the situation is correct
- unless you are somehow claiming that the term "forged" cannot apply when a
program intentionally inserts the wrong email address in the From: header,
only when an "individual" does.

To Alan: yes, you're right. I've gotten 35 of those types of bounces so far.
Most so far are because of "user unknown" or similar reasons, rather than
SOBIG being detected.

The worm doesn't use any set address(es) so that the message can't be
identified as a worm when the recipient looks at the From: line. Also,
remember the days when you were warned not to open any attachments from
anybody you don't know? Using real addresses found on the infected computer
tries to get around that.

By using the same forged address in the smtp envelope, the bounces go to you
and the owner of the infected machine won't immediately know that he has the
worm.

But, as someone in another SOBIG thread wisely pointed out, the anti-virus
software should know that your address is forged by SOBIG and not send the
bounce to you.
--
Ken
Post by W.S. Blevins
The
infected computer has your address in its address book. The worm
propagates by sending email from the infected computer and uses the
addresses it finds in the address book, in this case yours, as a
return address. Hence, the bounce messages are directed to your inbox.
Ted Davis
2003-08-22 01:33:30 UTC
Post by W.S. Blevins
<sigh> I don't know what is so damn difficult for people to
understand. No, it was not intentionally forged by an individual. The
infected computer has your address in its address book. The worm
propagates by sending email from the infected computer and uses the
addresses it finds in the address book, in this case yours, as a
return address. Hence, the bounce messages are directed to your inbox.
If you find a way of explaining it to complete computer idiots,
especially those with PhDs and tenure, please teach me how. I am
getting nowhere with them, neither is my boss. For one thing, most of
them are locked into the Microsoft way of thinking, and so can't
imagine that anyone could write malware that abuses users.


T.E.D. (***@gearbox.maem.umr.edu - e-mail must contain "T.E.D." or my .sig in the body)
m***@tadyatam.invalid
2003-08-20 20:27:34 UTC
Post by n***@novirus.com
Post by Sheldon
Win XP Home/AOL
I'm still having returned mail problems on this particular computer, and it
appears to be sending out viruses, but we can't find any viruses on this
machine after numerous scans. The complete message from the mailer is below
my signature. Does anybody still think this is a spoof and we are actually
clean?
the mail was sent from 24.49.28.44, which is an adelphia IP address (See the
Received: lines in the bounced msg)
Post by Sheldon
Also, nobody using this computer knows a "sonshirley."
no, but the people who are (or were) at 24.49.28.44 have that address in an
address book on their computer. Most likely they are infected with some
uses "thuy-home" as the HELO.
I myself have received 18 bounces today, where my email address was forged into
the From: field by SOBIG.F
--
Ken
Post by Sheldon
Received: from mta3.adelphia.net (mta3.mail.adelphia.net [64.8.50.181]) by
rly-xl04.mx.aol.com (v95.1) with ESMTP id MAILRELAYINXL49-5d13f416e881ba;
Mon, 18 Aug 2003 20:25:44 -0400
Received: from thuy-home ([24.49.28.44]) by mta3.adelphia.net
(InterMail vM.5.01.05.32 201-253-122-126-132-20030307) with SMTP
MIME-Version: 1.0
Content-type: multipart/mixed; boundary="#BOUNDARY#"
Date: Mon, 18 Aug 2003 20:25:45 -0400
X-AOL-IP: 64.8.50.181
X-AOL-SCOLL-SCORE: 0:XXX:XX
X-AOL-SCOLL-URL_COUNT: 0
So with the way this virus works, just because you are getting bounces
claiming that you sent out infected mail, this does not mean you
actually sent that mail and it does not mean you are infected
necessarily. I've run an updated scan on my computer and it doesn't
find a virus, so is it probable that I'm not infected and the bounces
are all coming to me because my email address was forged?
-Alan
Well, yes. Except that your address was not _forged_ -- it was
simply misused.

--J
Replies to: jNpolak(at)Ojuno(dot)Tcom
n***@novirus.com
2003-08-20 23:04:50 UTC
Post by m***@tadyatam.invalid
So with the way this virus works, just because you are getting bounces
claiming that you sent out infected mail, this does not mean you
actually sent that mail and it does not mean you are infected
necessarily. I've run an updated scan on my computer and it doesn't
find a virus, so is it probable that I'm not infected and the bounces
are all coming to me because my email address was forged?
-Alan
Well, yes. Except that your address was not _forged_ -- it was
simply misused.
worms can't forge an address?

better call McAfee:
[the bugbear] "worm has the ability to spoof, or forge, the 'From:' field.
(Often set to an address found on the victim's machine)"
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=99728

better call MessageLabs and star.net.uk, both of which seem to make lots of money
in B2B email services. Here's the quote from their bounce to me:
"Some viruses forge the sender address."

those are just 2 examples

--

Ken
n***@novirus.com
2003-08-22 00:49:03 UTC
Well, splitting the hair: header field was forged.
as is the address in the MAIL command in the envelope
The addy
itself is "good," no?
Just nitpicking. ;)
sorry, don't mean to be contentious, but the term "manufactured" address
might be used for a made-up one

after all, someone who steals a check does forge the real name, right? So
forging does mean a real address.
--
Ken
Elly Byrne
2003-08-20 21:35:54 UTC
Your email address was found in the address book of the infected
computer. Not yours.
so is it probable that I'm not infected and the bounces
are all coming to me because my email address was forged?
Tinnitus is a pain in the neck
Elly's Tinnitus Resources
http://www.eebee.net/
http://www.tinnitusrelief.net/

For email: elly at eebee.cjb.net
m***@tadyatam.invalid
2003-08-20 15:35:44 UTC
Post by Sheldon
Win XP Home/AOL
I'm still having returned mail problems on this particular computer, and it
appears to be sending out viruses, but we can't find any viruses on this
machine after numerous scans. The complete message from the mailer is below
my signature. Does anybody still think this is a spoof and we are actually
clean? Also, nobody using this computer knows a "sonshirley."
Sheldon
-snip-
Sheldon,

Just wait it out. It will stop, eventually.

--J
Replies to: jNpolak(at)Ojuno(dot)Tcom