Mooligan
Undeliverable message returned to sender spam
Several users are receiving messages such as the following
-----Original Message-----
From:
Sent: Friday, March 26, 2004 7:38 AM
To: <OMITTED>
Subject: Undeliverable message returned to sender
This message was created automatically by mail delivery software.
Delivery failed for the following recipients(s):
support@ati.com
The message you sent contained an attachment which the recipient has chosen to block.
Usually these sort of attachments are blocked to prevent malicious software from
being sent to the recipient in question.
The name(s) of the blocked file(s) follow:
your_picture.pif
To send this file, please place it in a compressed archive using WinZip (http://www.winzip.com) or the archive software of your choice.
----- Original Message Header -----
Received: by mail18-red (MessageSwitch) id 1080315470766686_4382; Fri, 26 Mar 2004 15:37:50 +0000 (UCT)
Received: from ati.com (h68-147-24-83.cg.shawcable.net [68.147.24.83])
by mail18-red.bigfish.com (Postfix) with ESMTP id EAF4B28A89C
for <support@ati.com>; Fri, 26 Mar 2004 15:37:49 +0000 (UCT)
From: <OMITTED>
To: support@ati.com
Subject: Re: Your picture
Date: Fri, 26 Mar 2004 08:41:00 -0800
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0000_00006015.00006681"
X-Priority: 3
X-MSMail-Priority: Normal
Message-Id: <20040326153749.EAF4B28A89C@mail18-red.bigfish.com>
Now of course the user never actually tried to send something to ATI, but one could assume that he may be infected with a virus that is trying to send itself out. However, latest McAfee/Stinger scans do not find anything.
I seem to think when I see these that it is likely someone else who is infected and who has my user on their contact list, which the worm uses to try and spread. The only thing I don't like about that theory is why I am receiving these messages with no virus attached, or indication that the virus was removed at the mail server. That's what tends to make me think it really is nothing more than spam?
A google search (http://www.google.ca/search?q=%22To+send+this+file%2C+please+place+it+in+a+compressed+archive+using+WinZip+%28http%3A%2F%2Fwww.winzip.com%29+or+the+archive+software+of+your+choice.%22&ie=UTF-8&oe=UTF-8&hl=en&meta=) on a key line in the message returns quite a number of essentially similar messages on various mailing lists...
Input?
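As an added example, not part of the thread or anyone's posted code, here is how the "my user never sent this" claim can be checked from the headers quoted in the bounce itself. A real bounce for mail one of our users sent would show the first Received hop coming from one of our own relays; a worm that forged the user's address injects from some other machine. The header block below is reconstructed from the "Original Message Header" quoted above with the omitted From address replaced by a placeholder; the local domain example.com and the relay addresses are assumptions standing in for the asker's own.

```python
"""Triage a bounce by reading the Received chain quoted inside it.

Added example, not from the thread. A real bounce for mail our user sent
would show the first hop coming from one of our own relays; a worm that
forged our user's address injects from some other machine entirely.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: the "Original Message Header" block quoted in the
# bounce above, with the asker's omitted From address replaced by a placeholder.
BOUNCE_HEADERS = """\
Received: by mail18-red (MessageSwitch) id 1080315470766686_4382; Fri, 26 Mar 2004 15:37:50 +0000 (UCT)
Received: from ati.com (h68-147-24-83.cg.shawcable.net [68.147.24.83])
    by mail18-red.bigfish.com (Postfix) with ESMTP id EAF4B28A89C
    for <support@ati.com>; Fri, 26 Mar 2004 15:37:49 +0000 (UCT)
From: someuser@example.com
To: support@ati.com
Subject: Re: Your picture
Date: Fri, 26 Mar 2004 08:41:00 -0800
"""

# Assumed: the relays that legitimately carry our users' outbound mail.
OUR_RELAYS = {"192.0.2.25", "mail.example.com"}

# "from <HELO name> (<reverse DNS> [<IP>])" as Postfix and Sendmail write it.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>\S+)\s+)?\[(?P<ip>[0-9.]+)\]\)",
    re.IGNORECASE,
)


def unfold(headers: str) -> List[str]:
    """Join folded continuation lines (leading whitespace) back onto their header."""
    out: List[str] = []
    for line in headers.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out


def header_value(headers: str, name: str) -> str:
    """First value of the named header, or '' if absent."""
    for h in unfold(headers):
        if h.lower().startswith(name.lower() + ":"):
            return h.split(":", 1)[1].strip()
    return ""


def received_hops(headers: str) -> List[Dict[str, str]]:
    """Received lines that name a connecting IP, in header order (newest first)."""
    hops = []
    for h in unfold(headers):
        if h.lower().startswith("received:"):
            m = RECEIVED_RE.search(h)
            if m:
                hops.append(m.groupdict())
    return hops


def origin_hop(headers: str) -> Optional[Dict[str, str]]:
    """The bottom-most Received line is the first hop: the host that injected the mail."""
    hops = received_hops(headers)
    return hops[-1] if hops else None


def triage(headers: str) -> dict:
    """Decide whether the bounced mail could really have come from our users."""
    origin = origin_hop(headers)
    verdict = {"sender": header_value(headers, "From"), "origin": origin,
               "spoofed": False, "reasons": []}
    reasons = verdict["reasons"]
    if origin is None:
        reasons.append("no Received line with a connecting IP; cannot verify")
        return verdict
    helo = origin["helo"].lower()
    rdns = (origin["rdns"] or "").lower()
    ip = origin["ip"]
    if ip not in OUR_RELAYS and helo not in OUR_RELAYS and rdns not in OUR_RELAYS:
        verdict["spoofed"] = True
        reasons.append(f"injected from {ip} ({rdns or 'no rDNS'}), not one of our relays")
    if rdns and not rdns.endswith(helo):
        reasons.append(f"HELO '{helo}' does not match reverse DNS '{rdns}'")
    recipient_domain = header_value(headers, "To").rsplit("@", 1)[-1].strip("<> ").lower()
    if helo == recipient_domain:
        reasons.append(f"HELO claims to be the recipient's own domain '{recipient_domain}'")
    return verdict


if __name__ == "__main__":
    for reason in triage(BOUNCE_HEADERS)["reasons"]:
        print(reason)
```

Run against the quoted headers, the script reports that the message was injected from 68.147.24.83 (a Shaw cable customer line, per its reverse DNS), that the machine announced itself as "ati.com", which is the recipient's own domain rather than anything of ours, and that the announced name does not match the reverse DNS. All three are what a worm sending directly from an infected home PC looks like, and none of them involves the asker's network.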
Netsky.Q does this. It will spoof a return mail and have a .pif or .zip attachment for the user to open. It isn't you that is infected but someone else with your email addy in their files.
Just make sure you strip the attachments before your users can open it.
There is also the latest Bagle that comes with no attachments but once opened it tries to contact a web server to do a fast download of a worm.
They really are getting to be a pain these days.
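As an added example (not akboss's code nor anything posted in the thread), here is a gateway-style filter, written with Python's standard email library, that does what the advice above describes: it replaces attachments with executable extensions such as the .pif named in the bounce, and also replaces ZIP archives whose entries carry such extensions, since the .zip carrier mentioned above is the other common form. The sample message, its placeholder bytes and the extension list are constructed for this illustration.

```python
"""Strip executable attachments at the gateway before users can open them.

Added example, not from the thread. The sample message is constructed here to
stand in for the worm mail; the attachment bytes are harmless placeholders.
"""
import io
import zipfile
from email import policy
from email.message import EmailMessage, MIMEPart
from email.parser import BytesParser
from typing import List, Tuple

# Extensions Windows runs on double-click; .pif is the one named in the bounce.
EXEC_EXT = {".pif", ".scr", ".exe", ".com", ".bat", ".cmd", ".vbs", ".js"}


def _ext(name: str) -> str:
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def zip_hides_executable(data: bytes) -> bool:
    """True if a ZIP holds an executable entry; an unreadable ZIP is treated as hostile."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(_ext(n) in EXEC_EXT for n in zf.namelist())
    except zipfile.BadZipFile:
        return True


def is_dangerous(part: EmailMessage) -> bool:
    """Executable by extension, or a ZIP that contains something executable."""
    ext = _ext(part.get_filename() or "")
    if ext in EXEC_EXT:
        return True
    if ext == ".zip":
        return zip_hides_executable(part.get_payload(decode=True) or b"")
    return False


def strip_dangerous(msg: EmailMessage, removed: List[str]) -> EmailMessage:
    """Recursively replace dangerous parts with a text notice; record their names."""
    if not msg.is_multipart():
        return msg
    new_parts = []
    for part in msg.get_payload():
        if part.is_multipart():
            new_parts.append(strip_dangerous(part, removed))
        elif is_dangerous(part):
            name = part.get_filename() or "(unnamed)"
            removed.append(name)
            notice = MIMEPart()
            notice.set_content(f"[Attachment {name!r} removed by mail gateway]")
            new_parts.append(notice)
        else:
            new_parts.append(part)
    msg.set_payload(new_parts)
    return msg


def filter_message(raw: bytes) -> Tuple[EmailMessage, List[str]]:
    """Parse a raw RFC 2822 message, scrub it, return (message, removed filenames)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    removed: List[str] = []
    return strip_dangerous(msg, removed), removed


def attachment_names(msg: EmailMessage) -> List[str]:
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def _zip_with(name: str, data: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def build_sample() -> bytes:
    """Constructed worm-style mail: a .pif, a .zip hiding a .pif, and a harmless .zip."""
    m = EmailMessage()
    m["From"] = "someuser@example.com"
    m["To"] = "support@ati.com"
    m["Subject"] = "Re: Your picture"
    m.set_content("Here is the picture you asked for.")
    m.add_attachment(b"MZ-placeholder, not a real program", maintype="application",
                     subtype="octet-stream", filename="your_picture.pif")
    m.add_attachment(_zip_with("your_picture.pif", b"MZ"), maintype="application",
                     subtype="zip", filename="your_picture.zip")
    m.add_attachment(_zip_with("notes.txt", b"plain text"), maintype="application",
                     subtype="zip", filename="notes.zip")
    return m.as_bytes()


if __name__ == "__main__":
    cleaned, gone = filter_message(build_sample())
    print("removed:", gone)
    print("kept:", attachment_names(cleaned))
```

The filter keys on the filename rather than the declared MIME type because the worm mails declare their .pif as a generic octet-stream anyway; an unreadable ZIP is treated as hostile rather than waved through, since a malformed archive that still opens on the desktop is exactly the case a gateway must not miss.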
akboss,
In outlook, is there a difference between viewing in a preview window and actually opening the message?
I've heard of the bagle variant that akboss mentioned, but I don't know too many details about it. That seems to make the most sense, I suppose. I had some other ideas but was able to rule them out:
1. DDoS on ATI, either by the virus, or by tricking the user into emailing ATI. No, not all the "Delivery Failed" addresses are at ATI according to your Google search.
2. This is a virus email, but ATI virus scanners strip the attachment on the outgoing mail. Once again, no, since this isn't just an ATI thing.
3. The virus writer messed up and forgot to include the attachment. No, because there would be no way of propagating the virus.
My suggestions:
1. Check for "report a new virus" links (or other feedback forms) on AV vendor websites. Contact them to see if they're familiar with this.
2. Check out the mailing lists on http://www.securityfocus.com. I'm subscribed to a few of the mailing lists but haven't really been following too closely, so maybe I've just missed it.
"The passel of new worms sport a virtual alphabet soup of labels: "Bagle.q," "Bagle.r," "Bagle.s" and "Bagle.t." Some security firms have dubbed the new variants "beagle." They are mutations of the original Bagle worm first discovered in January.
Bagle exploits a flaw in Outlook, revealed in October of 2003, that allows a hacker to upload and execute a file on a user's PC without that user opening the file. Microsoft issued a patch for the flaw in October, but users who have not updated their systems with this patch are at risk."
Customers of mine have also experienced this problem. Viruses are spoofing addresses and launching themselves directly from people's infected Outlook installations. These endless mails are the result of large numbers of infected Outlook clients out in the open, not necessarily yours!
These viruses also look at infected people's contact lists, Word documents and even web pages they visit to find new email addresses to send themselves to.
Many companies have now adopted either:
1) changing email addresses to andydis [at] hotmail.com from andydis@hotmail.com
2) incorporating antispam technology into Exchange (comes free with 2003), or setting up a completely new "spam gateway" in your DMZ.
If you would like information on a solution I myself have supplied to many customers please feel free to drop me an email.
ASKER
I was using this more as a discussion really, John gets points for first response although I thank everyone for their comments!
Thanks for your generosity, Mooligan. It's always a good idea for IT "experts" to discuss things like this - shared information on worms and the like helps to keep us informed and on our toes.
ASKER
That's what I thought as well, that both the addresses were spoofed, and that nothing was likely sent to ATI in the first place.
However, there is no actual attachment with the message, which is what makes me question what this is. If it was simply a message like this, with an attachment, then sure, it's simply the virus using a totally false message trying to entice the user to open the item, but we are receiving several instances of these messages with no actual virus or file attached, which is what makes me question what these messages are. I personally don't think they are anything more than spam, as I can't see any signs of infection and the message itself has no means of causing harm...