Drew Wutka
dbatech at wolfwares.com
Mon Sep 8 13:14:08 CDT 2003
Very common with the MSBlast and SoBig viruses, because they use their own SMTP server. The To and From fields for the email are completely random, so it can very easy seem like 'you' are sending out an email. However, if you look at the header of the email, that will tell you who is actually sending them (and it usually isn't the same domain as the person in the To box, though that can happen sometimes). The problem is, many people have the 'Alert sender of virus' option turned on, on their systems. So when their virus protection software finds a virus, it sends an email back to the 'sender' that they just sent a virus out. However, the virus software just goes off of the From field (which is extremely easy to spoof), not where the email actually originated. That is how you got that email (I was getting a few a day last week. Drew ----- Original Message ----- From: "Shamil Salakhetdinov" <shamil at SMSConsulting.spb.ru> To: "Discussion of Hardware and Software issues" <dba-tech at databaseadvisors.com> Sent: Monday, September 08, 2003 1:02 PM Subject: Re: [dba-Tech] I don't know what I don't know from where issendingmessages usingmy e-mail address... > > virus where they are spoofing the from > Yes, John, this looks like a virus running somewhere but not on my PC and > spoofing my e-mail addresses - have you seen something like that > manipulating/spoofing your e-mail addresses? - is that a common problem > everywhere? - I started to get such messages only several days ago... > > Shamil > > ----- Original Message ----- > From: "John Colby" <jcolby at colbyconsulting.com> > To: "Discussion of Hardware and Software issues" > <dba-tech at databaseadvisors.com> > Sent: Monday, September 08, 2003 9:42 PM > Subject: RE: [dba-Tech] I don't know what I don't know from where is > sendingmessages usingmy e-mail address... > > > > It could be spam where they are spoofing the from address. Or it could be > a > > virus where they are spoofing the from. In either case, you can delete > it. > > > > John W. Colby > > www.colbyconsulting.com > > > > -----Original Message----- > > From: dba-tech-bounces at databaseadvisors.com > > [mailto:dba-tech-bounces at databaseadvisors.com]On Behalf Of Shamil > > Salakhetdinov > > Sent: Monday, September 08, 2003 1:34 PM > > To: dba - Tech > > Subject: [dba-Tech] I don't know what I don't know from where is sending > > messages usingmy e-mail address... > > > > > > Hi All, > > > > Have you ever seen a message returned to your mailbox, having your e-mail > > address in From field, which you didn't send? (see example in P.S.) > > This doesn't seem to be a virus running on my PC - my PC is scanned > > periodically using NAV with latest updates. > > And the recipients e-mail addresses of such messages aren't written in my > > address book, and even MS Outlook Express version I use is different! > > > > What is this? A virus NAV missing while scanning my PC? Or...? Could you > > please advice? > > > > This looks very much like SOBIG virus but I don't have it on my PC! > > > > So much confused, > > TIA for any info, > > Shamil > > > > P.S. Strange messages header: > > > > Return-path: <shamil at smsconsulting.spb.ru> > > Received: from conversion-daemon.mailgw2.cityu.edu.hk by > > mailgw2.cityu.edu.hk > > (iPlanet Messaging Server 5.2 HotFix 1.17 (built Jun 23 2003)) > > id <0HKW00601M6XOB at mailgw2.cityu.edu.hk> > > (original mail from shamil at smsconsulting.spb.ru); Tue, > > 9 Sep 2003 01:11:56 +0800 (CST) > > Received: from USER-VJCG7U5W26 (171-043.onebb.com [202.180.171.43]) > > by mailgw2.cityu.edu.hk > > (iPlanet Messaging Server 5.2 HotFix 1.17 (built Jun 23 2003)) > > with ESMTP id <0HKW007I6N4417 at mailgw2.cityu.edu.hk> for > > college.office at cityu.edu.hk; Tue, 09 Sep 2003 00:57:47 +0800 (CST) > > Date: Tue, 09 Sep 2003 01:28:39 +0800 > > From: shamil at smsconsulting.spb.ru > > Subject: Thank you! > > To: college.office at cityu.edu.hk > > Message-id: <0HKW007I7N4417 at mailgw2.cityu.edu.hk> > > MIME-version: 1.0 > > X-Mailer: Microsoft Outlook Express 6.00.2600.0000 > > Content-type: multipart/mixed; > > boundary="Boundary_(ID_5Tw3yk+UVcZTNnkh000UIg)" > > Importance: Normal > > X-Priority: 3 (Normal) > > X-MSMail-priority: Normal > > X-MailScanner: Found to be clean > > > > This is a multipart message in MIME format > > > > --Boundary_(ID_5Tw3yk+UVcZTNnkh000UIg) > > Content-type: text/plain; charset=iso-8859-1 > > Content-transfer-encoding: 7BIT > > > > See the attached file for details > > > > --Boundary_(ID_5Tw3yk+UVcZTNnkh000UIg) > > Content-type: text/plain; Name=UnsafeFile.txt > > Content-transfer-encoding: 7BIT > > Content-disposition: inline > > Content-description: Unsafe file movie0045.pif is removed! > > > > ********* UNSAFE FILE REMOVED! ********* > > > > The system has removed the following unsafe file from this mail: > > > > * Name of the file being removed: movie0045.pif > > > > Postmaster (Mail Administrator), > > City University of Hong Kong > > Email: postmaster at cityu.edu.hk > > > > (Reference number: 20030909_011156_13779) > > ******************************************** > > > > > > -- > > e-mail: shamil at smsconsulting.spb.ru > > http://smsconsulting.spb.ru/shamil_s > > > > _______________________________________________ > > dba-Tech mailing list > > dba-Tech at databaseadvisors.com > > http://databaseadvisors.com/mailman/listinfo/dba-tech > > Website: http://www.databaseadvisors.com > > > > > > > > _______________________________________________ > > dba-Tech mailing list > > dba-Tech at databaseadvisors.com > > http://databaseadvisors.com/mailman/listinfo/dba-tech > > Website: http://www.databaseadvisors.com > > _______________________________________________ > dba-Tech mailing list > dba-Tech at databaseadvisors.com > http://databaseadvisors.com/mailman/listinfo/dba-tech > Website: http://www.databaseadvisors.com >