I have received about 14 Non-deliverable messages in my Hotmail Inbox today.
All with a variety of email addresses I have never sent to and from Domains
I have never heard of. All telling me a virus I sent them caused the e-mail
to be non-deliverable. Some even include the virus in ASCII rendition of
the binary.

So I sent an email using my Hotmail address to a location I knew did not
exist. I did this to see if my IP address was in the Non-deliverable
e-mail. And it was. But in these Non-deliverable virus emails they do not
include my IP address nor do they contain the SMTP header:

X-Originating-IP:

This makes it difficult determining what the IP address of the originating
email was that generated the non-delivery. Here is an example:

X-Message-Info: JGTYoYF78jEHjJx36Oi8+YDSEg8qKPPD
Received: from agmay.LIQUIDWWW.COM ([64.246.50.15]) by
mc3-f34.law16.hotmail.com with Microsoft SMTPSVC(5.0.2195.5600);
Mon, 25 Aug 2003 12:09:50 -0700
Received: from mailnull by agmay.LIQUIDWWW.COM with local (Exim 4.20)
id 19rMiu-00076V-VB
for hesterloli@hotmail.com; Mon, 25 Aug 2003 14:09:52 -0500
X-Failed-Recipients: agmay@agmay.com
From: Mail Delivery System <Mailer-Daemon@agmay.LIQUIDWWW.COM>
To: hesterloli@hotmail.com
Subject: Mail delivery failed: returning message to sender
Message-Id: <E19rMiu-00076V-VB@agmay.LIQUIDWWW.COM>
Date: Mon, 25 Aug 2003 14:09:52 -0500
X-AntiAbuse: This header was added to track abuse, please include it with
any abuse report
X-AntiAbuse: Primary Hostname - agmay.LIQUIDWWW.COM
X-AntiAbuse: Original Domain - hotmail.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain -
Return-Path: <>
X-OriginalArrivalTime: 25 Aug 2003 19:09:51.0233 (UTC)
FILETIME=[75A2F710:01C36B3C]

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

agmay@agmay.com
This message has been rejected because it has
a potentially executable attachment "document_9446.pif"
This form of attachment has been used by
recent viruses or other malware.
If you meant to send this file then please
package it up as a zip file and resend it.

------ This is a copy of the message, including all the headers. ------

Return-path: <hesterloli@hotmail.com>
Received: from [212.235.64.119] (helo=P850)
by agmay.LIQUIDWWW.COM with esmtp (Exim 4.20)
id 19rMiX-000765-1l
for agmay@agmay.com; Mon, 25 Aug 2003 14:09:31 -0500
From: <hesterloli@hotmail.com>
To: <agmay@agmay.com>
Subject: Re: Re: My details
Date: Mon, 25 Aug 2003 21:09:14 +0200
X-MailScanner: Found to be clean
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="_NextPart_000_02CC0A5A"
Message-Id: <E19rMiX-000765-1l@agmay.LIQUIDWWW.COM>

This is a multipart message in MIME format

--_NextPart_000_02CC0A5A
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

Please see the attached file for details.
--_NextPart_000_02CC0A5A
Content-Type: application/octet-stream;
name="document_9446.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="document_9446.pif"

Can anyone tell me where the:

X-Originating-IP:

is in these headers? Thanks.

--
George Hester
__________________________________

Re: What the heck is going on? by Chris

Chris
Mon Aug 25 15:33:27 CDT 2003

It's a virus that is spoofing email addresses. Just keep taking all of the
normal security precautions (firewall, anti-virus, and don't open
attachments) and ignore any messages you get trying to spread the virus.

--
Chris Jackson
Software Engineer
Microsoft MVP - Windows XP
Windows XP Associate Expert
--
"George Hester" <hesterloli@hotmail.com> wrote in message
news:%23I9dkA0aDHA.3248@tk2msftngp13.phx.gbl...



Re: What the heck is going on? by George

George
Mon Aug 25 15:57:23 CDT 2003

I would. But it is filling my Inbox up. These returned emails are on the
order of 150KB each. The ones that send me the binary in ASCII form anyway.
Since I have only 2MB at Hotmail that means I will fill up after 10 such
mailings. I have already received 15 today. What I have done now is put my
Inbox at close to 100% capacity. That way I won't get them. But
Microsoft's determination of how much available space I have left is not
very exact. Since I rarely send a message 50+ KB, I am trying to get as
close to 50KB space left. It's not easy.

You didn't see the originating IP address in the non-deliverable I gave you?
This issue is going to break the Internet quickly, it seems to me.

--
George Hester
__________________________________
"Chris Jackson" <chrisj@mvps.org> wrote in message
news:#XU9kg0aDHA.2072@TK2MSFTNGP10.phx.gbl...
> It's a virus that is spoofing email addresses. Just keep taking all of the
> normal security precautions (firewall, anti-virus, and don't open
> attachments) and ignore any messages you get trying to spread the virus.
>
> --
> Chris Jackson
> Software Engineer
> Microsoft MVP - Windows XP
> Windows XP Associate Expert
> --
> "George Hester" <hesterloli@hotmail.com> wrote in message



Re: What the heck is going on? by John

John
Mon Aug 25 18:18:08 CDT 2003

"George Hester" <hesterloli@hotmail.com> wrote in message
news:OcT%238W1aDHA.2548@TK2MSFTNGP09.phx.gbl...
> OK that one was pretty simple actually. They are not normally this
> simple. Usually there are many Received from's. So if there are more than
> one do I pick the one at the top of the list or at the bottom? Thanks.
> Actually to me it is clearer seeing:
>
> X-Originating-IP:
>
> but I suppose not all Bouncers are created equal?
>
> --
> George Hester

What you have going on in these SOBIG.F-generated mailings is ever so much
easier to figure out than a spammer's message that bounces among several
countries before getting to you. With worm-generated messages all you need
to look at is that penultimate line and grab the IP address, which is added
by the receiving mail server, not by the worm. No way that can be faked
easily, and every time I've used this method I seem to have hit upon the
proper place to complain. Just had to go through this with a state-run
network in Iowa today when one of their computers became infected and I
started receiving messages (after two whole days of peace and quiet). On the
second complaint the sysadmin admitted that they had a problem and told me if
I got another one they would shut down the whole subnet and disinfect all
systems connected to it.
--
John McGaw
[Knoxville, TN, USA]

Return address will not work. Please
reply in group or through my website:
http://johnmcgaw.com
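
An added example, not from anyone in this thread: a small Python parser that applies John's rule to the bounce quoted above by splitting at the Exim "This is a copy of the message" separator and taking the bottom-most Received: header of the embedded copy (each hop prepends its own Received: line, so the bottom one is where the infected machine connected). The sample text and the SEPARATOR constant are constructed from the headers on this page; the IP in square brackets is what the receiving server saw, while the helo= name is whatever the sending machine claimed.

```python
import re

# Constructed sample, trimmed from the bounce quoted in the thread.
BOUNCE = """\
Received: from agmay.LIQUIDWWW.COM ([64.246.50.15]) by
 mc3-f34.law16.hotmail.com with Microsoft SMTPSVC(5.0.2195.5600);
 Mon, 25 Aug 2003 12:09:50 -0700
Received: from mailnull by agmay.LIQUIDWWW.COM with local (Exim 4.20)
 for hesterloli@hotmail.com; Mon, 25 Aug 2003 14:09:52 -0500

------ This is a copy of the message, including all the headers. ------

Return-path: <hesterloli@hotmail.com>
Received: from [212.235.64.119] (helo=P850)
 by agmay.LIQUIDWWW.COM with esmtp (Exim 4.20)
 for agmay@agmay.com; Mon, 25 Aug 2003 14:09:31 -0500
From: <hesterloli@hotmail.com>
Subject: Re: Re: My details
"""
SEPARATOR = "------ This is a copy of the message, including all the headers. ------"

def unfold_headers(text):
    """Join folded continuation lines (leading whitespace) onto their header."""
    headers = []
    for line in text.splitlines():
        if not line.strip():
            break  # first blank line ends the header section
        if line[0] in " \t" and headers:
            headers[-1] += " " + line.strip()
        else:
            headers.append(line)
    return headers

def received_hops(headers):
    """(ip, helo) per Received: header, top of the list (latest hop) first."""
    # Bracketed IP = recorded by the receiving server; helo= = claimed by sender.
    hops = []
    for h in headers:
        if h.lower().startswith("received:"):
            ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", h)
            helo = re.search(r"helo=([^\s)]+)", h)
            hops.append((ip and ip.group(1), helo and helo.group(1)))
    return hops

def worm_origin(bounce):
    """Bottom-most Received: hop of the embedded copy; None if no copy present."""
    if SEPARATOR not in bounce:
        return None
    hops = received_hops(unfold_headers(bounce.split(SEPARATOR, 1)[1].lstrip()))
    return hops[-1] if hops else None
```

The X-Originating-IP header George is looking for cannot be in this bounce: the worm's message went straight from 212.235.64.119 to agmay's server and never passed through Hotmail, so the only trace is the IP that receiving server recorded, not the helo=P850 name the sender supplied.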


Re: What the heck is going on? by George

George
Tue Aug 26 09:00:43 CDT 2003

Nice town Knoxville. I'm a Vol.

--
George Hester
__________________________________
"John McGaw" <nowhere@inparticu.lar> wrote in message
news:#2pYG81aDHA.2960@tk2msftngp13.phx.gbl...
> "George Hester" <hesterloli@hotmail.com> wrote in message