Virus - confusing mail message

[AlexR]

Hi,
I got this yesterday. Here is the header and the mail:
HEADER:
Return-Path: <>
Received: from frontend2.messagingengine.com (frontend2.internal [10.202.2.151])
by server2.fastmail.fm (Cyrus v2.2.3) with LMTP; Thu, 18 Mar 2004 08:21:48 -0500
X-Sieve: CMU Sieve 2.2
X-Spam-score: 0.0
X-Spam-hits: BAYES_00, NO_REAL_NAME
X-Virus-checked: Yes
X-Resolved-to: nameATfastmail.__
X-Delivered-to: nameATfastmail.__
X-Mail-from:
Received: from alien.micronet.it (mail.teligo.net [82.145.160.136])
by smtp.us.messagingengine.com (Postfix) with ESMTP id E50FBEB6FA
for <nameATfastmail.__>; Thu, 18 Mar 2004 08:21:43 -0500 (EST)
Subject: Undeliverable mail: warning
From: "MAILER-DAEMON"ATalien.micronet.it
To: <nameATfastmail.__>
Date: Thu, 18 Mar 2004 14:21:53 +0100
Message-ID: <receipt-9715379@alien.micronet.it>
MIME-Version: 1.0
Content-Type: multipart/report; report-type="delivery-status"; boundary="_===9715379====alien.micronet.it===_"
The message:
Failed to deliver to ''
Virus(es) found.
final.zip is infected with W32/Netsky.b@MM!zip
Viruses: 1
Trojans: 0
Jokes: 0
Tests: 0
Captured by McAfee antivirus plugin running on Teligo Srl mail server

The subject of the mail was undeliverable mail warning.

Two things have got me confused:

A) The subject of the mail gives me the impression that I tried to send a mail to someone.

B) The 'failed to deliver to"' section does not contain any info. So, if I did send a mail, who did I send it to?

Does the above mean that I have a worm? I will run NAV to check - but I don't recall opening anything. Doesn't NAV 2003 scan both in and outgoing mails?

Any ideas? I have not deleted the mail yet and won't open the .zip files attached.

Thanks,

AlexR

[kander]

You didn't send it. Viruses spoof From: addresses to make them appear to come from someone else. In this case, it chose you. Result of this is that the Innocent Third Party (you, in this case) receives the bounce messages for the viruses.

I am writing a document called "Forging 'From:' addresses - The Simple Explanation" in which I try to explain how and why this happens. I hope to have it done somewhere around tomorrow, and will post links to it. For now you can check http://php-man.nl/EMD/joejob.html for a similar paper which explains part of this problem.

--K

[davidbstanley]

It would be good to have some guidance for people new to this problem. Maybe even a sticky thread. I know it is very worrying when you get these messages for the first time.

[AlexR]

Thanks for the quick reply Kander.

Interesting to know that my address has been spoofed - I also got another mail from FM yesterday telling me that a virus infected mail had been received - but the virus - I-Worm.Moodown.b - made me think that there was no connection, although it sounds as if there may be.

I shall have a look at your document - but I don't suppose there is a lot you can do when this happens. Anyone working on a 'sandboxed' address book, by any chance?

A

[kander]

One thing you can do to limit this from happening, or at least be able to track the source down easily, is giving out unique addresses to people. Everyone that mails me has a specific address. Should anyone that knows me become infected with a virus it shall either send to me, or send to someone else posing as me, using the unique address. That way I know who it was that got infected. Fastmail makes this easy by means of it's Subdomain feature. You can simply give Bob 'bob AT myalias . fastmail . fm', and give John 'john AT myalias . fastmail . fm'. Works like a charm. So far I have figured out there is one nut who visited the EMD User Map that's infected with Moodown. I kept on getting virus-laden mails to that addy, so I blocked it. (another advantage, blocking specific addy's with viruses).

--K

[AlexR]

Quote:

Originally posted by davidbstanley
It would be good to have some guidance for people new to this problem. Maybe even a sticky thread. I know it is very worrying when you get these messages for the first time.

Good idea David - may help too calm the neves of newbies(like me!!) to this type of thing.

The forum is very useful under these circumstances. I knew that if I posted, someone would come back to me with an explanation.

A

[AlexR]

Kander,

Another good idea - but might become a little fiddly to set-up - still, if it avoids these probelms, it may be worth it. I shall wait for a while and see if more instances of the problem occur.

I suppose I may be to blame a little. I often check my mail from where I work using the web interface and before, not now - due to virus problems, I suspect, windows would keep my address - the auto complete function. And I wonder if a virus has harvested this info and spoofed it?

I pity the grannies of this world who get mixed up in this stuff not knowing what the heck is going on.

A

[kander]

That's part of the reason why I am writing the 'The Simple Explanation' series of email-related documents. I hope they'll be of some help those less email-literate

--K

[AlexR]

Hi Kander,

Read your document draft - interesting and worrying at the same time - and as you wrote a solution needs to be found.

Do you think it would be possible to build some kind of authentification system into mail servers and the header elements of mails? What I would envisage would be a type of mail id linking mail from a specific server to a specific users mail address. So when I send a legitimate mail it is given a server handling ID, lets say. The receiving server would then check this ID against a list of authentic ID's and allow the mail to pass to its destination. If the ID does not match, the mail is discarded or arrives with a message stating that it came from a server not associated with the original mail address. The receiver would then be able to tell the real mails from the spoofed ones. Meanwhile the user who has been spoofed is not aware of any spoofing attempts, unless they wish to be informed.

I don't know if this would be technically possible, I could not do it, that is for sure - but I'm sure it could be done. It would also make it difficult to forge mail headers seeing as the incoming mail would not have the ID indicating that it came from the users mail server/service.

What do you reckon? Pie in the sky or a workable solution.

Regards

Alex

[anj]

Alex, There are lots of ideas about this. Here is one that is a sort of authentication as you suggested:

http://www.emaildiscussions.com/...threadid=17623

[AlexR]

Thanks for the info about the article, anj. Looks as though Yahoo's boffins beat me to it I hadn't read it before.

Their proposal does seem very similar to my idea - so it must be possible. Good to see that they want to release details to all developers. Should lead to something workable before long. Let' hope so.

A

PS I-Worm.Moodown.b = W32/Netsky.b@MM!zip different AV different name. So all the problem mails have the same origins.

[robmueller]

There's a FAQ entry on this as well:

http://www.fastmail.fm/docs/faqparts...htm#EmailForge

Rob

[bitequator]

Real nice work, appreciated kander

Good FAQ too Rob...

[AlexR]

Rob,

I had read the FAQ .....in the past and forgotten about it

My reaction was to post here and learn a little from the very knowledgeable that populate these forums.

It worked and I have learnt a lot.

Thanks for the input from one and all.

Kander,

where is the document you are preparing going to live?

A

[AlexR]

Darn it!

Still getting warnings about sending viruses to people.

Is there anyone I can report this to?

Seems that the virus causing this is:
Worm.SomeFool.P

Can't find out what this virus is - hope it is not a new one.

A