Anybody here smarter than my IPS tech support?

Felecha

Golden Member
I've been getting 5 to 10 emails returned every day for a couple of weeks now, saying they were either undeliverable as addressed or that they contain a virus. Almost all contain an attachment entitled something fishy - "Hello Honey" or "Have a funny Epiphany" or some silly come-on. All have been sent to email addresses I never heard of. My ISP's tech support has said it's probably someone else's machine that has received email from me at some time, and that has a virus that sends out bogus emails with MY EMAIL ADDRESS as the return, so when it's returned, it comes back to me, not the sender. "Sorry, not much we can do about it..."

Anybody know anything that can help me?

I have Norton AntiVirus, I update my definitions once or twice a week, I run regular scans, I think I'm clean on my own box. I've looked at the right click-Properties-Details for the messages, and don't see anything in there that gives a clue. I've not opened any of the attachments, of course.

Any help GREATLY appreciated.

Not as bad as wiping out the hard drive, but this could go on forever.

Thanks

 
Well, I've gotten a few like that too ...
Usually they have 2 attachments, one is a SCR or EXE (the worm or virus) and the other I have seen be a jpg or a html doc. Usually, if you look at all the headers, you should be able to see that they originated from a totally separate network. I don't think there really is anything you can do about it since you are not the one sending out the emails. (in other words, I agree with your ISP tech support.)
 
I'd guess it's Klez and the good news is that, most likely, you DON'T have it.

Klez spoofs the FROM: address, using somebody that's in your address book. I.e., you probably don't have Klez, but somebody you know does. The true sender's identity can be found from dissecting the header information of the actual email. The BOTTOM Received From: line will be the sender. Then you can contact them and let 'em know.

I've just gone through a round of this myself. The Received From:, though, was an IP address, which I was able to track down to a particular ISP. I was able to contact that ISP and have them contact the specific user (since they wouldn't tell me who the specific user was that was assigned to that ISP...)

Good luck

OZEE
 
Thanks for the input.

I looked at them again. Here's the details from one of them:
Return-Path: <>
Delivered-To: ******@******.***
Received: (qmail 995 invoked from network); 5 Jan 2003 20:38:19 -0000
Received: from valen.gwi.net (207.5.128.33)
by diesel.gwi.net with SMTP; 5 Jan 2003 20:38:19 -0000
Received: from localhost (localhost)
by valen.gwi.net (8.11.6/8.11.6) id h05KcJf07048;
Sun, 5 Jan 2003 15:38:19 -0500 (EST)
Date: Sun, 5 Jan 2003 15:38:19 -0500 (EST)
From: Mail Delivery Subsystem <MAILER-DAEMON@valen.gwi.net>
Message-Id: <200301052038.h05KcJf07048@valen.gwi.net>
To: <******@******.***>
MIME-Version: 1.0

(I've *'ed out my email address there, not sure I want that out front. I was told by tech support that valen and diesel are servers at gwi.net.)

Here's the body of the return email:

The original message was received at Sun, 5 Jan 2003 15:38:10 -0500 (EST)
from 207-5-245-254.metrocast.net [207.5.245.254]

----- The following addresses had permanent fatal errors -----
<vpaes1@el.m.e>
(reason: 550 Host unknown)

----- Transcript of session follows -----
550 5.1.2 <vpaes1@el.m.e>... Host unknown (Name server: el.m.e: host not found)
Content-Type: multipart/report; report-type=delivery-status;
boundary="h05KcJf07048.1041799099/valen.gwi.net"
Subject: Returned mail: see transcript for details
Auto-Submitted: auto-generated (failure)

I don't see anything that means anything to me in either the body or the details. metrocast.net and gwi.net are basically the same company, by the way, and the address shown in the body is the address that the email was returned from, back to me (when I didn't send it out).

I'd love to be able to contact someone and ask them to clean up their viruses, but I don't see it there.

F
 
I too get at least 2 viruses a week like this - NAV catches them every time, and it's always Klez. The headers appear to be forged, and I really don't know what to do about it.
I'll have to try OZEE's recommendation of finding the ISP's and notifying them.
 
Send copies of the email to technical support at GWI.net (include all the headers). They can use the message ID to see what user's account sent the message, and notify that person.
 
Well, that's why I posted this on the Forum. They told me there was nothing they could do. I hoped someone here would have more of an idea.
 
Originally posted by: Felecha
Well, that's why I posted this on the Forum. They told me there was nothing they could do. I hoped someone here would have more of an idea.

this
207-5-245-254.metrocast.net [207.5.245.254]
is most likely the source but if that's a 56k dialup IP (or dynamic DSL) the only ones who will know who it belonged(belongs) to is your ISP thru using that email and all the headers..gl
 
Oooh, ScrapSilicon is right (partially). The Metrocast.net address is the source of the ORIGINAL message. The headers of the email you pasted are the headers of the bounce message, from the destination going through your own ISP (rather than the headers of the virus email like I was thinking). Metrocast.net should be able to track down the user through the timestamp and that IP address.

Metrocast.net also appears to be a cable ISP, so the IP may not be very dynamic.
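As an added example (not code from anyone in this thread), here is a small Python script that makes the distinction OZEE and ScrapSilicon draw above: it walks the bounce's Received headers bottom-up, which only shows the bounce being generated locally at the ISP's own server, and then pulls the "from host [ip]" line out of the DSN body, which is where the bouncing mailer names the machine that actually sent the worm message. The sample bounce is constructed from the headers pasted above with the recipient address replaced by a placeholder.

```python
import re
from email import message_from_string

# Constructed sample bounce modelled on the one quoted in this thread
# (recipient address replaced with a placeholder).
BOUNCE = """\
Return-Path: <>
Delivered-To: victim@example.invalid
Received: (qmail 995 invoked from network); 5 Jan 2003 20:38:19 -0000
Received: from valen.gwi.net (207.5.128.33)
  by diesel.gwi.net with SMTP; 5 Jan 2003 20:38:19 -0000
Received: from localhost (localhost)
  by valen.gwi.net (8.11.6/8.11.6) id h05KcJf07048;
  Sun, 5 Jan 2003 15:38:19 -0500 (EST)
From: Mail Delivery Subsystem <MAILER-DAEMON@valen.gwi.net>
Subject: Returned mail: see transcript for details
Auto-Submitted: auto-generated (failure)

The original message was received at Sun, 5 Jan 2003 15:38:10 -0500 (EST)
from 207-5-245-254.metrocast.net [207.5.245.254]

----- The following addresses had permanent fatal errors -----
<vpaes1@el.m.e>
(reason: 550 Host unknown)
"""

# "from <host> (<ip>)" in a Received header, or "from <host> [<ip>]" in a
# sendmail bounce body; both forms appear in the message pasted above.
FROM_HOST_IP = re.compile(r"from\s+(\S+)\s+[(\[](\d{1,3}(?:\.\d{1,3}){3})[)\]]")
BOUNCE_FROM = re.compile(r"received at[^\n]*\n\s*" + FROM_HOST_IP.pattern)


def received_chain(raw):
    """Received headers oldest-first, i.e. the bottom header comes first."""
    msg = message_from_string(raw)
    hops = [" ".join(v.split()) for v in msg.get_all("Received", [])]
    return list(reversed(hops))


def hop_origin(hop):
    """(host, ip) a Received header says it got the mail from, or None."""
    m = FROM_HOST_IP.search(hop)
    return (m.group(1), m.group(2)) if m else None


def bounce_origin(raw):
    """(host, ip) the bouncing MTA says the ORIGINAL message came from.

    The Received chain of a bounce only describes the bounce itself, which
    the MTA generated locally; the worm's host is named in the DSN body.
    """
    m = BOUNCE_FROM.search(message_from_string(raw).get_payload())
    return (m.group(1), m.group(2)) if m else None
```

The oldest Received hop comes back as "from localhost (localhost)", so `hop_origin` yields nothing useful for it, while `bounce_origin` returns the metrocast.net host and IP to hand to the abuse desk along with the timestamp.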
 
Yup, that Metrocast.net is the source of the IP address. Their phone number is 1-207-286-2057, tech email address is hostmaster@gwi.net

You should be able to contact them and they can trace that IP address and put a stop to it... If all of 'em have this same header info -- which I'd just about bet the farm they do...

This info ought to get you on your way to recovery from this Klez attack! Good Luck!
 
OK, I sent everything off to their "abuse" guys. The frontline soldier said he was not allowed to deal with contacting other customers on my behalf, and gave me the address of their abuse department. We'll see

Thanks, all
 
Some ISPs are really good about contacting users who have viruses, some aren't. If this one isn't, you're pretty much out of luck. Just have to start filtering emails with certain subject lines and contents.
 