+  ZboX Webhosting Est. 2003. Now in our Fifth year!
Author Topic: virus attempt thru neomail  (Read 351 times)
rriverstone
virus attempt thru neomail
« on: April 09, 2006, 06:06:46 AM »

I just got one of those "Mail Delivery" things, but it's a fake. It says someone at "00rriverstone at rriverstone.com" -- and uses a phoney name -- tried to send spam from my neomail account.

"00rriverstone" is the address I used on my xbox websites, so I can detect incoming spam bots. REAL people don't use it, as there are instructions on my pages to remove the "00."

Part of the email's contents I've listed below, so you'll recognize it. NEVER open the attachment from such an email.

By the way, I checked my "sent" email folders. No such email came from me, so I know I don't have one of those address book viruses or anything. It's pure fake.

Here's part of the email. I changed some "@" to "at":

Date: 4/09/2006 12:52:01 +0400
From: Mail Delivery System <Mailer-Daemon@at73.arbatek.ru>
To: 00rriverstone at rriverstone.com
Subject: Mail delivery failed: returning message to sender
This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

 info@5566.ru
   mailbox is full: retry timeout exceeded

------ This is a copy of the message, including all the headers. ------

Return-path: <00rriverstone at rriverstone.com>
Received: from ru5566 by at73.arbatek.ru with local-bsmtp (Exim 4.52)
    id 1FQiOp-0001zB-TR
    for info@5566.ru; Tue, 04 Apr 2006 14:04:36 +0400
Received: from localhost by at73.arbatek.ru
    with SpamAssassin (version 3.1.0);
    Tue, 04 Apr 2006 14:04:36 +0400
From: margarit cecilius <00rriverstone at rriverstone.com>
To: info@5566.ru
Subject: =?windows-1251?B?MTAwMCDq7u3i5fDy7uIgxTY1IOIg7uTo7SD24uXyIOLx5ePuIDLwLjQ36i4g+PLz?=
       =?windows-1251?B?6uAhISE=?=
Date: Tue, 04 Apr 2006 09:54:42 +0000
Message-Id: <50ab01c657cd$7dd01c7a$b457159c at rriverstone.com>
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on at73.arbatek.ru
X-Spam-Level: ******************
X-Spam-Status: Yes, score=18.1 required=5.0 tests=BAYES_99,EXTRA_MPART_TYPE,
    HTML_90_100,HTML_FONT_LOW_CONTRAST,HTML_IMAGE_ONLY_08,HTML_MESSAGE,
    PLING_PLING,RCVD_IN_DSBL,RCVD_IN_XBL,RCVD_NUMERIC_HELO,
    SUBJECT_ENCODED_TWICE autolearn=spam version=3.1.0
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_443244B4.97DFC7AA"

This is a multi-part message in MIME format.

------------=_443244B4.97DFC7AA
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

Spam detection software, running on the system "at73.arbatek.ru", has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email.  If you have any questions, see
the administrator of that system for details.

Content preview:  ~ .." ~___- `.- ~ .." ~___- `.- [...]

Content analysis details:   (18.1 points, 5.0 required)

pts rule name              description
---- ---------------------- --------------------------------------------------
1.7 SUBJECT_ENCODED_TWICE  Subject: MIME encoded twice
1.1 EXTRA_MPART_TYPE       Header has extraneous Content-type:...type= entry
1.5 RCVD_NUMERIC_HELO      Received: contains an IP address used for HELO
0.1 HTML_90_100            BODY: Message is 90% to 100% HTML
0.0 HTML_MESSAGE           BODY: HTML included in message
3.1 HTML_IMAGE_ONLY_08     BODY: HTML: images with 400-800 bytes of words
0.2 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar to background
3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                           [score: 1.0000]
2.6 RCVD_IN_DSBL           RBL: Received via a relay in list.dsbl.org
                           [<http://dsbl.org/listing?211.36.156.107>;]
3.9 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                           [211.36.156.107 listed in sbl-xbl.spamhaus.org]
0.3 PLING_PLING            Subject has lots of exclamation marks

The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam.  If you wish to view
it, it may be safer to save it to a file and open it with an editor.
Logged
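
An added example, not part of the original posts: a Python check that compares the address a returned copy claims to be from with the hosts that actually stamped its Received headers, which is the reasoning behind "no such email came from me." The sample is the post's returned-copy headers, trimmed and with " at " restored to "@"; `mail.example.net` is a hypothetical stand-in for the account's real outbound server, and the function names are this example's own.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: returned-copy headers from the post above, trimmed, with
# the poster's " at " restored to "@" so the addresses parse.
RETURNED_COPY = """\
Return-path: <00rriverstone@rriverstone.com>
Received: from ru5566 by at73.arbatek.ru with local-bsmtp (Exim 4.52)
    id 1FQiOp-0001zB-TR
    for info@5566.ru; Tue, 04 Apr 2006 14:04:36 +0400
Received: from localhost by at73.arbatek.ru
    with SpamAssassin (version 3.1.0);
    Tue, 04 Apr 2006 14:04:36 +0400
From: margarit cecilius <00rriverstone@rriverstone.com>
To: info@5566.ru
X-Spam-Status: Yes, score=18.1 required=5.0 tests=BAYES_99,RCVD_IN_DSBL,
    RCVD_IN_XBL,RCVD_NUMERIC_HELO autolearn=spam version=3.1.0
"""

def received_hosts(msg):
    """Hosts that stamped a Received header ('by <host>'), newest first."""
    found = (re.search(r"\bby\s+([A-Za-z0-9.-]+)", v) for v in msg.get_all("Received", []))
    return [m.group(1).lower() for m in found if m]

def spam_tests(msg):
    """SpamAssassin rule names from a (possibly folded) X-Spam-Status header."""
    status = "".join(msg.get("X-Spam-Status", "").split())  # drop folding whitespace
    m = re.search(r"tests=([A-Z0-9_,]+)", status)
    return m.group(1).split(",") if m else []

def triage(raw_headers, my_domain, my_mail_hosts):
    """Compare who the returned copy claims to be from with the hosts that handled it."""
    msg = message_from_string(raw_headers)
    hops = received_hosts(msg)
    claims_me = parseaddr(msg.get("From", ""))[1].lower().endswith("@" + my_domain)
    # A forger can add Received lines, so a hit on my hosts is not proof of origin;
    # no hit at all, with my address in From, is the pattern of a forged sender.
    via_me = any(h in my_mail_hosts for h in hops)
    listed = {"RCVD_IN_XBL", "RCVD_IN_DSBL"} & set(spam_tests(msg))
    return {"hops": hops, "claims_my_domain": claims_me, "passed_my_servers": via_me,
            "forged_sender": claims_me and not via_me, "relay_blocklisted": sorted(listed)}

if __name__ == "__main__":
    # "mail.example.net" is a hypothetical name for the account's real outbound server.
    print(triage(RETURNED_COPY, "rriverstone.com", {"mail.example.net"}))
```
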

ZboX
Re: virus attempt thru neomail
« Reply #1 on: April 09, 2006, 07:36:37 AM »

Hi Rogi,
Thanks for that. I'll do some investigating and see if I can take some action. This happens to me from time to time also. One of my email addy's will be used but it obviously didn't come from me as the entire header is spoofed.

~;-)

Bert
Logged

Homepage / Community: http://zboxhosting.com

Contact: sales@zboxhosting.com
"Ohhh weeeeeee ohhhh, weeeee ohhhhhh wa. Ohhhh weeeee ohhhhh, weeeee ohhhhh wa!"
rriverstone
Re: virus attempt thru neomail
« Reply #2 on: April 09, 2006, 12:16:53 PM »

I said "xbox." I meant "zbox." They're very close together on the kybd. Sorry, Bert...LOL
Logged