blank email in OE

Discussion in 'Computer Security' started by RB, Dec 5, 2004.

  1. RB

    RB Guest

    I'll ask this one here, as I'm not sure there's a better place to direct it.

    At least once a day, I receive an email with a totally blank line in the
    address window. There is the usual little envelope over on the left, but
    the rest of the line is blank.

    If I go to PROPERTIES, there's always an email address for the sender. I'm
    pretty sure the address is spoofed.

    There are different senders of different blank emails. Doesn't seem to be a
    pattern or repeats.

    A friend thinks it's some kind of hacking attempt. Could be. I now know
    two other people who are getting them, too.

    Does anyone know what these are? To date, I've simply been deleting them
    when I come to them in the queue.

    Anyone know what's going on?
    RB, Dec 5, 2004
    #1

  2. RB wrote:

    > I'll ask this one here, as I'm not sure there's a better place to direct
    > it.
    >
    > At least once a day, I receive an email with a totally blank line in the
    > address window. There is the usual little envelope over on the left, but
    > the rest of the line is blank.
    >
    > If I go to PROPERTIES, there's always an email address for the sender.
    > I'm pretty sure the address is spoofed.
    >
    > There are different senders of different blank emails. Doesn't seem to be
    > a pattern or repeats.
    >
    > A friend thinks it's some kind of hacking attempt. Could be. I now know
    > two other people who are getting them, too.
    >
    > Does anyone know what these are? To date, I've simply been deleting them
    > when I come to them in the queue.
    >
    > Anyone know what's going on?


    What do you see when you view the email from source?

    Michael
    Michael J. Pelletier, Dec 5, 2004
    #2

  3. RB

    RB Guest

    I have the header and can post it. Would posting help?
    RB, Dec 5, 2004
    #3
  4. Samuël ML Lison, Dec 5, 2004
    #4
  5. RB

    RB Guest

    Here's the header on the only one I have in my pc right now. It is shorter
    than many, and doesn't show a "TO:" email address in there:

    Return-Path: <>
    Received: from commons10k2.mo24.107.103.84.charter-stl.com
    ([24.107.103.84]) by imf08aec.mail.bellsouth.net
    (InterMail vM.5.01.06.11 201-253-122-130-111-20040605) with SMTP
    id <24.107.103.84.charter-stl.com>;
    Sat, 4 Dec 2004 10:37:22 -0500
    X-Message-Info: C/z[1
    Message-Id: <24.107.103.84.charter-stl.com>
    Date: Sat, 4 Dec 2004 10:37:22 -0500
    RB, Dec 5, 2004
    #5
  6. donnie

    donnie Guest

    On Sun, 5 Dec 2004 12:40:48 -0600, "RB" <>
    wrote:

    >Here's the header on the only one I have in my pc right now. It is shorter
    >than many, and doesn't show a "TO:" email address in there:
    >
    >Return-Path: <>
    >Received: from commons10k2.mo24.107.103.84.charter-stl.com
    > ([24.107.103.84]) by imf08aec.mail.bellsouth.net
    > (InterMail vM.5.01.06.11 201-253-122-130-111-20040605) with SMTP
    > id <24.107.103.84.charter-stl.com>;
    > Sat, 4 Dec 2004 10:37:22 -0500
    >X-Message-Info: C/z[1
    >Message-Id: <24.107.103.84.charter-stl.com>
    >Date: Sat, 4 Dec 2004 10:37:22 -0500
    >

    #######################
    If there is no attachment, I wouldn't think it's a hacking attempt.
    The headers show that it's coming from charter.com
    I did a whois on the IP and the abuse address is
    if you think you need to contact them.
    The sender is using a maifreeway.com address which would be along the
    lines of a hotmail or something. I tried to telnet to both of them to
    attempt an expn or an vrfy on the name but it led nowhere. If you
    have any other headers that you want to post, we'll take a look at
    them.
    donnie
    donnie, Dec 5, 2004
    #6
  7. RB

    RB Guest

    OK. Thanks. I had a feeling the thing would lead nowhere.

    As far as I can determine, these blank emails are benign. I run Spybot,
    AdAware, and my A/V right after I open one.

    So, I have to ask myself: if they're benign, why bother sending the
    things????
    RB, Dec 6, 2004
    #7
  8. donnie

    donnie Guest

    On Sun, 5 Dec 2004 19:31:12 -0600, "RB" <>
    wrote:

    >OK. Thanks. I had a feeling the thing would lead nowhere.
    >
    >As far as I can determine, these blank emails are benign. I run Spybot,
    >AdAware, and my A/V right after I open one.
    >
    >So, I have to ask myself: if they're benign, why bother sending the
    >things????
    >

    #########################
    I just found something.
    http://www.sdar.com/technology/AskJonathan/Q-BlankE-mail.htm
    donnie.
    donnie, Dec 6, 2004
    #8
  9. Samuël ML Lison wrote:

    > RB wrote:
    >> I have the header and can post it. Would posting help?

    >
    > That's what Michael seems to be asking for. Yes, post it here so it can
    > be analysed.
    >
    >
    >
    > Yours Sincerely,
    > Samuël ML Lison
    >

    Post the entire email...that would be the best way to look at it?

    -- Michael
    Michael J. Pelletier, Dec 6, 2004
    #9
  10. RB

    RB Guest

    Are Outlook and Outlook Express close enough that the article explanation
    would cover both? Sounds very logical to me. Maybe that's what I'm seeing.
    RB, Dec 6, 2004
    #10
  11. In article <PBIsd.102908$>, on Sun, 5 Dec 2004 12:40:48 -0600, "RB"
    <> wrote:

    | Here's the header on the only one I have in my pc right now. It is shorter
    | than many, and doesn't show a "TO:" email address in there:
    |
    | Return-Path: <>
    | Received: from commons10k2.mo24.107.103.84.charter-stl.com
    | ([24.107.103.84]) by imf08aec.mail.bellsouth.net
    | (InterMail vM.5.01.06.11 201-253-122-130-111-20040605) with SMTP
    | id <24.107.103.84.charter-stl.com>;
    | Sat, 4 Dec 2004 10:37:22 -0500
    | X-Message-Info: C/z[1
    | Message-Id: <24.107.103.84.charter-stl.com>
    | Date: Sat, 4 Dec 2004 10:37:22 -0500

    I've had similar mails and assumed they were sent by spammers who were
    even more stupid than normal and unable to configure their spamware properly.

    No subject, and no contents. How do they expect anyone to contact them?

    Your address would have been in a "Bcc:" header (probably together with
    many other spammer victims' email addresses). This gets removed during the mail
    routing by the sending server so you don't see everyone else's email addresses.

    Some ISP mail servers will add an extra header called something like
    "X-Envelope-To:" which will then show what email address actually received
    the mail and will correspond to your email address portion of the "Bcc:" header.

    <davidp />

    --
    David Postill
    David Postill, Dec 6, 2004
    #11
  12. "RB" <> wrote in message
    news:YAusd.40055$...
    > I'll ask this one here, as I'm not sure there's a better place to direct
    > it.
    >
    > At least once a day, I receive an email with a totally blank line in the
    > address window. There is the usual little envelope over on the left, but
    > the rest of the line is blank.


    It's a standard probe - someone performing a dictionary "attack" (hardly
    worthy of the word!) on your ISP's email server.

    I find they usually come on bunches of four or five on my work server, as
    I'm in several groups that are accessible from the outside world.

    HTH

    Hairy One Kenobi

    Disclaimer: the opinions expressed in this opinion do not necessarily
    reflect the opinions of the highly-opinionated person expressing the opinion
    in the first place. So there!
    Hairy One Kenobi, Dec 6, 2004
    #12
  13. Moe Trin

    Moe Trin Guest

    In article <PBIsd.102908$>, RB wrote:

    >Here's the header on the only one I have in my pc right now. It is shorter
    >than many, and doesn't show a "TO:" email address in there:


    Mail is sent from one computer to another using the SMTP (Simple Mail
    Transport Protocol). The sending computer starts the transaction by
    saying hello, and the receiving computer returning the greeting while
    looking up the address. Here, the conversation went:

    Hello imf08aec.mail.bellsouth.net, this is
    commons10k2.mo24.107.103.84.charter-stl.com

    Hello commons10k2.mo24.107.103.84.charter-stl.com, pleased to meet you.
    (remote host was at 24.107.103.84, at Sat, 4 Dec 2004 10:37:22 -0500)

    That creates the first (and in this case, only) Received: line. Some
    mail servers carry this one step further, and look up the address that belongs
    to the remote hostname, and put that in the header too.

    Mail from <>

    Sender OK

    That created the "Return-Path:" line - it's called the 'Envelope Sender'

    Deliver to <Mumble>

    Recipient OK

    Deliver to <Mumble2>

    Recipient OK

    This information does NOT make it into the mail - this is the 'Envelope
    Recipient'. Now, I know there were two OR MORE _valid_ recipients because
    this information was not put into the Received: header (mail to a single
    recipient would have your address included between the 'SMTP id' and
    date). The above are the "Envelope" headers, put there by the receiving
    server. You can probably trust the headers put there by your mail server
    (or the mail server of your ISP).

    DATA

    Start mail input; end with <CRLF>.<CRLF>

    This kicks the mail servers into the transfer mode - everything sent
    from now on is put into the delivered mail following the top 'Received:'
    line. Briefly, this is the rest of the headers, a blank line, then the
    "body" of the mail. This mode ends when the sender sends a line of text
    that ONLY contains a dot. At that point, the receiving server sends a "OK,
    I got it", or an error message, and this transaction ends.

    Note: Mail may have multiple "Received:" headers. The mail may have been
    _forwarded_ from one server to another, and each tacks on its Received
    headers. At the following stage, these follow the DATA command, and may
    not be trustworthy. (Did the mail "originate in Los Angeles", get sent
    to a server in "Paris", but get delivered to your ISP from a server in
    "Hong Kong"?? Wait a minute - how did it get from Paris to Hong Kong, and
    why did it go to either place, when you are in San Diego? This doesn't
    smell good!!!). Another thing to watch for is mail that claims to have
    originated at your ISP (or even from you), but is being delivered to it
    from some server in South Korea or Finland. Do you _really_ think mail
    would be sent from here, to there, and back again? Why?

    Notice that the 'To:', 'From:', 'Subject:', 'Date:' and all the other
    headers are internal to the mail - AND IN NO WAY SHOULD BE TRUSTED.
    See RFC2821 and RFC2822 (replaces RFC821 and RFC822) for more details.
    See also http://www.stopspam.org/email/headers.html

    OK, now that we got that out of the way - what's with this mail? The
    'Return-Path:' is useless unless your mail server is one of the rare ones
    that only accepts envelope senders that match the Received: line - something
    that rarely works in practice.

    Second - the mail was sent from commons10k2.mo24.107.103.84.charter-stl.com
    which looks to be a cable modem in Eastern Missouri. The probability says
    this is a zombie - some home user who can't be bothered with anti-virus,
    anti-trojan, anti-anything, and has it set to automatically click 'OK,
    go ahead and install this virus' (because reading all of those messages
    and moving the mouse to click the 'OK' is too hard) and as a result, the
    system is 0wn3d. It's a pity, but we are not allowed to shoot such computer
    owners, and smash their computers to bits - but what can I say?

    Third - I'd suggest that the mail server on the zombie crashed, because it
    didn't send a 'Message-Id:' or 'Date:' header (both of those were inserted
    by the bellsouth mail server because they were required, but missing). You
    can see this because the data is the same as that in the Received: header.

    Finally - sent from a dynamic address - mail administrators with clue (and
    that excludes Bellsouth, SWBell, Pacific Bell, Ameritech, and other members
    of SBC) are often refusing to accept mail from them because it's almost
    always spam. Some ISPs are finally getting around to blocking any outbound
    packets being sent to mail servers OTHER THAN THEIR OWN.

    Old guy
    Moe Trin, Dec 6, 2004
    #13
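    The transaction Moe Trin walks through, as an added example that is not part of the thread: a small Python model of the receiving server's side of an SMTP session. It shows which lines the server itself writes into the stored mail (Return-Path:, Received:, and the Date:/Message-Id: it stamps in when the sender supplied none) and why the recipient address is absent from Received: when there was more than one envelope recipient. Hostnames, addresses, reply wording and the Message-Id format are constructed placeholders, not any real server's.

```python
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime

def receive_transaction(commands, my_host, peer_ip, now):
    """Replay the receiving server's side of one SMTP transaction given the
    client's lines (HELO, MAIL FROM, RCPT TO, DATA, message lines, lone '.').
    Returns (stored, replies): stored = server trace headers + sender data."""
    peer_name = envelope_from = None
    rcpts, replies, data, in_data = [], [], [], False
    for line in commands:
        if in_data:                    # after DATA everything is sender-controlled
            if line == ".":
                in_data = False
                replies.append("250 OK, message accepted")
            else:
                data.append(line)
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):   # the name is whatever the peer claims
            peer_name = arg
            replies.append(f"250 {my_host} Hello {arg} [{peer_ip}]")
        elif verb == "MAIL":           # envelope sender becomes Return-Path:
            envelope_from = arg.split(":", 1)[1].strip()
            replies.append("250 Sender OK")
        elif verb == "RCPT":           # envelope recipients are never stored as such
            rcpts.append(arg.split(":", 1)[1].strip())
            replies.append("250 Recipient OK")
        elif verb == "DATA":
            in_data = True
            replies.append("354 Start mail input; end with <CRLF>.<CRLF>")
    stamp = format_datetime(now)       # the server's own clock, not the sender's
    received = f"Received: from {peer_name} ([{peer_ip}]) by {my_host} with SMTP"
    if len(rcpts) == 1:                # one recipient shows up in the trace;
        received += f" for {rcpts[0]}" # two or more and the address is left out
    trace = [f"Return-Path: {envelope_from}", f"{received}; {stamp}"]
    hdrs = data[: data.index("")] if "" in data else data  # sender's header block
    names = {h.split(":", 1)[0].strip().lower() for h in hdrs if ":" in h}
    # Headers the sender left out are stamped in by the server, so Date: then matches Received:.
    if "message-id" not in names:      # constructed id format, not a real server's
        trace.append(f"Message-Id: <{int(now.timestamp())}.{peer_ip}@{my_host}>")
    if "date" not in names:
        trace.append(f"Date: {stamp}")
    return trace + data, replies

# Constructed sample session: two envelope recipients and no sender headers at all.
SAMPLE_NOW = datetime(2004, 12, 4, 10, 37, 22, tzinfo=timezone(timedelta(hours=-5)))
SAMPLE_SESSION = ["HELO commons10k2.example.net", "MAIL FROM:<>",
                  "RCPT TO:<victim1@example.com>", "RCPT TO:<victim2@example.com>",
                  "DATA", "", "(empty body)", "."]
```

Running `receive_transaction(SAMPLE_SESSION, "mx.example.com", "192.0.2.10", SAMPLE_NOW)` yields a stored message whose only headers are the ones the server wrote, with Date: equal to the Received: timestamp, as in the header RB posted.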
  14. RB

    RB Guest

    Moe Trin wrote a lengthy explanation of what was in the header of the blank
    email I received.

    Thanks. That was fascinating and enlightening. If I understood it right,
    we really don't know much about what was going on.

    But, it's interesting. Someone said it's probably a phishing thing where
    simply opening the email sends a confirmation that it reached a valid email
    address for purposes of further mischief of some sort. Sounds logical.
    RB, Dec 8, 2004
    #14
  15. Moe Trin

    Moe Trin Guest

    In article <etttd.40445$>, RB wrote:

    >Moe Trin wrote a lengthy explanation of what was in the header of the blank
    >email I received.


    Actually, that was drastically shortened. The two RFCs (2821 and 2822)
    that are the controlling documents for basic mail total 7300 lines of text
    (79 and 51 pages when printed).

    >Thanks. That was fascinating and enlightening. If I understood it right,
    >we really don't know much about what was going on.


    Other than you got a partial mail delivered from some zombie on charter
    net - no, there isn't much you can positively state. Opinions, of course,
    are another thing.

    >But, it's interesting. Someone said it's probably a phishing thing where
    >simply opening the email sends a confirmation that it reached a valid email
    >address for purposes of further mischief of some sort. Sounds logical.


    That would be mail with a URL inside (often a unique 'page' with a coded
    number to the right of the slash at the end of the hostname), and the
    victim using a web browser to read the mail that is configured to auto-
    open any URL. Outlook Express is notorious for this, but others can be
    configured that way. What that method does is not only confirms that the
    address is good, but also that the mail is being read by someone whose
    browser is wide open and begging to be exploited. Smart people don't
    accept mail in HTML (that's for web pages, not mail or news), and some
    don't even accept mail unless it is ONLY plain ASCII text. I don't know
    about you, but I really don't give a f*ck about animation or color or
    special fonts in my mail.

    However, the mere acceptance by your (ISP's) mail server usually means
    that the address is good. Remember, part of the SMTP dialog between
    the sending and receiving mail server went:

    ] Deliver to <Mumble>
    ]
    ] Recipient OK

    If <Mumble> were not a valid address, the dialog would be

    Deliver to <Mumble>

    Requested action not taken: mailbox unavailable

    The program on the sender merely has to note which response it gets for
    which name it tried. If the receiving server has the log level turned
    up, this would show in the SMTP log, but normally this is not the case
    because of the huge number of mails received. One of my ISPs tells me
    they see 300,000 mails a day on average - that's 3.5 mails per second.
    They believe that at least 98 percent of that is spam. And they are a
    small family-owned ISP with less than a thousand customers total.

    Old guy
    Moe Trin, Dec 8, 2004
    #15
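    The log check Moe Trin alludes to, as an added example that is not from the thread: given SMTP log lines recording each RCPT TO and the server's reply, this Python script summarises accepts and rejections per connecting IP and flags a source that tries many addresses and is mostly rejected, listing the addresses that source has now confirmed as deliverable. The log format, IPs, addresses and thresholds are constructed assumptions, not any particular mail server's.

```python
import re
from collections import defaultdict

# Constructed sample log: one connection guessing local parts alphabetically,
# and one ordinary delivery from a different host.
SAMPLE_LOG = """\
2004-12-04 10:37:01 [192.0.2.10] RCPT TO:<aaron@example.com> 550 mailbox unavailable
2004-12-04 10:37:01 [192.0.2.10] RCPT TO:<abby@example.com> 550 mailbox unavailable
2004-12-04 10:37:02 [192.0.2.10] RCPT TO:<adam@example.com> 250 Recipient OK
2004-12-04 10:37:02 [192.0.2.10] RCPT TO:<alan@example.com> 550 mailbox unavailable
2004-12-04 10:37:03 [192.0.2.10] RCPT TO:<alex@example.com> 550 mailbox unavailable
2004-12-04 10:37:03 [192.0.2.10] RCPT TO:<amy@example.com> 250 Recipient OK
2004-12-04 10:40:15 [198.51.100.7] RCPT TO:<adam@example.com> 250 Recipient OK
"""

# Assumed line layout: "... [client-ip] RCPT TO:<address> <3-digit reply code> ..."
LINE = re.compile(r"\[(?P<ip>[\d.]+)\] RCPT TO:<(?P<rcpt>[^>]+)> (?P<code>\d{3})")

def summarize_rcpt(log):
    """Per client IP: how many RCPT TO were accepted (2xx) or rejected (5xx),
    and which recipient addresses the client learned are valid."""
    per_ip = defaultdict(lambda: {"ok": 0, "rejected": 0, "accepted": []})
    for m in LINE.finditer(log):
        entry = per_ip[m["ip"]]
        if m["code"].startswith("2"):
            entry["ok"] += 1
            entry["accepted"].append(m["rcpt"])
        elif m["code"].startswith("5"):
            entry["rejected"] += 1
    return dict(per_ip)

def flag_enumeration(summary, min_attempts=5, min_reject_ratio=0.5):
    """Return {ip: confirmed addresses} for clients whose RCPT pattern looks
    like address guessing: many attempts, mostly rejected. Thresholds are
    illustrative; tune them to the server's normal traffic."""
    flagged = {}
    for ip, s in summary.items():
        total = s["ok"] + s["rejected"]
        if total >= min_attempts and s["rejected"] / total >= min_reject_ratio:
            flagged[ip] = s["accepted"]
    return flagged
```

The flagged addresses are the ones worth watching afterwards, since the server's "Recipient OK" has already told the sender they exist.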