Message from postmaster - genuine?

Discussion in 'NZ Computing' started by Geopelia, Dec 11, 2006.

  1. Geopelia

    Geopelia Guest

    I have received an odd message from Postmaster and don't know if it is
    genuine or spam. Is anyone else getting this message?

    I'm suspicious because it is to: none, not addressed to me.

    Subject Postmaster error 550. This IP address has been blacklisted.
    Postmaster error: your system is infected with W32.Novarg A.
    A file is attached W32.Novarg .A.Removal.Zip (47.5KB)

    There is a lot more in the email, but I think you would recognise it from
    the above.

    I've got a scan running, but my virus checker (pc-cillin) is up to date. I
    update every time I use the computer. There is nothing in the Logs.

    Should I ignore it, or open the file, please?

    Geopelia
     
    Geopelia, Dec 11, 2006
    #1

  2. Geopelia

    Mike Dee Guest

    Geopelia wrote:

    > Should I ignore it, or open the file, please?


    It's a virus. Do not open it.

    --
    dee
     
    Mike Dee, Dec 11, 2006
    #2

  3. Geopelia

    Geopelia Guest

    "Mike Dee" <> wrote in message
    news:...
    > Geopelia wrote:
    >
    >> Should I ignore it, or open the file, please?

    >
    > It's a virus. Do not open it.
    >
    > --
    > dee
    >

    Thank you. I suspected it might be, so asked here. I've been hunting around
    in PC-cillin for virus information, and found something about
    TROJ_SYMANFAKE.A which looks as though it might be that.

    I wonder why it wasn't picked up by xtra or PC-cillin as spam.
    These virus people make things look so genuine now.

    Thanks for your help.

    Geopelia
     
    Geopelia, Dec 11, 2006
    #3
  4. Geopelia

    David Empson Guest

    Geopelia <> wrote:

    > I have received an odd message from Postmaster and don't know if it is
    > genuine or spam. Is anyone else getting this message?
    >
    > I'm suspicious because it is to: none, not addressed to me.
    >
    > Subject Postmaster error 550. This IP address has been blacklisted.
    > Postmaster error: your system is infected with W32.Novarg A.
    > A file is attached W32.Novarg .A.Removal.Zip (47.5KB)


    It may be an attempt to send you a virus.

    It may be a rejection of an attempt by your computer to send a virus on
    to someone else.

    Given your use of anti-virus software, it is most likely to be a genuine
    bounce from a system which received a virus from a third party
    pretending to be you.

    The most common scenario is someone else's computer is infected with a
    virus which tries to spread itself by e-mailing a copy of itself to
    everyone in the address book. For each of these messages, it uses a fake
    "From" address, typically picking a different address out of the address
    book.

    In this case, the virus happened to pick your e-mail address to put in
    the "From" field, and sent itself to another computer. That computer is
    running anti-virus software, which recognised and rejected the virus. It
    then sent a bounce message back to the apparent sender of the virus
    (you, because your address was in the "From" field).

    I regard this as a bug in the receiving computer's anti-virus software.
    If the virus is known to send mail using a fake "From" address, what is
    the point sending an e-mail message to report the rejection? The
    recipient of the bounce has nothing to do with the virus, except having
    had e-mail contact with the infected computer (which cannot easily be
    identified).

    > There is a lot more in the email, but I think you would recognise it from
    > the above.
    >
    > I've got a scan running, but my virus checker (pc-cillin) is up to date. I
    > update every time I use the computer. There is nothing in the Logs.
    >
    > Should I ignore it, or open the file, please?


    Delete it. It probably contains the virus as an attachment.


    Incidentally, you should not regard all messages "Postmaster" as being
    viruses. Failure to deliver a message will result in the e-mail software
    on the receiving system returning an error message to the sender
    reporting the problem. These messages will be addressed from postmaster
    at the site which received the mail.

    --
    David Empson
     
    David Empson, Dec 11, 2006
    #4
  5. Geopelia

    Geopelia Guest

    "David Empson" <> wrote in message
    news:1hq7l9l.1gf1whwakx7vtN%...
    > Geopelia <> wrote:
    >
    >> I have received an odd message from Postmaster and don't know if it is
    >> genuine or spam. Is anyone else getting this message?
    >>
    >> I'm suspicious because it is to: none, not addressed to me.
    >>
    >> Subject Postmaster error 550. This IP address has been blacklisted.
    >> Postmaster error: your system is infected with W32.Novarg A.
    >> A file is attached W32.Novarg .A.Removal.Zip (47.5KB)

    >
    > It may be an attempt to send you a virus.
    >
    > It may be a rejection of an attempt by your computer to send a virus on
    > to someone else.
    >
    > Given your use of anti-virus software, it is most likely to be a genuine
    > bounce from a system which received a virus from a third party
    > pretending to be you.
    >
    > The most common scenario is someone else's computer is infected with a
    > virus which tries to spread itself by e-mailing a copy of itself to
    > everyone in the address book. For each of these messages, it uses a fake
    > "From" address, typically picking a different address out of the address
    > book.
    >
    > In this case, the virus happened to pick your e-mail address to put in
    > the "From" field, and sent itself to another computer. That computer is
    > running anti-virus software, which recognised and rejected the virus. It
    > then sent a bounce message back to the apparent sender of the virus
    > (you, because your address was in the "From" field).
    >
    > I regard this as a bug in the receiving computer's anti-virus software.
    > If the virus is known to send mail using a fake "From" address, what is
    > the point sending an e-mail message to report the rejection? The
    > recipient of the bounce has nothing to do with the virus, except having
    > had e-mail contact with the infected computer (which cannot easily be
    > identified).
    >
    >> There is a lot more in the email, but I think you would recognise it from
    >> the above.
    >>
    >> I've got a scan running, but my virus checker (pc-cillin) is up to date.
    >> I
    >> update every time I use the computer. There is nothing in the Logs.
    >>
    >> Should I ignore it, or open the file, please?

    >
    > Delete it. It probably contains the virus as an attachment.
    >
    >
    > Incidentally, you should not regard all messages "Postmaster" as being
    > viruses. Failure to deliver a message will result in the e-mail software
    > on the receiving system returning an error message to the sender
    > reporting the problem. These messages will be addressed from postmaster
    > at the site which received the mail.
    >
    > --
    > David Empson
    >


    Thank you. I'll save your email for future reference. It is good of you to
    explain things so well.

    Geopelia
     
    Geopelia, Dec 11, 2006
    #5
  6. Geopelia

    Fred Dagg Guest

    On Tue, 12 Dec 2006 01:44:49 +1300, (David
    Empson) exclaimed:

    >
    >Given your use of anti-virus software, it is most likely to be a genuine
    >bounce from a system which received a virus from a third party
    >pretending to be you.


    No, it is a virus.
     
    Fred Dagg, Dec 11, 2006
    #6
  7. Geopelia

    Fred Dagg Guest

    On Tue, 12 Dec 2006 00:57:53 +1300, "Geopelia" <>
    exclaimed:

    >I have received an odd message from Postmaster and don't know if it is
    >genuine or spam. Is anyone else getting this message?
    >
    >I'm suspicious because it is to: none, not addressed to me.
    >
    >Subject Postmaster error 550. This IP address has been blacklisted.
    >Postmaster error: your system is infected with W32.Novarg A.
    >A file is attached W32.Novarg .A.Removal.Zip (47.5KB)
    >
    >There is a lot more in the email, but I think you would recognise it from
    >the above.
    >
    >I've got a scan running, but my virus checker (pc-cillin) is up to date. I
    >update every time I use the computer. There is nothing in the Logs.
    >
    >Should I ignore it, or open the file, please?


    It is almost definitely a virus.

    The reason your virus software hasn't picked it up is that it will be
    a new variant. There's always a period of time between when a new
    virus hits, and when definitions are released that protect your
    machine from them (different antivirus vendors have different response
    rates. eg Symantec spends a great deal of money attempting to be first
    with protection for 0-day viruses).

    Incidentally, Novarg.A was a relatively large virus back in about
    2004.
     
    Fred Dagg, Dec 11, 2006
    #7
  8. Geopelia

    thingy Guest

    Fred Dagg wrote:
    > On Tue, 12 Dec 2006 00:57:53 +1300, "Geopelia" <>
    > exclaimed:
    >
    >> I have received an odd message from Postmaster and don't know if it is
    >> genuine or spam. Is anyone else getting this message?
    >>
    >> I'm suspicious because it is to: none, not addressed to me.
    >>
    >> Subject Postmaster error 550. This IP address has been blacklisted.
    >> Postmaster error: your system is infected with W32.Novarg A.
    >> A file is attached W32.Novarg .A.Removal.Zip (47.5KB)
    >>
    >> There is a lot more in the email, but I think you would recognise it from
    >> the above.
    >>
    >> I've got a scan running, but my virus checker (pc-cillin) is up to date. I
    >> update every time I use the computer. There is nothing in the Logs.
    >>
    >> Should I ignore it, or open the file, please?

    >
    > It is almost definitely a virus.
    >
    > The reason your virus software hasn't picked it up is that it will be
    > a new variant. There's always a period of time between when a new
    > virus hits, and when definitions are released that protect your
    > machine from them (different antivirus vendors have different response
    > rates. eg Symantec spends a great deal of money attempting to be first
    > with protection for 0-day viruses).
    >
    > Incidentally, Novarg.A was a relatively large virus back in about
    > 2004.


    and lots of virus writers use Symantec and other big anti-virus
    companies to test how well their new code gets through un-scanned. So
    there is considerable argument to use a smaller anti-virus company,
    and/or several products. You lucky windows people you....

    regards

    Thing
     
    thingy, Dec 11, 2006
    #8
  9. Geopelia

    thingy Guest

    Fred Dagg wrote:
    > On Tue, 12 Dec 2006 01:44:49 +1300, (David
    > Empson) exclaimed:
    >
    >> Given your use of anti-virus software, it is most likely to be a genuine
    >> bounce from a system which received a virus from a third party
    >> pretending to be you.

    >
    > No, it is a virus.


    yep, looks like it....genuine postmaster bounces would be plain
    text...there would be and usually are no attachments.

    having someone un-known send you an un-invited "friendly" fix should be
    sending huge alarm bells.

    regards

    Thing
     
    thingy, Dec 11, 2006
    #9
  10. Geopelia

    Geopelia Guest

    Thanks to all.

    I expect PC-cillin will soon start picking this one up as spam. These virus
    people are getting crafty.

    Geopelia
     
    Geopelia, Dec 11, 2006
    #10
  11. Geopelia

    E. Scrooge Guest

    "Geopelia" <> wrote in message
    news:eljh3j$jp6$...
    >I have received an odd message from Postmaster and don't know if it is
    >genuine or spam. Is anyone else getting this message?
    >
    > I'm suspicious because it is to: none, not addressed to me.
    >
    > Subject Postmaster error 550. This IP address has been blacklisted.
    > Postmaster error: your system is infected with W32.Novarg A.
    > A file is attached W32.Novarg .A.Removal.Zip (47.5KB)
    >
    > There is a lot more in the email, but I think you would recognise it from
    > the above.
    >
    > I've got a scan running, but my virus checker (pc-cillin) is up to date. I
    > update every time I use the computer. There is nothing in the Logs.
    >
    > Should I ignore it, or open the file, please?
    >
    > Geopelia


    Never open anything you're not sure about.
    A Google search on what you know about anything looking dodgy can help to
    find info about it.

    Xtra should be scanning your emails as well, but it looks like the bastards
    have let that one slip by.

    E. Scrooge
     
    E. Scrooge, Dec 11, 2006
    #11
  12. Geopelia

    Geopelia Guest

    "E. Scrooge" <scrooge@*shot.co.nz (*sling)> wrote in message
    news:1165873099.598726@ftpsrv1...
    >
    > "Geopelia" <> wrote in message
    > news:eljh3j$jp6$...
    >>I have received an odd message from Postmaster and don't know if it is
    >>genuine or spam. Is anyone else getting this message?
    >>
    >> I'm suspicious because it is to: none, not addressed to me.
    >>
    >> Subject Postmaster error 550. This IP address has been blacklisted.
    >> Postmaster error: your system is infected with W32.Novarg A.
    >> A file is attached W32.Novarg .A.Removal.Zip (47.5KB)
    >>
    >> There is a lot more in the email, but I think you would recognise it from
    >> the above.
    >>
    >> I've got a scan running, but my virus checker (pc-cillin) is up to date.
    >> I update every time I use the computer. There is nothing in the Logs.
    >>
    >> Should I ignore it, or open the file, please?
    >>
    >> Geopelia

    >
    > Never open anything you're not sure about.
    > A Google search on what you know about anything looking dodgy can help to
    > find info about it.
    >
    > Xtra should be scanning your emails as well, but it looks like the
    > bastards have let that one slip by.
    >
    > E. Scrooge
    >

    xtra gets rid of them before I see them. PC-cillin also picks up a lot that
    get past xtra, and doesn't Windows XP remove some?

    I tried to report it to xtra, there used to be somewhere for forwarding spam
    messages, but it seems to have disappeared.

    Geopelia
     
    Geopelia, Dec 11, 2006
    #12
  13. Geopelia

    Mark C Guest

    "Geopelia" <> wrote in
    news:eljjd4$oo1$:

    > "Mike Dee" <> wrote in message
    > news:...
    >> Geopelia wrote:
    >>
    >>> Should I ignore it, or open the file, please?

    >>
    >> It's a virus. Do not open it.

    >
    > I wonder why it wasn't picked up by xtra or PC-cillin as spam.
    > These virus people make things look so genuine now.


    The safest thing is to delete it.

    If you are curious, and CAREFUL, you can submit it to online websites
    that will scan it for you.

    Detach (save) the ZIP file to a folder somewhere.
    DO NOT open the ZIP file!

    Visit these sites, and use the Browse button to upload the ZIP file:

    http://scanner.virus.org/
    http://virusscan.jotti.org/

    Send an email according to the instructions on this site:

    http://www.virustotal.com/en/indexf.html

    HTH,
    Mark
     
    Mark C, Dec 11, 2006
    #13
  14. Geopelia

    ~misfit~ Guest

    Geopelia wrote:
    > I have received an odd message from Postmaster and don't know if it is
    > genuine or spam. Is anyone else getting this message?
    >
    > I'm suspicious because it is to: none, not addressed to me.
    >
    > Subject Postmaster error 550. This IP address has been blacklisted.
    > Postmaster error: your system is infected with W32.Novarg A.
    > A file is attached W32.Novarg .A.Removal.Zip (47.5KB)
    >
    > There is a lot more in the email, but I think you would recognise it
    > from the above.
    >
    > I've got a scan running, but my virus checker (pc-cillin) is up to
    > date. I update every time I use the computer. There is nothing in the
    > Logs.
    > Should I ignore it, or open the file, please?
    >
    > Geopelia


    Can't you right-click the file and select 'scan for viruses'?
    --
    Shaun.
     
    ~misfit~, Dec 11, 2006
    #14
  15. Geopelia

    Mark C Guest

    "Geopelia" <> wrote in
    news:eljjd4$oo1$:

    > "Mike Dee" <> wrote in message
    > news:...
    >> Geopelia wrote:
    >>
    >>> Should I ignore it, or open the file, please?

    >>
    >> It's a virus. Do not open it.

    >
    > I wonder why it wasn't picked up by xtra or PC-cillin as spam.
    > These virus people make things look so genuine now.


    The safest thing is to delete it.

    If you are curious, and CAREFUL, you can submit it to online
    websites that will scan it for you.

    Detach (save) the ZIP file to a folder somewhere.
    DO NOT open the ZIP file!

    Visit these sites, and use the Browse button to upload the ZIP
    file:

    http://scanner.virus.org/
    http://virusscan.jotti.org/

    Send an email according to the instructions on this site:

    http://www.virustotal.com/en/indexf.html

    HTH,
    Mark
     
    Mark C, Dec 11, 2006
    #15
  16. In message <1hq7l9l.1gf1whwakx7vtN%>, David Empson
    wrote:

    > Incidentally, you should not regard all messages "Postmaster" as being
    > viruses.


    This is true enough, but ...

    > Failure to deliver a message will result in the e-mail software
    > on the receiving system returning an error message to the sender
    > reporting the problem. These messages will be addressed from postmaster
    > at the site which received the mail.


    ... I thought they were supposed to come from "MAILER-DAEMON" (commonly
    uppercase). Part of the idea being that, if the non-delivery notification
    itself doesn't get through, it will be bounced back to MAILER-DAEMON, which
    otherwise would not get any mail.
     
    Lawrence D'Oliveiro, Dec 11, 2006
    #16
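Added example, not part of any post in this thread: a Python sketch of the checks discussed above (a real bounce is a structured delivery report sent with an empty envelope sender, and an unsolicited "removal tool" archive is the warning sign). The `triage_bounce` function, the extension list, the verdict strings and both sample messages are constructed for illustration; the `example.org`/`example.net` addresses are placeholders.

```python
import email

# Assumed list of extensions a delivery report has no reason to carry.
RISKY_EXT = (".zip", ".exe", ".scr", ".pif", ".com", ".bat", ".cmd")

# Constructed sample modelled on the message described in the first post.
FAKE_NOTICE = """\
From: Postmaster <postmaster@mail.example.org>
Subject: Postmaster error 550. This IP address has been blacklisted.
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Postmaster error: your system is infected with W32.Novarg A.
--b1
Content-Type: application/zip
Content-Disposition: attachment; filename="W32.Novarg .A.Removal.Zip"
Content-Transfer-Encoding: base64

cGxhY2Vob2xkZXI=
--b1--
"""

# Constructed sample of an RFC 3464 delivery status notification.
GENUINE_DSN = """\
Return-Path: <>
From: MAILER-DAEMON@mx.example.net
To: user@example.org
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b2"

--b2
Content-Type: text/plain

The message could not be delivered.
--b2
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net

Final-Recipient: rfc822; nobody@example.net
Action: failed
Status: 5.1.1

--b2--
"""

def triage_bounce(raw: str) -> dict:
    """Separate structured delivery reports from look-alike 'postmaster' mail."""
    msg = email.message_from_string(raw)
    parts = list(msg.walk())
    # A standards-based bounce is multipart/report with a machine-readable
    # message/delivery-status part, not just an alarming Subject line.
    structured = (
        msg.get_content_type() == "multipart/report"
        and str(msg.get_param("report-type", "")).lower() == "delivery-status"
        and any(p.get_content_type() == "message/delivery-status" for p in parts)
    )
    # walk() also descends into a returned original (message/rfc822), so a real
    # bounce that hands back someone else's infected mail is flagged as well.
    risky = [p.get_filename() for p in parts
             if (p.get_filename() or "").lower().endswith(RISKY_EXT)]
    # Return-Path records the envelope sender; bounces use the empty one, "<>".
    null_sender = (msg.get("Return-Path") or "").strip() == "<>"
    if risky:
        verdict = "do not open"
    elif structured and null_sender:
        verdict = "delivery report"
    else:
        verdict = "unverified notice"
    return {"structured_dsn": structured, "null_return_path": null_sender,
            "has_to_header": msg.get("To") is not None,
            "risky_attachments": risky, "verdict": verdict}
```

Every header checked here can be forged, so a "delivery report" verdict only means the message has the shape of a bounce; the attachment check is the one that decides whether anything should be opened.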
  17. Geopelia

    Jonno Guest

    "Geopelia" <> wrote in message
    news:elklm7$9dg$...
    >
    > "E. Scrooge" <scrooge@*shot.co.nz (*sling)> wrote in message
    > news:1165873099.598726@ftpsrv1...
    >>
    >> "Geopelia" <> wrote in message
    >> news:eljh3j$jp6$...
    >>>I have received an odd message from Postmaster and don't know if it is
    >>>genuine or spam. Is anyone else getting this message?
    >>>
    >>> I'm suspicious because it is to: none, not addressed to me.
    >>>
    >>> Subject Postmaster error 550. This IP address has been blacklisted.
    >>> Postmaster error: your system is infected with W32.Novarg A.
    >>> A file is attached W32.Novarg .A.Removal.Zip (47.5KB)
    >>>
    >>> There is a lot more in the email, but I think you would recognise it
    >>> from the above.
    >>>
    >>> I've got a scan running, but my virus checker (pc-cillin) is up to date.
    >>> I update every time I use the computer. There is nothing in the Logs.
    >>>
    >>> Should I ignore it, or open the file, please?
    >>>
    >>> Geopelia

    >>
    >> Never open anything you're not sure about.
    >> A Google search on what you know about anything looking dodgy can help to
    >> find info about it.
    >>
    >> Xtra should be scanning your emails as well, but it looks like the
    >> bastards have let that one slip by.
    >>
    >> E. Scrooge
    >>

    > xtra gets rid of them before I see them. PC-cillin also picks up a lot
    > that get past xtra, and doesn't Windows XP remove some?
    >
    > I tried to report it to xtra, there used to be somewhere for forwarding
    > spam messages, but it seems to have disappeared.
    >
    > Geopelia
    >

    Geop whatever you do, DO NOT open the zip file. It is a known virus.
    http://www.symantec.com/security_response/writeup.jsp?docid=2004-012816-3647-99
    Delete the whole damn thing.
     
    Jonno, Dec 11, 2006
    #17
  18. Geopelia

    Jonno Guest

    "Jonno" <> wrote in message
    news:457ddcf0$...
    >
    > "Geopelia" <> wrote in message
    > news:elklm7$9dg$...
    >>
    >> "E. Scrooge" <scrooge@*shot.co.nz (*sling)> wrote in message
    >> news:1165873099.598726@ftpsrv1...
    >>>
    >>> "Geopelia" <> wrote in message
    >>> news:eljh3j$jp6$...
    >>>>I have received an odd message from Postmaster and don't know if it is
    >>>>genuine or spam. Is anyone else getting this message?
    >>>>
    >>>> I'm suspicious because it is to: none, not addressed to me.
    >>>>
    >>>> Subject Postmaster error 550. This IP address has been blacklisted.
    >>>> Postmaster error: your system is infected with W32.Novarg A.
    >>>> A file is attached W32.Novarg .A.Removal.Zip (47.5KB)
    >>>>
    >>>> There is a lot more in the email, but I think you would recognise it
    >>>> from the above.
    >>>>
    >>>> I've got a scan running, but my virus checker (pc-cillin) is up to
    >>>> date. I update every time I use the computer. There is nothing in the
    >>>> Logs.
    >>>>
    >>>> Should I ignore it, or open the file, please?
    >>>>
    >>>> Geopelia
    >>>
    >>> Never open anything you're not sure about.
    >>> A Google search on what you know about anything looking dodgy can help
    >>> to find info about it.
    >>>
    >>> Xtra should be scanning your emails as well, but it looks like the
    >>> bastards have let that one slip by.
    >>>
    >>> E. Scrooge
    >>>

    >> xtra gets rid of them before I see them. PC-cillin also picks up a lot
    >> that get past xtra, and doesn't Windows XP remove some?
    >>
    >> I tried to report it to xtra, there used to be somewhere for forwarding
    >> spam messages, but it seems to have disappeared.
    >>
    >> Geopelia
    >>

    > Geop whatever you do, DO NOT open the zip file. It is a known virus.
    > http://www.symantec.com/security_response/writeup.jsp?docid=2004-012816-3647-99
    > Delete the whole damn thing.
    >

    Also :
    http://www.symantec.com/security_response/writeup.jsp?docid=2004-012612-5422-99
     
    Jonno, Dec 11, 2006
    #18
  19. Geopelia

    Fred Dagg Guest

    On Tue, 12 Dec 2006 07:38:47 +1300, thingy <>
    exclaimed:
    >>> I have received an odd message from Postmaster and don't know if it is
    >>> genuine or spam. Is anyone else getting this message?
    >>>
    >>> I'm suspicious because it is to: none, not addressed to me.
    >>>
    >>> Subject Postmaster error 550. This IP address has been blacklisted.
    >>> Postmaster error: your system is infected with W32.Novarg A.
    >>> A file is attached W32.Novarg .A.Removal.Zip (47.5KB)
    >>>
    >>> There is a lot more in the email, but I think you would recognise it from
    >>> the above.
    >>>
    >>> I've got a scan running, but my virus checker (pc-cillin) is up to date. I
    >>> update every time I use the computer. There is nothing in the Logs.
    >>>
    >>> Should I ignore it, or open the file, please?

    >>
    >> It is almost definitely a virus.
    >>
    >> The reason your virus software hasn't picked it up is that it will be
    >> a new variant. There's always a period of time between when a new
    >> virus hits, and when definitions are released that protect your
    >> machine from them (different antivirus vendors have different response
    >> rates. eg Symantec spends a great deal of money attempting to be first
    >> with protection for 0-day viruses).
    >>
    >> Incidentally, Novarg.A was a relatively large virus back in about
    >> 2004.

    >
    >and lots of virus writers use Symantec and other big anti-virus
    >companies to test how well their new code gets through un-scanned. So
    >there is considerable argument to use a smaller anti-virus company,
    >and/or several products. You lucky windows people you....


    Heh, true.

    Except you should NOT use more than one real-time scanner, or you end
    up with all sorts of race conditions and other problems, and it can
    slow your machine down to a crawl.
     
    Fred Dagg, Dec 11, 2006
    #19
  20. Geopelia

    Geopelia Guest

    "Mark C" <> wrote in message
    news:457ddaeb$0$28569$...
    > "Geopelia" <> wrote in
    > news:eljjd4$oo1$:
    >
    >> "Mike Dee" <> wrote in message
    >> news:...
    >>> Geopelia wrote:
    >>>
    >>>> Should I ignore it, or open the file, please?
    >>>
    >>> It's a virus. Do not open it.

    >>
    >> I wonder why it wasn't picked up by xtra or PC-cillin as spam.
    >> These virus people make things look so genuine now.

    >
    > The safest thing is to delete it.
    >
    > If you are curious, and CAREFUL, you can submit it to online
    > websites that will scan it for you.
    >
    > Detach (save) the ZIP file to a folder somewhere.
    > DO NOT open the ZIP file!
    >
    > Visit these sites, and use the Browse button to upload the ZIP
    > file:
    >
    > http://scanner.virus.org/
    > http://virusscan.jotti.org/
    >
    > Send an email according to the instructions on this site:
    >
    > http://www.virustotal.com/en/indexf.html
    >
    > HTH,
    > Mark


    Thank you, but I don't think I'll risk it.
    >
    >
     
    Geopelia, Dec 12, 2006
    #20