Very Strange Email From Xtra.

Discussion in 'NZ Computing' started by E. Scrooge, May 17, 2004.

  1. E. Scrooge

    E. Scrooge Guest

    At least it looks like it's come from Xtra - It might also have a virus in
    the attachment that came with it. The headers make it look like it came
    from Xtra. The attachment which I haven't done anything with is named
    "xtra.TXT.com" - it's the size of a virus at 49.7 KB.

    Has anyone else had a similar email? Below are brief message and headers.
    I've had nothing to do with Xtra.

    Cheers,
    E. Scrooge


    Your password was changed successfully.


    ++++ User-Service: http://www.xtra.co.nz
    ++++ MailTo:


    +-+-+ X- Mail_Scanner: No Virus found
    +-+-+ SLINGSHOT.CO- AntiVirus Service
    +-+-+ http://www.slingshot.co.nz


    Return-path: <>
    Envelope-to: *my Slingshot address*
    Delivery-date: Mon, 17 May 2004 10:26:14 +1200
    Received: from 210-54-67-136.dialup.xtra.co.nz ([210.54.67.136]
    helo=account.nz)
    by mailsrv1.tranzpeer.net with smtp (Exim 4.12)
    id 1BPU4x-0003lA-01; Mon, 17 May 2004 10:25:55 +1200
    From:
    To:
    Date: Sun, 16 May 2004 22:19:58 GMT
    Subject: FwD: Your mail account <ID:****>
    Importance: Normal
    X-Priority: 3 (Normal)
    X-MSMail-Priority: Normal
    Message-ID: <>
    MIME-Version: 1.0
    Content-Type: multipart/mixed; boundary="===31248369e6.be6e86"
    Content-Transfer-Encoding: 7bit
    X-Envelope-To: *my Slingshot address*
    E. Scrooge, May 17, 2004
    #1

  2. Dave - Dave.net.nz

    E. Scrooge wrote:

    > At least it looks like it's come from Xtra - It might also have a virus in
    > the attachment that came with it. The headers make it look like it came
    > from Xtra. The attachment which I haven't done anything with is named
    > "xtra.TXT.com" - it's the size of a virus at 49.7 KB.
    >
    > Has anyone else had a similar email? Below are brief message and headers.
    > I've had nothing to do with Xtra.


    I got one too, from the same IP, and not to my usenet addy...

    It had Bugbear attached to mine.
    Dave - Dave.net.nz, May 17, 2004
    #2

  3. paora Guest

    On Mon, 17 May 2004 11:19:58 +1200, "E. Scrooge" <scrooge@*shot.co.nz
    (*sling)> wrote:

    >At least it looks like it's come from Xtra - It might also have a virus in
    >the attachment that came with it. The headers make it look like it came
    >from Xtra. The attachment which I haven't done anything with is named
    >"xtra.TXT.com" - it's the size of a virus at 49.7 KB.
    >
    >Has anyone else had a similar email? Below are brief message and headers.
    >I've had nothing to do with Xtra.
    >
    >Cheers,
    >E. Scrooge
    >
    >
    >Your password was changed successfully.
    >

    I received a similar email with a 'pif' attachment.

    Your password was changed successfully.


    ++++ User-Service: http://www.paradise.net.nz
    ++++ MailTo:

    Attachment: paradise4509.eml.pif
    paora, May 17, 2004
    #3
  4. E. Scrooge Guest

    "Dave - Dave.net.nz" <> wrote in message
    news:...
    > E. Scrooge wrote:
    >
    > > At least it looks like it's come from Xtra - It might also have a virus in
    > > the attachment that came with it. The headers make it look like it came
    > > from Xtra. The attachment which I haven't done anything with is named
    > > "xtra.TXT.com" - it's the size of a virus at 49.7 KB.
    > >
    > > Has anyone else had a similar email? Below are brief message and headers.
    > > I've had nothing to do with Xtra.

    >
    > I got one too, from the same IP, and not to my usenet addy...
    >
    > It had Bugbear attached to mine.


    Not very likely from Xtra then?
    The bit about being "anti virus scanned" looked more like a clever decoy.
    Thanks for sharing your info about getting one.

    E. Scrooge
    E. Scrooge, May 17, 2004
    #4
  5. Jonski Guest

    On Mon, 17 May 2004 11:19:58 +1200, "E. Scrooge" <scrooge@*shot.co.nz
    (*sling)> wrote:

    >At least it looks like it's come from Xtra - It might also have a virus in
    >the attachment that came with it. The headers make it look like it came
    >from Xtra. The attachment which I haven't done anything with is named
    >"xtra.TXT.com" - it's the size of a virus at 49.7 KB.
    >
    >Has anyone else had a similar email? Below are brief message and headers.
    >I've had nothing to do with Xtra.


    Run it through www.spamcop.net to get the real source IP.

    What does your virus scanner say about the attachment?

    Cheers
    Kpm
    Jonski, May 17, 2004
    #5
  6. E. Scrooge Guest

    "Jonski" <!> wrote in message
    news:...
    > On Mon, 17 May 2004 11:19:58 +1200, "E. Scrooge" <scrooge@*shot.co.nz
    > (*sling)> wrote:
    >
    > >At least it looks like it's come from Xtra - It might also have a virus in
    > >the attachment that came with it. The headers make it look like it came
    > >from Xtra. The attachment which I haven't done anything with is named
    > >"xtra.TXT.com" - it's the size of a virus at 49.7 KB.
    > >
    > >Has anyone else had a similar email? Below are brief message and headers.
    > >I've had nothing to do with Xtra.

    >
    > Run it through www.spamcop.net to get the real source IP.
    >
    > What does your virus scanner say about the attachment?
    >
    > Cheers
    > Kpm


    Nothing as yet, as I haven't saved it or, worse still, tried to run it. I'm
    sure it can only be a virus. Clever to make it look like it's come from
    Xtra. It'd be easy for some people to be sucked into thinking that it's a safe
    email coming from Xtra.

    E. Scrooge
    E. Scrooge, May 17, 2004
    #6
  7. KT Guest

    "Dave - Dave.net.nz" <> wrote in message
    news:...
    > E. Scrooge wrote:
    >
    > > At least it looks like it's come from Xtra - It might also have a virus in
    > > the attachment that came with it. The headers make it look like it came
    > > from Xtra. The attachment which I haven't done anything with is named
    > > "xtra.TXT.com" - it's the size of a virus at 49.7 KB.
    > >
    > > Has anyone else had a similar email? Below are brief message and headers.
    > > I've had nothing to do with Xtra.

    >
    > I got one too, from the same IP, and not to my usenet addy...
    >
    > It had Bugbear attached to mine.


    Me too, same virus, same IP but from jetstream.xtra.co.nz
    KT, May 17, 2004
    #7
  8. paora Guest

    On Sun, 16 May 2004 23:39:00 GMT, (paora) wrote:

    >On Mon, 17 May 2004 11:19:58 +1200, "E. Scrooge" <scrooge@*shot.co.nz
    >(*sling)> wrote:
    >
    >>At least it looks like it's come from Xtra - It might also have a virus in
    >>the attachment that came with it. The headers make it look like it came
    >>from Xtra. The attachment which I haven't done anything with is named
    >>"xtra.TXT.com" - it's the size of a virus at 49.7 KB.
    >>
    >>Has anyone else had a similar email? Below are brief message and headers.
    >>I've had nothing to do with Xtra.
    >>
    >>Cheers,
    >>E. Scrooge
    >>
    >>
    >>Your password was changed successfully.
    >>

    >I received a similar email with a 'pif' attachment.
    >
    >Your password was changed successfully.
    >
    >
    >++++ User-Service: http://www.paradise.net.nz
    >++++ MailTo:
    >
    >Attachment: paradise4509.eml.pif
    >


    The attachment contains this virus

    http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=39112

    I-Worm.Sober.g
    paora, May 17, 2004
    #8
  9. joe_90 Guest

    E. Scrooge wrote:
    > Has anyone else had a similar email?


    Yup, had two similar emails yesterday - appeared to come from (or via)
    morenet.net.nz (can the 'Received: from' IP address be forged?).

    Quite clever and looks highly targeted using local knowledge - not your
    usual random garbage. I thought it was sufficiently different to report
    to their abuse dept. but probably wasting my time.

    Header from one follows -

    Return-Path: <>
    Delivered-To: /my_email_address/
    X-Envelope-To: /my_email_address/
    Received: (qmail 29380 invoked from network); 15 May 2004 01:23:25 -0000
    Received: from ip-210-185-5-77.internet.co.nz (HELO remailer.nz)
    (210.185.5.77)
    by pop3-3.paradise.net.nz with SMTP; 15 May 2004 01:23:25 -0000
    From:
    To:
    Date: Sat, 15 May 2004 01:17:01 GMT
    Subject: Delivery failure notice (Nr.:5164)
    Importance: Normal
    X-Priority: 3 (Normal)
    X-MSMail-Priority: Normal
    Message-ID: <>
    MIME-Version: 1.0
    Content-Type: multipart/mixed; boundary="1ae8c7.c162762f8335ec59"
    Content-Transfer-Encoding: 7bit
    This is a multi-part message in MIME format.

    --1ae8c7.c162762f8335ec59

    This e-mail was generated automatically.
    Information about -XTRA- under: http://www.xtra.co.nz

    -----
    Errors:

    90.50.227.20_does_not_like_recipient.
    % 447: This_account_has_been_discontinued_[#244].
    % 449: MAILBOX NOT FOUND
    % 224: mailbox_unavailable
    % 390: Remote_host_said:_delivery_error
    % 250: Giving_up_on_90.50.227.20.

    End
    -----

    The corrected mail is attached.

    Auto-ReMail.System#: [xtra]


    +-+-+ X- Mail_Scanner: No Virus found
    +-+-+ PARADISE.NET- AntiVirus Service
    +-+-+ http://www.paradise.net.nz
    --1ae8c7.c162762f8335ec59
    Content-Type: application/octet-stream; name=xtra8059.doc.scr
    Content-Transfer-Encoding: base64
    Content-Disposition: attachment; filename="xtra8059.doc.scr"
    joe_90, May 17, 2004
    #9
  10. Divine Guest

    On Mon, 17 May 2004 11:19:58 +1200, E. Scrooge wrote:

    > At least it looks like it's come from Xtra - It might also have a virus in
    > the attachment that came with it. The headers make it look like it came
    > from Xtra. The attachment which I haven't done anything with is named
    > "xtra.TXT.com" - it's the size of a virus at 49.7 KB.
    >
    > Has anyone else had a similar email? Below are brief message and headers.
    > I've had nothing to do with Xtra.


    It's a virus - note what extension would be showing if you hadn't unset
    your system from hide common file extensions.

    And note what the real file type is.


    Divine

    --
    The Queen's Mother: "Well I don't know what all you queens are doing,
    but this old Queen wants a drink."
    Divine, May 17, 2004
    #10
  11. E. Scrooge Guest

    "joe_90" <joe_90_invalid@_invalid.com> wrote in message
    news:R2Zpc.2545$...
    > E. Scrooge wrote:
    > > Has anyone else had a similar email?

    >
    > Yup, had two similar emails yesterday - appeared to come from (or via)
    > morenet.net.nz (can the 'Received: from' IP address be forged?).
    >
    > Quite clever and looks highly targeted using local knowledge - not your
    > usual random garbage. I thought it was sufficiently different to report
    > to their abuse dept. but probably wasting my time.
    >
    > Header from one follows -


    Thanks for that. I'm pretty sure that some bastard must be manually
    creating these emails and sending them to addresses found in NZ newsgroups.
    No program could create such detail, including the anti virus scan check
    tactic just to make it look as safe as. My email in the newsgroups needs to
    be altered, which a scavenger program wouldn't notice.
    A virus going from PC to PC from overseas wouldn't worry about the NZ crap
    to make it look like it was only directly from main NZ ISPs - IMO.

    E. Scrooge
    E. Scrooge, May 17, 2004
    #11
  12. Gordon Smith Guest

    "joe_90" <joe_90_invalid@_invalid.com> wrote in message
    news:R2Zpc.2545$...
    > E. Scrooge wrote:
    > > Has anyone else had a similar email?

    >
    > Yup, had two similar emails yesterday - appeared to come from (or via)
    > morenet.net.nz (can the 'Received: from' IP address be forged?).
    >
    > Quite clever and looks highly targeted using local knowledge - not your
    > usual random garbage. I thought it was sufficiently different to report
    > to their abuse dept. but probably wasting my time.
    >
    > Header from one follows -
    >
    > Return-Path: <>
    > Delivered-To: /my_email_address/
    > X-Envelope-To: /my_email_address/
    > Received: (qmail 29380 invoked from network); 15 May 2004 01:23:25 -0000
    > Received: from ip-210-185-5-77.internet.co.nz (HELO remailer.nz)
    > (210.185.5.77)


    <snip>

    That address is actually used by ICONZ. Morenet handed that range back about
    6 months ago. Give the ICONZ abuse desk a shout.
    Gordon Smith, May 17, 2004
    #12
  13. zed Guest

    E. Scrooge wrote:
    > "joe_90" <joe_90_invalid@_invalid.com> wrote in message
    > news:R2Zpc.2545$...
    >
    >>E. Scrooge wrote:
    >>
    >>>Has anyone else had a similar email?

    >>
    >>Yup, had two similar emails yesterday - appeared to come from (or via)
    >>morenet.net.nz (can the 'Received: from' IP address be forged?).
    >>
    >>Quite clever and looks highly targeted using local knowledge - not your
    >>usual random garbage. I thought it was sufficiently different to report
    >>to their abuse dept. but probably wasting my time.
    >>
    >>Header from one follows -

    >
    >
    > Thanks for that. I'm pretty sure that some bastard must be manually
    > creating these emails and sending them to addresses found in NZ newsgroups.
    > No program could create such detail, including the anti virus scan check
    > tactic just to make it look as safe as. My email in the newsgroups needs to
    > be altered, which a scavenger program wouldn't notice.
    > A virus going from PC to PC from overseas wouldn't worry about the NZ crap
    > to make it look like it was only directly from main NZ ISPs - IMO.
    >
    > E. Scrooge
    >
    >

    No, I don't think so.
    These worms scan your HD for files containing email addresses, and are
    coded with their own SMTP engine, so spoofed headers are np. Chances
    are that they will be from someone local, who - somewhere on their HD -
    has your email address. So, they grab the name of a random (but probably
    local) ISP to spoof the sender, and tend to send themselves out to local
    people, 'cause those addresses are in the local machine's files. It
    seems that maybe they also have the language thing sorted, as earlier
    versions of the Sober worm that I got have been in German as well as
    English, but Sober.G only in English. I guess it's not that hard to check
    the language setting in Windows, and send itself out in the language of the
    infected machine.

    A bloody annoying thing is that a .pif file extension isn't shown by
    Windows when the file is on your desktop, even though explorer is set up
    to show all file extensions.

    Note that H&BEDV Free-AV will detect Sober.G (has done for several days).
    zed, May 17, 2004
    #13
  14. E. Scrooge Guest

    "zed" <> wrote in message
    news:...
    > E. Scrooge wrote:
    > > "joe_90" <joe_90_invalid@_invalid.com> wrote in message
    > > news:R2Zpc.2545$...
    > >
    > >>E. Scrooge wrote:
    > >>
    > >>>Has anyone else had a similar email?
    > >>
    > >>Yup, had two similar emails yesterday - appeared to come from (or via)
    > >>morenet.net.nz (can the 'Received: from' IP address be forged?).
    > >>
    > >>Quite clever and looks highly targeted using local knowledge - not your
    > >>usual random garbage. I thought it was sufficiently different to report
    > >>to their abuse dept. but probably wasting my time.
    > >>
    > >>Header from one follows -

    > >
    > >
    > > Thanks for that. I'm pretty sure that some bastard must be manually
    > > creating these emails and sending them to addresses found in NZ newsgroups.
    > > No program could create such detail, including the anti virus scan check
    > > tactic just to make it look as safe as. My email in the newsgroups needs to
    > > be altered, which a scavenger program wouldn't notice.
    > > A virus going from PC to PC from overseas wouldn't worry about the NZ crap
    > > to make it look like it was only directly from main NZ ISPs - IMO.
    > >
    > > E. Scrooge
    > >
    > >

    > No I don't think so.
    > These worms scan your HD for files containing email addresses, and are
    > coded with their own SMTP engine, so spoofed headers are np. Chances
    > are that they will be from someone local, who - somewhere on their HD -
    > has your email address. So, they grab the name of random (but probably
    > local) ISP to spoof sender, and tend to send themselves out to local
    > people, 'cause those addresses are in the local machine's files. It
    > seems that maybe they also have the language thing sorted, as earlier
    > versions of the sober worm that I got have been in German as well as
    > english, but Sober.G only in english. I guess not that hard to check
    > language setting in Windows, and send itself out in the language of the
    > infected machine.
    >
    > A bloody annoying thing is that a .pif file extension isn't shown by
    > Windows when the file is on your desktop, even though explorer is set up
    > to show all file extensions.
    >
    > Note that H&BEDV Free-AV will detect Sober.G (has done for several days).


    Someone has set up the message displayed to be local with NZ refs - Xtra and
    my ISP Slingshot, with crap about being scanned with anti virus software all
    in the message display.
    Not many have my address. Also the virus would have to have found
    ...." on someone's computer, most likely in an address book.
    Still, there is someone on Xtra that contacted me recently, which could be
    worth looking at in case they have a virus on the PC they used.

    E. Scrooge
    E. Scrooge, May 18, 2004
    #14
  15. zed Guest

    E. Scrooge wrote:

    > "zed" <> wrote in message
    > news:...
    >
    >>E. Scrooge wrote:
    >>
    >>>"joe_90" <joe_90_invalid@_invalid.com> wrote in message
    >>>news:R2Zpc.2545$...
    >>>
    >>>
    >>>>E. Scrooge wrote:
    >>>>
    >>>>
    >>>>>Has anyone else had a similar email?
    >>>>
    >>>>Yup, had two similar emails yesterday - appeared to come from (or via)
    >>>>morenet.net.nz (can the 'Received: from' IP address be forged?).
    >>>>
    >>>>Quite clever and looks highly targeted using local knowledge - not your
    >>>>usual random garbage. I thought it was sufficiently different to report
    >>>>to their abuse dept. but probably wasting my time.
    >>>>
    >>>>Header from one follows -
    >>>
    >>>
    >>>Thanks for that. I'm pretty sure that some bastard must be manually
    >>>creating these emails and sending them to addresses found in NZ newsgroups.
    >>>No program could create such detail, including the anti virus scan check
    >>>tactic just to make it look as safe as. My email in the newsgroups needs to
    >>>be altered, which a scavenger program wouldn't notice.
    >>>A virus going from PC to PC from overseas wouldn't worry about the NZ crap
    >>>to make it look like it was only directly from main NZ ISPs - IMO.
    >>>
    >>>E. Scrooge
    >>>
    >>>

    >>
    >>No I don't think so.
    >>These worms scan your HD for files containing email addresses, and are
    >>coded with their own SMTP engine, so spoofed headers are np. Chances
    >>are that they will be from someone local, who - somewhere on their HD -
    >>has your email address. So, they grab the name of random (but probably
    >>local) ISP to spoof sender, and tend to send themselves out to local
    >>people, 'cause those addresses are in the local machine's files. It
    >>seems that maybe they also have the language thing sorted, as earlier
    >>versions of the sober worm that I got have been in German as well as
    >>english, but Sober.G only in english. I guess not that hard to check
    >>language setting in Windows, and send itself out in the language of the
    >>infected machine.
    >>
    >>A bloody annoying thing is that a .pif file extension isn't shown by
    >>Windows when the file is on your desktop, even though explorer is set up
    >>to show all file extensions.
    >>
    >>Note that H&BEDV Free-AV will detect Sober.G (has done for several days).

    >
    >
    > Someone has setup the message displayed to be local with NZ ref - Xtra and
    > my ISP Slingshot with crap about being scanned with anti virus software all
    > in the message display.
    > Not many have my address. Also the virus would have to have found
    > ...." on someone's computer, most likely in an address book.
    > Still, there is someone on Xtra that contacted me recently, which could be
    > worth looking at in case they have a virus on the PC they used.
    >
    > E. Scrooge
    >
    >


    If the worm has harvested the ISP domain name, then it's easy for it to
    forge a From of accounts/administrator or whatever @domain name. AFAIK the
    worm may not have had to have come from an Xtra account user; it could be
    anyone with an Xtra email address stored on their PC in any of the hundreds
    of files that it searches. That is probably just about everyone you know.
    zed, May 18, 2004
    #15
  16. E. Scrooge Guest

    "zed" <> wrote in message
    news:...
    > E. Scrooge wrote:
    >
    > > "zed" <> wrote in message
    > > news:...
    > >
    > >>E. Scrooge wrote:
    > >>
    > >>>"joe_90" <joe_90_invalid@_invalid.com> wrote in message
    > >>>news:R2Zpc.2545$...
    > >>>
    > >>>
    > >>>>E. Scrooge wrote:
    > >>>>
    > >>>>
    > >>>>>Has anyone else had a similar email?
    > >>>>
    > >>>>Yup, had two similar emails yesterday - appeared to come from (or via)
    > >>>>morenet.net.nz (can the 'Received: from' IP address be forged?).
    > >>>>
    > >>>>Quite clever and looks highly targeted using local knowledge - not your
    > >>>>usual random garbage. I thought it was sufficiently different to report
    > >>>>to their abuse dept. but probably wasting my time.
    > >>>>
    > >>>>Header from one follows -
    > >>>
    > >>>
    > >>>Thanks for that. I'm pretty sure that some bastard must be manually
    > >>>creating these emails and sending them to addresses found in NZ newsgroups.
    > >>>No program could create such detail, including the anti virus scan check
    > >>>tactic just to make it look as safe as. My email in the newsgroups needs to
    > >>>be altered, which a scavenger program wouldn't notice.
    > >>>A virus going from PC to PC from overseas wouldn't worry about the NZ crap
    > >>>to make it look like it was only directly from main NZ ISPs - IMO.
    > >>>
    > >>>E. Scrooge
    > >>>
    > >>>
    > >>
    > >>No I don't think so.
    > >>These worms scan your HD for files containing email addresses, and are
    > >>coded with their own SMTP engine, so spoofed headers are np. Chances
    > >>are that they will be from someone local, who - somewhere on their HD -
    > >>has your email address. So, they grab the name of random (but probably
    > >>local) ISP to spoof sender, and tend to send themselves out to local
    > >>people, 'cause those addresses are in the local machine's files. It
    > >>seems that maybe they also have the language thing sorted, as earlier
    > >>versions of the sober worm that I got have been in German as well as
    > >>english, but Sober.G only in english. I guess not that hard to check
    > >>language setting in Windows, and send itself out in the language of the
    > >>infected machine.
    > >>
    > >>A bloody annoying thing is that a .pif file extension isn't shown by
    > >>Windows when the file is on your desktop, even though explorer is set up
    > >>to show all file extensions.
    > >>
    > >>Note that H&BEDV Free-AV will detect Sober.G (has done for several days).
    > >
    > >
    > > Someone has setup the message displayed to be local with NZ ref - Xtra and
    > > my ISP Slingshot with crap about being scanned with anti virus software all
    > > in the message display.
    > > Not many have my address. Also the virus would have to have found
    > > ...." on someone's computer, most likely in an address book.
    > > Still, there is someone on Xtra that contacted me recently, which could be
    > > worth looking at in case they have a virus on the PC they used.
    > >
    > > E. Scrooge
    > >
    > >

    >
    > If the worm has harvested the isp domain name, then it's easy for it to
    > forge a from accounts/administrator or whatever @domain name. AFAIK the
    > worm may not have had to have come from an xtra account user, could be
    > anyone with an xtra email address stored on their PC in any of hundreds
    > of files that it searches. That is probably just about everyone you know.


    Only an Xtra user would need to contact accounts@Xtra and even then why
    would they bother putting that in their address book. The NZ message
    details would hardly come in from a virus overseas, someone has created the
    message adding the virus to it.

    E. Scrooge
    E. Scrooge, May 18, 2004
    #16
  17. Dave - Dave.net.nz

    E. Scrooge wrote:
    > Only an Xtra user would need to contact accounts@Xtra and even then why
    > would they bother putting that in their address book. The NZ message
    > details would hardly come in from a virus overseas, someone has created the
    > message adding the virus to it.


    There is a user who I do some work for who forwards all sorts of crap
    emails to all in her address book, two of them being accounts@xtra and
    help@xtra. Now, if someone who receives her crap emails all the time had
    a virus, then it may well find the address from looking through the DBX
    files... lovely viruses that they are.
    Dave - Dave.net.nz, May 18, 2004
    #17
  18. zed Guest

    E. Scrooge wrote:
    > "zed" <> wrote in message
    > news:...
    >
    >>E. Scrooge wrote:
    >>
    >>
    >>>"zed" <> wrote in message
    >>>news:...
    >>>
    >>>
    >>>>E. Scrooge wrote:
    >>>>
    >>>>
    >>>>>"joe_90" <joe_90_invalid@_invalid.com> wrote in message
    >>>>>news:R2Zpc.2545$...
    >>>>>
    >>>>>
    >>>>>
    >>>>>>E. Scrooge wrote:
    >>>>>>
    >>>>>>
    >>>>>>
    >>>>>>>Has anyone else had a similar email?
    >>>>>>
    >>>>>>Yup, had two similar emails yesterday - appeared to come from (or via)
    >>>>>>morenet.net.nz (can the 'Received: from' IP address be forged?).
    >>>>>>
    >>>>>>Quite clever and looks highly targeted using local knowledge - not your
    >>>>>>usual random garbage. I thought it was sufficiently different to report
    >>>>>>to their abuse dept. but probably wasting my time.
    >>>>>>
    >>>>>>Header from one follows -
    >>>>>
    >>>>>
    >>>>>Thanks for that. I'm pretty sure that some bastard must be manually
    >>>>>creating these emails and sending them to addresses found in NZ newsgroups.
    >>>>>No program could create such detail, including the anti virus scan check
    >>>>>tactic just to make it look as safe as. My email in the newsgroups needs to
    >>>>>be altered, which a scavenger program wouldn't notice.
    >>>>>A virus going from PC to PC from overseas wouldn't worry about the NZ crap
    >>>>>to make it look like it was only directly from main NZ ISPs - IMO.
    >>>>>
    >>>>>E. Scrooge
    >>>>>
    >>>>>
    >>>>
    >>>>No I don't think so.
    >>>>These worms scan your HD for files containing email addresses, and are
    >>>>coded with their own SMTP engine, so spoofed headers are np. Chances
    >>>>are that they will be from someone local, who - somewhere on their HD -
    >>>>has your email address. So, they grab the name of random (but probably
    >>>>local) ISP to spoof sender, and tend to send themselves out to local
    >>>>people, 'cause those addresses are in the local machine's files. It
    >>>>seems that maybe they also have the language thing sorted, as earlier
    >>>>versions of the sober worm that I got have been in German as well as
    >>>>english, but Sober.G only in english. I guess not that hard to check
    >>>>language setting in Windows, and send itself out in the language of the
    >>>>infected machine.
    >>>>
    >>>>A bloody annoying thing is that a .pif file extension isn't shown by
    >>>>Windows when the file is on your desktop, even though explorer is set up
    >>>>to show all file extensions.
    >>>>
    >>>>Note that H&BEDV Free-AV will detect Sober.G (has done for several days).
    >>>
    >>>Someone has setup the message displayed to be local with NZ ref - Xtra and
    >>>my ISP Slingshot with crap about being scanned with anti virus software all
    >>>in the message display.
    >>>Not many have my address. Also the virus would have to have found
    >>>...." on someone's computer, most likely in an address book.
    >>>Still, there is someone on Xtra that contacted me recently, which could be
    >>>worth looking at in case they have a virus on the PC they used.
    >>>
    >>>E. Scrooge
    >>>
    >>>

    >>
    >>If the worm has harvested the isp domain name, then it's easy for it to
    >>forge a from accounts/administrator or whatever @domain name. AFAIK the
    >>worm may not have had to have come from an xtra account user, could be
    >>anyone with an xtra email address stored on their PC in any of hundreds
    >>of files that it searches. That is probably just about everyone you know.

    >
    >
    > Only an Xtra user would need to contact accounts@Xtra and even then why
    > would they bother putting that in their address book. The NZ message
    > details would hardly come in from a virus overseas, someone has created the
    > message adding the virus to it.
    >
    > E. Scrooge
    >
    >

    My point was that it doesn't need the full address. It will harvest the
    xtra.co.nz bit from an infected user's PC. It will then send itself
    out from accounts@xtra..., administrator@xtra..., or whatever to try to
    fool users into thinking that it is for real. The swines that create
    these things make incremental improvements all the time. IMO the only
    one that deserves credit and condemnation is the clever bugger in South
    Africa who unleashed the original "happy99" - the first email worm. All
    the rest are just copycats. The possible exception is the swine that
    came up with MSBlaster, which has been the only newly creative and
    effective (or more accurately destructive) effort for about 5 years or so.
    zed, May 18, 2004
    #18
  19. Enkidu Guest

    A clue: Xtra doesn't usually mail out through a dialup address.

    Cheers,

    Cliff

    On Mon, 17 May 2004 11:19:58 +1200, "E. Scrooge" <scrooge@*shot.co.nz
    (*sling)> wrote:

    >At least it looks like it's come from Xtra - It might also have a virus in
    >the attachment that came with it. The headers make it look like it came
    >from Xtra. The attachment which I haven't done anything with is named
    >"xtra.TXT.com" - it's the size of a virus at 49.7 KB.
    >
    >Has anyone else had a similar email? Below are brief message and headers.
    >I've had nothing to do with Xtra.
    >
    >Your password was changed successfully.
    >
    >
    >++++ User-Service: http://www.xtra.co.nz
    >++++ MailTo:
    >
    >
    >+-+-+ X- Mail_Scanner: No Virus found
    >+-+-+ SLINGSHOT.CO- AntiVirus Service
    >+-+-+ http://www.slingshot.co.nz
    >
    >
    >Return-path: <>
    >Envelope-to: *my Slingshot address*
    >Delivery-date: Mon, 17 May 2004 10:26:14 +1200
    >Received: from 210-54-67-136.dialup.xtra.co.nz ([210.54.67.136]
    >helo=account.nz)
    > by mailsrv1.tranzpeer.net with smtp (Exim 4.12)
    > id 1BPU4x-0003lA-01; Mon, 17 May 2004 10:25:55 +1200
    >From:
    >To:
    >Date: Sun, 16 May 2004 22:19:58 GMT
    >Subject: FwD: Your mail account <ID:****>
    >Importance: Normal
    >X-Priority: 3 (Normal)
    >X-MSMail-Priority: Normal
    >Message-ID: <>
    >MIME-Version: 1.0
    >Content-Type: multipart/mixed; boundary="===31248369e6.be6e86"
    >Content-Transfer-Encoding: 7bit
    >X-Envelope-To: *my Slingshot address*
    >
    >
    >
    Enkidu, May 18, 2004
    #19
  20. Enkidu Guest

    On Tue, 18 May 2004 15:21:44 +1200, "E. Scrooge" <scrooge@*shot.co.nz
    (*sling)> wrote:
    >
    >Only an Xtra user would need to contact accounts@Xtra and even then why
    >would they bother putting that in their address book. The NZ message
    >details would hardly come in from a virus overseas, someone has created the
    >message adding the virus to it.
    >

    The crucial bit is this:

    >>Received: from 210-54-67-136.dialup.xtra.co.nz ([210.54.67.136]
    >>helo=account.nz)
    >> by mailsrv1.tranzpeer.net with smtp (Exim 4.12)
    >> id 1BPU4x-0003lA-01; Mon, 17 May 2004 10:25:55 +1200


    The first "Received:" header is usually accurate, and this seems to
    indicate an Xtra dialup user with a virus sending mail out through
    tranzpeer.net.

    I've had emails addressed to accounts@<mydomainname>. It's a common
    forgery.

    Cheers,

    Cliff
    Enkidu, May 18, 2004
    #20
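Putting together Enkidu's point about the first Received header and Divine's point about the real file type, as an added example that is not from any poster in this thread: it walks the Received chain from the bottom on constructed copies of the header blocks quoted in posts #1 and #9 (the scrubbed From address replaced with the accounts@ forgery the thread describes), flags a HELO name that does not match the connecting host, an end-user reverse-DNS name, and a From domain that differs from the relay the mail entered through, and looks past the decoy extension in names like xtra.TXT.com. The DYNAMIC_HINTS list, the extension sets and the relay-domain check are heuristics assumed for this example.

```python
"""Header and attachment triage for the mails discussed in this thread.
Example code written for this page, not from any poster; the sample header
blocks copy those quoted in posts #1 and #9 with placeholder addresses."""
import email
import re

# Constructed sample: the Exim header block quoted in post #1.
SAMPLE_XTRA = """\
Return-path: <>
Received: from 210-54-67-136.dialup.xtra.co.nz ([210.54.67.136]
    helo=account.nz)
    by mailsrv1.tranzpeer.net with smtp (Exim 4.12)
    id 1BPU4x-0003lA-01; Mon, 17 May 2004 10:25:55 +1200
From: accounts@xtra.co.nz
Subject: FwD: Your mail account <ID:****>

"""

# Constructed sample: the qmail header block quoted in post #9.
SAMPLE_PARADISE = """\
Return-Path: <>
Received: (qmail 29380 invoked from network); 15 May 2004 01:23:25 -0000
Received: from ip-210-185-5-77.internet.co.nz (HELO remailer.nz)
    (210.185.5.77)
    by pop3-3.paradise.net.nz with SMTP; 15 May 2004 01:23:25 -0000
From: accounts@xtra.co.nz
Subject: Delivery failure notice (Nr.:5164)

"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
FROM_RE = re.compile(r"^from\s+(\S+)", re.I)
IP_RE = re.compile(r"[\[(]" + IPV4 + r"[\])]")
HELO_RE = re.compile(r"\bhelo[=\s]+([^)\s]+)", re.I)
BY_RE = re.compile(r"\bby\s+(\S+)", re.I)

# Heuristic assumed for this example (not a standard list): reverse-DNS labels
# ISPs put on end-user lines, which an ISP's own mail server would not carry.
DYNAMIC_HINTS = ("dialup", "dial-up", "ppp", "jetstream")
# File types Windows runs, and the "document" types used to disguise them.
EXEC_EXT = {"com", "pif", "scr", "exe", "bat", "cmd", "vbs", "js"}
DECOY_EXT = {"txt", "doc", "eml", "jpg", "gif", "pdf", "htm", "html", "zip"}


def parse_received(value):
    """Describe the hop in one Received header (Exim and qmail styles).
    Returns None for a local hop such as '(qmail NNN invoked from network)'."""
    text = " ".join(value.split())  # unfold the header and squeeze spaces
    m_from, m_ip = FROM_RE.search(text), IP_RE.search(text)
    if not (m_from and m_ip):
        return None
    m_helo, m_by = HELO_RE.search(text), BY_RE.search(text)
    return {
        "rdns": m_from.group(1).lower(),
        "ip": m_ip.group(1),
        "helo": m_helo.group(1).lower() if m_helo else None,
        "by": m_by.group(1).lower() if m_by else None,
    }


def analyse(raw_headers):
    """Find the first recorded hop (the bottom Received header, written by the
    relay that accepted the connection) and list the thread's tell-tales."""
    msg = email.message_from_string(raw_headers)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    sender_domain = (msg.get("From") or "").rsplit("@", 1)[-1].strip("<> ").lower()
    result = {"origin": None, "findings": []}
    if not hops:
        result["findings"].append("no usable Received header")
        return result
    origin = result["origin"] = hops[-1]
    if origin["helo"] and not origin["rdns"].endswith(origin["helo"]):
        result["findings"].append(
            f"HELO {origin['helo']} does not match connecting host {origin['rdns']}")
    if any(hint in origin["rdns"] for hint in DYNAMIC_HINTS):
        result["findings"].append(
            f"origin {origin['rdns']} is an end-user line, not an ISP mail server")
    if sender_domain and origin["by"] and not origin["by"].endswith(sender_domain):
        result["findings"].append(
            f"From claims {sender_domain} but the mail entered via {origin['by']}")
    return result


def classify_attachment(filename):
    """Look past the extension a user sees to the one the OS acts on."""
    parts = filename.lower().split(".")
    final = parts[-1] if len(parts) > 1 else ""
    decoy = parts[-2] if len(parts) > 2 else ""
    return {
        "real_ext": final,
        "decoy_ext": decoy if decoy in DECOY_EXT else "",
        "executable": final in EXEC_EXT,
        "double_extension": final in EXEC_EXT and decoy in DECOY_EXT,
    }


if __name__ == "__main__":
    for label, raw in (("post #1", SAMPLE_XTRA), ("post #9", SAMPLE_PARADISE)):
        print(label, analyse(raw))
    for name in ("xtra.TXT.com", "paradise4509.eml.pif", "xtra8059.doc.scr"):
        print(name, classify_attachment(name))
```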
