youneverknow Posted December 19, 2003

When I go to Horde mail I see messages that I know contain a virus. They appear to be the updates Microsoft has released. Why are these coming to my catchall email? The 'To' field does not contain my domain, but when I look at the message source I get this:

Return-path: <youneve@server38.totalchoicehosting.com>
Envelope-to: youneve@server38.totalchoicehosting.com
Delivery-date: Fri, 19 Dec 2003 05:01:38 -0600
Received: from youneve by server38.totalchoicehosting.com with local-bsmtp (Exim 4.24)
    id 1AXINx-00063K-1n
    for youneve@server38.totalchoicehosting.com; Fri, 19 Dec 2003 05:01:38 -0600
Received: from [213.36.80.91] (helo=mail.libertysurf.net)
    by server38.totalchoicehosting.com with esmtp (Exim 4.24)
    id 1AXINw-000639-2d
    for me@youneverknow.com; Fri, 19 Dec 2003 05:01:32 -0600
Received: from fiptqok (81.167.224.224) by mail.libertysurf.net (6.5.033)
    id 3FD6BE8800C866CD; Fri, 19 Dec 2003 12:00:29 +0100
Date: Fri, 19 Dec 2003 12:00:29 +0100 (added by postmaster@libertysurf.fr)
Message-ID: <3FD6BE8800C866CD@mail02.pds.libertysurf.fr> (added by postmaster@libertysurf.fr)
FROM: "MS Corporation Technical Services" <xpgfdfswpmvo@newsletters_msn.com>
TO: "MS Customer" <ojmux.ujoosr@newsletters_msn.com>
SUBJECT: Latest Network Upgrade
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="bzvockzregzfdl"
X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on server38.totalchoicehosting.com
X-Spam-Level: *
X-Spam-Status: No, hits=1.9 required=5.0 tests=HTML_MESSAGE,
    MICROSOFT_EXECUTABLE,MIME_HTML_NO_CHARSET,NO_DNS_FOR_FROM autolearn=no version=2.60

Secondly, is there a way I can block an email that has a certain file size? I notice that these unwanted emails usually contain an attachment file between, say, 145K and 156K. Can this be done...?

Thanks,
Doug
TCH-JimE Posted December 19, 2003

Hi,

This is an email which is basically some form of spam, or in your case, carries a virus. You can see it here:

>FROM: "MS Corporation Technical Services" <xpgfdfswpmvo@newsletters_msn.com>
>TO: "MS Customer" <ojmux.ujoosr@newsletters_msn.com>

As you can see, the "from" bit is basically rubbish, as it's a newsletters_msn which is no doubt a bogus .com name bought by someone else. The fact they sent it to themselves, and yet everyone else is not visible, is done via BCC (blank carbon copy), meaning no one else can see who is on the list; another trick used by people sending out mass email.

Other telltale signs are:

>mail.libertysurf.net

Which indicates a possible ISP or webhosting company. If you look at a real MSN email or, if you're very lucky, a real Microsoft email (they rarely get sent to anyone outside their own corporation with microsoft.com stuck on the end) you will see correct endings. Also if you trace the IP address, it does not end up in Bill Gates' back yard.

Blocking certain sizes? Hmmm, not sure.

Jim
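As an added example, not part of the original thread or of anything TCH ran: a Python script that does by hand what the two posts above describe. It rebuilds the message from the headers in the first post (`build_sample_message`, with a constructed 150 KB "MZ"-prefixed blob standing in for the real attachment; all function names are assumed), walks the Received chain oldest-first to pull out the originating IP that the whois lookup later in the thread keys on, checks whether the envelope recipient is hidden from To/Cc (the BCC/bulk sign Jim points at), reads the SpamAssassin test names, and applies the size band Doug asked about, but only alongside an executable or bulk-mail signal rather than on its own.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import getaddresses

OUR_HOST = "server38.totalchoicehosting.com"  # the only Received line we can vouch for
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
FROM_RE = re.compile(r"^from\s+\[?([^\s\[\]]+)")
BY_RE = re.compile(r"\bby\s+(\S+)")
TESTS_RE = re.compile(r"tests=([A-Z0-9_,]+)")
EXE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def build_sample_message() -> bytes:
    """Constructed sample: the headers from the first post, plus a dummy 150 KB
    blob (DOS/PE 'MZ' magic then zero padding) standing in for the real attachment."""
    m = EmailMessage()
    m["Return-path"] = "<youneve@server38.totalchoicehosting.com>"
    m["Envelope-to"] = "youneve@server38.totalchoicehosting.com"
    # Newest hop first, in the order servers prepend them.
    m["Received"] = ("from youneve by server38.totalchoicehosting.com with local-bsmtp (Exim 4.24) "
                     "id 1AXINx-00063K-1n for youneve@server38.totalchoicehosting.com; "
                     "Fri, 19 Dec 2003 05:01:38 -0600")
    m["Received"] = ("from [213.36.80.91] (helo=mail.libertysurf.net) by server38.totalchoicehosting.com "
                     "with esmtp (Exim 4.24) id 1AXINw-000639-2d for me@youneverknow.com; "
                     "Fri, 19 Dec 2003 05:01:32 -0600")
    m["Received"] = ("from fiptqok (81.167.224.224) by mail.libertysurf.net (6.5.033) "
                     "id 3FD6BE8800C866CD; Fri, 19 Dec 2003 12:00:29 +0100")
    m["From"] = '"MS Corporation Technical Services" <xpgfdfswpmvo@newsletters_msn.com>'
    m["To"] = '"MS Customer" <ojmux.ujoosr@newsletters_msn.com>'
    m["Subject"] = "Latest Network Upgrade"
    m["X-Spam-Status"] = ("No, hits=1.9 required=5.0 tests=HTML_MESSAGE,MICROSOFT_EXECUTABLE,"
                          "MIME_HTML_NO_CHARSET,NO_DNS_FOR_FROM autolearn=no version=2.60")
    m.set_content("<html><body>Install the attached update.</body></html>", subtype="html")
    blob = b"MZ" + b"\x00" * (150 * 1024 - 2)  # dummy payload, not a real binary
    m.add_attachment(blob, maintype="application", subtype="octet-stream", filename="Upgrade.exe")
    return m.as_bytes()


def parse(raw: bytes) -> EmailMessage:
    return message_from_bytes(raw, policy=policy.default)


def received_hops(msg):
    """Received hops oldest first, as (claimed sender, sender IP, receiving host)."""
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        text = " ".join(str(hdr).split())  # undo header folding
        frm, ip, by = FROM_RE.match(text), IP_RE.search(text), BY_RE.search(text)
        hops.append((frm.group(1) if frm else None,
                     ip.group(1) if ip else None,
                     by.group(1) if by else None))
    return hops


def origin_ips(msg):
    """(IP at the oldest hop, IP in the hop our own server wrote). Lines added by
    other people's servers can be forged; only the second value is certain."""
    hops = received_hops(msg)
    oldest = next((ip for _, ip, _ in hops if ip), None)
    ours = next((ip for _, ip, by in hops if ip and by == OUR_HOST), None)
    return oldest, ours


def envelope_mismatch(msg) -> bool:
    """True when the mailbox actually delivered to is absent from To/Cc,
    i.e. we were reached through BCC or a bulk recipient list."""
    env = str(msg.get("Envelope-to", "")).strip().lower()
    hdrs = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    return bool(env) and env not in {a.lower() for _, a in getaddresses(hdrs)}


def spam_tests(msg):
    hit = TESTS_RE.search(str(msg.get("X-Spam-Status", "")))
    return hit.group(1).split(",") if hit else []


def attachments(msg):
    """(filename, content type, decoded size, starts with DOS/PE 'MZ' magic)."""
    found = []
    for part in msg.iter_attachments():
        data = part.get_content()
        if isinstance(data, str):
            data = data.encode(part.get_content_charset() or "utf-8")
        found.append((part.get_filename(), part.get_content_type(), len(data), data[:2] == b"MZ"))
    return found


def verdict(msg, lo=145 * 1024, hi=156 * 1024):
    """Hold if an attachment is an executable, or if it sits in the size band AND
    the mail shows a bulk sign. Size alone is not a rule: plenty of legitimate
    attachments are 145-156 KB."""
    reasons = []
    for name, ctype, size, has_mz in attachments(msg):
        if has_mz or (name or "").lower().endswith(EXE_EXTS):
            reasons.append(f"executable attachment {name} ({size} bytes, {ctype})")
        elif lo <= size <= hi and (envelope_mismatch(msg) or spam_tests(msg)):
            reasons.append(f"{name} is {size} bytes, in the {lo}-{hi} band, and mail looks bulk")
    if "MICROSOFT_EXECUTABLE" in spam_tests(msg):
        reasons.append("SpamAssassin flagged MICROSOFT_EXECUTABLE")
    return bool(reasons), reasons


if __name__ == "__main__":
    msg = parse(build_sample_message())
    print("hops, oldest first:", received_hops(msg))
    print("origin IP / last hop we trust:", origin_ips(msg))
    print("envelope recipient hidden from To/Cc:", envelope_mismatch(msg))
    print("verdict:", verdict(msg))
```

Two things worth keeping in mind when reading the output. The oldest hop (fiptqok, 81.167.224.224) was written by mail.libertysurf.net, not by us, so it is only as honest as that relay; the hop our own server logged (213.36.80.91) is the one we can actually stand behind, and the abuse report should name both. And on the size question: assuming the host allows a per-user Exim filter file, Exim's filter language can test size alone with a condition of the form `if $message_size is above 145k`, but as the script shows, size by itself is a weak signal and is better combined with an executable or bulk-mail indicator.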
TCH-JimE Posted December 19, 2003

As a separate note, are you sure it has a virus in it? The servers stop viruses coming through, so if you think you have a virus in your email, contact the help desk and one of the Techs will be able to sort you out.

Jim
youneverknow (Author) Posted December 19, 2003

Thanks all, yes it is the Swen A virus. I have just sent a ticket to the support staff at TCH. Thanks for letting me know that this should be filtered out by the TCH servers.
TCH-Dick Posted December 19, 2003

===Analysis=====================================================================
From: IP address 81.167.224.224, host name 'dyn-81-167-224-224.ppp.tiscali.fr'.
Location: France - For a detailed geographic trace, run VisualRoute.

Received Headers:
DNS reports 'fiptqok' is not a known host name. in R3 (E11).
'fiptqok' may be the name of the computer that sent the e-mail, providing a clue as to the true identity of the person sending the e-mail. in R3 (I20).

netnum:      81.167.0.0 - 81.167.255.255
netname:     TISCALI-FRANCE
descr:       Tiscali France
country:     FR
admin-c:     BG34
admin-c:     LTAD1-RIPE
tech-c:      TTFR1-RIPE
status:      ASSIGNED PA
remarks:     **********************************************
remarks:     All abuse requests MUST be sent to 'abuse@tiscali.fr'
remarks:     and the logs must include the timezone and GMT offset.
remarks:     ripe-mnt@net.tiscali.fr IS NOT the mail to use to
remarks:     report abuses.
remarks:     Toute requete abuse DOIT etre envoyee a
remarks:     'abuse@tiscali.fr' et les logs doivent inclure l'heure
remarks:     exacte et le decalage GMT.
remarks:     ripe-mnt@net.tiscali.fr N'EST PAS le mail a utiliser
remarks:     pour signaler un abus.
remarks:     ***********************************************
notify:      ripe-mnt@net.tiscali.fr
mnt-by:      MNT-TISCALIFR
mnt-lower:   MNT-TISCALIFR
changed:     jerome.fleury@fr.tiscali.com 20030917
changed:     ripe-mnt@net.tiscali.fr 20031217
remarks:     Tag: Int
source:      RIPE