tmwes Posted March 3, 2004

I'm assuming it is some kind of virus, but it seems strange. I update my definitions daily, but today I got the following:

Dear user of Portlandsoxfan.com,
Some of our clients complained about the spam (negative e-mail content) outgoing from your e-mail account. Probably, you have been infected by a proxy-relay trojan server. In order to keep your computer safe, follow the instructions. For more information see the attached file. For security reasons attached file is password protected. The password is "01415".
Cheers, The Portlandsoxfan.com team

This came with an attachment called text.zip that comes up clean when scanned. Now the funny thing is, there IS no staff@portlandsoxfan.com, as I am a one-man operation. Here is the detail:

Return-path: <portlan@server20.totalchoicehosting.com>
Envelope-to: psf@portlandsoxfan.com
Delivery-date: Tue, 02 Mar 2004 19:26:44 -0500
Received: from portlan by server20.totalchoicehosting.com with local-bsmtp (Exim 4.24) id 1AyKDj-0003cv-Gs for psf@portlandsoxfan.com; Tue, 02 Mar 2004 19:26:44 -0500
Received: from [141.211.138.55] (helo=michael-a7jfe9q) by server20.totalchoicehosting.com with smtp (Exim 4.24) id 1AyKDj-0003cp-4P for psf@portlandsoxfan.com; Tue, 02 Mar 2004 19:26:43 -0500
Date: Tue, 02 Mar 2004 19:26:44 -0500
To: psf@portlandsoxfan.com
Subject: E-mail account disabling warning.
From: staff@portlandsoxfan.com
Message-ID: <qwtoysfeshkgqjginhy@portlandsoxfan.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--------ibjtinqlmvrsbmggfkgd"
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on server20.totalchoicehosting.com
X-Spam-Status: No, hits=-1.3 required=5.0 tests=BAYES_20,NO_REAL_NAME autolearn=no version=2.63
X-Spam-Level:

My concern is that portlan@server20.totalchoicehosting.com is my main account name... any ideas? My system still comes up clean.
EDIT: OK, I'm tired... it appears that this is a clever little virus that takes the domain of your email address and makes it look like a custom email from the domain owner. IP goes back to University of Michigan... and I'm not even an Ohio State fan.
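Added example (editor's code, not part of tmwes's post or the thread): the posted headers, walked the way the poster did by hand. Received: lines are prepended by each relay, so the bottom one is the earliest hop; the first hop that the recipient's own server accepted from an outside host is where the message entered, and that host (141.211.138.55, announcing itself as a bare machine name "michael-a7jfe9q") is compared against the From: domain. The sample headers are the posted ones retyped one per line; the trusted-relay set is an assumption naming the hosting server from those headers.

```python
"""Work out where a message really came from by walking its Received: chain.

Added example, not code from the forum thread. SAMPLE_HEADERS are the headers
tmwes posted, retyped one header per line. TRUSTED_RELAYS is an assumption for
this example: the recipient's own hosting server as it appears in them.
"""
import email
import re
from dataclasses import dataclass
from email.utils import parseaddr
from typing import List, Optional

SAMPLE_HEADERS = """\
Return-path: <portlan@server20.totalchoicehosting.com>
Envelope-to: psf@portlandsoxfan.com
Delivery-date: Tue, 02 Mar 2004 19:26:44 -0500
Received: from portlan by server20.totalchoicehosting.com with local-bsmtp (Exim 4.24) id 1AyKDj-0003cv-Gs for psf@portlandsoxfan.com; Tue, 02 Mar 2004 19:26:44 -0500
Received: from [141.211.138.55] (helo=michael-a7jfe9q) by server20.totalchoicehosting.com with smtp (Exim 4.24) id 1AyKDj-0003cp-4P for psf@portlandsoxfan.com; Tue, 02 Mar 2004 19:26:43 -0500
Date: Tue, 02 Mar 2004 19:26:44 -0500
To: psf@portlandsoxfan.com
Subject: E-mail account disabling warning.
From: staff@portlandsoxfan.com
Message-ID: <qwtoysfeshkgqjginhy@portlandsoxfan.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--------ibjtinqlmvrsbmggfkgd"
X-Spam-Status: No, hits=-1.3 required=5.0 tests=BAYES_20,NO_REAL_NAME autolearn=no version=2.63
"""

# Assumption: the only relay whose Received: lines we trust is the
# recipient's own hosting server named in the posted headers.
TRUSTED_RELAYS = frozenset({"server20.totalchoicehosting.com"})

RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+)(?:\s+\((?P<paren>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.I)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


@dataclass
class Hop:
    from_host: Optional[str]   # host the relay saw (brackets stripped)
    ip: Optional[str]          # sender IP recorded by the relay, if any
    helo: Optional[str]        # HELO/EHLO name the sender announced
    by: Optional[str]          # relay that wrote this Received: line


def parse_received(value: str) -> Hop:
    """Pull the 'from X (helo=Y) by Z' parts out of one Received: header."""
    m = RECEIVED_RE.search(" ".join(value.split()))
    if not m:
        return Hop(None, None, None, None)
    frm = m.group("from").strip("[]")
    paren = m.group("paren") or ""
    ip = IPV4_RE.search(frm) or IPV4_RE.search(paren)
    helo = re.search(r"helo=(\S+)", paren, re.I)
    return Hop(frm, ip.group(0) if ip else None,
               helo.group(1) if helo else None, m.group("by"))


def originating_hop(hops: List[Hop], trusted=TRUSTED_RELAYS) -> Optional[Hop]:
    """Received: lines are prepended, so the last one is the earliest. Walk
    bottom-up and stop at the first hop a trusted relay accepted from a host
    that is not itself trusted: that is where the message entered."""
    for hop in reversed(hops):
        if hop.by in trusted and hop.from_host not in trusted:
            return hop
    return hops[-1] if hops else None


def domain_of(address_header: str) -> str:
    return parseaddr(address_header)[1].rpartition("@")[2].lower()


def assess(raw_headers: str, trusted=TRUSTED_RELAYS) -> dict:
    """Compare the From: domain with the hop that actually delivered the message."""
    msg = email.message_from_string(raw_headers)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    origin = originating_hop(hops, trusted)
    from_dom = domain_of(msg.get("From", ""))
    to_dom = domain_of(msg.get("To", ""))
    flags = []
    if origin and from_dom and from_dom == to_dom and origin.from_host not in trusted:
        flags.append("From: uses the recipient's own domain, but the message "
                     "entered from an outside host")
    if origin and origin.helo and "." not in origin.helo:
        flags.append("HELO is a bare machine name, not a mail server's FQDN")
    return {
        "from_domain": from_dom,
        "origin_ip": origin.ip if origin else None,
        "helo": origin.helo if origin else None,
        "flags": flags,
        "spoofed": bool(flags),
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_HEADERS).items():
        print(f"{key}: {value}")
```

The Return-path (portlan@server20...) is not evidence of compromise: it is the envelope sender Exim stamped on local delivery, which is why it matches the hosting account name. The SpamAssassin score of -1.3 on the same headers shows why a content filter alone did not catch this.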
MikeJ Posted March 3, 2004 (edited)

That looks like the headers of the email that is warning you. Do you have the headers of the email that caused the warning by chance? Just saw your edit... if that's the headers from the email that caused the warning, then you are correct.

Edited March 3, 2004 by TCH-MikeJ
tmwes (Author) Posted March 3, 2004

Mike... the email is indeed warning me. However, this is impossible as it would be ME warning ME. Portlandsoxfan.com is my domain, and I don't have a 'staff@portlandsoxfan.com' email set up. Looks to me like somebody with my email in their address book got hit with this virus... and the virus strips 'abc.com' from somebody's email address and makes it look like a real email from a domain owner... I know a dude who comes to my site who is a Michigan alum... maybe he got hit.
MikeJ Posted March 3, 2004

Oh... I understand now what you are saying. Yeah... definitely looks like you received an email from someone infected.
solspace Posted March 3, 2004

I got the same email, although it had my domain in there and the attachment was called attach.zip and wasn't showing up as infected. The email address staff@ my domain isn't even one I use. The to address is one that I use for a particular company. It's odd to see that message and really disturbing that virus makers created these virus messages to appear that you sent them. It's got my domain name in there and everything. I'm not going to worry too much about it as I know my machine isn't infected. I'm going to email the company and let them know they might have an infected computer that they want to check. I can forward the message to the helpdesk if they want to see it, or post headers to see if they compare with the other person that received a similar message.

EDIT: I pulled it in originally through Yahoo webmail and scanned it with their system and it came up clean. When I got home and downloaded the message, my Norton with the latest virus definitions found the new Beagle virus in the message attachment and deleted it.
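Added example (editor's code, not from the thread or any poster): both "clean" scans above were of a password-protected ZIP, and a scanner that cannot open an archive can only say it found nothing. The encryption state is not hidden, though: ZIP records it in general-purpose flag bit 0 of every member's header, readable without the password. The check below flags an encrypted archive whose password sits in the message body, which is exactly the shape of the mail quoted in the first post. The archives are constructed in-line (a harmless placeholder file, not the worm), and the body text is the one quoted in the thread.

```python
"""Gateway check for the 'password in the body, archive encrypted' trick.

Added example, not code from the forum thread. A signature scanner that
cannot open an encrypted ZIP reports it clean. ZIP marks encryption in
general-purpose flag bit 0 of each member, readable without the password.
The archives built here are constructed stand-ins; SAMPLE_BODY is the
message text quoted in the thread.
"""
import io
import re
import struct
import zipfile
from typing import List

SAMPLE_BODY = (
    "Dear user of Portlandsoxfan.com, Some of our clients complained about "
    "the spam (negative e-mail content) outgoing from your e-mail account. "
    "Probably, you have been infected by a proxy-relay trojan server. In order "
    "to keep your computer safe, follow the instructions. For more information "
    "see the attached file. For security reasons attached file is password "
    'protected. The password is "01415". Cheers, The Portlandsoxfan.com team'
)

# Matches: password is "01415" / password: 'x' / password="x". Quotes are
# required so that the phrase 'password protected' is not picked up.
PASSWORD_RE = re.compile(
    r"password(?:\s+is)?\s*[:=]?\s*[\"']([^\"']{1,64})[\"']", re.I)

LOCAL_HDR_SIG, LOCAL_FLAG_OFF = b"PK\x03\x04", 6   # flags at +6 in a local header
CENTRAL_SIG, CENTRAL_FLAG_OFF = b"PK\x01\x02", 8   # flags at +8 in a central entry


def build_plain_zip(member: str, payload: bytes) -> bytes:
    """A normal, unencrypted ZIP (constructed sample, stored not deflated)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member, payload)
    return buf.getvalue()


def mark_encrypted(zip_bytes: bytes) -> bytes:
    """Set the 'encrypted' flag bit in every local and central header.

    The member data is left as-is; this only reproduces the header shape of
    a password-protected archive, which is all the detector inspects. With a
    stored text payload the signatures occur only in real headers.
    """
    data = bytearray(zip_bytes)
    for sig, off in ((LOCAL_HDR_SIG, LOCAL_FLAG_OFF), (CENTRAL_SIG, CENTRAL_FLAG_OFF)):
        pos = data.find(sig)
        while pos != -1:
            (flags,) = struct.unpack_from("<H", data, pos + off)
            struct.pack_into("<H", data, pos + off, flags | 0x0001)
            pos = data.find(sig, pos + len(sig))
    return bytes(data)


def encrypted_members(zip_bytes: bytes) -> List[str]:
    """Members whose header says they are encrypted; needs no password."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [i.filename for i in zf.infolist() if i.flag_bits & 0x0001]


def extract_passwords(body: str) -> List[str]:
    return PASSWORD_RE.findall(body)


def triage_attachment(body: str, filename: str, data: bytes) -> dict:
    """One gateway rule: encrypted archive + password in body => quarantine."""
    result = {"filename": filename, "encrypted_members": [],
              "passwords_in_body": extract_passwords(body), "verdict": "pass"}
    if data[:4] == LOCAL_HDR_SIG:
        result["encrypted_members"] = encrypted_members(data)
    if result["encrypted_members"] and result["passwords_in_body"]:
        result["verdict"] = "quarantine: encrypted archive with its password in the message body"
    elif result["encrypted_members"]:
        result["verdict"] = "hold: encrypted archive cannot be scanned"
    return result


if __name__ == "__main__":
    # Constructed stand-in: member name and contents are not the worm's.
    plain = build_plain_zip("stand_in.txt", b"harmless placeholder\n")
    print(triage_attachment("Quarterly report attached.", "report.zip", plain)["verdict"])
    print(triage_attachment(SAMPLE_BODY, "text.zip", mark_encrypted(plain))["verdict"])
```

The rule deliberately does not try the quoted password and scan the contents; a gateway that opens attacker-supplied archives with attacker-supplied passwords is doing the victim's double-click for them. Holding any unscannable archive, and quarantining the ones that ship their own password, is the conservative policy.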