Afaik this fella sent me a virus?

[Edwin Knoppert]

Topic: Microsoft Corporation Public Bulletin

Odd, two mails on a totally unknown email for you guys.
Both return to frhache@wanadoo.fr

The 2nd mail shows, in the body, euyuesod@puremail.net

Ideas?

[Max.]

Ideas?

Watch the headers. There you see the originating IP address. Very unlikely that those mentioned email addresses got anything to do with it. You know that these most often are faked (I wouldn't appreciate if my email addy was posted publically because someone abused it).

[Edwin Knoppert]

Yes but it's odd since .fr and pure. can be related.
So it might be well that this is a pb user, i hate spam and maybe i can produce a 'red face' by this.

[Max.]

Yes but it's odd since .fr and pure. can be related.
So it might be well that this is a pb user, i hate spam and maybe i can produce a 'red face' by this.

I think, the pure in puremail is just a coincident. The puremail.net domain is handled by a domain selling company and wouldn't someone catching your attention with PureBasic not use the official addresses?

As I said, check the header and read them from bottom up to find out more:

Code: Select all

Received: from yahoo([unix socket])
     by qtcmx (Cyrus v2.1.14) with LMTP; Fri, 27 May 2005 20:22:01 +0200
X-Sieve: CMU Sieve 2.2
Received: from [61.154.125.19] (helo=hotmail.com)
     by mxeu1.yahoo.com with ESMTP (Nemesis),
     id 0MKpV6-1DbjQ72B2W-0004k6 for testthis@yahoo.com; Fri, 27 May 2005 20:18:55 +0200
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
     Fri, 27 May 2005 11:18:53 -0700
Message-ID: <BAY15-F29B576561E29FAC0346760CA000@phx.gbl>
Received: from 12.133.144.155 by by15fd.bay15.hotmail.msn.com with HTTP;
     Fri, 27 May 2005 18:18:53 GMT
X-Originating-IP: [12.133.144.155]
X-Originating-Email: [testme@hotmail.de]
X-Sender: testme@hotmail.de
From: "TestMe" <testme@hotmail.de>
To: TestThis@yahoo.com
Subject: FW: Test
Date: Fri, 27 May 2005 20:18:53 +0200
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_61f_1cbc_97"
X-OriginalArrivalTime: 27 May 2005 18:18:53.0983 (UTC) FILETIME=[8A2962F0:01C562E8]
 

[PB]

> the pure in puremail is just a coincident

Agreed. The word "pure" in English is extremely common, and it's not at all
surprising to see it everywhere, in both everyday text and brand names.

[Edwin Knoppert]

OK maybe it's not related, here is the header:
PS, *************** = me

Return-Path: <frhache@wanadoo.fr>
Delivered-To: ***************
Received: from msc-be01.qinip.net (msc-be01.qinip.net [195.18.121.98])
by olive.qinip.net (Postfix) with ESMTP id 932241E529
for <***************>; Sat, 28 May 2005 16:57:20 +0200 (MEST)
Received: from smtp10.wanadoo.fr (smtp10.wanadoo.fr [193.252.22.21])
by msc-fe01.qinip.net (Postfix) with ESMTP id 6C04DD527
for <***************>; Sat, 28 May 2005 16:56:30 +0200 (MEST)
Received: from me-wanadoo.net (localhost [127.0.0.1])
by mwinf1012.wanadoo.fr (SMTP Server) with ESMTP id 06E1F240018F
for <***************>; Sat, 28 May 2005 16:56:30 +0200 (CEST)
Received: from fegwkbjn (Mix-Velizy-108-1-47.w193-249.abo.wanadoo.fr [193.249.124.47])
by mwinf1012.wanadoo.fr (SMTP Server) with SMTP id 8AD472400193;
Sat, 28 May 2005 16:55:54 +0200 (CEST)
X-ME-UUID: 20050528145554568.8AD472400193@mwinf1012.wanadoo.fr
From: "Microsoft Corporation Public Bulletin" <sibnqhnxvahq@technet.ms.com>
To: "Microsoft Corporation Consumer" <xfvzls@technet.ms.com>
SUBJECT:

[Max.]

It can safely said, that this is a worm. Found 2 references to worms that send mails like that; Miniman & Swen - but they change so often, hardly to say without a complete look on email & attachement.

Either way, no malicious intent from the sender.

What makes it so sad: such worms most often use found email addresses on the infected PC as sender address.

In this case it appears as if the worm didn't use a built-in SMTP engine to spread itself, but uses an existing email connection to do so. If this is true (other possibility is that wanadoo doesn't prohibit mail relaying or just checks on the IP address), frhache is really the sender, but he is a victim as well.