weird emails

Izzy HaveMercy
The Worlds Greatest Living Belgian
Posts: 8844
Joined: 29 Jan 2002, 00:00
Location: Long Dark Forties

Well, it will all be over on September 10. The worm destroys itself then... Serves him right, the lil' nasty bugger...
.
.
For Greater Good - Ambient Music for the Masses...
.
.
cocoamix
Amphetamine Filth
Posts: 139
Joined: 28 May 2002, 01:00
Location: Osama’s Homo-Abortion Pot & Commie Jizzporium

I use a Mac, so I open them up for a look-see, then I forward it to everyone I know.
My Linux friends get a kick out of them too.
dead stars
Utterly Bastard Groovy Amphetamine Filth
Posts: 777
Joined: 15 Apr 2002, 01:00
Location: Lisbon

hallucienate wrote:yup, I had an inbox full of those bastards yesterday morning, which is a bit of a bugger when you receive mailer-daemon mail for a few hundred domains :(

Don't run the executable and make sure you have your Outlook patched with all the updates. I can't believe they released a mail client that runs executable attachments on receipt :urff:
Better still: don't use Outlook at all!
:von: :wink:
Panther

Don't use outlook! And no children either (urgh!). But hopefully whichever *friend* it was has figured it out as no crap mails overnight!!!
hallucienate
Overbomber
Posts: 4602
Joined: 17 Apr 2002, 01:00
Location: /\/¯¯¯¯¯\/\

May I just take this chance to say that I use Pegasus Mail when I use Windows: www.pmail.com, and that I laugh at e-mail viruses. Except when I get a few hundred of them every morning. My delete key is wearing thin.
dead stars
Utterly Bastard Groovy Amphetamine Filth
Posts: 777
Joined: 15 Apr 2002, 01:00
Location: Lisbon

hallucienate wrote:May I just take this chance to say that I use Pegasus Mail when I use Windows: www.pmail.com, and that I laugh at e-mail viruses. Except when I get a few hundred of them every morning. My delete key is wearing thin.
I receive suspicious messages on hotmail but they're empty. The viruses are deleted.
Serendipityhaven
Gonzoid Amphetamine Filth
Posts: 316
Joined: 05 Jul 2003, 19:23
Location: north,searching for Imagica,heading for Weaveworld

well, on the off chance i thought i'd run a virus scan earlier on.
make a point of never opening unsolicited emails etc anyway, but thought running check would do no harm anyway, and the pc had been running real slow lately.
so this scan thing's currently half way thru now and annoyingly i'm looking at a long line of infected symbols flashing in front of every single file here.
so i'm not panicking.
i know nothing at all about viruses or how to rid them, but in the spirit of braving the new frontiers and not running to somebody else to come do whatever it is you do to rid yourself of it, i'm going to have a go on my own.
how hard can it be anyway?

but just out of curiosity tho, from the start there was an automatic scan check thing installed on this pc which ran every time the pc was started but had been mentioned that this can be a source for pc crashes on its own.
so it was uninstalled by someone. am wondering if this is really the case?
You know you're something special,
And you look like you're the best
Serendipityhaven
Gonzoid Amphetamine Filth
Posts: 316
Joined: 05 Jul 2003, 19:23
Location: north,searching for Imagica,heading for Weaveworld

apparently i don't have this virus doing the rounds, but i have picked up a mass of spyware bits and bobs and one trojan thing too (which is a minor virus i think).
all those flashing red symbols for something which is relatively minor!
currently feeling exceptionally proud of myself having managed to sort it out myself (i think).
You know you're something special,
And you look like you're the best
Dan
Overbomber
Posts: 2014
Joined: 25 Sep 2002, 01:00
Location: Leeds

I've been affected badly, not by the SoBig virus, but by the msblast worm. I didn't have the thing myself (I've been blocking port 135 for months), but it was causing so much extra traffic across my isp that everything was slowed right down.

-------

There is a way (sort of) to find out what idiot is sending you viruses. If you examine the full header of the email you'll see something like this-

Received: from [123.45.67.89]
Sometimes there's 2 different Received from's. It's usually the 2nd one.

Now go to samspade.org and type those 4 numbers just as they appear there, without the brackets, into the box that says "do stuff", then click the button. (Or if you use mirc just type /dns 123.45.67.89. Although this one won't work cos I made it up.)

This will resolve the sender's ip, then all you need to think is "Do I know someone on that isp?". If it's something common like btopenworld or freeserve you're screwed, as it's too common, but if it's something more unusual then you may recognise it immediately.
Serendipityhaven
Gonzoid Amphetamine Filth
Posts: 316
Joined: 05 Jul 2003, 19:23
Location: north,searching for Imagica,heading for Weaveworld

hmm. so begins my induction into the wonderful world of worms, trojans and weird ass terminology.
as it turned out, i had some trojan thing which i've since been told is also known as a worm.
and this was why my pc was running super slow.
so apparently i can install the auto scan thing and this time it won't make the pc crash.
for all this protection of viruses and software available to combat it, even the best protected people i know seemed to have been caught one way or the other...
You know you're something special,
And you look like you're the best
pikkrong
Overbomber
Posts: 3929
Joined: 19 Aug 2002, 01:00
Location: Estonia

I'm in trouble :urff: :evil:
I got an e-mail to my hotmail account from somebody called "quiffboy"( :!: )
I know and tell to anybody else: "NEVER OPEN SUSPICIOUS ATTACHMENTS, EVEN FROM YOUR FRIENDS' ADDRESSES!"
and I didn't open attachment.
Actually: THERE WASN'T ANY ATTACHMENT,
there was nothing but 2 sentences which sounded approximately that:
"This is a new good tool. Hope you enjoy (or "like") it."
I deleted it (because I remember some virus letters have such a line) and let Norton Antivirus control my PC. No viruses were found.
But I still worry.
Could anybody explain 2 things to me:
1. HOW COULD A VIRUS PROGRAM ADD THE NAME "QUIFFBOY" TO A STRANGE GERMAN E-MAIL ADDRESS WHICH HAD SENT IT TO ME?
2. WHY WAS THE CAPACITY OF THE E-MAIL MORE THAN 10 K ALTHOUGH THERE WERE ONLY 2 SENTENCES IN A NORMAL SHRIFT, NO ATTACHMENTS, PICS, LINKS ETC?
COULD THERE BE ANY HIDDEN THING WHICH OPENED AS SOON AS I OPENED THE E-MAIL :?: :evil: :urff: :?
and:
WHAT SHOULD I DO NOW :?: :?: :?: :?: :?:
best regards,
PikkRong
Serendipityhaven
Gonzoid Amphetamine Filth
Posts: 316
Joined: 05 Jul 2003, 19:23
Location: north,searching for Imagica,heading for Weaveworld

just thought, if you moved all addresses from your main email address book to another email account+just flicked back to it when need be, then this kind of spamming of your fiends+collegues couldn't happen could it?

@Pikkrong-
one of my friends got worm which didn't show up straight away on virus scan. maybe it's the same thing? don't know. he was convinced he'd picked up a bug of some kind tho+kept running scans throughout the day+eventually it picked it up.
was no harm done, just inconvenienced a little running prog that got rid of bug.

can't do any harm being extra vigilant at the moment i think.
hope is ok for you+pc.
You know you're something special,
And you look like you're the best
Serendipityhaven
Gonzoid Amphetamine Filth
Posts: 316
Joined: 05 Jul 2003, 19:23
Location: north,searching for Imagica,heading for Weaveworld

:lol:
umm, that's "friend+collegues", not fiends+collegues, b.t.w. :roll:
You know you're something special,
And you look like you're the best
Dan
Overbomber
Posts: 2014
Joined: 25 Sep 2002, 01:00
Location: Leeds

pikkrong wrote:I'm in trouble :urff: :evil:
I got an e-mail to my hotmail account from somebody called "quiffboy"( :!: )
I know and tell to anybody else: "NEVER OPEN SUSPICIOUS ATTACHMENTS, EVEN FROM YOUR FRIENDS' ADDRESSES!"
and I didn't open attachment.
Actually: THERE WASN'T ANY ATTACHMENT,
there was nothing but 2 sentences which sounded approximately that:
"This is a new good tool. Hope you enjoy (or "like") it."
I deleted it (because I remember some virus letters have such a line) and let Norton Antivirus control my PC. No viruses were found.
But I still worry.
Could anybody explain 2 things to me:
1. HOW COULD A VIRUS PROGRAM ADD THE NAME "QUIFFBOY" TO A STRANGE GERMAN E-MAIL ADDRESS WHICH HAD SENT IT TO ME?
2. WHY WAS THE CAPACITY OF THE E-MAIL MORE THAN 10 K ALTHOUGH THERE WERE ONLY 2 SENTENCES IN A NORMAL SHRIFT, NO ATTACHMENTS, PICS, LINKS ETC?
COULD THERE BE ANY HIDDEN THING WHICH OPENED AS SOON AS I OPENED THE E-MAIL :?: :evil: :urff: :?
and:
WHAT SHOULD I DO NOW :?: :?: :?: :?: :?:
best regards,
PikkRong
Many viruses can have an attachment, but there's no paperclip icon.

You say the virus had the name Quiffboy in it. This means one of 2 things-
1) Quiffboy has a virus
2) Someone else who has Quiffboy in his address book has a virus. Some viruses take names from your address book, and as well as sending themselves to those addresses, they also use the addresses as the "from" address, so it looks as though one of those viruses came from that address when it didn't.

If you look at the full email header you can find the ip of the person who sent the virus, which might help identify who's sending it unless they have a common isp.
pikkrong
Overbomber
Posts: 3929
Joined: 19 Aug 2002, 01:00
Location: Estonia

Dan wrote:
Many viruses can have an attachment, but there's no paperclip icon.
And how do they spread?
Open automatically while I open the e-mail?
Dan
Overbomber
Posts: 2014
Joined: 25 Sep 2002, 01:00
Location: Leeds

pikkrong wrote:
Dan wrote:
Many viruses can have an attachment, but there's no paperclip icon.
And how do they spread?
Open automatically while I open the e-mail?
Yes, but you said you were using hotmail, so you're ok.

The "hidden attachment" only affects Internet Explorer, and if people with explorer are up to date with all the patches they get a message saying something like "run this attachment? (yes/no)".
pikkrong
Overbomber
Posts: 3929
Joined: 19 Aug 2002, 01:00
Location: Estonia

Dan wrote:
pikkrong wrote:
Dan wrote:
Many viruses can have an attachment, but there's no paperclip icon.
And how do they spread?
Open automatically while I open the e-mail?
Yes, but you said you were using hotmail, so you're ok.

The "hidden attachment" only affects Internet Explorer, and if people with explorer are up to date with all the patches they get a message saying something like "run this attachment? (yes/no)".
yes, THIS time it wasn't Internet Explorer.
but my other account is...
Quiff Boy
Herr Administrator
Posts: 16795
Joined: 25 Jan 2002, 00:00
Location: Lurking and fixing

Dan wrote:
pikkrong wrote:I'm in trouble :urff: :evil:
I got an e-mail to my hotmail account from somebody called "quiffboy"( :!: )
I know and tell to anybody else: "NEVER OPEN SUSPICIOUS ATTACHMENTS, EVEN FROM YOUR FRIENDS' ADDRESSES!"
and I didn't open attachment.
Actually: THERE WASN'T ANY ATTACHMENT,
there was nothing but 2 sentences which sounded approximately that:
"This is a new good tool. Hope you enjoy (or "like") it."
I deleted it (because I remember some virus letters have such a line) and let Norton Antivirus control my PC. No viruses were found.
But I still worry.
Could anybody explain 2 things to me:
1. HOW COULD A VIRUS PROGRAM ADD THE NAME "QUIFFBOY" TO A STRANGE GERMAN E-MAIL ADDRESS WHICH HAD SENT IT TO ME?
2. WHY WAS THE CAPACITY OF THE E-MAIL MORE THAN 10 K ALTHOUGH THERE WERE ONLY 2 SENTENCES IN A NORMAL SHRIFT, NO ATTACHMENTS, PICS, LINKS ETC?
COULD THERE BE ANY HIDDEN THING WHICH OPENED AS SOON AS I OPENED THE E-MAIL :?: :evil: :urff: :?
and:
WHAT SHOULD I DO NOW :?: :?: :?: :?: :?:
best regards,
PikkRong
Many viruses can have an attachment, but there's no paperclip icon.

You say the virus had the name Quiffboy in it. This means one of 2 things-
1) Quiffboy has a virus
2) Someone else who has Quiffboy in his address book has a virus. Some viruses take names from your address book, and as well as sending themselves to those addresses, they also use the addresses as the "from" address, so it looks as though one of those viruses came from that address when it didn't.

If you look at the full email header you can find the ip of the person who sent the virus, which might help identify who's sending it unless they have a common isp.
dan's right with point 2.

i got one last night that claimed to come from rob fakes :roll:

which kinda points to someone here having it. :urff:

i have also received some at work, so maybe it's someone who also has my work email address...?!?

someone that has my work email address, rob fakes & pikkrong in their address books.

ring a bell with anyone? :?:
What’s the difference between a buffalo and a bison?
Dan
Overbomber
Posts: 2014
Joined: 25 Sep 2002, 01:00
Location: Leeds

In explorer, turn your preview pane off (VIEW-LAYOUT-untick "show preview pane") - the virus can autorun simply by previewing it in the preview pane.

Now the preview pane is off, SINGLECLICK the virus email to select it but not open it. Rightclick it and select PROPERTIES. Click the DETAILS tab. Click MESSAGE SOURCE. Expand the little window to full screen to get a better look at it.

Now you have the complete mail header. Paste it here or pm me it and I can tell you the isp of the sender. As long as it's not a common one we can identify the sender.
pikkrong
Overbomber
Posts: 3929
Joined: 19 Aug 2002, 01:00
Location: Estonia

Dan wrote:In explorer, turn your preview pane off (VIEW-LAYOUT-untick "show preview pane") - the virus can autorun simply by previewing it in the preview pane.
think, i've done it some time ago.
(i'm a very suspicious old man, don't trust that 'puter stuff).
does it mean that after doing that the last e-mail doesn't open without double-click? if so, i've done it.
Quiff Boy
Herr Administrator
Posts: 16795
Joined: 25 Jan 2002, 00:00
Location: Lurking and fixing

i don't know what virus this is, but the mail i mentioned above (the robF one) has these headers:
Return-path: <Meier-Schloss@t-online.de>
Envelope-to: quiffboy@myheartland.co.uk
Delivery-date: Sun, 24 Aug 2003 11:33:18 +0200
Received: from [194.25.134.81] (helo=mailout03.sul.t-online.com)
    by mxng12.kundenserver.de with esmtp (Exim 3.35 #1)
    id 19qrFI-0006dj-00
    for quiffboy@myheartland.co.uk; Sun, 24 Aug 2003 11:33:12 +0200
Received: from fwd07.aul.t-online.de
    by mailout03.sul.t-online.com with smtp
    id 19qrFI-0008Lv-00; Sun, 24 Aug 2003 11:33:12 +0200
Received: from Lkfzlxcf (ZwAJWQZBgeCuTxGXLAhoy8txHd+tkduyPM8iMUEoYUxJ5E121buqgr@[217.86.47.190]) by fwd07.sul.t-online.com
    with smtp id 19qrEw-1psinI0; Sun, 24 Aug 2003 11:32:50 +0200
From: Meier-Schloss@t-online.de (postmaster)
To: quiffboy@myheartland.co.uk
Subject: Undeliverable mail--"onMouseout"
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary=VCZ1291pm31yL3rim178qz70179iOLW
Date: Sun, 24 Aug 2003 11:32:50 +0200
Message-ID: <19qrEw-1psinI0@fwd07.sul.t-online.com>
X-Seen: false
X-ID: ZwAJWQZBgeCuTxGXLAhoy8txHd+tkduyPM8iMUEoYUxJ5E121buqgr

--VCZ1291pm31yL3rim178qz70179iOLW
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY>

<FONT>The following mail can't be sent to robjfakes@hotmail.com:<br>
<br>
From: quiffboy@myheartland.co.uk<br>
To: robjfakes@hotmail.com<br>
Subject: onMouseout<br>
The file is the original mail</FONT></BODY></HTML>
mxng12.kundenserver.de is myheartland's mailserver...

i assume fwd07.aul.t-online.de is the sender's mailserver. :?:

.de is german, yet a lookup on 194.25.134.81 and 217.86.47.190 seems to indicate they are dutch... :?:

but i can't quite follow the flow of information - is the sender dutch, yet they were trying to use t-online.de's outgoing mailserver?

the email had an attachment which was a html page from the t-online.de website. the attached page had some javascript in it, but it was only image-rollover stuff - nothing dodgy.

now i'm confused... :roll:
What’s the difference between a buffalo and a bison?
Dan
Overbomber
Posts: 2014
Joined: 25 Sep 2002, 01:00
Location: Leeds

The 2nd ip is the sender.
*** Resolved 217.86.47.190 to pD9562FBE.dip.t-dialin.net

I tried going to www.t-dialin.net and it redirects to www.t-online.de so it looks like it's just some normal spam from Meier-Schloss@t-online.de and not a virus. As to how he got your email address, you're probably one of thousands he spammed that day and your email address must have found its way onto an email/spam list.
Quiff Boy
Herr Administrator
Posts: 16795
Joined: 25 Jan 2002, 00:00
Location: Lurking and fixing

Dan wrote:The 2nd ip is the sender.
*** Resolved 217.86.47.190 to pD9562FBE.dip.t-dialin.net

I tried going to www.t-dialin.net and it redirects to www.t-online.de so it looks like it's just some normal spam from Meier-Schloss@t-online.de and not a virus. As to how he got your email address, you're probably one of thousands he spammed that day and your email address must have found its way onto an email/spam list.
cheers :)
What’s the difference between a buffalo and a bison?
Dan
Overbomber
Posts: 2014
Joined: 25 Sep 2002, 01:00
Location: Leeds

In a mail header, it's almost always the last ip that's the sender. Even emails sent through hotmail (which some people think makes them anonymous) include the person's real ip in their headers.
hallucienate
Overbomber
Posts: 4602
Joined: 17 Apr 2002, 01:00
Location: /\/¯¯¯¯¯\/\

All the IPs should be timestamped, so take the oldest one, remember to include the time zones.

Hotmail put in an X-originating IP, which is exactly what it says.

2198 deleted items since this morning :?
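
The header reading discussed in this thread (take the oldest timestamped hop, with time zones included), as an added example that is not part of any post: it parses the Received headers posted above, normalises every timestamp to UTC and reports the oldest hop. Only Received lines stamped by a mail server you trust are reliable, since the lines below that point are supplied by the sending side, so it also reports that boundary. The function names are assumptions of this example, and the trusted server is the one identified in the thread as the recipient's mail server.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Received headers copied from the message posted earlier in the thread;
# continuation lines are indented here so they parse as folded headers.
THREAD_HEADERS = """\
Received: from [194.25.134.81] (helo=mailout03.sul.t-online.com)
 by mxng12.kundenserver.de with esmtp (Exim 3.35 #1)
 id 19qrFI-0006dj-00
 for quiffboy@myheartland.co.uk; Sun, 24 Aug 2003 11:33:12 +0200
Received: from fwd07.aul.t-online.de
 by mailout03.sul.t-online.com with smtp
 id 19qrFI-0008Lv-00; Sun, 24 Aug 2003 11:33:12 +0200
Received: from Lkfzlxcf (ZwAJWQZBgeCuTxGXLAhoy8txHd+tkduyPM8iMUEoYUxJ5E121buqgr@[217.86.47.190]) by fwd07.sul.t-online.com
 with smtp id 19qrEw-1psinI0; Sun, 24 Aug 2003 11:32:50 +0200
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_RE = re.compile(r"\bby\s+(\S+)")

def parse_hops(raw_headers):
    """One dict per Received header, in header order (newest hop first)."""
    msg = message_from_string(raw_headers + "\n")
    hops = []
    for pos, value in enumerate(msg.get_all("Received", [])):
        flat = " ".join(value.split())          # undo header folding
        trace, _, stamp = flat.rpartition(";")  # the date follows the last ';'
        from_part = trace.split(" by ", 1)[0]   # what the sending side claimed
        ip = IP_RE.search(from_part)
        by = BY_RE.search(trace)
        when = parsedate_to_datetime(stamp.strip()).astimezone(timezone.utc)
        hops.append({"pos": pos, "from_ip": ip.group(1) if ip else None,
                     "by": by.group(1) if by else None, "utc": when})
    return hops

def oldest_hop(raw_headers):
    """Oldest hop by UTC time; on a tie, the one lowest in the header block."""
    return min(parse_hops(raw_headers), key=lambda h: (h["utc"], -h["pos"]))

def trusted_boundary(raw_headers, my_servers):
    """Topmost hop stamped by a server you run; lower hops are unverified."""
    for hop in parse_hops(raw_headers):
        if hop["by"] in my_servers:
            return hop
    return None

if __name__ == "__main__":
    for h in parse_hops(THREAD_HEADERS):
        print(h["utc"].isoformat(), h["from_ip"], "->", h["by"])
    print("oldest hop from:", oldest_hop(THREAD_HEADERS)["from_ip"])
```
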