Posted: 25 Aug 2003, 17:04
by Quiff Boy
Quiff Boy wrote: i don't know what virus this is, but the mail i mentioned above (the robF one) has these headers:
Return-path: <Meier-Schloss@t-online.de>
Envelope-to: quiffboy@myheartland.co.uk
Delivery-date: Sun, 24 Aug 2003 11:33:18 +0200
Received: from [194.25.134.81] (helo=mailout03.sul.t-online.com)
by mxng12.kundenserver.de with esmtp (Exim 3.35 #1)
id 19qrFI-0006dj-00
for quiffboy@myheartland.co.uk; Sun, 24 Aug 2003 11:33:12 +0200
Received: from fwd07.aul.t-online.de
by mailout03.sul.t-online.com with smtp
id 19qrFI-0008Lv-00; Sun, 24 Aug 2003 11:33:12 +0200
Received: from Lkfzlxcf (ZwAJWQZBgeCuTxGXLAhoy8txHd+tkduyPM8iMUEoYUxJ5E121buqgr@[217.86.47.190]) by fwd07.sul.t-online.com
with smtp id 19qrEw-1psinI0; Sun, 24 Aug 2003 11:32:50 +0200
From: Meier-Schloss@t-online.de (postmaster)
To: quiffboy@myheartland.co.uk
Subject: Undeliverable mail--"onMouseout"
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary=VCZ1291pm31yL3rim178qz70179iOLW
Date: Sun, 24 Aug 2003 11:32:50 +0200
Message-ID: <19qrEw-1psinI0@fwd07.sul.t-online.com>
X-Seen: false
X-ID: ZwAJWQZBgeCuTxGXLAhoy8txHd+tkduyPM8iMUEoYUxJ5E121buqgr
--VCZ1291pm31yL3rim178qz70179iOLW
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable
<HTML><HEAD></HEAD><BODY>
<FONT>The following mail can't be sent to robjfakes@hotmail.com:<br>
<br>
From: quiffboy@myheartland.co.uk<br>
To: robjfakes@hotmail.com<br>
Subject: onMouseout<br>
The file is the original mail</FONT></BODY></HTML>
mxng12.kundenserver.de is myheartland's mailserver...
i assume fwd07.aul.t-online.de is the senders' mailserver.
.de is german, yet a lookup on 194.25.134.81 and 217.86.47.190 seems to indicate they are dutch...
but i can't quite follow the flow of information - is the sender dutch, yet they were trying to use t-online.de's outgoing mailserver?
the email had an attachment which was a html page from the t-online.de website. the attached page had some javascript in it, but it was only image-rollover stuff - nothing dodgy.
now i'm confused...
just got another with almost identical headers that claimed to be from vicus!
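Added example, not part of any post in this thread: a short Python sketch that reads the Received lines of the first message quoted above in the order the relays handled it (each relay prepends its own line, so the bottom one is the earliest). The bracketed IP is written by the receiving relay, while the name in front of it is whatever the connecting client announced; the function and variable names are illustrative.

```python
import re
from email import message_from_string

# Headers copied from the first message quoted in this thread, folds restored.
RAW = """\
Return-path: <Meier-Schloss@t-online.de>
Received: from [194.25.134.81] (helo=mailout03.sul.t-online.com)
\tby mxng12.kundenserver.de with esmtp (Exim 3.35 #1)
\tid 19qrFI-0006dj-00
\tfor quiffboy@myheartland.co.uk; Sun, 24 Aug 2003 11:33:12 +0200
Received: from fwd07.aul.t-online.de
\tby mailout03.sul.t-online.com with smtp
\tid 19qrFI-0008Lv-00; Sun, 24 Aug 2003 11:33:12 +0200
Received: from Lkfzlxcf (ZwAJWQZBgeCuTxGXLAhoy8txHd+tkduyPM8iMUEoYUxJ5E121buqgr@[217.86.47.190]) by fwd07.sul.t-online.com
\twith smtp id 19qrEw-1psinI0; Sun, 24 Aug 2003 11:32:50 +0200
From: Meier-Schloss@t-online.de (postmaster)
To: quiffboy@myheartland.co.uk
Subject: Undeliverable mail--"onMouseout"

"""

HOP = re.compile(r"from\s+(?P<frm>\S+).*?\bby\s+(?P<by>\S+)", re.S)
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def trace(raw):
    """Return (announced_name, recorded_ip, receiving_relay) per hop, oldest first."""
    hops = []
    # Every relay prepends its own Received line, so reverse for time order.
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        m = HOP.search(value)
        if not m:
            continue  # unparseable hop: skip rather than guess
        # Only the text before "by" describes the connecting side.
        ip = IPV4.search(value[:m.start("by")])
        hops.append((m.group("frm"), ip.group(1) if ip else None, m.group("by")))
    return hops

if __name__ == "__main__":
    for n, (name, ip, relay) in enumerate(trace(RAW), 1):
        print(f"hop {n}: {name} ({ip or 'no IP recorded'}) -> {relay}")
```

The first hop is the machine that handed the message to t-online's relay; the other two messages quoted in this thread carry first-hop addresses 217.86.46.21 and 62.157.38.97 in the same position.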
Posted: 25 Aug 2003, 17:06
by Quiff Boy
had a look at my norton av "quarantined items" folder and they're both "klez h".
jeezus, is THAT thing still doing the rounds?!?!?
Posted: 25 Aug 2003, 20:59
by Big Si
1 email from "quiffboy" - a special funny website
Return-path: <Meier-Schloss@t-online.de>
Envelope-to: big_si@myheartland.co.uk
Delivery-date: Sun, 24 Aug 2003 21:56:58 +0200
Received: from [194.25.134.81] (helo=mailout03.sul.t-online.com)
by mxng15.kundenserver.de with esmtp (Exim 3.35 #1)
id 19r0yv-00024u-00
for big_si@myheartland.co.uk; Sun, 24 Aug 2003 21:56:57 +0200
Received: from fwd03.aul.t-online.de
by mailout03.sul.t-online.com with smtp
id 19r0yv-0003oH-00; Sun, 24 Aug 2003 21:56:57 +0200
Received: from Rvuf (Z2-oToZLYeAey-UvGPnokiKI4WutVuvRYWwl5UG8ZvMOimIyMQIlZU@[217.86.46.21]) by fwd03.sul.t-online.com
with smtp id 19r0yX-06ekPQ0; Sun, 24 Aug 2003 21:56:33 +0200
From: Meier-Schloss@t-online.de (quiffboy)
To: big_si@myheartland.co.uk
Subject: A special funny website
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary=Te0AZ5sP8917433gq7E21702W288er5f0RSa
Date: Sun, 24 Aug 2003 21:56:33 +0200
Message-ID: <19r0yX-06ekPQ0@fwd03.sul.t-online.com>
X-Seen: false
X-ID: Z2-oToZLYeAey-UvGPnokiKI4WutVuvRYWwl5UG8ZvMOimIyMQIlZU
Hello,This is a funny website
I expect you would like it.
and 1 from hallucienate - a excite game
Return-path: <Meier-Schloss@t-online.de>
Envelope-to: big_si@myheartland.co.uk
Delivery-date: Mon, 25 Aug 2003 17:36:51 +0200
Received: from [194.25.134.80] (helo=mailout01.sul.t-online.com)
by mxng18.kundenserver.de with esmtp (Exim 3.35 #1)
id 19rJOZ-0001zQ-00
for big_si@myheartland.co.uk; Mon, 25 Aug 2003 17:36:39 +0200
Received: from fwd02.aul.t-online.de
by mailout01.sul.t-online.com with smtp
id 19rJOZ-0006IA-00; Mon, 25 Aug 2003 17:36:39 +0200
Received: from Ulxqxg (XVRqieZQreJKS+9e1RBSyLL1HP1TYERPrLOnzeT8BYX1yEvHSmBDY+@[62.157.38.97]) by fwd02.sul.t-online.com
with smtp id 19rJOF-081AQK0; Mon, 25 Aug 2003 17:36:19 +0200
From: Meier-Schloss@t-online.de (hallucienate)
To: big_si@myheartland.co.uk
Subject: A excite game
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary=V7p5N4683G5e7x
Date: Mon, 25 Aug 2003 17:36:19 +0200
Message-ID: <19rJOF-081AQK0@fwd02.sul.t-online.com>
X-Seen: false
X-ID: XVRqieZQreJKS+9e1RBSyLL1HP1TYERPrLOnzeT8BYX1yEvHSmBDY+
Posted: 25 Aug 2003, 21:02
by Quiff Boy
so who the hell is Meier-Schloss@t-online.de ?
we should ALL email them and tell them to get a f*cking virus program!
Posted: 25 Aug 2003, 21:08
by Quiff Boy
just had a look and there are only 2 members of heartland with t-online.de email addresses, and one of those has never made a post.
i have exchanged emails with the other before now, but he's not been on here for a while now...
he's quite pc-literate, so i'd be surprised if it was him, but nonetheless i will email him and ask if he's got some antivirus software...
Posted: 25 Aug 2003, 21:18
by Quiff Boy
actually, i was confused. it's not the person i thought it was...
does anyone know "MrBlonde"?
http://www.myheartland.co.uk/profile.ph ... ofile&u=50
it's not the same person as "john blonde" is it? he's called johan and is from sweden isn't he?
mrblonde has only ever made 2 posts, but judging by the ip addresses he has left, he would appear to be surfing the net from the same ISP as his email address suggests: t-online.de
maybe i'll drop him a mail
anyone here know him?