PICList Thread
'[OT]: Worrysome emails'
2002\08\14@164358 by Pic Dude

Been getting some odd emails lately, with a subject, an unknown
sender and no body.  Whereas I usually brush this off as spam
and just delete it, I've got reason to question them...

- One interesting email a couple days ago had the subject "Stuff
you're selling".  This was soon after I put up a bunch of stuff
for sale on a local discussion forum.  So I questioned whether
it could really be some automated spam system.

- Most have some unrecognized subject like "ACCESSKEY".

- None have attachments.

- They all come to different email addresses, but ones that I
had actually used in the past.

Am I being spammed?  Should I worry that someone is sending
viruses which would exploit some Outlook security hole?  Are
these legit emails that are losing the body due to some bug?
Are there some coincidences here, and perhaps a mixture of
the above?

Cheers,
-Worried Neil.

--
http://www.piclist.com hint: To leave the PICList
spam_OUTpiclist-unsubscribe-requestTakeThisOuTspammitvma.mit.edu


2002\08\14@165233 by David Harris

I've seen a couple of these too.  Big mystery.
David


--
David Harris
 OmniPort Home Page:  http://www3.telus.net/OmniPort1/
   Discussion egroup: http://groups.yahoo.com/group/OmniPort
   Swiki:  http://omniport.swiki.net/1



2002\08\14@165647 by Matthew Fries

I recall getting some Klez returns with the same subject lines, so it
probably wasn't intended directly for you and probably is a virus.

Just to be safe though, if you have an entry for me in your personal
address book, remove it.  :)






2002\08\14@170847 by Barry Gershenfeld

Dude,

 You should worry anytime Outlook is running.

 If you have a pulse, you get spam.  Wait, no, you don't need one...

 I see messages like you described in my html-enabled mail
 program, but never in my text-only one.  So I think it
 does have to do with badly formed html.  I don't have it
 figured out yet.  Looking at headers and "source" can help.

Barry



2002\08\15@100758 by Josh Koffman

I've been getting them too. Always with no body, only on my html reader
account. Sometimes they seem to be from random addresses, sometimes from
people I know. I have no clue where they are coming from, I just delete
them.

Josh
--
A common mistake that people make when trying to design something
completely foolproof is to underestimate the ingenuity of complete
fools.
       -Douglas Adams


--
http://www.piclist.com hint: PICList Posts must start with ONE topic:
[PIC]:,[SX]:,[AVR]: ->uP ONLY! [EE]:,[OT]: ->Other [BUY]:,[AD]: ->Ads


2002\08\15@102025 by Dale Botkin

Josh,

If you take a look at your PICList errors, you'll see messages like this
fairly often.  Specifically, there is one in my error box now identified
with the subject line "PICLIST: error report from ASTRONOMICS.COM".
There is an HTML header with no content but an iframe tag.  There's also a
virus payload attached, it's a .PIF file Base64 encoded with an
audio/x-wav type identifier.  I suspect what you guys are seeing is
messages like that which have had the virus payload stripped by a mail
virus scanner at your ISP...  in my case, anything with an executable
attachment gets dropped into a quarantine mailbox even though we also use
Norton on the desktop machine to scan email as it's downloaded.

Dale
---
We are Dyslexia of Borg.
Fusistance is retile.
Your ass will be laminated.

On Thu, 15 Aug 2002, Josh Koffman wrote:

> I've been getting them too. Always with no body, only on my html reader
> account. Sometimes they seem to be from random addresses, sometimes from
> people I know. I have no clue where they are coming from, I just delete
> them.

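The message shape described in the post above (an HTML part containing only an iframe, plus a .PIF attachment labelled audio/x-wav) can be flagged mechanically. This is an added example, not part of the original thread; the sample message, the extension list and the helper name `inspect_message` are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample shaped like the message described above: an HTML part
# holding only an iframe, plus a .PIF declared as audio/x-wav. The payload
# is a harmless placeholder string, not malware.
SAMPLE = """\
From: someone@example.com
To: webmaster@example.org
Subject: ACCESSKEY
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html

<html><body><iframe src="cid:part2" height=0 width=0></iframe></body></html>
--b1
Content-Type: audio/x-wav; name="sample.pif"
Content-Transfer-Encoding: base64
Content-ID: <part2>

cGxhY2Vob2xkZXI=
--b1--
"""

# Assumed list of extensions Windows will execute; extend as needed.
EXECUTABLE_EXT = {".pif", ".exe", ".scr", ".bat", ".com"}

def inspect_message(raw: str) -> list[str]:
    """Return findings for a raw RFC 822 message (hypothetical helper)."""
    findings = []
    for part in message_from_string(raw).walk():
        ctype = part.get_content_type()
        # get_filename() falls back to the Content-Type "name" parameter.
        name = (part.get_filename() or "").lower()
        ext = name[name.rfind("."):] if "." in name else ""
        if ext in EXECUTABLE_EXT and not ctype.startswith("application/"):
            findings.append(f"type-mismatch: {name} declared as {ctype}")
        if ctype == "text/html":
            html = part.get_payload(decode=True).decode("latin-1")
            visible = re.sub(r"<[^>]*>", "", html).strip()
            if re.search(r"<iframe\b", html, re.I) and not visible:
                findings.append("html-iframe-only: no visible text")
    return findings

if __name__ == "__main__":
    print("\n".join(inspect_message(SAMPLE)))
```

With the attachment removed by an upstream scanner, only the iframe-only finding remains, which is the empty message an HTML reader shows.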


2002\08\15@103111 by Jennifer L. Gatza

They're Klez variants.  A *properly patched* version of Outlook will
automatically strip all executable code (I had to check just to make sure)
:)  A good real-time A/V program with updated signatures should take care of
whatever gets through.

I have received countless emails of this nature over the past month or two.
The messages seem to extract keywords from the websites I maintain, then
e-mail them to me in the subject line at the webmaster@ address at the
bottom of each page.

Not much you can do to stop the messages from coming, but I'm sure everyone
on the PIClist that has to use Outlook makes sure they regularly check
http://office.microsoft.com/productupdates, right?  ;)

Jen, a.k.a. an obsessive security-conscious geek



2002\08\15@111243 by Matthew Fries

I don't claim to know much about MIME headers, but I think I'm learning.

I suspect the KLEZ virus works like this:
You use Outlook and get infected with Klez. The virus randomly sends a
mail to someone in your address book, but makes it look like the email
came from someone else in your address book.

What this means to me is: I get a message from my mail server saying that
the message I sent could not be delivered. I never actually sent the
message that it claims I did. The infected person sent it with my address
as the return address.

Digging through the headers, I found that some of these seem to be coming
from someone using a dialup connection from the University of Pittsburgh.
More recently, from AOL (what a surprise). I have been collecting headers
(unfortunately, my list is at home now) and have been intending to notify
an administrator. I would only hope that they would be willing to track
down the offending infected user.




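The forged return address described above means the bounce, not the From line, holds the useful evidence: the returned copy's earliest Received header names the host that actually submitted the message. This is an added example, not part of the original thread; the bounce text, hosts, addresses and the helper name `first_hop` are constructed placeholders.

```python
import re
from email import message_from_string

# Constructed bounce: all hosts and addresses are documentation placeholders.
BOUNCE = """\
From: MAILER-DAEMON@mx.example.net
To: matt@example.org
Subject: Undeliverable mail
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="r1"

--r1
Content-Type: text/plain

Delivery to nobody@example.net failed.
--r1
Content-Type: message/rfc822

Received: from mx.example.net (mx.example.net [198.51.100.7])
 by mail.example.net; Thu, 15 Aug 2002 10:01:05 -0400
Received: from oemcomputer (dialup-42.example.edu [192.0.2.42])
 by mx.example.net; Thu, 15 Aug 2002 10:01:02 -0400
From: matt@example.org
To: nobody@example.net
Subject: ACCESSKEY

--r1--
"""

def first_hop(raw_bounce: str):
    """Return (claimed_from, helo, rdns, ip) for the bounced message."""
    for part in message_from_string(raw_bounce).walk():
        if part.get_content_type() == "message/rfc822":
            original = part.get_payload(0)
            # Each relay prepends its header, so the last Received is the
            # earliest hop. Only hops added by servers you trust are
            # reliable; anything below them can be forged by the sender.
            earliest = " ".join(original.get_all("Received")[-1].split())
            m = re.match(r"from (\S+) \((\S+) \[([\d.]+)\]\)", earliest)
            hop = m.groups() if m else (None, None, None)
            return (original["From"],) + hop
    return None  # not a bounce carrying the original message

if __name__ == "__main__":
    print(first_hop(BOUNCE))
```

The claimed sender and the submitting host disagree here, which is the pattern to report to the administrator of the network that owns the address.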


2002\08\15@113354 by Jennifer L. Gatza

> I suspect the KLEZ virus works like this:

This is my viewpoint of one Klez propagation method (and, once again, I have
no factual basis, just reasoning based on the experiences of myself and my
colleagues):

1. Infected web servers spider other sites for keywords and/or e-mail
addresses.  If your e-mail address is not published anywhere online, and you
don't visit a site hosted on an infected server, you will never be affected
by Klez.

2. Klez has its own SMTP engine, so it is not limited to Outlook (ok, this
one I know for a fact)

3. To become infected, one typically views an HTML page that hosts the viral
code.  (This HTML may be via a web browser or HTML mail)

If someone has more accurate information, please share it!  The published
information that I read seems to leave some gaps (perhaps intentionally).
This has become a hot topic to several of my clients, not to mention a
personal curiosity.

Jen



2002\08\15@115138 by Ömer Yalhı

FYI

I just received a worrisome email!!!  Nothing on the subject, nothing
anywhere.  I tried to open it and Norton AV said it has a virus.  Below
is the message from Norton AntiVirus:

Scan type:  Realtime Protection Scan
Event:  Virus Found!
Virus name: W95.Hybris.worm
File:  NAPONONA.EXE
Location:  Mail System
Computer:  OYALHI
User:  Ömer Yalhı
Action taken:  Clean failed : Quarantine succeeded :
Date found: Thu Aug 15 18:48:16 2002

Ömer YALHI
@spam@oyalhiKILLspamspamteksan.com.tr
http://www.teksan.com.tr
Tel : +90 212 613 22 00
Fax: +90 212 544 70 35



2002\08\15@141515 by Brendan Moran

I found http://www.europe.f-secure.com/v-descs/klez.shtml to be very
helpful.



2002\08\15@153650 by Peter L. Peres

On Thu, 15 Aug 2002, Jennifer L. Gatza wrote:

>They're Klez variants.  A *properly patched* version of Outlook will
>automatically strip all executable code (I had to check just to make sure)
>:)  A good real-time A/V program with updated signatures should take care of
>whatever gets through.

I also get these, and nothing runs anything made in Redmond, either here
or at any upstream ISP. So the messages come empty, period. Maybe it's a
buggy Klez version ? ;-)

Peter
