Professional Web Applications Themes

a new kind of virus? - Mac Networking

Michelle Steiner <michellemichelle.org> writes: > Lately, I've been receiving mail with no "from" header, no "to" > header, no subject, and no content. > > What's the point of a virus or worm sending this? The main "point" of a virus or worm is to try to propagate itself as much as possible. -- David Magda <dmagda at ee.ryerson.ca>, [url]http://www.magda.ca/[/url] Because the innovator has for enemies all those who have done well under the old conditions, and lukewarm defenders in those who may do well under the new. -- Niccolo Machiavelli, _The Prince_, Chapter VI...

  1. #1

    Default Re: a new kind of virus?

    Michelle Steiner <michellemichelle.org> writes:
    > Lately, I've been receiving mail with no "from" header, no "to"
    > header, no subject, and no content.
    >
    > What's the point of a virus or worm sending this?
    The main "point" of a virus or worm is to try to propagate itself as
    much as possible.

    --
    David Magda <dmagda at ee.ryerson.ca>, [url]http://www.magda.ca/[/url]
    Because the innovator has for enemies all those who have done well under
    the old conditions, and lukewarm defenders in those who may do well
    under the new. -- Niccolo Machiavelli, _The Prince_, Chapter VI
    David Magda Guest

  2. #2

    Default Re: a new kind of virus?

    In article <michelle-D3C1C1.16423624092003news.west.cox.net>,
    Michelle Steiner <michellemichelle.org> wrote:
    > In article <863cel3gzk.fsfnumber6.magda.ca>,
    > David Magda <dmagda+trace030918ee.ryerson.ca> wrote:
    >
    > > > What's the point of a virus or worm sending this?
    > >
    > > The main "point" of a virus or worm is to try to propagate itself as
    > > much as possible.
    >
    > There doesn't seem to be anything there for it to propagate.
    They are verifiying addresses. No bounce = an address they can sell for
    more.
    Brian Guest

  3. Moderated Post

    Default Re: a new kind of virus?

    Removed by Administrator
    Matthew Smith Guest
    Moderated Post

  4. #4

    Default Re: a new kind of virus?

    In article <matty_d-5CC7E2.19403225092003duster.adelaide.on.net>,
    Matthew Smith <matty_dmac.com> wrote:
    > In article <no-one-7EC504.22190524092003news06.west.earthlink.net>,
    > Brian <no-onehome.com> wrote:
    >
    > > In article <michelle-D3C1C1.16423624092003news.west.cox.net>,
    > > Michelle Steiner <michellemichelle.org> wrote:
    > >
    > > > In article <863cel3gzk.fsfnumber6.magda.ca>,
    > > > David Magda <dmagda+trace030918ee.ryerson.ca> wrote:
    > > >
    > > > > > What's the point of a virus or worm sending this?
    > > > >
    > > > > The main "point" of a virus or worm is to try to propagate itself as
    > > > > much as possible.
    > > >
    > > > There doesn't seem to be anything there for it to propagate.
    > >
    > > They are verifiying addresses. No bounce = an address they can sell for
    > > more.
    >
    > How can in bounce if there is no from address? Doesn't it need that to
    > send the return message?
    Good point! I have too been getting a few of these. Nothing compared to
    Swen, but odd nonetheless. Here's the entire contents of one I got today:

    From Thu Sep 25 17:34:08 2003
    X-Auth-No:
    Return-Path: <sskalkosplegma.gr>
    Received: from e-mailserver.plegma.gr not authenticated [193.92.44.20]
    by smtp-send.myrealbox.com with NetMail SMTP Agent $Revision: 3.40
    $ on Novell NetWare;
    Wed, 24 Sep 2003 23:07:15 -0600

    It is a MTA gone bad?

    --
    Heath
    __________________________________________________ ______
    | *Nothing is foolproof to a sufficiently talented fool* |
    | _\|/_ |
    |________________________________________m(. .)m_________|
    Heath Raftery Guest

  5. #5

    Default Re: a new kind of virus?

    Matthew Smith wrote:
    > In article <no-one-7EC504.22190524092003news06.west.earthlink.net>,
    > Brian <no-onehome.com> wrote:
    >
    >> In article <michelle-D3C1C1.16423624092003news.west.cox.net>,
    >> Michelle Steiner <michellemichelle.org> wrote:
    >>
    >> > In article <863cel3gzk.fsfnumber6.magda.ca>,
    >> > David Magda <dmagda+trace030918ee.ryerson.ca> wrote:
    >> >
    >> > > > What's the point of a virus or worm sending this?
    >> > >
    >> > > The main "point" of a virus or worm is to try to propagate itself as
    >> > > much as possible.
    >> >
    >> > There doesn't seem to be anything there for it to propagate.
    >>
    >> They are verifiying addresses. No bounce = an address they can sell for
    >> more.
    >
    > How can in bounce if there is no from address? Doesn't it need that to
    > send the return message?
    It would need to have a valid from or reply-to in order to get a
    "bounce" but that is not really what it is checking.

    It makes an SMTP connection to the mail server and tries to send
    a message to a certain email address - if the server does not
    accept email for that address then the sender learns of this during
    the SMTP negotiation - it doesn't need to receive a return email.

    Ian Gregory
    Systems and Applications Manager
    Learning and Information Services
    University of Hertfordshire
    Ian Gregory Guest

  6. #6

    Default Re: a new kind of virus?

    Matthew Smith <matty_dmac.com> writes:
    > Brian <no-onehome.com> wrote:
    > > Michelle Steiner <michellemichelle.org> wrote:
    > > > There doesn't seem to be anything there for it to propagate.
    > >
    > > They are verifiying addresses. No bounce = an address they can sell for
    > > more.
    >
    > How can in bounce if there is no from address? Doesn't it need that to
    > send the return message?
    "bounce" cannot ever be done at the mail client level anyway.
    A bounce never uses the "From" address which is in the headers,
    but, rather, the SMTP "envelope" data - which is not accessible
    at the client level - only at the smtp server level. Unless
    you have mx records set up to point your mail at a sendmail
    (or equivalent) that you are operating, don't even think about
    "bouncing" e-mail.

    The "Bounce to sender" function in Mail.app is both misnamed
    and insanely idiotic. It's not a "bounce" but, rather, a
    "resend to whatever crap is in the From" line" function and
    as such should never _ever_ be used on spam.



    --
    Plain Bread alone for e-mail, thanks. The rest gets trashed.
    No HTML in E-Mail! -- [url]http://www.expita.com/nomime.html[/url]
    Are you posting responses that are easy for others to follow?
    [url]http://www.greenend.org.uk/rjk/2000/06/14/quoting[/url]
    BreadWithSpam@fractious.net Guest

  7. #7

    Default Re: a new kind of virus?

    Heath Raftery wrote:
    > From Thu Sep 25 17:34:08 2003
    > X-Auth-No:
    > Return-Path: <sskalkosplegma.gr>
    > Received: from e-mailserver.plegma.gr not authenticated [193.92.44.20]
    > by smtp-send.myrealbox.com with NetMail SMTP Agent $Revision: 3.40
    > $ on Novell NetWare;
    > Wed, 24 Sep 2003 23:07:15 -0600
    The return path goes to a server (193.92.44.20) that Kalkos may have
    set up, perhaps in order to receive bounced e-mails. The [email]sskalkosplegma.gr[/email]
    may be fake, but ripe.net has the server (193.92.44.20) listed as Plegma-SA,
    Consulting, Athens. Maybe there's some automatic way for Kalkos to review
    the e-mail server logs and compare the bounce list with the list of
    all no-subject, blank e-mails sent. Or maybe his e-mail server is infected
    or malfunctioning, and somebody who uses the Greek character set should let
    him know.
    George Williams Guest

  8. #8

    Default Re: a new kind of virus?

    In article <michelle-2CAC5F.15184824092003news.west.cox.net>,
    Michelle Steiner <michellemichelle.org> wrote:
    >Lately, I've been receiving mail with no "from" header, no "to" header,
    >no subject, and no content.
    >
    >What's the point of a virus or worm sending this?
    I can think of a couple of possibilities

    1) Stupid spammer with broken software.
    2) Worm, but with content stripped by an anti-virus program somewhere
    along the line.


    --
    Matthew T. Russotto [email]mrussottospeakeasy.net[/email]
    "Extremism in defense of liberty is no vice, and moderation in pursuit
    of justice is no virtue." But extreme restriction of liberty in pursuit of
    a modi of security is a very expensive vice.
    Matthew Russotto Guest

  9. #9

    Default Re: a new kind of virus?

    + [email]BreadWithSpamfractious.net[/email]:

    | [...] the SMTP "envelope" data - which is not accessible
    | at the client level - only at the smtp server level.

    Strictly speaking not true: My smtp server (qmail) puts the envelope
    sender in a Return-Path header field on final delivery. And in the
    usual unix mbox format, each message is preceded by a line with the
    word "From" followed by the envelope sender and a time stamp. But of
    course, well designed mail clients don't use the envelope sender for
    anything (though displaying it to the user on demand may be okay).
    And hopefully, the authors of badly designed mail clients don't even
    know it may be there. 8-)

    --
    * Harald Hanche-Olsen <URL:http://www.math.ntnu.no/~hanche/>
    - Debating gives most of us much more psychological satisfaction
    than thinking does: but it deprives us of whatever chance there is
    of getting closer to the truth. -- C.P. Snow
    Harald Hanche-Olsen Guest

  10. #10

    Default Re: a new kind of virus?

    In article <michelle-D3C1C1.16423624092003news.west.cox.net>,
    Michelle Steiner <michellemichelle.org> wrote:
    >In article <863cel3gzk.fsfnumber6.magda.ca>,
    > David Magda <dmagda+trace030918ee.ryerson.ca> wrote:
    >
    >> > What's the point of a virus or worm sending this?
    >>
    >> The main "point" of a virus or worm is to try to propagate itself as
    >> much as possible.
    >
    >There doesn't seem to be anything there for it to propagate.
    Hmm... Add one possibility, from Reproductive Biology: It's a polar body :-)

    --
    Matthew T. Russotto [email]mrussottospeakeasy.net[/email]
    "Extremism in defense of liberty is no vice, and moderation in pursuit
    of justice is no virtue." But extreme restriction of liberty in pursuit of
    a modi of security is a very expensive vice.
    Matthew Russotto Guest

  11. #11

    Default Re: a new kind of virus?

    In article <yob1xu4957e.fsfpanix2.panix.com>,
    <BreadWithSpamfractious.net> wrote:
    >
    >"bounce" cannot ever be done at the mail client level anyway.
    >A bounce never uses the "From" address which is in the headers,
    >but, rather, the SMTP "envelope" data - which is not accessible
    >at the client level - only at the smtp server level.
    Actually, some MTAs put the envelope data in the headers. Very
    useful.
    --
    Matthew T. Russotto [email]mrussottospeakeasy.net[/email]
    "Extremism in defense of liberty is no vice, and moderation in pursuit
    of justice is no virtue." But extreme restriction of liberty in pursuit of
    a modi of security is a very expensive vice.
    Matthew Russotto Guest

  12. #12

    Default Re: a new kind of virus?

    In my experience, they all have some 'clickable' text button in the
    message body, somewhere, and when you open or click on it, you open the
    virus or worm.
    All empty Subject line messages have turned out to be virii or worms.
    I don't know how you can do it in MT-Newswatcher, but in my NetCOMM,
    when I have the message in question on top (open and readable), I access
    the menu bar's View/Page Source.
    When that window opens, scroll down until you see a large mass of
    garbage text and symbols. That is the raw virus or worm.

    But, you did say no body in the message?
    That doesn't ring a bell, but I would open View Source anyhow. You might
    be surprised.
    Lot's of stuff that's actually there doesn't show up in the regular
    message display window, but WILL show up in View Source window.

    keith whaley

    Michelle Steiner wrote:
    >
    > Lately, I've been receiving mail with no "from" header, no "to" header,
    > no subject, and no content.
    >
    > What's the point of a virus or worm sending this?
    Keith Whaley Guest

  13. #13

    Default Re: a new kind of virus?

    Matthew Smith <matty_dmac.com> writes:
    > How can in bounce if there is no from address? Doesn't it need that
    > to send the return message?
    Not necessarily. You can think of it as having two levels of
    addresssing: one for the SMTP server, and the other for the mail
    reader.

    As an example, a mailing list can tell the SMTP server to deliver to
    [email]userexample.com[/email], but the "To:" that is displayed is
    "myMailingListlists.com".

    So the SMTP server can have an address to bounce back to (the "MAIL
    FROM" SMTP command), but no "From:" in the actual message 'header'.

    Read RFC 822 for more on SMTP/e-mail delivery.

    --
    David Magda <dmagda at ee.ryerson.ca>, [url]http://www.magda.ca/[/url]
    Because the innovator has for enemies all those who have done well under
    the old conditions, and lukewarm defenders in those who may do well
    under the new. -- Niccolo Machiavelli, _The Prince_, Chapter VI
    David Magda Guest

  14. #14

    Default Re: a new kind of virus?

    Matthew Russotto wrote:
    > 2) Worm, but with content stripped by an anti-virus program somewhere
    > along the line.
    Easily believable that an ISP could so misconfigure
    a virus scanner. After all, these are the guys that
    thought we'd be pleased to get 300 boasts that they
    saved us from a virus.

    (Not to mention three hundred suggestions
    that we contact a forged address to tell him
    he has a virus)

    --
    Wes Groleau
    Heroes, Heritage, and History
    [url]http://freepages.genealogy.rootsweb.com/~wgroleau/[/url]

    Wes Groleau Guest

  15. #15

    Default Re: a new kind of virus?

    Keith Whaley wrote:
    > All empty Subject line messages have turned out to be virii or worms.
    For you, or in general. I have received plenty
    of non-virus messages from people who have no clue
    what a subject line is.

    --
    Wes Groleau
    Heroes, Heritage, and History
    [url]http://freepages.genealogy.rootsweb.com/~wgroleau/[/url]

    Wes Groleau Guest

  16. #16

    Default Re: a new kind of virus?

    In <yob1xu4957e.fsfpanix2.panix.com> [email]BreadWithSpamfractious.net[/email] wrote:
    > The "Bounce to sender" function in Mail.app is both misnamed
    > and insanely idiotic. It's not a "bounce" but, rather, a
    > "resend to whatever crap is in the From" line" function and
    > as such should never _ever_ be used on spam.
    Agreed, with one exception: when you receive junk mail where the only
    contact given is an email address in the body, and it's the same as the
    From address, then you _know_ it's valid. Admittedly I've only seen this
    about three times ever, but it does happen.

    --
    Roger Johnstone, Invercargill, New Zealand

    PS/2 Mouse Adapter for vintage Apple II or Mac
    order at [url]http://vintageware.orcon.net.nz[/url]
    Roger Johnstone Guest

  17. #17

    Default Re: a new kind of virus?

    In article <michelle-2CAC5F.15184824092003news.west.cox.net>,
    [email]michellemichelle.org[/email] says...
    > Lately, I've been receiving mail with no "from" header, no "to" header,
    > no subject, and no content.
    >
    > What's the point of a virus or worm sending this?
    >
    >
    Whether it's the sender's intent or not, these emails often choke Outlook.
    It won't download them, won't purge them, and can't get past them. It just
    gives me a completely erroneous error message that "connection to server
    was interrupted." The only way I can get back to normal email operation is
    to go to a webmail port, open my mailbox, and delete the offending email.
    That would have been a major pain if one had come in the middle of the
    swen virus flood over the weekend.

    Michelle is right, though. No body, no from, no to, and no subject.
    It's the smallest set of headers I've ever seen in email.

    I hadn't gotten one of these for many months, but there have been
    several in the last week.

    Diane
    Diane Wilson Guest

  18. #18

    Default Re: a new kind of virus?

    In article <MPG.19de0eaf6ba18ac5989732news.newsguy.com>,
    Diane Wilson <dianefirelily.com> wrote:

    > That would have been a major pain if one had come in the middle of the
    > swen virus flood over the weekend.
    The flood continues unabated as far as I can see. This is the only
    virus that has ever directly affected me (at home, where PCs don't
    concern me), and it is an extreme nuisance. I'm not sure what it is
    that has to happen to make the flood recede.
    Brian Hardy Guest

  19. #19

    Default Re: a new kind of virus?

    In article <bmhardy-40040C.08592426092003news.comcast.giganews.com>,
    Brian Hardy <bmhardyix.netcom.com> wrote:
    > In article <MPG.19de0eaf6ba18ac5989732news.newsguy.com>,
    > Diane Wilson <dianefirelily.com> wrote:
    >
    >
    > > That would have been a major pain if one had come in the middle of the
    > > swen virus flood over the weekend.
    >
    > The flood continues unabated as far as I can see. This is the only
    > virus that has ever directly affected me (at home, where PCs don't
    > concern me), and it is an extreme nuisance. I'm not sure what it is
    > that has to happen to make the flood recede.
    The people whose computers are infected have to dis-infect them.
    Simple as that...

    --
    Jerry Kindall, Seattle, WA <http://www.jerrykindall.com/>

    When replying by e-mail, use plain text ONLY to make sure I read it.
    Due to spam and viruses, I filter all mail with HTML or attachments.
    Jerry Kindall Guest

  20. #20

    Default Re: a new kind of virus?

    Yeah, but how do they know they are infected. I get over 100 on these
    nuisances a day. It would be easier to go back to faxing than for me to
    contanct all my typhoid Mary's.

    Jerry Kindall wrote:
    > In article <bmhardy-40040C.08592426092003news.comcast.giganews.com>,
    > Brian Hardy <bmhardyix.netcom.com> wrote:
    >
    >
    >>In article <MPG.19de0eaf6ba18ac5989732news.newsguy.com>,
    >> Diane Wilson <dianefirelily.com> wrote:
    >>
    >>
    >>
    >>>That would have been a major pain if one had come in the middle of the
    >>>swen virus flood over the weekend.
    >>
    >>The flood continues unabated as far as I can see. This is the only
    >>virus that has ever directly affected me (at home, where PCs don't
    >>concern me), and it is an extreme nuisance. I'm not sure what it is
    >>that has to happen to make the flood recede.
    >
    >
    > The people whose computers are infected have to dis-infect them.
    > Simple as that...
    >
    John Nestor Guest

Page 1 of 2 12 LastLast

Similar Threads

  1. Virus
    By Connie Upright in forum Macromedia Shockwave
    Replies: 9
    Last Post: February 23rd, 01:14 PM
  2. Virus alert (no, this is not a virus)
    By Aaron Bertrand - MVP in forum ASP Components
    Replies: 1
    Last Post: January 27th, 09:21 PM
  3. THIS IS A VIRUS!!!
    By Bob Powell [MVP] in forum ASP.NET Building Controls
    Replies: 1
    Last Post: September 27th, 02:02 PM
  4. Maybe a new virus
    By Earl Alexander in forum Adobe Photoshop Elements
    Replies: 7
    Last Post: September 24th, 02:54 PM
  5. Virus?
    By Jack in forum Windows Setup, Administration & Security
    Replies: 5
    Last Post: July 27th, 02:30 PM

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139