
Question about a bounce: [SPAM] Re: Excel file



webeinspunktnull
24.03.2004, 18:09
Because my mail address is being used by one of the current viruses, I get a few bounces every day. Most of them I recognise, since they turn up in this form quite often, typical notifications. The first line I already know from other bounces, but the rest is completely new; I have never been bounced in such detail before.
I have never had a bounce like this, and I am wondering what exactly this bounce contains. Does anyone know about this?
Interpreting headers already works quite well; I would be interested in interpreting bounces... Can someone outline it a bit, and also explain why there are several senders in there?

Hi. This is the qmail-send program at upsilon.pair.com.
I`m afraID: [ID filtered]
This is a permanent error; I`ve given up. Sorry it didn`t work out.
<crenz-wekemann at web42.com>:

No executables, please.
Message rejected.

--- Below this line is a copy of the message.
Return-Path: <meinemailaddy>
Received: (qmail 73799 invoked from network); 24 Mar 2004 xx:xx:xx -0000
Received: from web12.manitu.net (217.11.48.112)
by upsilon.pair.com with SMTP; 24 Mar 2004 xx:xx:xx -0000
Received: from wekemann.dyndns.org (G7e67.g.pppool.de [80.185.126.103])
by web12.manitu.net (8.10.2-SOL3/8.10.2) with ESMTP ID: [ID filtered]
for <crenz-wekemann at web42.com>; Wed, 24 Mar 2004 xx:xx:xx +0100
Received: by wekemann.dyndns.org (Postfix)
ID: [ID filtered]
Delivered-To: crenz at wekemann.de
Received: by wekemann.dyndns.org (Postfix, from userID: [ID filtered]
ID: [ID filtered]
Received: from localhost (localhost [127.0.0.1])
by wekemann.dyndns.org (Postfix) with ESMTP ID: [ID filtered]
for <postmaster [at] localhost>; Wed, 24 Mar 2004 xx:xx:xx +0100 (CET)
Envelope-to: postmaster at rehamarkt.de
Delivery-date: Wed, 24 Mar 2004 xx:xx:xx +0100
Received: from mail.LF.net [212.9.160.2]
by localhost with POP3 (fetchmail-5.9.11)
for postmaster [at] localhost (multi-drop); Wed, 24 Mar 2004 xx:xx:xx +0100 (CET)
Received: from exim by mail.LF.net with spam-scanned (Exim 4.22)
ID: [ID filtered]
for postmaster at rehamarkt.de; Wed, 24 Mar 2004 xx:xx:xx +0100
Received: from localhost [127.0.0.1] by isc.lf.net
with SpamAssassin (2.60 1.212-2003-09-23-exp);
Wed, 24 Mar 2004 xx:xx:xx +0100
From: meineaddy
To: info at rehamarkt.de
Subject: [SPAM] Re: Excel file
Date: Wed, 24 Mar 2004 xx:xx:xx +0100
Message-ID: [ID filtered]
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_40612EEA.8D174925"
X-UIDL: [UID filtered]
X-Spam-Status: No, hits=2.6 required=5.0
tests=MICROSOFT_EXECUTABLE,NO_REAL_NAME,UPPERCASE_25_50
version=2.55
X-Spam-Level: **
X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)
This is a multi-part message in MIME format.
------------=_40612EEA.8D174925
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Spam detection software, running on the system "isc.lf.net", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn`t spam) or block
similar future email. If you have any questions, see
support [at] LF.net for details.
Content preview: Your document is attached. [skipped
application/octet-stream attachment] [...]
Content analysis details: (6.8 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
0.2 NO_REAL_NAME From: does not include a real name
0.0 BAYES_50 BODY: Bayesian spam probability is 50 to 56%
[score: 0.5122]
0.1 MICROSOFT_EXECUTABLE RAW: Message includes Microsoft executable program
3.0 MSGID_FROM_MTA_SHORT Message-ID: [ID filtered]
0.5 RCVD_IN_NJABL_DIALUP RBL: NJABL: dialup sender dID: [ID filtered]
[80.128.119.30 listed in dnsbl.njabl.org]
0.1 RCVD_IN_NJABL RBL: Received via a relay in dnsbl.njabl.org
[80.128.119.30 listed in dnsbl.njabl.org]
0.1 RCVD_IN_SORBS RBL: SORBS: sender is listed in SORBS
[80.128.119.30 listed in dnsbl.sorbs.net]
1.6 MISSING_MIMEOLE Message has X-MSMail-Priority, but no X-MimeOLE
1.2 PRIORITY_NO_NAME Message has priority setting, but no X-Mailer
The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam. If you wish to view
it, it may be safer to save it to a file and open it with an editor.

------------=_40612EEA.8D174925
Content-Type: message/rfc822; x-spam-type=original
Content-Description: original message before SpamAssassin
Content-Disposition: attachment
Content-Transfer-Encoding: 8bit
Received: from p5080771e.dip.t-dialin.net ([80.128.119.30] helo=rehamarkt.de)
by mail.LF.net with esmtp (Exim 4.22)
ID: [ID filtered]
for info at rehamarkt.de; Wed, 24 Mar 2004 xx:xx:xx +0100
From: meineaddy
To: info at rehamarkt.de
Subject: Re: Excel file
Date: Wed, 24 Mar 2004 xx:xx:xx +0100
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0011_00002436.0000177C"
X-Priority: 3
X-MSMail-Priority: Normal
Message-ID: [ID filtered]
This is a multi-part message in MIME format.
------=_NextPart_000_0011_00002436.0000177C
Content-Type: text/plain;
charset="Windows-1252"
Content-Transfer-Encoding: 7bit
Your document is attached.
------=_NextPart_000_0011_00002436.0000177C
Content-Type: application/octet-stream;
name="document_excel.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="document_excel.pif"

--
Resist the beginnings!

webeinspunktnull
24.03.2004, 18:20
Another detailed bounce; the first line is again the usual, but I have never had the detailed rest like this before either.
The virus apparently uses a great many real, existing mail addresses of German users? And domain owners? The sender, whoever or whatever generates it, seems to have a huge pool? The whole thing probably becomes self-perpetuating once it is in circulation?

And what does "sender is listed in SORBS" mean? Am I on some blacklist because of this virus junk, which I can't do anything about??

This message was created automatically by mail delivery software.
A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:
sk at legio.de
(ultimately generated from info at sebastian-kern.de)
SMTP error from remote mailer after end of data:
host mx0.legio.de [80.237.128.199]: 550 This messsage contains an unroutable file type of pif.
------ This is a copy of the message, including all the headers. ------
Return-path: <meineaddy>
Received: from delta.mc1.hosteurope.de ([80.237.128.251])
by fozzy.webpack.hosteurope.de with esmtp (TLSv1:DES-CBC3-SHA:168)
(Exim 4.30)
ID: [ID filtered]
for info at sebastian-kern.de; Tue, 23 Mar 2004 xx:xx:xx +0100
Received: from p3ee267c3.dip.t-dialin.net ([62.226.103.195] helo=sebastian-kern.de)
by delta.mc1.hosteurope.de with esmtp (Exim 4.30)
ID: [ID filtered]
for info at sebastian-kern.de; Tue, 23 Mar 2004 xx:xx:xx +0100
From:
To: info at sebastian-kern.de
Subject: Re: Your letter
Date: Tue, 23 Mar 2004 xx:xx:xx +0100
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0001_0000105F.0000090C"
X-Priority: 3
X-MSMail-Priority: Normal
X-HE-Spam-Level: +++++
X-HE-Spam-Score: 5.6
X-HE-Spam-Report: Content analysis details: (5.6 points)
pts rule name description
---- ---------------------- --------------------------------------------------
0.3 NO_REAL_NAME From: does not include a real name
0.1 MICROSOFT_EXECUTABLE RAW: Message includes Microsoft executable program
0.5 RCVD_IN_NJABL_DIALUP RBL: NJABL: dialup sender dID: [ID filtered]
[62.226.103.195 listed in dnsbl.njabl.org]
0.1 RCVD_IN_SORBS RBL: SORBS: sender is listed in SORBS
[62.226.103.195 listed in dnsbl.sorbs.net]
0.1 RCVD_IN_NJABL RBL: Received via a relay in dnsbl.njabl.org
[62.226.103.195 listed in dnsbl.njabl.org]
2.5 RCVD_IN_DYNABLOCK RBL: Sent directly from dynamic IP address
[62.226.103.195 listed in dnsbl.sorbs.net]
1.2 MISSING_MIMEOLE Message has X-MSMail-Priority, but no X-MimeOLE
0.8 PRIORITY_NO_NAME Message has priority setting, but no X-Mailer
X-HE-MXrcvd: yes
This is a multi-part message in MIME format.
------=_NextPart_000_0001_0000105F.0000090C
Content-Type: text/plain;
charset="Windows-1252"
Content-Transfer-Encoding: 7bit
Please read the attached file.
------=_NextPart_000_0001_0000105F.0000090C
Content-Type: application/octet-stream;
name="your_letter.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="your_letter.pif"
--
Resist the beginnings!

webeinspunktnull
24.03.2004, 18:22
I only opened this virus mail with MailWasher and did not download it to disk at all. My Norton does not intervene yet; it only would if I fetched the mail via the mail client.
So why does the mail give the impression that it was checked with Norton and is virus-free??

Return-path: <zmihyar [at] yahoo.com>
Envelope-to:
Delivery-date: Tue, 23 Mar 2004 xx:xx:xx +0100
Received: from [213.178.224.98] (helo=trafficklau.de)
by mxng07.kundenserver.de with esmtp (Exim 3.35 #1)
ID: [ID filtered]
for
; Tue, 23 Mar 2004 xx:xx:xx +0100
From: zmihyar [at] yahoo.com
To: Subject: Re: Notify
Date: Tue, 23 Mar 2004 xx:xx:xx +0200
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0016----=_NextPart_000_0016"
X-Priority: 3
X-MSMail-Priority: Normal
Message-ID: [ID filtered]
This is a multi-part message in MIME format.
------=_NextPart_000_0016----=_NextPart_000_0016
Content-Type: text/plain;
charset="Windows-1252"
Content-Transfer-Encoding: 7bit

Protected message is attached.

++++ Attachment: No Virus found
++++ Norton AntiVirus - http://www.symantec.de

------=_NextPart_000_0016----=_NextPart_000_0016
Content-Type: application/octet-stream;
name="readme.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="readme.zip"
--
Resist the beginnings!

Smurfy
24.03.2004, 21:34
The worm is trying to give the impression that the file is clean...
http://www.sophos.de/virusinfo/analyses/w32netskyo.html

crenz
26.10.2005, 13:48
Hello PattyH,

I just happened to find this thread. The bounce quoted above came from my mail account. The topmost message came from qmail; the text "No executables, please. Message rejected" came from my filter (I typed that in myself ;-)). The rest comes from the three different servers the mail passed through (because of the mail forwarding I had set up).

Contrary to Smurfy's assumption, this information was not generated by the virus itself.
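An added example, not code from anyone in this thread: a small Python script that takes a bounce like the ones quoted above apart. It unfolds the headers, reads the Received chain bottom-up (every server that handles the mail prepends its own Received line, which is why crenz's three forwarding servers all show up), recovers the IP of the first hop (the bracketed dial-up address that the NJABL/SORBS lines in the SpamAssassin report refer to, not the From address), recomputes the point total from the report table, and flags attachments with Windows executable extensions such as .pif, the kind of check behind a "No executables, please" rejection. The sample message inside it is constructed (example.* hosts, RFC 5737 addresses, a HYPOTHETICAL id) and only mirrors the layout of the copied message in the first post; it uses the standard library only.

```python
# Added example: dissect a bounce's copied message. Not code from this thread.
# SAMPLE_BOUNCE is constructed; hosts, addresses and the id are placeholders.
import os
import re

SAMPLE_BOUNCE = """\
Return-Path: <victim@example.org>
Received: from relay.example.net (198.51.100.7)
  by mx.example.com with SMTP; 24 Mar 2004 10:00:03 -0000
Received: from localhost (localhost [127.0.0.1])
  by relay.example.net (Postfix) with ESMTP id HYPOTHETICAL
  for <user@example.net>; Wed, 24 Mar 2004 11:00:01 +0100
Received: from pppool-a1.example.net ([192.0.2.44] helo=victim.example.org)
  by scan.example.net with esmtp (Exim 4.22)
  for user@example.net; Wed, 24 Mar 2004 10:59:58 +0100
From: victim@example.org
To: user@example.net
Subject: [SPAM] Re: Excel file
Content-Type: multipart/mixed; boundary="XYZ"

Content analysis details: (6.5 points, 5.0 required)
 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.1 MICROSOFT_EXECUTABLE   RAW: Message includes Microsoft executable program
 3.0 MSGID_FROM_MTA_SHORT   Message-ID was added by a relay
 0.5 RCVD_IN_NJABL_DIALUP   RBL: NJABL: dialup sender
 0.1 RCVD_IN_SORBS          RBL: SORBS: sender is listed in SORBS
 1.6 MISSING_MIMEOLE        Message has X-MSMail-Priority, but no X-MimeOLE
 1.2 PRIORITY_NO_NAME       Message has priority setting, but no X-Mailer

Content-Disposition: attachment; filename="document_excel.pif"
"""

HEADER_RE = re.compile(r"^([!-9;-~]+):[ \t]*(.*)$")          # "Name: value"
HOP_RE = re.compile(r"from\s+(\S+)(?:\s*\(([^)]*)\))?.*?\bby\s+(\S+)")
IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")   # [1.2.3.4] or (1.2.3.4)
RULE_RE = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]*)\s+(.*)$")
TOTAL_RE = re.compile(r"\((-?\d+\.\d+) points, (\d+\.\d+) required\)")
EXECUTABLE_EXT = {".pif", ".scr", ".exe", ".com", ".bat", ".cmd", ".vbs"}

def unfold_headers(raw):
    """Split a raw message into (headers, body); folded continuation lines are joined."""
    head, _, body = raw.partition("\n\n")
    headers = []
    for line in head.splitlines():
        if line[:1] in (" ", "\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif (m := HEADER_RE.match(line)):
            headers.append((m.group(1), m.group(2)))
    return headers, body

def received_chain(headers):
    """Hops oldest first. Each MTA prepends its own Received header, so the last
    one in the message is the first hop. Only hops added by MTAs you trust are
    reliable; anything below them could have been written by the sender."""
    hops = []
    for name, value in headers:
        if name.lower() != "received":
            continue
        m, ip = HOP_RE.search(value), IP_RE.search(value)
        if m:
            hops.append({"from": m.group(1), "by": m.group(3),
                         "ip": ip.group(1) if ip else None})
    hops.reverse()
    return hops

def parse_spam_report(body):
    """Parse the 'pts rule name description' table and recompute the stated total."""
    rules = []
    for line in body.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((float(m.group(1)), m.group(2), m.group(3).strip()))
    t = TOTAL_RE.search(body)
    stated = float(t.group(1)) if t else None
    recomputed = round(sum(p for p, _, _ in rules), 1)
    return {"stated": stated, "required": float(t.group(2)) if t else None,
            "recomputed": recomputed, "rules": rules,
            "consistent": stated is not None and abs(stated - recomputed) < 0.05}

def executable_attachments(raw):
    """Attachment names carrying a Windows executable extension."""
    names = re.findall(r'(?:filename|name)="([^"]+)"', raw)
    return sorted({n for n in names if os.path.splitext(n)[1].lower() in EXECUTABLE_EXT})

def analyse(raw):
    """Everything a reader of a bounce wants at a glance, as one dict."""
    headers, body = unfold_headers(raw)
    chain = received_chain(headers)
    return {"hops": chain, "origin": chain[0] if chain else None,
            "report": parse_spam_report(body), "executables": executable_attachments(raw)}

if __name__ == "__main__":
    result = analyse(SAMPLE_BOUNCE)
    for i, hop in enumerate(result["hops"], 1):
        print(f"hop {i}: {hop['from']} [{hop['ip']}] -> {hop['by']}")
    print("origin IP (what the RBL lines refer to):", result["origin"]["ip"])
    print("report total:", result["report"]["stated"], "recomputed:", result["report"]["recomputed"])
    print("executable attachments:", result["executables"])
```

Run it as a script to see the hop list printed in delivery order; the first hop's IP is the one the RBL entries in the report are about. The `consistent` flag in the report dict is a cheap sanity check that the points in the table really add up to the stated total, which catches truncated or hand-edited reports.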