[OT] Strange Spam

These are results of a variant of the Klez virus, W32.Klez.gen@mm. It is a mass-mailing worm that searches the Windows address book for email addresses and sends messages to all recipients that it finds. The worm uses its own SMTP engine to send the messages. A cleanup procedure/fix and a more complete and thorough explanation can be found at http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.gen@...

Best regards,
Nik
All American Products <miket@...> wrote:

I received a few of these messages myself on or around May the ninth.
I use AT&T WorldNet service and our website is located on the ISP's site. I have no idea how they got our e-mail address.

Mike Tonoyan / All American Products Co.
miket@...




Useful links for the Yahoo!Groups Vantage Board are: ( Note: You must have already linked your email address to a yahoo id to enable access. )
(1) To access the Files Section of our Yahoo!Group for Report Builder and Crystal Reports and other 'goodies', please goto: http://groups.yahoo.com/group/vantage/files/.
(2) To search through old msg's goto: http://groups.yahoo.com/group/vantage/messages
(3) To view links to Vendors that provide Vantage services goto: http://groups.yahoo.com/group/vantage/links

Your use of Yahoo! Groups is subject to the Yahoo! Terms of Service.




[Non-text portions of this message have been removed]
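Nik's identification above fits the symptoms Todd describes in the original post: the worm mails out with its own SMTP engine, stamping harvested addresses into From: and into the envelope sender, so the victim's own MX generates the NDR for the nonexistent Webmaster@ mailbox and returns it to the forged (innocent) address. Todd's "who knows where it really originated" is answered by reading the Received: chain top-down and trusting only the lines your own servers wrote. The script below is an added example, not code from the thread; the hosts (corp.example, mail.corp.example, exchange.corp.example), the 10.0.0.0/8 internal range and the 192.0.2.x addresses are constructed placeholders.

```python
"""Separate what a suspicious message claims from what our own servers saw.

Added example, not from the thread. Every hostname, address and IP here is
constructed (.example names, RFC 5737 TEST-NET and RFC 1918 space).
"""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Typical shape: "from <HELO name> (<reverse DNS> [<ip>]) by <receiving MTA> ..."
# The HELO name is whatever the connecting client said; the parenthesised
# part and the "by" host are written by the receiving server.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s+\((?P<paren>[^)]*)\))?.*?\bby\s+(?P<by>[\w.-]+)"
)
IP_RE = re.compile(r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Reduce one Received: header to {"helo", "ip", "by"}; None if unparseable."""
    flat = " ".join(value.split())  # undo header folding
    m = RECEIVED_RE.search(flat)
    if not m:
        return None
    ip_m = IP_RE.search(m.group("paren") or "") or IP_RE.search(flat)
    return {"helo": m.group("helo"),
            "ip": ip_m.group("ip") if ip_m else None,
            "by": m.group("by")}


def _is_internal(hop, ours, our_nets):
    """A hop is internal only if the client name is one of ours AND the
    recorded IP sits in our address space; HELO names alone can be forged."""
    if hop["helo"].lower() not in ours:
        return False
    if hop["ip"] is None:
        return True
    addr = ipaddress.ip_address(hop["ip"])
    return any(addr in net for net in our_nets)


def analyze(raw, our_mta_hosts, our_domain, our_networks=()):
    """Find the connection through which the message entered our servers.

    Received: headers are read top-down (most recent first). We trust only
    lines written "by" one of our_mta_hosts; the first such line whose client
    is not internal is the injecting connection, and every line below it was
    supplied by that client and cannot be verified.
    """
    msg = message_from_string(raw)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    ours = {h.lower() for h in our_mta_hosts}
    nets = [ipaddress.ip_network(n) for n in our_networks]

    injecting = None
    for idx, hop in enumerate(hops):
        if hop["by"].lower() not in ours:
            break  # left our infrastructure without finding an external client
        if not _is_internal(hop, ours, nets):
            injecting = idx
            break

    from_addr = parseaddr(msg.get("From", ""))[1]
    return_path = parseaddr(msg.get("Return-Path", ""))[1]  # envelope sender: NDRs go here
    from_domain = from_addr.rpartition("@")[2].lower()
    found = injecting is not None
    return {
        "from_addr": from_addr,
        "return_path": return_path,
        "hops": hops,
        "injecting_helo": hops[injecting]["helo"] if found else None,
        "injecting_ip": hops[injecting]["ip"] if found else None,
        "unverifiable_hops": len(hops) - injecting - 1 if found else 0,
        # Header From: is in our domain, yet the mail arrived from outside.
        "spoofed_local_sender": found and from_domain == our_domain.lower(),
    }


# Constructed message modelled on the thread: header From: is a local user,
# but the mail was handed to our MX by an outside PC.
SAMPLE = """\
Return-Path: <user@corp.example>
Received: from mail.corp.example (mail.corp.example [10.0.0.5])
\tby exchange.corp.example with ESMTP id 31MAY02A; Fri, 31 May 2002 13:05:11 -0500
Received: from user-pc (unknown [192.0.2.45])
\tby mail.corp.example with SMTP id 31MAY02B; Fri, 31 May 2002 13:05:09 -0500
Received: from user-pc ([192.0.2.45]) by relay.elsewhere.example; Fri, 31 May 2002 13:04:00 -0500
From: user@corp.example
To: postmaster@corp.example
Subject: You're Paying too Much

(body omitted)
"""

if __name__ == "__main__":
    report = analyze(SAMPLE, {"mail.corp.example", "exchange.corp.example"},
                     "corp.example", ("10.0.0.0/8",))
    print("injected from", report["injecting_ip"], "claiming HELO", report["injecting_helo"])
    print("NDRs for this message would go to", report["return_path"])
    print("spoofed local sender:", report["spoofed_local_sender"])
```

The decisive fact is the IP your own MTA recorded in the first hop written by one of your servers; the HELO name and every Received: line beneath that hop are under the sender's control. Return-Path is the envelope sender, which is why a forged envelope puts the bounce in the spoofed user's mailbox rather than the worm's.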
I just got the strangest spam I've (yet) seen. Wondering if maybe an
expert here could explain.

Received a message from our Exchange server stating that a message I had
sent could not be delivered. Funny thing was I had not sent any. Nothing
in my "sent items" folder for it either. It was addressed to
Webmaster@..., which is not even an account here (hence the failed
delivery). While checking it out I received another email with the same
subject (You're Paying too Much) from myself (huh!) in my Junk Email folder.
This one lists me as the sender and Postmaster@... (didn't know
I had this name set up). The Internet headers indicate a spam outfit in
Australia ( aasw.asn.au by OR214O5V.aasw.asn.au ) but who knows where it
really originated.

Sort of curious how they could make it look like I sent the message to the
Postmaster account. Enough so that when the Webmaster version failed
delivery our Exchange server really thought it had been sent from here and
notified me. I have SMTP relay turned off and we are behind a firewall.
Also the one that got through had the purple "S" script icon in the corner.
I'm hoping that by previewing it I did not activate something. I have
scripting set to always prompt and I saw no prompt when I previewed the
message so I don't think anything ran.

But this is by far the weirdest email I've seen.

-Todd Caughey
Harvey Vogel Mfg. Co.


Well, my first guess was that the message was using, or trying to use, your
server as a relay. The other thought is the Klez virus. Were there any
attachments? This virus will send emails to yourself.
Hope this helps a little
Nancy

-----Original Message-----
From: Todd Caughey [mailto:caugheyt@...]
Sent: Friday, May 31, 2002 4:14 PM
To: 'vantage@yahoogroups.com'
Subject: [Vantage] [OT] Strange Spam


Todd,

I am by no means an expert, but it sounds like you have an open relay.

Check it at:

Have the sender's email administrator turn off the open relay on their
server. This web site has excellent tips to secure an email system:
http://www.mail-abuse.org/tsi/ar-fix.html. Then resubmit the server here:
http://www.ordb.org/removal


Dan

-----Original Message-----
From: Todd Caughey [mailto:caugheyt@...]
Sent: Friday, May 31, 2002 4:14 PM
To: 'vantage@yahoogroups.com'
Subject: [Vantage] [OT] Strange Spam


---
Incoming mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.365 / Virus Database: 202 - Release Date: 5/24/2002



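Dan's suggestion above (and Todd's remark that relaying is turned off on his Exchange server) reduce to one SMTP conversation: offer a MAIL FROM and a RCPT TO that are both foreign to the server and see whether RCPT is accepted. The code below is an added example, not code from the thread or from the sites Dan links; the hostnames are .example placeholders, and the FakeMTA class is a constructed stand-in so the probe can be exercised offline. Point probe_relay() only at servers you administer.

```python
"""Probe an SMTP server for open relaying.

Added example, not from the thread. The FakeMTA below is a constructed
stand-in (an open relay when accept_all is set, otherwise a server that
only accepts its own domains) so the probe can run against loopback.
"""
import smtplib
import socketserver
import threading
from typing import NamedTuple


class RelayProbe(NamedTuple):
    is_open: bool   # True if a fully foreign recipient was accepted
    code: int       # reply code to RCPT TO (or to MAIL FROM if that failed)
    reply: str


def probe_relay(host, port, mail_from="probe@relaytest.example",
                rcpt_to="nobody@remote.example", timeout=10):
    """EHLO, MAIL FROM, RCPT TO, then RSET and QUIT. DATA is never sent,
    so nothing is delivered even when the server would relay."""
    with smtplib.SMTP(host, port, local_hostname="probe.example",
                      timeout=timeout) as s:
        s.ehlo_or_helo_if_needed()
        code, msg = s.mail(mail_from)
        if code != 250:
            return RelayProbe(False, code, msg.decode(errors="replace"))
        code, msg = s.rcpt(rcpt_to)
        s.rset()  # abandon the transaction
        return RelayProbe(code in (250, 251), code, msg.decode(errors="replace"))


# --- constructed fake MTA for offline demonstration ------------------------
class FakeMTA(socketserver.StreamRequestHandler):
    """Minimal SMTP responder; relay policy comes from the server object."""

    def send(self, line):
        self.wfile.write(line.encode() + b"\r\n")

    def handle(self):
        self.send("220 mta.corp.example ESMTP (constructed)")
        while True:
            raw = self.rfile.readline()
            if not raw:
                return
            cmd, _, arg = raw.decode(errors="replace").strip().partition(" ")
            cmd = cmd.upper()
            if cmd in ("HELO", "EHLO"):
                self.send("250 mta.corp.example")
            elif cmd == "MAIL":
                self.send("250 2.1.0 Ok")
            elif cmd == "RCPT":
                rcpt = arg.partition(":")[2].strip().strip("<>")
                domain = rcpt.rpartition("@")[2].lower()
                if self.server.accept_all or domain in self.server.local_domains:
                    self.send("250 2.1.5 Ok")
                else:
                    self.send("554 5.7.1 Relay access denied")
            elif cmd == "RSET":
                self.send("250 2.0.0 Ok")
            elif cmd == "QUIT":
                self.send("221 2.0.0 Bye")
                return
            else:
                self.send("502 5.5.2 Command not implemented")


def start_fake_mta(accept_all, local_domains=("corp.example",)):
    """Bind a FakeMTA on an ephemeral loopback port and serve in a thread."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakeMTA)
    srv.daemon_threads = True
    srv.accept_all = accept_all
    srv.local_domains = {d.lower() for d in local_domains}
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe_fake(accept_all):
    """Start a fake MTA with the given policy, probe it, shut it down."""
    srv = start_fake_mta(accept_all)
    try:
        host, port = srv.server_address
        return probe_relay(host, port)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for policy in (True, False):
        r = probe_fake(policy)
        print("open relay" if r.is_open else "relay refused", r.code, r.reply)
```

A 250 to a foreign recipient before DATA is enough to prove relaying; the transaction is reset and the session closed, so nothing is delivered. Note the caveat this thread turns on: a mass-mailer with its own SMTP engine delivers straight to the victim domain's MX with a forged sender, so a correctly closed relay does not stop the spoofed message or the resulting NDR; the probe only shows that third parties cannot launder mail through your server.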
Todd,

check this article:
http://www.slipstick.com/exs/relay.htm

Paul

-----Original Message-----
From: Todd Caughey [mailto:caugheyt@...]
Sent: Friday, May 31, 2002 4:14 PM
To: 'vantage@yahoogroups.com'
Subject: [Vantage] [OT] Strange Spam


Todd,

I got something extremely similar at my home last week. It looks like a
returned undeliverable message - I think mine looked like it was from
microsoft - it said postmaster@something. When I opened it, it did not look
familiar and there were two attachments. I deleted it right away without
opening the attachments. I just got done recovering from the happy time
virus and I don't want to have to start over yet again!

Diane Rowberry
Westwood Precision
-----Original Message-----
From: Todd Caughey [mailto:caugheyt@...]
Sent: Friday, May 31, 2002 1:14 PM
To: 'vantage@yahoogroups.com'
Subject: [Vantage] [OT] Strange Spam


I read an article in InformationWeek (I think that was it) recently about
www.WinWhatWhere.com. They have software that tracks everything: keystrokes,
screenshots, passwords, IMs, chat, etc. Silently.

I haven't personally tried their software though.

Jim Carnes
IS Administrator
Kenlee Precision Corp
jcarnes@...
1700 Morrell Park Ave
Baltimore, MD 21230

-----Original Message-----
From: Todd Caughey [mailto:caugheyt@...]
Sent: Friday, May 31, 2002 4:14 PM
To: 'vantage@yahoogroups.com'
Subject: [Vantage] [OT] Strange Spam

I received a few of these messages myself on or around May the ninth.
I use AT&T WorldNet service and our website is located on the ISP's site. I have no idea how they got our e-mail address.

Mike Tonoyan / All American Products Co.
miket@...

----- Original Message -----
From: "Todd Caughey" <caugheyt@...>
To: <vantage@yahoogroups.com>
Sent: Friday, May 31, 2002 1:13 PM
Subject: [Vantage] [OT] Strange Spam


The way I understand it, Klez steals your address info from an infected
machine, along with other addresses. It substitutes stolen addresses in the
"From:" and "To:" fields, sending out bogus emails about false infections to you
or others. I got one of those, myself. Then, after spending a day
re-fortifying all my workstations, I found out how it works.

Gary Polvinale
Denton ATD

-----Original Message-----
From: Diane Rowberry [mailto:diane.rowberry@...]
Sent: Friday, May 31, 2002 4:34 PM
To: vantage@yahoogroups.com
Subject: RE: [Vantage] [OT] Strange Spam

