Puzzling??????

Discussion in 'malware problems & news' started by Peaches4U, Apr 6, 2003.

Thread Status:
Not open for further replies.
  1. Peaches4U

    Peaches4U Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    5,070
    Location:
    At my computer
    o_O I received an email which I thought was from my friend to my private addy and in the subject line it said: "Important Server Update." I opened it and the following message was inside. However, when I emailed my friend, she said she did not send me such an email and knows nothing about it. She never addresses me as "Dear J." nor does she sign as "M". Yet my initial is "J" and hers is "M". She is the only user on her computer as I am on mine. Details of original sender was from nobody@wildersecurity.com. What are your opinions? Thanks ........

    Message-Id: <E18vphV-0005f9-00@security.wildersecurity.com>
    Date: Wed, 19 Mar 2003 20:22:37 -0600
    X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
    X-AntiAbuse: Primary Hostname - security.wildersecurity.com
    X-AntiAbuse: Original Domain - shaw.ca
    X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [99 99]
    X-AntiAbuse: Sender Address Domain - security.wildersecurity.com

    Dear J,

    I want you to check out the following topic: IMPORTANT SERVER UPDATE, on Wilders Security Forums. To view it, please click the link below:

    http://www.wilderssecurity.com/showthread.php?t=7963


    Thanks,
    M
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,838
    Location:
    New England
    Well, that is very odd indeed. I can only imagine that someone is playing around in some way, but I don't understand to what end? First of all, we are at "wilderssecurity.com" (notice the two "s" characters together in the middle there).

    Secondly, why in the world would they link to our announcement posting at http://www.wilderssecurity.com/archive/index.php?board=11&action=display&threadid=7963?

    Most of the time, people send messages as either spam, which this doesn't appear to be, or to send a virus, but, you didn't say the message contained an attached virus, either? Odd indeed.

    I'm sure Paul will be interested. Thanks,
    LowWaterMark
     
  3. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    M,

    It's spoofed. This is how it should be:

    X-AntiAbuse: Original Domain - wilders.org

    Please forward the email to webmaster@wilders.org - coming with the full header if possible.

    regards,

    paul
     
  4. Tinribs

    Tinribs Registered Member

    Joined:
    Mar 14, 2002
    Posts:
    734
    Location:
    England
    Hmmm, that's a bit naughty, I expect Paul's heavies will be suiting up pretty soon.
     
  5. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    From: webmaster@wilders.org
    Message-Id: <E191mWh-0002Vt-00@security.wildersecurity.com>
    Date: Sat, 05 Apr 2003 06:12:03 -0600
    X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
    X-AntiAbuse: Primary Hostname - security.wildersecurity.com
    X-AntiAbuse: Original Domain - hotmail.com
    X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [99 99]
    X-AntiAbuse: Sender Address Domain - security.wildersecurity.com
    Return-Path: nobody@security.wildersecurity.com
    X-OriginalArrivalTime: 05 Apr 2003 12:11:09.0380 (UTC) FILETIME=[712FE840:01C2FB6C]


    This is one of my received headers.
    Look very carefully at the security.wildersecurity.com with just one s in the middle, and my email really came from here; checked with various headers.
    The hotmail.com account is right, as I don't have a wilders.org email account now but am using a hotmail one at the moment.

    Peaches, did it only reach you as an email or was it a forum notification of an IM waiting for you here?
    That would explain the J and the M.
    Your email would have said in the "from"
    From: webmaster@wilders.org
    and the subject line something like this:
    New Wilders Security Forums-Message: (Re:Test)
    (or for "test" your subject line you wrote above)

    I just IM-ed you here a few moments ago, which should result in such a forum notification.
    Please look carefully at the appearance and full headers.
    You might like to post both those full headers for comparison, I would only ask you to cut out your personal email account from them.
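
The side-by-side header comparison asked for above, as an added example that is not part of the original thread: it parses the two header blocks posted here and reports which server-added fields match and which differ. The function names `fingerprint` and `compare` are illustrative.

```python
from email import message_from_string

# Header blocks copied from the two posts in this thread.
SUSPECT = """\
Message-Id: <E18vphV-0005f9-00@security.wildersecurity.com>
Date: Wed, 19 Mar 2003 20:22:37 -0600
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - security.wildersecurity.com
X-AntiAbuse: Original Domain - shaw.ca
X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [99 99]
X-AntiAbuse: Sender Address Domain - security.wildersecurity.com
"""
REFERENCE = """\
From: webmaster@wilders.org
Message-Id: <E191mWh-0002Vt-00@security.wildersecurity.com>
Date: Sat, 05 Apr 2003 06:12:03 -0600
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - security.wildersecurity.com
X-AntiAbuse: Original Domain - hotmail.com
X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [99 99]
X-AntiAbuse: Sender Address Domain - security.wildersecurity.com
Return-Path: nobody@security.wildersecurity.com
X-OriginalArrivalTime: 05 Apr 2003 12:11:09.0380 (UTC) FILETIME=[712FE840:01C2FB6C]
"""

def fingerprint(raw_headers):
    """Collect the server-added fields that identify the sending host."""
    msg = message_from_string(raw_headers)
    fields = {}
    for value in msg.get_all("X-AntiAbuse", []):
        name, sep, data = value.partition(" - ")
        if sep:  # the explanatory X-AntiAbuse line has no "name - value" form
            fields[name.strip()] = data.strip()
    msg_id = msg.get("Message-Id", "")
    fields["Message-Id host"] = msg_id.rpartition("@")[2].strip("<> ")
    return fields

def compare(a, b):
    """Return (fields with equal values, fields that differ) for two header blocks."""
    fa, fb = fingerprint(a), fingerprint(b)
    keys = sorted(set(fa) | set(fb))
    same = [k for k in keys if fa.get(k) == fb.get(k)]
    diff = {k: (fa.get(k), fb.get(k)) for k in keys if fa.get(k) != fb.get(k)}
    return same, diff

if __name__ == "__main__":
    same, diff = compare(SUSPECT, REFERENCE)
    print("same:", same, "\ndiffers:", diff)
```

For these two blocks only `Original Domain` differs; the host-identifying fields are identical.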
     
  6. Peaches4U

    Hi everyone - will try to answer all questions posed in this one post.

    1. The email was neither a forum notification nor was it an IM. This forum only has my MSN addy and not my private addy. The email definitely was from my friend's private addy. Had the mail come from direct Wilders to my private addy then I would have been suspicious and never opened it. Although, I should have twigged as my friend never ever puts in the subject line (from M). My friend does not even know who Wildersecurity is and had she received an email from such a source, she in all probability would not have opened it ..... rule, I have tried to impress upon her "never open mail from sources you are unfamiliar with".
    2. The subject line said "Topic: IMPORTANT SERVER UPDATE (From M)"
    3. To Webmaster - your last paragraph - I never use IM so have no idea how I am to pick up your message. Sorry if I sound dumb but I am a willing learner... :)) Email me to my MSN addy and tell me how this is done. Tx.
    4. Now if I can get some help in how to send that email in text form [have never done so therefore don't know how], will be happy to comply.

    I will help with answering whatever questions as best as I can that you deem to be helpful. Also, I do not mind if you also communicate with me through my MSN addy which Wilders have on file. It may well be my friend's computer that is compromised as she does not practise good security measures in spite of my urging that she do so. I am pretty sure she would allow me to use her computer to do any checks you would like done.
     
  7. Peaches4U

    :D Gads the lightbulb just lit up and when all else fails go to help ........... :rolleyes: patience and this peach will find the way slow but sure........... found the IM and read it ... next step but it is "din-din" time so have to put it off for a wee bit. Be back, you can count on it.
     
  8. Jooske

    Great how you're learning Peaches, sorry I was not back here to help you, telling you to click on top of the page where it says "Hi Peaches4u, you have X messages, Y are new"
    It brings you instantly to your Instant Messages.

    From your other forum thread I remember you used Outlook Express.
    Right-click once on the header of the message and see the little menu > Properties > tab Details > button down right "Source"
    The Details tab only gives the full header, the "Source" gives that including the whole message source.
    Right-click in the text > select all > copy
    This copied thing you can paste in a new email for instance or in a posting here.
    As the source is TXT format, your copy is TXT format too.
    If I have a suspicious email, and don't want to close the preview window, I look at the sender name or subject line and do a search for it: in that search tool in OE you can do the same, click and see the source via the steps I just described and check the source without actually opening the email and possible attachments, as you can scroll in the source and check if it is ok or not.

    You wrote you have all security updates so with your careful ways you can use this last trick easily and look in the sources.
    Makes it all less "fearful", doesn't it?
    You've seen in my signature here I am one of the moderators for the DCS products which you see here on the forum too, and where you can really learn a lot.
    Can tell you, in the years since I met DCS they taught me a lot of security and that it can even be FUN with the tools they build -- impressive and top notch, for sure -- and in using them. (TDS / WG / PE and a lot more!)

    For all the families here: Peaches and I have an email chain going on between us too, but there might be more people surfing along who did not know little details and did not ask.

    Hotmail/msn: I receive the hotmail stuff in OE so use the same ways as described; on the web it's the "Options > advanced options > mail display settings" to get the full headers standard. On the web I don't see how to get the source, hmm, probably overlooking a thing as I'm sure you don't want to get it via the browser > view > source which gives you all the hotmail code as well.

    I have a careful conclusion at the moment: either the friend or a third party with both private email addresses and maybe a wilders message too had an infected computer mixing up things, like Klez could do for instance, Yaha, or something else. I'm puzzling about the "Dear J" and "M" in the message.

    To be continued :p
     
  9. Peaches4U

    Hi Jooske. Just read your post - thanks for all the info. Just learned something new again. ;) With persistence & some thought I figured out how to get your IM after my request & before your reply - I feel really silly for having asked in the first place.
    1. Did another Housecall scan of my computer - no trojans or virus found so I successfully blocked, eliminated the Exploit mentioned in private emails.
    2. I did not receive anything from you to my private email addy so cannot do a comparison. You do have the correct addy?? It is there in the headers.
    3. If my friend, whose initial in fact is "M" and mine is "J" for the sake of argument did get such email - she would not forward it to me and if she did, she would not word the message as it was...... she would probably say something like..... Hi J....[using full name] I got this, what the heck is it all about? Completely out of character the way the email was written.
    4. She never signs messages with an initial, she would use either her full name or "Mad" which is why I suspect her computer is being used as a host using her email contacts as targets. My private addy being at the top end of the alphabet would be an almost first target - right o_O o_O We both use the same ISP so therefore the headers from her computer to mine would show that. However, where did it originate in order to be sent from my friend's IP addy o_O o_O
    5. She does not even know about this forum so there would be no reason for Wilders to send her a server update but I can see one being sent to me however, not to my private addy but my MSN addy.
    This is so interesting and hope it can be solved. :)
     
  10. Jooske

    Hi Peaches4u, I wasn't around unexpectedly so that explains the delay -- I just finally hit the "send button" from my personal email to you.
    I have tried to test something which could be really so simple and been overlooked so simply too, if it works properly:

    See in every thread the "send topic" button.
    Take a nice and short topic to try it out: I do expect just to get the URL to look, but I don't want to take the risk the full thread would be sent with it!

    A lot of "topic" forwarding software has some automated options. I got them frequently from people who want me to look at some topic on a news site, and people fill in whatever they want: I mean for sender name let's take your received email,
    your friend could have filled in as her first name M and for you as a receiver J. Personal email addresses, as she knows that one from you.
    The forum software could add to a standard message those J and M in the proper places, added to the standard text
    Dear "J", I would like you to see this important subject, click "http blabla" to see it. "M"
    where the things between "" are added to the standard text.
    I tried this out myself, but even after almost an hour I still did not receive these postings, so I have no way (yet) to compare with your full header.
    If it works as I think it should, it could explain everything.
    Also the date 19 March is ok, as around that date all was functioning normally; several days after, some forum changes were made, so if it doesn't function today, it could have before.
    So no infections, just a helpful friend or somebody knowing both your email accounts if your friend M doesn't know this good place here. (Time she does, you now know how to alert her via this forum if the "send topic" functions fine! :D)
     
  11. Peaches4U

    Hi Jooske - well you came up with something but I assure you my friend would have no idea of how to send a topic off a forum because she has never visited a forum. Trust me, after about a year, her computer knowledge leaves a lot to be desired. However, I will send the topic to myself to my private email addy and report back to you with the headers via email for comparison. It is highly unlikely she found your site and sent me the topic - Besides, I already knew of the changes by going to your site and informed my contacts of the changes myself by private emails in the event they were going to do any downloads - that is why I am such a peach!! :D

    You know Jooske, I am Wilders greatest promoter of the site, software, etc. :D And, at the same time I explained if questions arose to visit your forums read, join & ask away ..... to my knowledge no one has cuz they know I do visit a variety of forums so my contacts find it simpler to ask me.
     
  12. Jooske

    You are a peach indeed :)
    Then you probably also know newsgroups and sites like www.hackfix.org and the several newslists for support. I like the ways they help users in understandable step-by-step ways
    (hackfix-virushelp, PCTECH-talk, A Helping Hand, 24hoursupport, etc, good to know them in your arsenal even though I generally speaking prefer forums over newsgroups; several are at www.freelists.org, some at yahoogroups.com)
     
  13. Peaches4U

    :D Nope, I have not ventured into newsgroups yet. Thanks for the sites though as I will check them out but so far I get what I need out of forums. Sheesh, with all this stuff, when am I gonna start on my book .... family has been waiting 2 yrs. now. :oops: Thanks for all your help here in trying to solve the puzzle and have sent some ems to you with further details. Peaches
     
  14. Peaches4U

    :-* Thank you Jooske & others for all the time spent on this issue and solving things. Peaches
     
  15. Jooske

    You're welcome, always glad to help, especially with digging for what's been happening.
    Hope you bring the people with you, so all can learn at least some security here. I mean: there is never one standard solution for everybody, so there are so many ways to learn here, and if your contacts are safe and using some security to start with, it's good for you and all the internet community!
     