Strange email - virus?

Discussion in 'malware problems & news' started by Jonathan T, Mar 23, 2004.

Thread Status:
Not open for further replies.
  1. Jonathan T

    Jonathan T Guest

    I received this email today in the guise of an undeliverable email. i only recognise my email address in it, no others. I haven't corresponded with anyone listed in the header. I'm using XP, Pocomail, Kaspersky and Sygate and I seem to get a lot of infected emails recently, all of which are caught by Kaspersky AV and then deleted by me immediatley. Any ideas what it is?

    Mail Delivery System <>

    Undelivered Mail Returned to Sender

    Tue, 23 Mar 2004 07:38:34 -0700 (MST)


    This is the Postfix program at host

    I'm sorry to have to inform you that the message returned
    below could not be delivered to one or more destinations.

    For further assistance, please send mail to <postmaster>

    If you do so, please include this problem report. You can
    delete your own text from the message returned below.

                            The Postfix program

    <golda@localhost>: data format error

    A T T A C H E D   F I L E S   I N L I N E   D I S P L A Y

    Attached text follows, filename: att25.txt

    Reporting-MTA: dns;
    Arrival-Date: Tue, 23 Mar 2004 07:38:30 -0700 (MST)
    Final-Recipient: rfc822; golda@localhost
    Action: failed
    Status: 5.0.0
    Diagnostic-Code: X-Postfix; data format error

    Attached message follows, filename: Attached message31.eml

    Received: from (unknown [])
            by (Postfix) with ESMTP id BD2C4351158
            for <>; Tue, 23 Mar 2004 07:38:30 -0700 (MST)
    From: jonathan****@yahoo****
    Subject: Re: Re: Message
    Date: Tue, 23 Mar 2004 15:39:31 +0100
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
    X-Priority: 3
    X-MSMail-Priority: Normal
    Message-Id: <>
    Your document is attached.

    PocoMail: Encoded attachments present, please open the messagefile:///C:\Program Files\PocoMail3\Attach\Attached message31.eml to view them:

  2. meneer

    meneer Registered Member

    Nov 27, 2002
    The Netherlands
    I would say this is a bounce from a mail sent to a postfix mailserver (linux...) with a forged sender e-mail address (yours). Probably originated from a worm that used your email address. I would not bother.
    It looks like the worm was caught by a mailscanner at iwhome, since the attachment looks like the text message the mailscanner inserts in th email.

    btw: bounce means that the worm sent the message to a non existing email account, the mailserver replies to the presumed sender (ie you).
  3. Jooske

    Jooske Registered Member

    Feb 12, 2002
    Netherlands, EU near the sea This IP is from a yugoslavian university, does it look familiar to you?
    Further the message says there is a message.txt attached, but it is not, a message_details.pif is attached.
    Might be the infection itself. So don't open that part by no means, you might like to look in the message source however and recognise the kind of code soon enough.
    Did you scan the message and attachment? You might like to carefully copy it outside the email and go to and submit it there online to have an answer in just a few seconds what it is. If i do such things i make sure the attachment is either renamed in something which can't run like adding .txt or .tmp to it or zip it.

    Do you get many from the same sender or domains? Might be somebody else who has you in the addressbook is infected or harvested her/himself etc etc. Guess we all get the kind of bounces. It will stop if the infected senders clean out or their systems crash if not cleaning soon enough. It might be the "golda" in the header is harvested as well and not responsible for the bounce either.
    Frustrating part you don't know who to block or to warn, only maybe the IP address might be real.
    Can only look at the things and try to keep clean, deleting them from your system as soon as possible and forward anything undetected but suspicious to the av/at developers to get expert advice where possible.
  4. Jonathan T

    Jonathan T Guest

    Thanks for the help. I don't recognise anything to do with the sender and upto now I haven't had an infected email from anyone I know, they've all been from strangers with an attachment named *something*.pif. My Kaspersky AV screams virus and it goes straight in the bin, as does any email from someone I don't know with subjects that have nothing to do with me and dodgy attachments.

    I assume if it's a bounced email with a forged address (mine) then it means I'm not infected?
  5. Paul Wilders

    Paul Wilders Administrator

    Jul 1, 2001
    The Netherlands

    It does mean the bounced and forged email does not imply your system has been infected ;). Perform a full system scan nonetheless - it never hurts.


Thread Status:
Not open for further replies.