Date: Mon, 1 Jul 2002 14:51:10 -0400 (EDT)
From: BCPL.NET SysAdmin
To: BCPL.NET News
Subject: BCPL.NET NEWS: Mystery Mail Delivery Error Reports

-----------------------------------
MYSTERY MAIL DELIVERY ERROR REPORTS
-----------------------------------

In recent weeks we have received a lot of e-mail and phone calls from customers who are receiving mail delivery error reports for messages they know they didn't send. There are three things that commonly cause this.

1. Spoofed "From:" address in spam messages
-------------------------------------------

When a spammer's mass-mail software sends out thousands of junk e-mail messages, the address shown on the "From:" line is almost never the spammer's real address. Sometimes it is a completely phony address, but often it is a real address chosen at random from the list of addresses to which the spam is being sent.

If your address is on a spammer's list, and if your address just happens to be chosen for the "From:" line, and if some of the messages sent by the spammer are undeliverable, then you (not the spammer) will receive the delivery error reports for those undeliverable messages.

Most mail delivery error reports include the text of the undeliverable message. Take a look at it. If it looks like spam, then you probably received the error report because somewhere out on the Internet a spammer's mass-mail software used your address on the "From:" line of a batch of junk mail it sent out.

Until recently this was the most common reason for receiving mail delivery error reports for e-mail you didn't send. Then along came a rather nasty virus called the Klez Worm...

2. Spoofed "From:" address in infected messages sent by the Klez Worm
---------------------------------------------------------------------

I described the Klez Worm in BCPL.NET News on April 21 (see http://www.bcpl.net/news/news.20020421a.klez ) and mentioned it again on June 20 (see http://www.bcpl.net/news/news.20020620a.epidemic ).
When the Klez Worm infects a PC, it compiles a list of all e-mail addresses found on the infected PC's hard disk. Most are found in the address book and in saved e-mail, but addresses can be taken from any file. The Klez Worm then sends infected e-mail to all of those addresses, often multiple times. Sometimes the "From:" lines of the infected messages show the infected PC's owner's address, but more often the "From:" address is chosen at random from the list of target addresses compiled by Klez.

If your address is on the hard disk of some Klez-infected PC out on the Internet, and if the Klez Worm on that PC selects your address to use in the "From:" line, and if some of the messages sent by the Klez Worm are undeliverable, then you will receive the delivery error reports for those undeliverable messages.

Most infected messages sent by the Klez Worm do not include any message text. If the delivery error report doesn't include any message text, or if it is just a lot of gibberish, then you probably received the error report because somewhere out on the Internet a Klez-infected PC sent out infected e-mail with your address on the "From:" line.

Currently this is the most common cause of mail delivery error reports for messages you didn't send, but there is one more possibility.

3. Actual "From:" address in infected messages sent by the Klez Worm
--------------------------------------------------------------------

As I mentioned in scenario #2 above, sometimes the Klez Worm uses the infected PC's owner's address on the "From:" line of the infected messages it sends. Therefore, if you receive delivery error reports that seem to be the result of undeliverable Klez-infected messages, there is a possibility that your PC is the infected PC. It is not as strong a possibility as the scenario described in #2 above, but it is still a possibility.
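The triage described in the three scenarios above (look at the returned message: does it carry your address on the "From:" line, does it have readable text, does that text look like junk mail) can be automated for a mailbox full of error reports. The script below is an added example written for this newsletter, not BCPL.NET's own tooling; the spam word list and the 90% readable-text threshold are assumptions, and the bounce it builds is a constructed sample.

```python
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Assumed heuristic (not from the newsletter): wording that makes a returned body "look like spam".
SPAM_HINTS = ("unsubscribe", "free", "click here", "special offer")


def build_bounce(orig_from, body):
    """Build a minimal, constructed delivery-error report that carries the
    undeliverable message as a message/rfc822 attachment (as most real reports do)."""
    orig = EmailMessage()
    orig["From"] = orig_from
    orig["To"] = "nobody@unreachable.invalid"
    orig["Subject"] = "hi"
    orig.set_content(body)
    bounce = EmailMessage()
    bounce["From"] = "MAILER-DAEMON@mx.invalid"
    bounce["To"] = orig_from
    bounce["Subject"] = "Undeliverable mail"
    bounce.set_content("Delivery to the following recipient failed permanently.")
    bounce.add_attachment(orig)  # becomes a message/rfc822 part
    return bounce.as_bytes()


def classify_bounce(raw, my_address):
    """Map a delivery-error report to scenario 1 (spammer spoofed your address)
    or scenario 2/3 (Klez-style worm spoofed your address, possibly from your own PC)."""
    bounce = message_from_bytes(raw, policy=default)
    orig = next((p.get_payload(0) for p in bounce.walk()
                 if p.get_content_type() == "message/rfc822"), None)
    if orig is None:
        return "unknown: report does not include the undeliverable message"
    if my_address.lower() not in (orig["From"] or "").lower():
        return "not-yours: the From line is not your address; treat as an unrelated report"
    body = orig.get_body(preferencelist=("plain",))
    text = body.get_content().strip() if body is not None else ""
    # Scenario 2/3: worm-sent messages usually carry no readable text at all.
    readable = sum(c.isprintable() or c.isspace() for c in text)
    if not text or readable / len(text) < 0.9:  # 0.9 is an assumed threshold
        return "2-or-3: worm-style backscatter; check your own PC with up-to-date anti-virus"
    # Scenario 1: a readable body that reads like junk mail.
    if any(hint in text.lower() for hint in SPAM_HINTS):
        return "1: spam backscatter; a spammer used your address on the From line"
    return "unclear: readable body without spam wording; review the message by hand"
```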
If you have anti-virus software on your PC, and if you keep it up to date, and if your version of Internet Explorer is not one that contains the "auto-open bug", and if you never open unexpected file attachments, then chances are slim that your PC has a Klez Worm infection. See the Anti-Virus section of the BCPL.NET FAQ at http://www.bcpl.net/faq/#virus for more detailed information about these precautions.

If you have questions about any of the above, please contact the BCPL.NET Help Desk at 410-887-3297 or help@bcpl.net.

--
BCPL.NET INTERNET SERVICES
320 York Road
Towson, MD 21204-5179
U.S.A.

CONTACTS:
--------
Web Site: http://www.bcpl.net
Administration & Policy: ispadmin@bcpl.net 410-887-6180
Sales, Renewals, Account Status: accounts@bcpl.net 410-887-4172
Technical Support (Help Desk): help@bcpl.net 410-887-3297
Usenet News Newsgroup Requests: news-admin@bcpl.net 410-887-6180
E-Mail & Newsgroup Abuse Reports: abuse@bcpl.net 410-887-6180
Domain Name Service Issues: dnsadmin@bcpl.net 410-887-6180
FAX: 410-887-2091