OT: Inundated with bogus(?) warnings I'm infected

Paul Howarth paul at city-fan.org
Thu Sep 14 20:31:03 UTC 2006


On Thu, 2006-09-14 at 13:05 -0500, Mike McCarty wrote:
> Ok, here's an example. I turned on all headers. The actual message
> in this case is one that my ISP caught, and clobbered the attachment
> which the ISP claims contains a copy of a virus. In cases like this,
> the attachment is 0 bytes long. The message sent to me purports
> to be a delivery failure. I know for a fact that I did not send
> any such message. As pointed out by others, this may be the results
> of yet another party who is infected, and who is unknowingly spoofing my
> e-mail address. It has been more than a year since I last booted
> Windows XP on my machine, and when I do boot it I am never connected
> to the net. I have never set up XP on this machine to be able to
> send or receive email.
> 
> -M-E-S-S-A-G-E---B-E-G-I-N-S-
> Your AT&T Yahoo! Mail Virus Protection detected the virus 
> 'W32.Mydoom.M at mm' in the file 'Document.pif', attached to the enclosed 
> email message. We scanned the file using Norton AntiVirus but were 
> unable to clean it. Therefore, we removed the content of the attachment 
> from the message. Please contact the message sender if you want to 
> receive the attachment. They must clean the file and resend it before we 
> can deliver it to you safely.
> 
> 
> 
> AT&T Yahoo! Mail successfully cleans most infected attachments, which 
> protects you from viruses.
> 
> 
> 
> 
> Subject: Delivery reports about your e-mail
> From: "Mail Administrator" <MAILER-DAEMON at sbcglobal.net>
> Date: Wed, 13 Sep 2006 14:23:40 +0000
> To: mike.mccarty at sbcglobal.net
> X-Apparently-To: mike.mccarty at sbcglobal.net via 216.252.101.37; Wed, 13 
> Sep 2006 11:07:33 -0700
> X-Originating-IP: [162.39.117.147]
> Authentication-Results:
> mta101.sbc.mail.mud.yahoo.com from=sbcglobal.net; domainkeys=neutral (no 
> sig)
> Received: from 207.115.57.79 (EHLO ylpvm48.prodigy.net) (207.115.57.79) 
> by mta101.sbc.mail.mud.yahoo.com with SMTP; Wed, 13 Sep 2006 11:07:33 -0700

I'm guessing that SBC are outsourcing some of their mail handling to
Yahoo! - is that right?

207.115.57.79 is within the network that SBC's inbound mail servers use,
so since the mail was addressed to you at sbcglobal.net, it looks like a
valid Received: header and that the mail is then forwarded to Yahoo! for
virus scanning etc.

So this one looks genuine to me.

> X-Originating-IP: [162.39.117.147]
> Received: from sbcglobal.net (h147.117.39.162.ip.alltel.net 
> [162.39.117.147]) by ylpvm48.prodigy.net (8.13.6 inb/8.13.6) with ESMTP 
> id k8DI7NKK019802 for <mike.mccarty at sbcglobal.net>; Wed, 13 Sep 2006 
> 14:07:31 -0400

This is the only remaining Received: header so it stands to reason that
the source identified here (h147.117.39.162.ip.alltel.net
[162.39.117.147]) is where the infection is. A further giveaway is that
the sender pretended to be sbcglobal.net (i.e. your domain), in order to
try to throw people off the scent when identifying the source; this is a
typical trick employed by spammers, yet it gives them away so easily to
people that understand Received: headers.

Since this is almost certainly a dynamic IP address, there's not a lot
further you can do to identify the actual person that's infected short
of forwarding the message to abuse at alltel.net and letting them figure
out who was connected at that time.

Paul.
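As an added illustration of the header-reading Paul describes (this is example code, not part of the thread or anything either poster wrote), the script below walks the Received: headers of the quoted bounce from newest to oldest, pulls out the HELO name, reverse DNS and IP of each connecting client, and flags the earliest hop when its HELO name disagrees with its reverse DNS or claims the recipient's own domain. The sample message is constructed from the headers quoted above, with the archive's " at " obfuscation restored to "@"; the regexes assume the two Received: styles seen there (Yahoo's "(EHLO name)" and sendmail's "(rdns [ip])"), and the abuse@ address is a heuristic derived from the reverse-DNS domain, not a WHOIS lookup.

```python
"""Trace the originating host of an e-mail by walking its Received: headers.

Added example, not code from the fedora-list thread. The sample headers are
copied from the bounce quoted in the thread (" at " restored to "@").
"""
import email
import re

# Constructed sample: the two Received: headers of the quoted bounce, in the
# order they appear in the message (most recent relay first).
SAMPLE = """\
Subject: Delivery reports about your e-mail
From: "Mail Administrator" <MAILER-DAEMON@sbcglobal.net>
To: mike.mccarty@sbcglobal.net
X-Originating-IP: [162.39.117.147]
Received: from 207.115.57.79 (EHLO ylpvm48.prodigy.net) (207.115.57.79)
 by mta101.sbc.mail.mud.yahoo.com with SMTP; Wed, 13 Sep 2006 11:07:33 -0700
Received: from sbcglobal.net (h147.117.39.162.ip.alltel.net [162.39.117.147])
 by ylpvm48.prodigy.net (8.13.6 inb/8.13.6) with ESMTP id k8DI7NKK019802
 for <mike.mccarty@sbcglobal.net>; Wed, 13 Sep 2006 14:07:31 -0400

(attachment content removed by the provider's virus scanner)
"""

# "from <helo> <optional parenthesised details> by <relay>"
FROM_BY_RE = re.compile(r"from\s+(?P<helo>\S+)(?P<details>.*?)\s+by\s+(?P<by>\S+)")
# A dotted quad that is not embedded in a hostname such as h147.117.39.162.ip...
IP_RE = re.compile(r"(?<![\w.])(\d{1,3}(?:\.\d{1,3}){3})(?![\w.])")
# sendmail style "(reverse.name [ip])" and Yahoo style "(EHLO name)"
RDNS_RE = re.compile(r"\(([A-Za-z0-9.-]+)\s+\[")
EHLO_RE = re.compile(r"\(E?HLO\s+(\S+)\)")


def parse_received(value):
    """Return {'helo', 'ip', 'rdns', 'by'} for one Received: header, or None."""
    value = " ".join(value.split())  # unfold continuation lines
    m = FROM_BY_RE.search(value)
    if not m:
        return None
    client = m.group("helo") + m.group("details")
    ehlo = EHLO_RE.search(client)
    ip = IP_RE.search(client)
    rdns = RDNS_RE.search(client)
    return {
        "helo": ehlo.group(1) if ehlo else m.group("helo"),
        "ip": ip.group(1) if ip else None,
        "rdns": rdns.group(1) if rdns else None,
        "by": m.group("by"),
    }


def base_domain(name):
    """Crude 'last two labels' domain, enough to compare sbcglobal.net vs alltel.net."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def trace_origin(raw):
    """Parse all Received: headers. Each relay prepends its own, so the last
    one in the header block is the earliest hop: the machine that injected
    the message into the mail system."""
    msg = email.message_from_string(raw)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    return hops, (hops[-1] if hops else None)


def suspicious_reasons(hop, local_domain):
    """Explain why a hop looks like a forged sender (spoofed HELO)."""
    reasons = []
    if hop["rdns"] and base_domain(hop["helo"]) != base_domain(hop["rdns"]):
        reasons.append("HELO name does not match reverse DNS of connecting IP")
    if base_domain(hop["helo"]) == base_domain(local_domain):
        reasons.append("HELO claims to be the recipient's own domain")
    return reasons


def abuse_contact(hop):
    """RFC 2142 abuse@ mailbox for the reverse-DNS domain of the hop
    (a heuristic; WHOIS for the IP is the authoritative contact source)."""
    return "abuse@" + base_domain(hop["rdns"]) if hop["rdns"] else None


if __name__ == "__main__":
    hops, origin = trace_origin(SAMPLE)
    for i, hop in enumerate(reversed(hops), 1):
        print(f"hop {i}: {hop['ip']} helo={hop['helo']} rdns={hop['rdns']} -> {hop['by']}")
    print("origin:", origin["ip"], origin["rdns"])
    print("flags:", suspicious_reasons(origin, "sbcglobal.net"))
    print("report to:", abuse_contact(origin))
```

Run it as-is and the earliest hop comes out as 162.39.117.147 (h147.117.39.162.ip.alltel.net) with both flags raised: the client said HELO as sbcglobal.net while its reverse DNS is in alltel.net, which is exactly the mismatch Paul points to. Only the lowest Received: header can be trusted to this extent, and only because the relay that wrote it (ylpvm48.prodigy.net) is one the recipient's provider controls; anything below that line could be forged by the sender.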
