
·
Premium Member
Joined
·
30,889 Posts
Discussion Starter · #1 ·
I sent this note off to our hosting site about the continuous messages we've been receiving about undeliverable mail. Anyone else seeing this activity?
••••••

to Verio tech support

"I am continually receiving notification of these undeliverable messages that purport to originate from our macdoc.com domain.

The names are always simple first names and sent towards other addresses also with simple first names and a domain. None of these names are legitimate macdoc addresses.

This appears to be some sort of unauthorized activity and I would like it controlled.
These are arriving every few minutes.

I have now set the spam filter up to intercept them but I would like an explanation as to the nature and origin.
We are an entirely Mac based setup here and 99% of our clients are as well so I can only think it is something occurring at the server end."

typical messages - they all had two attachments - a report and a .zip file
••••••
Forwarded Message
From: [email protected] (Mail Delivery System)
Date: Sat, 7 Feb 2004 18:51:17 -0600 (CST)
To: [email protected]
Subject: Undelivered Mail Returned to Sender

This is the Postfix program at host cmlapp400.van.ca.siteprotect.com.

I'm sorry to have to inform you that the message returned
below could not be delivered to one or more destinations.

For further assistance, please send mail to <postmaster>

If you do so, please include this problem report. You can
delete your own text from the message returned below.

The Postfix program

<[email protected]>: unknown user: "[email protected]"


Reporting-MTA: dns; cmlapp400.van.ca.siteprotect.com
Arrival-Date: Sat, 7 Feb 2004 18:51:17 -0600 (CST)

Final-Recipient: rfc822; [email protected]
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; unknown user: "[email protected]"


From: [email protected]
Date: Sat, 7 Feb 2004 19:33:25 -0500
To: [email protected]
Subject: Test

------ End of Forwarded Message

••••••

This is an automatically generated Delivery Status Notification.

Delivery to the following recipients failed.

[email protected]



Reporting-MTA: dns;prometheus.lbccd.lbcc.cc.ca.us
Received-From-MTA: dns;macdoc.com
Arrival-Date: Sat, 7 Feb 2004 17:55:10 -0800

Final-Recipient: rfc822;[email protected]
Action: failed
Status: 5.1.1


From: [email protected]
Date: Sat, 7 Feb 2004 20:36:16 -0500
To: [email protected]
Subject: Hi

The message contains Unicode characters and has been sent as a binary attachment.
•••••

The original message was received at Sat, 7 Feb 2004 16:20:36 -0500 (EST)
from [email protected]

----- The following addresses had permanent fatal errors -----
<[email protected]>
(reason: 550 5.1.1 <[email protected]>... User unknown)
(expanded from: <[email protected]>)

----- Transcript of session follows -----
... while talking to [127.0.0.1]:
>>> DATA
<<< 550 5.1.1 <[email protected]>... User unknown
550 5.1.1 <[email protected]>... User unknown
<<< 503 5.0.0 Need RCPT (recipient)


Reporting-MTA: dns; mail.nonline.net
Arrival-Date: Sat, 7 Feb 2004 16:20:36 -0500 (EST)

Final-Recipient: RFC822; [email protected]
Action: failed
Status: 5.1.1
Remote-MTA: DNS; [127.0.0.1]
Diagnostic-Code: SMTP; 550 5.1.1 <[email protected]>... User unknown
Last-Attempt-Date: Sat, 7 Feb 2004 16:20:36 -0500 (EST)


From: [email protected]
Date: Thu, 5 Feb 2004 23:16:28 -0500
To: [email protected]
Subject: wwncruu
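
An added example, not part of the original thread: Python that reads a flattened bounce like the ones quoted above, pulls out the delivery-status fields, and checks whether the sender of the returned message is a mailbox the domain really has. The addresses, hostnames and the `VALID_SENDERS` set are constructed for illustration.

```python
import re

# Assumption: the domain's real mailboxes (constructed values for illustration).
VALID_SENDERS = {"sales@example.org", "support@example.org"}

FIELD = re.compile(r"^(Reporting-MTA|Final-Recipient|Status|From):[ \t]*(.*)$", re.I | re.M)
ADDR = re.compile(r"[\w.+-]+@[\w.-]+")

# Constructed sample, modelled on the Postfix bounce quoted in the post.
SAMPLE_FORGED = """\
From: MAILER-DAEMON@mx.example.net (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender

Reporting-MTA: dns; mx.example.net
Final-Recipient: rfc822; bob@example.net
Action: failed
Status: 5.1.1

From: alice@example.org
To: bob@example.net
Subject: Test
"""
SAMPLE_GENUINE = SAMPLE_FORGED.replace("alice@example.org", "sales@example.org")

def parse_bounce(text):
    """Return the DSN fields plus the sender of the returned message."""
    info = {}
    for m in FIELD.finditer(text):
        key, value = m.group(1).lower(), m.group(2)
        if key == "from":
            # The first From is the mail system; one after the DSN fields is the returned mail.
            addr = ADDR.search(value)
            if "final-recipient" in info and addr:
                info["original-from"] = addr.group(0).lower()
        else:
            # Drop the "dns;" / "rfc822;" type tag and keep the value.
            info.setdefault(key, value.split(";", 1)[-1].strip())
    return info

def classify(text, valid_senders=VALID_SENDERS):
    """Label a bounce by whether its returned message came from a real mailbox."""
    info = parse_bounce(text)
    if "final-recipient" not in info or "status" not in info:
        return "not-a-dsn"
    if not info["status"].startswith("5"):
        return "not-a-permanent-failure"
    sender = info.get("original-from")
    if sender is None:
        return "sender-unknown"
    return "genuine-bounce" if sender in valid_senders else "forged-sender-backscatter"
```

A bounce labelled `forged-sender-backscatter` means the failed message never left the domain's own users, so it can be filtered without opening its attachments.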
 

·
Registered
Joined
·
535 Posts
Hi Dave,
I had the same thing happen to me about a week or two ago with a total of maybe 6 email notifications. Very strange and offputting especially since it had a recorded time like 3 or 4am and with the same attachments and zips. I'm sleeping at that time!! They also had origins from Australia and such. User names also one named. Currently running 10.3 on mail with Rogers high speed cable.
 

·
Premium Member
Joined
·
4,626 Posts
I am also getting the same thing with my Rogers account. Last week I got maybe 1 or 2 a day. I am also getting many of those stupid MS Security update ones, all of course have viruses attached... lucky I have Norton, but it certainly is annoying. All this because I made ONE post in a newsgroup with my Rogers account.. never had any problems before.. :mad:
 

·
Left The Building
Joined
·
8,381 Posts
Couldn't this be connected to MyDoom (or similar) spoofing of legitimate e-mail addresses? I haven't had any problems like this, at any rate.
 

·
Registered
Joined
·
630 Posts
I believe that this is one of the ways that "My Doom" disguises itself. I probably received at least 150+ email messages over the past two weeks with: "Hello", "TEST", "Hi" or an error message about a returned email (people I don't even know). I'm using Telus ADSL. All these messages had a 22 KB file attached. I was and still am getting REALLY sick of receiving these emails!
 

·
Premium Member
Joined
·
30,889 Posts
Discussion Starter · #6 ·
Yes I suspect it's either a result of the MyDoom directly or some odd combination of a spammer attempting random hits then that being multiplied by the virus or being intercepted as a virus carrier.
It's just annoying as it's random enough that Spamsieve is not catching them right now.
 

·
Premium Member
Joined
·
1,779 Posts
This "is" MyDoom virus. The mail to you is disguised as undeliverable mail from someone within the infected user's address book. This is to throw you off as you would have remembered if you had sent the mail to the initial contact.
My question is this, How stupid are people to actually open an attachment under such suspicious circumstances?
Boggles what is left of my mind.
 

·
Premium Member
Joined
·
30,889 Posts
Discussion Starter · #8 ·
Well at least SpamSieve has figured it out now but I'm a bit concerned it's over trained and might catch some legit incoming tho that's been exceedingly rare. :cool:
 

·
Resident Curmudgeon
Joined
·
86,945 Posts
While I have not experienced this, my daughter has. She has the same email address on my computer as well as her Lombard, at the same server as me.

She received 160 such emails when she opened her mail one morning last week. She deleted all, and in alarm changed her email address and sent a notice out to her address book, to approximately 20 people.

The new email address began receiving about 60 per hour again. I asked her to set up yet another email address, but not to notify those in her address book. This address has not received any mail other than from me and works fine.

My conclusion is one of her friends has a PC (well MOST of her friends have PCs) that is infected with the MyDoom worm.
I told her to try giving the new address to one friend at a time, and wait for a reply. She should be able to figure out which one is infected if the spam shows up after the reply, and advise her friend accordingly is my reasoning.

Will my theory work?

Cheers

 

·
Tritium Glow
Joined
·
7,141 Posts
At times like these I'm glad I use Mailsmith, it has a built in "POP Monitor", which allows me to view incoming mail on the remote server and delete those messages which are obviously spam or potential virus carriers without ever downloading any of them to my machine.

There used to be a stand alone app of the same name, but I have not been able to find it at Version Tracker.

Barebones has a trial version of Mailsmith if anyone is interested in this capability.
 

·
Premium Member
Joined
·
7,069 Posts
Novarg/MyDoom at work.

What makes these ones the worst, is because they show up as unreturnable mail, and as we saw, everyone gets very, very curious and so they will open the attachment to figure out what kind of email they sent. Opening that email and if you're on a PC (and your Anti-Virus hasn't caught it meaning your definitions are at least 3 weeks out of date) you'll be infected.

Like spam, the "criminals" are going to other avenues to spread their "message". Curiosity is very human, and there is always that saying "Curiosity killed the cat."

At least on the 12th, Novarg.A will end, though Novarg.B (the much less spread version) will end on March 1st. Until then, expect large amounts of spam.
 

·
Registered
Joined
·
2,812 Posts
I always associate these emails to these virus codes and am surprised really @ their reach. But I just send them in a bank shot to the trash bin. A dunk sometimes, depending on my mood. ;)

H!
 

·
Registered
Joined
·
296 Posts
Can anyone confirm if the Sympatico email server is down? I've had that good old password problem for at least 5 hours. Gene B. :(
 

·
Honourable Citizen?
Joined
·
4,853 Posts
kps - - POPmonitor is indeed alive and well, I just downloaded version 2.1.3 recently. You can find it here: http://www.vechtwijk.nl/dev/

I'd have to say it's my all-time favourite shareware app (with Tex-Edit coming a close second). It's well worth the tiny shareware fee he charges for it. I've used it for a couple of years now, both in OS9 and X. The only email I ever download from the server is email that I want, the rest is either deleted automatically by POPmonitor's filters or I delete it and set POPmonitor to block it next time. The junk mail filter in Mail.app sits unused and untrained.

Something I don't understand is why hasn't Apple or one of the other makers of email programs incorporated this feature into their programs?
 

·
Registered
Joined
·
6 Posts
Me too, my Sympatico mail is not coming in, I guess they have been hit with a massive load of spam (MY DOOM)

anyone else?

Kirojira
 

·
Premium Member
Joined
·
30,889 Posts
Discussion Starter · #16 ·
Stopped entirely here - either our server got it sorted out or SpamSieve.
Nice to have my email back :D
 

·
Registered
Joined
·
137 Posts
Me too, my Sympatico mail is not coming in, I guess they have been hit with a massive load of spam (MY DOOM)

anyone else?

Kirojira
Yep, yesterday & today. Sympatico's mail server just keeps asking for my password. I had to log in using the web browser to clear out the spam that was piling up in that account, since "Mail" wasn't connecting to filter and trash the overflow.
 

·
Lifetime membership
Joined
·
9,265 Posts
I had some problems with Apple Mail as well yesterday and
after deleting "com.apple.mail.plist" it appeared to subside.

Although that may have been just a coincidence,
Because it's baaaaack.

It reminds me of the old problems I used to get in the 90's with
the authentication servers getting messed up.

Dave :cool:
 

·
Premium Member
Joined
·
1,435 Posts
I think I've been hammered by this virus about 100 times by now. The first time I got it I was like "uhh.. what?" - but left the attachment alone while I got distracted on something else. Then I got hit with similar messages twice in the same email check, and realized what it was.
 