Sheffield Forum
Yahoo account sending e-mails with viruses - should I do anything?
Old 01-04-2007, 18:57   #1
TheRedWizard
Just got a returned e-mail, that I hadn't sent, saying that an e-mail had been returned to sender (me) because of a dodgy attachment (pif):

" This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es)
failed:

tim@DELETED.co.uk
(generated from sales@DELETED.co.uk)
SMTP error from remote mailer after end of data:
host mail-in.freeserve.com [DELETED]: 550 Error:
Message content rejected

------ This is a copy of the message, including all the headers. ------

Return-path: <DELETED@yahoo.co.uk>
Received: from DELETED.com ([DELETED]
helo=DELETED.co.uk)
by DELETED.co.uk with esmtp (Exim 4.43)
id DELETED
for DELETED.co.uk; Sun, 01 Apr 2007 18:17:34 +0100
From: DELETED@yahoo.co.uk
To: sales@DELETED.co.uk
Subject: Re: Word file
Date: Sat, 31 Mar 2007 14:28:06 +0100
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0005_00002E9F.000072C9"
X-Priority: 3
X-MSMail-Priority: Normal
X-ACL-Warn: "Possible attachment detected. Delaying your SMTP session
by 30 seconds"
X-ACL-Warn: Your message does not conform to RFC2822 standard

This is a multi-part message in MIME format.

------=_NextPart_000_0005_00002E9F.000072C9
Content-Type: text/plain;
charset="Windows-1252"
Content-Transfer-Encoding: 7bit

See the attached file for details.

------=_NextPart_000_0005_00002E9F.000072C9
Content-Type: application/octet-stream;
name="document_word.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="document_word.pif"



I didn't send this, but should I do anything to stop it happening again?

Yours, from the technologically clueless Red.
Old 01-04-2007, 19:09   #2
Rich
For starters I'd be VERY wary of what sites you give out your Yahoo email address to, especially if it's your main email address.. Spam bots harvest email addresses from several thousand sites per minute iirc.

As for the email itself, delete it IMMEDIATELY!

This is why I never use Yahoo any more, their email is about as secure and spam proof as well, something not very secure at all.
Old 01-04-2007, 19:12   #3
Ann*
Usually, in these cases, it isn't you that has the virus, but somebody who has you as a contact in their address book, which has been infected by a virus.

If you can check the headers of the rogue emails, you might be able to get some idea who has the virus by the IP address, and using an IP finder. All you can do is hope that whoever it is realises they have a virus pretty soon, and the emails will stop.
Old 01-04-2007, 20:32   #4
Kingmaker2
Quote:
Originally Posted by Ann*
Usually, in these cases, it isn't you that has the virus, but somebody who has you as a contact in their address book, which has been infected by a virus.
Are you sure that's the cause?
Even if a friend who has you as one of their contacts has a virus how does that explain the e-mail being sent from your address?
I've also had a strange thing happen using Yahoo mail. I set up a brand new Yahoo account the other day and my Yahoo user name used 4 digits in it included with letters so that it would be unlikely to be "guessed at".
When I logged in yesterday I was very surprised to see that I already had Spam in my bulk box. Given that I had not used or given out the e-mail address and that it was a particularly hard one to randomly guess I was intrigued to say the least.
I looked in the Bulk folder only to find that this e-mail wasn't even addressed to me but someone else entirely.
To me it looks like Yahoo mail's server had probably the e-mail equivalent of "crossed lines" perhaps that's why Red Wizard also got his problem.

Last edited by Kingmaker2; 03-04-2007 at 20:59.
Old 01-04-2007, 20:40   #5
rich951
Spam emails can put anything as the "from" address, it could be randomly chosen from an address book or just one on the list that the mails are going to etc.

With the new Yahoo account, that's one of the problems with services like Hotmail, Yahoo etc - there's so many millions of users that it's worth putting in every possible combination of letters and numbers, as a decent number of them will be real addresses. Remember a computer can send millions of emails a day..
Old 01-04-2007, 20:59   #6
melthebell
Quote:
Originally Posted by Kingmaker2
Are you sure that's the cause?
Even if a friend who has you as one of their contacts has a virus how does that explain the e-mail being sent from your address?
the virus scans the infected person's address book and finds people to "send" from, it also finds people to send to
Old 01-04-2007, 21:25   #7
Kingmaker2
Quote:
Originally Posted by melthebell
the virus scans the infected person's address book and finds people to "send" from, it also finds people to send to
Maybe I'm missing something but how does it "Send from" without the user's password?
Old 01-04-2007, 21:41   #8
Kingmaker2
Quote:
Originally Posted by rich951
Spam emails can put anything as the "from" address, it could be randomly chosen from an address book or just one on the list that the mails are going to etc.
Yep that's true but if you examine the full header then you will know where the e-mail is truly coming from.
Most people (Not including SF users of course!) don't realise this simple fact and even less realise that even the free email accounts allow you to see the full header if you wanted to see it.
Old 01-04-2007, 22:15   #9
Ann*
Quote:
Originally Posted by Kingmaker2
Maybe I'm missing something but how does it "Send from" without the user's password?
It's a worm that infects an address book, in which you are one of the contacts. The worm sends out emails from the addresses in the address book, to other addresses in the address book. There is no need for a password, because the emails are not actually being sent from your email account.

If you can't accept the explanations in this thread, which have been given on several occasions in previous threads, and these worms have been known about for years, then so be it.
Old 01-04-2007, 22:33   #10
neeeeeeeeeek
Don't worry about it. Run a virus checker, adaware, aSquared and finally spybot and your computer should be pretty clean.
Old 01-04-2007, 23:03   #11
Kingmaker2
Quote:
Originally Posted by Ann*
It's a worm that infects an address book, in which you are one of the contacts. The worm sends out emails from the addresses in the address book, to other addresses in the address book. There is no need for a password, because the emails are not actually being sent from your email account.

If you can't accept the explanations in this thread, which have been given on several occasions in previous threads, and these worms have been known about for years, then so be it.
Hey Anne, why the hostility?
I am just curious to see how a virus explains Red Wizard's problem.
I wouldn't have thought Red Wizard would get the "failure of delivery message" himself if it was a virus or worm problem of one of his e-mail contacts, that's all. Particularly in light of the anomaly that I had with Yahoo mail the other day, that certainly wasn't due to a virus or worm but more due to a technical error on Yahoo's part. That could well mean Red Wizard's email may also have been due to a Yahoo mail technical problem.

Last edited by Kingmaker2; 03-04-2007 at 20:54.
Old 03-04-2007, 19:46   #12
TheRedWizard
Thanks for the advice everybody. I've scanned everything and it seems ok - having said that I check my e-mails from a few different machines so I'll check them all and let you know what happens.

It might well be from my works machine - I'll check tomorrow.

Anne - I'm also a little confused by the hostility. I'm v.impressed with the replies on the thread, just haven't had a chance to pop on and read them before now.

Thanks everyone.
Old 04-04-2007, 05:43   #13
Ann*
It wasn't hostility, but impatience. These worms have been around for yonks, and there are plenty of previous threads on SF about them, as well as their being well documented elsewhere on the internet.

The big giveaway about yours, TheRedWizard, is that the attachment is a .pif file.

Someone's computer contracts the virus (probably by opening an attachment such as this, which has been sent from someone else's infected address book), which plants itself in the computer's address book. It then uses all the contacts in that address book to send itself out to all the other contacts in the same address book. In some cases, those email addresses won't be available anymore. Also, and I'm not sure how this happens, non-delivery emails (such as yours TheRedWizard) are sent out. These are the ones that are more likely to be opened because people like to know who isn't available anymore. If you use an email client, the best way to look at anything you're not sure of is to not open it, but to view it in Properties, and Message Source.

Sorry if I did come over as hostile, but it's very irritating when someone questions sound advice that has been given many times (not just by me) over the years.
  Reply With Quote
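
The checks discussed in the posts above (reading the full headers, and viewing the message source instead of opening the attachment), as an added example that is not part of any post in the thread. It parses a constructed copy of the returned message, with placeholder hosts and a documentation IP address standing in for the DELETED values; the function name `triage` and the extension list are assumptions of this example.

```python
import os
import re
from email import message_from_string
from email.utils import parseaddr

# Extensions Windows runs directly (assumed list); .pif is the one in the thread.
RISKY_EXT = {".pif", ".scr", ".exe", ".com", ".bat", ".cmd", ".vbs"}

# Constructed sample modelled on the returned message; hosts and IP are placeholders.
SAMPLE = """\
Received: from host45.dsl.example.net ([203.0.113.45] helo=shop.example)
 by mx.shop.example with esmtp (Exim 4.43)
 for sales@shop.example; Sun, 01 Apr 2007 18:17:34 +0100
From: user@yahoo.example
To: sales@shop.example
Subject: Re: Word file
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/plain

See the attached file for details.
--BOUND
Content-Type: application/octet-stream; name="document_word.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="document_word.pif"

AAAA
--BOUND--
"""

def triage(raw):
    """Read headers and attachment names only; the payload is never decoded."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # The topmost Received line is written by the server that accepted the
    # message; the From line and any Received lines below it are sender-supplied.
    top = " ".join((msg.get_all("Received") or [""])[0].split())
    m = re.search(r"from\s+(\S+)\s+\(\[([^\]]+)\]", top)
    host, ip = (m.group(1).lower(), m.group(2)) if m else ("", "")
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    risky = [n for n in names if os.path.splitext(n)[1].lower() in RISKY_EXT]
    return {
        "from_domain": from_domain,
        "relay_host": host,
        "relay_ip": ip,
        "from_matches_relay": bool(from_domain) and ("." + host).endswith("." + from_domain),
        "risky_attachments": risky,
    }
```

A relay host outside the From domain is a lead rather than proof, because legitimate mail is often handed over by hosts in other domains.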