Email and internet access problems

[Highmac]

Having noticed the recent increase in the number of such posts, you might be interested in this notice ("click here" for pop-up) from my ISP explaining action taken by them and many other ISPs because of viruses. Could be worth checking your own ISP's service notices.

[kelly]

Yeah. I've been without Mail a few days at a time myself.

[Gregg]

I had a wierd one here at work. Happened twice. I received a "bounce back" about a message not being delivered. It doesn't tell me which message, so I looked for the address. Same address both times... one that I do not recognize. I suspected who had not received a previous message, noting that I had e-mailed this person twice recently, and got the bounce twice, and had not gotten a reponse to the first message. I checked with someone else, and sure enough, I was using .com with this person's address when the correct suffix is .net - but I still have no explanation for the mystery address, which has nothing in common with the incorrect one.

[jepinto]

Morning!  Gregg.  The bounce back and the the net vs com may be a coicidence.  With all this worm this and worm that going on, I'd hazard the bounce back was in reality one of the worms "spoofing" your address from someone else's machine that has been inactive.  (know someone who just got back from vacation?)

Check to see if the .com address resolves to a "true" account;  type the url into your browser.  Many have the incoming mail set up to have any unknown addys go to one person, for instance our office account has JoeBlow@xxx.com comes to me because there is no JoeBlow.

Diana could expalin it better than me, but on the Cobalt srver, one of my mail aliases is "@xxx.com" which allows the above.

And all that is to say....the person receiving the misdirected mail (.com vs .net) may do like me, and not anser mail that appears to have no reason, fearing spam, and not wanting to "verify" the address.

[Gregg]

Now that's weird! I did enter the e-mail address as a "www.com" and it turned up a web page! The name and company in the address is similar to the abbreviated name of the company on the web page that came up, but that name does not relate to the name given in the "bounced" e-mail I received. Coincidence?

(edit changed content)

[Diana]

Hi Gregg,

Without actually seeing the "bounce" you got, it sounds like it may be the SWEN virus. SWEN will actually create a message that looks like a bounce, addressing it and adding headers that would make one think it's a bounce. It's not, it is actually the virus masquarading as a bounce. The message you see in these is very sparce.

The Return-Path: header will have the real sender's address in it. If the two messages you received have the same address in that header, that affirms the sender even more. Sometimes it's not perfectly clear, but if that address domain is the same as the relaying/mailing domain that is the first hop of the message, then it's even a better bet that that was the sender. SWEN is the easiest virus to trace in a long time...the previous few did a better job of spoofing.

Hopefully I didn't overload or confuse you here. If you can discover who actually sent that if it was a fake bounce, you might be able to contact the ISP and tell them who is infected..

see ya

[June Drabek]

Today a message box  appeared out of nowhere, saying that my mail could not be delivered because my ISP  could not recognize my password..I entered it, and clicked O.K. This box kept popping back up five times, and I finally said.....forget it......and went  to the internet. Have  no idea why this took place.

[Gregg]

Is this a virus, as Highmac's warning points to? I don't know where to find the Return-Path header, so here is the message I received from "Mail Delivery Subsystem":

The original message was received at Mon, 6 Oct 2003 17:05:14 -0400
from imta05a2.registeredsite.com [64.225.255.14]

*** ATTENTION ***

This email is being returned to you because the remote server would not
or could not accept the message. The registeredsite servers are just
reporting to you what happened and are not the source of the problem.

The address which was undeliverable is in the section labeled:
  "----- The following addresses had permanent fatal errors -----".

The reason your mail is being returned to you is in the section labeled:
  "----- Transcript of Session Follows -----".

The line beginning with "<<<" describes the specific reason your e-mail could
not be delivered.  The next line contains a second error message which is a
general translation for other e-mail servers.

Please direct further questions regarding this message to your e-mail
administrator.

--Registeredsite Postmaster

   ----- The following addresses had permanent fatal errors -----
<ronranc@hotmail.com>
    (reason: 550 Requested action not taken: mailbox unavailable)

   ----- Transcript of session follows -----
... while talking to mx2.hotmail.com.:
>>> DATA
<<< 550 Requested action not taken: mailbox unavailable
550 5.1.1 <ronranc@hotmail.com>... User unknown
<<< 503 Need Rcpt command.

[Diana]

Hi Gregg,

It sounds like you're dealing with a real bounce in that example. (SPAM that was being delivered to the bouncing address was sent back to you if the SPAMMER was faking the from/sender and used your domain to fake from/sender)

Here is an example of what a virus fake bounce might look like to a viewer:
***in the body of the message:

Message from aol.com



Undelivered mail to fcscinm@aol.com


Message follows:

***end message...there is no "Message follows:" part***

The virus fake bounce will come with the actual virus embedded or attached. If you're on a PC at work, antivirus should catch it, if you're on a Mac, then you're ok.

HTH,