New e-mail weirdness

Posted by Pierre Igot in: Technology
March 3rd, 2004 • 12:16 am

Two slightly weird things in my mailboxes this morning.

First of all, all of a sudden, for some strange reason, I have been receiving copies of really old e-mail messages. These are legitimate messages that were indeed sent to me by people I know a long time ago (and I already have copies of the same messages in my archived e-mail folders). But why on earth am I receiving new copies of these really old messages now? (Some of them date back to December 2002!)

They were all sent to the same e-mail account. So in fact I suspect that these are old e-mail messages of which a copy had, for some reason, stayed in my mailbox on the POP server for that account all that time, and all of a sudden today something that the ISP did caused the POP server to flush them out and send them to me one final time. Still, it’s rather strange.

The other thing was only weird initially, before I realized that it was obviously some new virus variant trying to be even more clever than the last one. Here’s what the message looked like:

From: staff@[my domain name].com
Subject: Warning about your e-mail account.
Date: 3 mars 2004 07:46:02 GMT-04:00
To: igot@[my domain name].com

Dear user, the management of mailing system wants to let you know that,

Your e-mail account has been temporary disabled because of unauthorized access.

Further details can be obtained from attached file.

For security purposes the attached file is password protected. Password is “27322”.

Best wishes,
The team

Needless to say, there was indeed a “.zip” file attached to the message.

Interestingly enough, I am the management of — so the virus obviously picked the wrong guy to try and fool into believing in this trick :-). But the virus is obviously rather clever. It takes e-mail addresses in the Address Book of the infected computer, and assumes that, when an address is [user name]@[domain name].com, then in all likelihood that [user name] person has an e-mail account with an ISP whose domain name is precisely [domain name].com.

Then it uses a fake e-mail address called staff@[domain name].com as the sender of the infected e-mail message, so as to make it appear as if it is coming from the ISP staff. And it invites the user to open the “secure” attachment using the password provided.

It’s quite clever, I guess.
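The three traits described above (a role-style sender on the recipient's own domain, an archive password stated in the body, and an encrypted zip attachment) can be checked mechanically at a mail filter. The following is an added example, not part of the original post; the function names, the `ROLE_NAMES` list and the `example.com` addresses are assumptions, and the sample message is constructed.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed list of role-style local parts; tune for your own mail flow.
ROLE_NAMES = {"staff", "admin", "support", "management"}
PASSWORD_HINT = re.compile(r"password\s+is\b", re.IGNORECASE)

def zip_is_encrypted(data):
    """True if any member has general-purpose flag bit 0 (encryption) set."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False

def lure_indicators(raw):
    """Return which of the post's three traits a raw message shows."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    s_local, _, s_dom = parseaddr(str(msg["From"]))[1].lower().partition("@")
    r_dom = parseaddr(str(msg["To"]))[1].lower().partition("@")[2]
    if s_dom and s_dom == r_dom and s_local in ROLE_NAMES:
        hits.append("role sender on recipient's own domain")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and PASSWORD_HINT.search(body.get_content()):
        hits.append("archive password given in body")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(".zip") and zip_is_encrypted(part.get_payload(decode=True)):
            hits.append("encrypted zip attachment")
    return hits

def constructed_sample(encrypted=True):
    """Harmless constructed message; the zip only has its flag bit patched."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("details.txt", "placeholder")
    z = bytearray(buf.getvalue())
    if encrypted:
        z[6] |= 1                          # flags field of the local header
        z[z.find(b"PK\x01\x02") + 8] |= 1  # flags field, central directory
    m = EmailMessage()
    m["From"], m["To"] = "staff@example.com", "igot@example.com"
    m.set_content('the attached file is password protected.\nPassword is "27322".')
    m.add_attachment(bytes(z), maintype="application", subtype="zip", filename="details.zip")
    return m.as_bytes()
```

Any one indicator alone is common in legitimate mail; it is the combination of all three that matches the message quoted in this post.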

2 Responses to “New e-mail weirdness”

  1. brian w says:

    I got that little virus mail today, too. I’m worried about what will happen as virus writers get more savvy — this one probably would have tricked a few people in an office even if they were aware of the dangers of attachments.

    As for your POP problem, I keep a little utility around called Mail Siphon that lets me log into a mailbox and see what’s “stuck” there — malformed mails, munged headers, etc — and delete ’em.

  2. Pierre Igot says:

    Yes, MailSiphon is a good tool. Thanks for the link. I just never got around to checking that particular POP server. Still, I wonder what caused the server to “flush” them out today, all of a sudden.
