spamgourmet 'send from address' used to distribute virus!?


Postby username » Wed Mar 03, 2004 1:30 am

i just received an e-mail containing a version of the "W32.Beagle.A@mm" virus. it was within an attachment called MoreInfo.pif. here are the headers:

X-Apparently-To: via; Tue, 02 Mar 2004 17:22:09 -0800
Return-Path: <>
Received: from (EHLO ( by with SMTP; Tue, 02 Mar 2004 17:22:09 -0800
Received: from (localhost []) by localhost (8.12.10/8.12.9) with ESMTP id i231M9BH017890 for <>; Tue, 2 Mar 2004 17:22:09 -0800
Received: (from jqh1@localhost) by (8.12.10/8.12.10/Submit) id i231M9xW017889 for; Tue, 2 Mar 2004 17:22:09 -0800
Received: from Teresa ( []) by (8.12.10/8.12.9) with SMTP id i231M7BI017859 for <>; Tue, 2 Mar 2004 17:22:08 -0800
Date: Tue, 02 Mar 2004 19:21:50 -0600
Subject: E-mail account disabling warning. (uberprofile: message 4 of 20)
From: +uberprofile+username+59fb74af74.admini ...
Message-ID: <>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--------qqoqxugqymjmpdyfgvyi"
Content-Length: 11909

the body of the message:
Hello user of e-mail server,

Some of our clients complained about the spam (negative e-mail
outgoing from your e-mail account. Probably, you have been infected by
a proxy-relay trojan server. In order to keep your computer safe,
follow the instructions.

Further details can be obtained from attached file.

Kind regards,
The team

has anyone else received this? is this a solid spoof and a threat?

Postby josh » Wed Mar 03, 2004 1:33 am

We haven't sent anything like that. Looks like a virus that is a little smarter than average.
Posts: 1371
Joined: Fri Aug 29, 2003 2:28 pm

Postby SysKoll » Wed Mar 03, 2004 4:09 am

This didn't come from SG. Here is the culprit:
Received: from Teresa ( []) by

What I find great is that the wording specifically targeted spamgourmet accounts. It means that SG is pissing off spammers so much they want to take revenge. Good!

As for the W32.Beagle.A@mm virus, it is not terribly dangerous, considering it should disable itself after Jan. 28, 04. That said, don't double-click on the attachment!
-- SysKoll
Posts: 889
Joined: Thu Aug 28, 2003 9:24 pm
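
Added example, not part of the original thread or of spamgourmet's code: one way to do the check described in the post above, walking the Received chain from the newest header down to the hop where the message entered servers you trust, and flagging executable attachment names such as the .pif mentioned here. The host names, IP addresses, trusted-host set and function names are assumptions made for the illustration.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: hosts and IPs are placeholders (the thread's headers have
# them stripped); only the HELO "Teresa" and the .pif name come from the posts.
SAMPLE = """\
Received: from mx.example.org (localhost [127.0.0.1]) by localhost (8.12.10/8.12.9) with ESMTP id A1; Tue, 2 Mar 2004 17:22:09 -0800
Received: (from jqh1@localhost) by mx.example.org (8.12.10/8.12.10/Submit) id A2; Tue, 2 Mar 2004 17:22:09 -0800
Received: from Teresa (dialup.example.net [203.0.113.7]) by mx.example.org (8.12.10/8.12.9) with SMTP id A3; Tue, 2 Mar 2004 17:22:08 -0800
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Further details can be obtained from attached file.
--b1
Content-Disposition: attachment; filename="MoreInfo.pif"

x
--b1--
"""

HOP = re.compile(r"^from\s+(\S+)\s+\((\S*)\s*\[([^\]]*)\]\).*?\bby\s+(\S+)", re.S)
RISKY = (".pif", ".scr", ".exe", ".com", ".bat", ".cmd")

def entry_hop(msg, trusted):
    # Headers are newest first; only lines written by trusted hosts are reliable.
    for header in msg.get_all("Received", []):
        m = HOP.match(header.strip())
        if not m:
            continue  # local submission line, no remote peer recorded
        helo, rdns, ip, by = m.groups()
        if by not in trusted:
            return None  # written by a host we do not control: stop here
        try:
            local = ipaddress.ip_address(ip).is_loopback
        except ValueError:
            local = False  # unparsable address: report the hop as recorded
        if local:
            continue  # internal hand-off on the same machine
        return {"helo": helo, "rdns": rdns, "ip": ip, "by": by}
    return None

def risky_attachments(msg):
    names = [p.get_filename() or "" for p in msg.walk()]
    return [n for n in names if n.lower().endswith(RISKY)]

if __name__ == "__main__":
    print(entry_hop(message_from_string(SAMPLE), {"localhost", "mx.example.org"}))
```

The HELO name is whatever the connecting machine claimed; the bracketed IP recorded by the trusted server is the part of that line worth acting on.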

Postby ebuleheb » Wed Mar 03, 2004 12:47 pm

It's not targeted at Spamgourmet. It targets any e-mail service and puts the name of the service in the mail (i.e. The <anything> team). I have heard of it for at least and
Posts: 35
Joined: Thu Aug 28, 2003 6:31 pm
Location: Turkey

Postby SysKoll » Wed Mar 03, 2004 3:43 pm

Not targeting at SG specifically? Darn, there go my delusions.
-- SysKoll
Posts: 889
Joined: Thu Aug 28, 2003 9:24 pm

more info

Postby username » Wed Mar 03, 2004 5:15 pm

i think this is even a little worse|malicious because the sender is trying to use the 'send from a disposable address' feature syntax. they seem to have screwed it up because it didn't format correctly and instead of showing a name as the sender it displayed:

if anyone at spamgourmet wants me to forward it to investigate further feel free to contact me. spamgourmet username is username

Postby mr.ska » Mon Mar 08, 2004 6:23 pm

I just received an e-mail that had the exact same wording, except the attachment was Document.pif. I was almost suckered, as it quoted a disposable e-mail address that I did generate, but the .PIF extension on the attachment tipped me off and I deleted it.

I sincerely hope no one else is fooled. Those damnable hacks are getting craftier all the time. I really wish there was a "zap sender" button... sigh.


Same here - a scam - but I guarantee you some will fall for

Postby Guest » Thu Mar 11, 2004 2:07 am

Here is the junk email I just now got. They got my SG addy from Google newsgroups. You all, SG, need to ASAP post a warning on your webpage!:

Date: Wed, 10 Mar 2004 10:12:07 -0800
From: <--------rurwosyqnnuavsmhiwnt@sPAMGOURMET.COM>

Subject: Email account utilization warning. (newgroups: message 3 of 10)

Dear user of e-mail server "SPAMGOURMET.COM",

Your e-mail account will be disabled because of improper using in next
three days, if you are still wishing to use it, please, resign your
account information.

Pay attention on attached file.

For security reasons attached file is password protected. The password is "01743".


Attachment: (17 KB)

Postby SysKoll » Thu Mar 11, 2004 1:47 pm

I certainly hope that nobody is naive enough to think that the SG team would send this kind of message. Not to mention that Josh speaks English, contrary to the guy who wrote the message text. He sounds like Piotr of (
-- SysKoll
Posts: 889
Joined: Thu Aug 28, 2003 9:24 pm
