SG hit by a virus/worm ? Looking for an explanation...

General discussion re sg.

SG hit by a virus/worm ? Looking for an explanation...

Postby Not really » Mon Jan 26, 2004 9:59 am

Hi and thanks for your invaluable service !

I got the mail below from my email provider (the target email to which I redirect my SG account). I'm wondering what exactly happened? In particular:

1. Does the infected email really come from an SG account as displayed? How can I know?
2. If yes, why did I get this email directly in my target inbox (not through an SG disposable email as the header suggests; I also don't know the supposed SG sender, and all of my disposable SG emails have an exclusive sender...)?
3. If yes, does that mean SG has been abused by a virus or worm?
4. If yes, how can I warn the original sender, since my warning will be killed by SG... What a well-working system ;-)
5. If not, does that necessarily mean my target email has been caught by spammers (in spite of all my efforts...)?

Lots of questions, but basically this email confuses me. I don't see the "hole" through which it reached me: I'm trying to figure out where this "hole" is.... (SG's side? My side? A friend's side? Newsletter side?)

PS: the virus seems to be a variant of I-Worm.Dumaru.a (fyi: http://www.viruslibrary.com/virusinfo/I ... maru.a.htm)

PPS: Message below (note the ".exe" after the spaces...). I've hidden the private information for... well, privacy reasons ;-)

8<---- start of message
From - Mon Jan 26 09:21:14 2004
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-Path: <postmaster@myprovider.com>
Received: from frontend1.myprovidercom (mysql.internal [xx.xxx.xx.xxx])
by myprovider.com (Cyrus v2.1.9) with LMTP; Sun, 25 Jan 2004 06:18:25 -0500
X-Sieve: CMU Sieve 2.2
X-Resolved-to: me@TargetEmail
X-Delivered-to: me@TargetEmail
X-Mail-from: postmaster@myprovider.com
Received: by mail.myprovider.com (Postfix, from userid xxx)
id D33C74B6806; Sun, 25 Jan 2004 06:18:25 -0500 (EST)
From: <postmaster@myprovider.com>
To: me@TargetEmail
Date: Sun, 25 Jan 2004 11:18:25 UT
Subject: Infected file rejected
Message-Id: <20040125111825.D33C74B6806@mail.myprovider.com>

We have just rejected a message to you from "username_hidden"@gourmet.spamgourmet.com
because it tested as positive to a virus
using Kaspersky Anti-virus (http://www.kaspersky.com).

If you do not wish to use anti-virus protection, [myprovider.com blablabla...]

The virus scanner output was:
----
From "Elene" <FUCKENSUICIDE@HOTMAIL.COM>][Date Sun, 25 Jan 2004 12:17:49 +0100 (CET)]/myphoto.zip/myphoto.jpg .exe Infected by virus: I-Worm.Dumaru.j
8<---- end of message

Just to be clear

Postby Nor really » Mon Jan 26, 2004 10:03 am

Whoops, the spaces have been removed after the string "myphoto.jpg_______________________.exe".

Just to make things a little bit clearer... :)

Not from Spamgourmet

Postby SysKoll » Mon Jan 26, 2004 4:30 pm

This message has never transited through the SG system. Look at the "Received:" headers. There are no "spamgourmet.com" lines.

Whatever happened, the SG servers are not involved.

If the message is authentic (hard to know with the "Received:" fields mangled), it seems that someone attempted to send a virus-carrying message to your spamgourmet address and that your ISP is warning you. The virus-carrying email would have been sent to an SG disposable.

If you can identify the person to whom you gave the disposable, please do so. That person has been infected by the virus. Since your disposable is somewhere in his PC, the virus found it and attempted to propagate itself to you (see the I-Worm.Dumaru virus description). Tell that person to stop using IE and Outlook! Use Mozilla and Pegasus Mail instead!

If this disposable address doesn't match any of the disposables you gave, then a spammer is trying a dictionary attack. Or someone mistyped your address from a hard copy (it happened to me once: a Nigerian in a Dutch cybercafe mistyped the disposable address I gave to a magazine's reader letters section!!)

Bottom line: No, we haven't been infected. We don't run Windows so we're safe from Win32 Trojans.
-- SysKoll
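Added example (not code from the thread or from spamgourmet): a small Python check that applies SysKoll's test above, walking the "Received:" hops of a message to see whether any relay names spamgourmet.com, and that flags the padded "myphoto.jpg ... .exe" attachment name from the scanner output in the first post. The sample headers are constructed from the quoted message; the redacted values are kept as placeholders.

```python
# Added example (not from the thread): given the raw headers of a bounce like
# the one quoted above, list the relay hops and flag disguised executables.
import re

# Constructed sample, modelled on the headers quoted in the first post.
SAMPLE_HEADERS = """\
Return-Path: <postmaster@myprovider.com>
Received: from frontend1.myprovider.com (mysql.internal [xx.xxx.xx.xxx])
\tby myprovider.com (Cyrus v2.1.9) with LMTP; Sun, 25 Jan 2004 06:18:25 -0500
Received: by mail.myprovider.com (Postfix, from userid xxx)
\tid D33C74B6806; Sun, 25 Jan 2004 06:18:25 -0500 (EST)
From: <postmaster@myprovider.com>
Subject: Infected file rejected
"""

def received_hops(raw_headers):
    """Return the Received: values in file order (newest hop first), with
    folded continuation lines joined back onto their header."""
    hops, current = [], None
    for line in raw_headers.splitlines():
        if line[:1] in (" ", "\t") and current is not None:
            current.append(line.strip())      # continuation of a folded header
            continue
        if current is not None:               # previous Received: is complete
            hops.append(" ".join(current))
            current = None
        if line.lower().startswith("received:"):
            current = [line[len("received:"):].strip()]
    if current is not None:
        hops.append(" ".join(current))
    return hops

def transited_through(raw_headers, domain):
    """SysKoll's check: True only if some relay hop names the given domain."""
    return any(domain.lower() in hop.lower() for hop in received_hops(raw_headers))

# Harmless-looking extension, a run of spaces/underscores, then a real
# executable extension at the very end (the Dumaru trick quoted above).
PADDED_EXE = re.compile(r"\.(jpe?g|gif|png|txt|pdf|doc)[ _]+\.(exe|scr|pif|com|bat)$", re.I)

def is_disguised_executable(filename):
    """Flag names like 'myphoto.jpg           .exe' or 'myphoto.jpg____.exe'."""
    return PADDED_EXE.search(filename) is not None

if __name__ == "__main__":
    for hop in received_hops(SAMPLE_HEADERS):
        print("hop:", hop)
    print("via spamgourmet.com:", transited_through(SAMPLE_HEADERS, "spamgourmet.com"))
    print("disguised:", is_disguised_executable("myphoto.jpg                    .exe"))
```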

Propagation comes from a mailing-list admin :-(

Postby Not Really » Wed Jan 28, 2004 10:04 am

Hi,

I got another "virus detected" message. But this time not from my email provider, but from the mail server of a mailing list I've subscribed to (btw, guess what: it was detected by "ScanMail for Microsoft Exchange"...)

The bad news (for the other subscribers) is that the virus came from the list administrator, and there are a lot of other lists being managed on this server. (And I'm a bit surprised a mailing-list admin is able to run Outlook...)

So yes, sg is innocent (of course) :-)
I'm feeling so sorry to be such a paranoiac idiot!

Thank you for your help, I understood what really happened.
--
Not really.

PS: more info on virus "I-Worm.Dumaru.j":
http://www.kaspersky.com/news.html?id=3614205
http://www.viruslist.com/eng/viruslist.html?id=836347 (last update today)

PPS: I'm not even sure it is the only point of propagation, since the last warning I've got is about "Dumaru.y", not "Dumaru.j". But chances are it is the same virus/worm (see http://www.us.sophos.com/virusinfo/anal ... maruy.html).

Postby SysKoll » Wed Jan 28, 2004 3:56 pm

You're very welcome.

> I'm feeling so sorry to be such a paranoiac idiot!

Don't be. You're learning.

In computing, there is no such thing as a paranoid idiot. The paranoids survive; the trustful idiots get bamboozled. Our field exposes us to, ahem, a wide gamut of human behavior. What passes for paranoia in other, more civilized fields (such as collection agencies, drug trafficking and injury law), we call "elementary precautions".
-- SysKoll

