
Keep getting these 2 emails!! Do i have a virus?
milenko11
Dedicated MacNNer
Join Date: May 2002
Location: : : :noitacoL
Jan 11, 2003, 07:00 PM
 
Well, the first one is this. I get it every couple of days.

From: Mail Delivery Subsystem <[email protected]>
Date: Sat Jan 11, 2003 9:30:33 AM US/Eastern
To: <[email protected]>
Subject: Returned mail: User unknown

The attachment rowspan.pif with this email was found to contain the W32.Klez.H@mm virus and could not be disinfected. The attachment has been removed from the email. Please ask the sender to repair and resend it.

This message has been processed by Brightmail(TM) Anti-Virus using
Symantec's Norton AntiVirus Technology.
From: Mail Delivery Subsystem <[email protected]>
Date: Sat Jan 11, 2003 9:30:33 AM US/Eastern
To: <[email protected]>
Subject: Returned mail: User unknown


The original message was received at Sat, 11 Jan 2003 09:30:13 -0500 (EST)
from logs-mtc-tk.proxy.aol.com [64.12.107.5]


*** ATTENTION ***

Your e-mail is being returned to you because there was a problem with its
delivery. The address which was undeliverable is listed in the section
labeled: "----- The following addresses had permanent fatal errors -----".

The reason your mail is being returned to you is listed in the section
labeled: "----- Transcript of Session Follows -----".

The line beginning with "<<<" describes the specific reason your e-mail could
not be delivered. The next line contains a second error message which is a
general translation for other e-mail servers.

Please direct further questions regarding this message to your e-mail
administrator.

--AOL Postmaster



----- The following addresses had permanent fatal errors -----
<[email protected]>

----- Transcript of session follows -----
... while talking to mx05.earthlink.net.:
RCPT To:<[email protected]>
<<< 550 [email protected]...User unknown
550 <[email protected]>... User unknown
Reporting-MTA: dns; rly-ip02.mx.aol.com
Arrival-Date: Sat, 11 Jan 2003 09:30:13 -0500 (EST)

Final-Recipient: RFC822; [email protected]
Action: failed
Status: 5.1.1
Remote-MTA: DNS; mx05.earthlink.net
Diagnostic-Code: SMTP; 550 [email protected]...User unknown
Last-Attempt-Date: Sat, 11 Jan 2003 09:30:33 -0500 (EST)

From: urza <[email protected]>
Date: Sat Jan 11, 2003 9:28:51 AM US/Eastern
To: [email protected]
Subject: Application
The second one is also strange. I keep getting the same email from [email protected]. It's from a different 'person' every time. The subject is always 'Of contents'. All that is in there is a pic of some HP thing that says click me.

This is all that is in the email. This pic is 1/3 the original size.


Can someone tell me what these are? Best way to stop them? Thanks!
     
JLL
Professional Poster
Join Date: Apr 1999
Location: Copenhagen, Denmark
Jan 11, 2003, 07:04 PM
 
The first one has been caught by .Mac's virus checker.

You can't really do anything to avoid getting these mails - they are sent by someone who has a virus on his Windows computer (you don't have a virus).
JLL

- My opinions may have changed, but not the fact that I am right.
     
milenko11  (op)
Dedicated MacNNer
Join Date: May 2002
Location: : : :noitacoL
Jan 11, 2003, 07:06 PM
 
So you think the first one is coming from the same person over and over that has a virus and is on Windows? Is there any way to find out who it is?
     
msuper69
Professional Poster
Join Date: Jan 2000
Location: Columbus, OH
Jan 11, 2003, 07:38 PM
 
If you're using Mail, you could set up a couple of rules to send these emails straight to the trash.
     
Mediaman_12
Professional Poster
Join Date: Jan 2001
Location: Manchester,UK
Jan 11, 2003, 08:39 PM
 
Someone who has you in their Address Book, they also must use a PC and be using Outlook/Outlook Express as a mail client. Unless whoever is sending you (and everybody else in his Address Book) these mails gets smart and runs some sort of anti-virus app, these aren't going to stop.
The attached files are just random files from his HD; there is nothing to stop one of these files being a personal letter, for example.

This is a very old and well-publicised PC virus. This guy must be as dumb as a brush not to realise he has got it (the much increased email activity would be a clue, don't you think?), and have done something about it.
     
SupahCoolX
Mac Elite
Join Date: Dec 1999
Location: NYC
Jan 11, 2003, 08:46 PM
 
Remember: As of right now, there are no viruses for OSX, so don't worry. It's someone else's problem.
     
Millennium
Clinically Insane
Join Date: Nov 1999
Jan 11, 2003, 09:47 PM
 
Originally posted by SupahCoolX:
Remember: As of right now, there are no viruses for OSX, so don't worry. It's someone else's problem.
That's not strictly true; Word/Excel macro viruses still work, and Entourage is still vulnerable to the Simpsons worm. But even with these, the damage they can do is greatly reduced.

However, these e-mails deal with a worm called Klez. Macs are immune to this worm, though if you get a Klez file you should still delete it (it cannot harm you, but if you unintentionally send it to someone else it could harm them).

In any case, no, you haven't caught Klez. Someone else has -someone running Windows who has you in their Outlook address book- and this is a symptom of that. Unfortunately, Klez forges its headers, so there's no way to tell who has it (that's the whole point; after all, if you know who has it, you can tell them, and they can then delete the worm).

A quick note: there are three types of malicious code out there: viruses, Trojan horses, and worms.

Viruses (you may also hear them called virii) are (usually) tiny bits of code which embed themselves into a file. They aren't files in themselves; this is the important distinction. They live in a file, and when that file is run, they attempt to spread to other files. They can only spread between machines if an infected file is copied over.

Worms are complete, independent programs. Rather than spreading from file to file, they spread from machine to machine. Typically they do this by scanning the computer they're on for lists of machines, and then try a variety of tricks to get onto those machines. The e-mail "viruses" we hear about in the media are actually a kind of worm; they use Outlook's address book as a convenient list of machines, and then they hide themselves in e-mail messages to get to those machines. In the past, they would try to use FTP or similar protocols, but these are very rare nowadays.

Trojan horses are, like worms, complete programs. However, they do not replicate themselves at all, as viruses and worms do. Rather, they simply perform some malicious action or other when run. In the past, these were called logic bombs, but because they typically disguise themselves as innocent programs -usually a game- and even function as that type of program in addition to their malicious aspect, they were named after the Trojan Horse of legend.
You are in Soviet Russia. It is dark. Grue is likely to be eaten by YOU!
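
Added example, not part of any post in this thread: a small Python triage of the bounce pasted in the first post. It reads the relay that originally accepted the message and the delivery-status fields, and flags the bounce as backscatter when that relay is not one of your own. The sample text is constructed from the fields visible in that bounce with placeholder addresses, and `my_relay_suffixes` (here `.mac.com`) is an assumed list of the reader's own outbound relays.

```python
import re

# Constructed sample modelled on the sendmail-style bounce quoted in the first
# post; addresses are placeholders because the page redacts the real ones.
SAMPLE_BOUNCE = """\
The original message was received at Sat, 11 Jan 2003 09:30:13 -0500 (EST)
from logs-mtc-tk.proxy.aol.com [64.12.107.5]

----- The following addresses had permanent fatal errors -----
<nobody@example.net>

Reporting-MTA: dns; rly-ip02.mx.aol.com
Arrival-Date: Sat, 11 Jan 2003 09:30:13 -0500 (EST)

Final-Recipient: RFC822; nobody@example.net
Action: failed
Status: 5.1.1
Remote-MTA: DNS; mx05.earthlink.net
Diagnostic-Code: SMTP; 550 nobody@example.net...User unknown
"""

ORIGIN_RE = re.compile(r"^from\s+(\S+)\s+\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.M)
FIELD_RE = re.compile(r"^([A-Za-z-]+):[ \t]*(.*)$", re.M)


def parse_bounce(text):
    """Pull the origin relay and the delivery-status fields out of a bounce."""
    fields = {k.lower(): v.strip() for k, v in FIELD_RE.findall(text)}
    origin = ORIGIN_RE.search(text)
    return {
        "origin_host": origin.group(1).lower() if origin else None,
        "origin_ip": origin.group(2) if origin else None,
        "reporting_mta": fields.get("reporting-mta", "").split(";")[-1].strip(),
        "status": fields.get("status"),
        "action": fields.get("action"),
    }


def is_backscatter(text, my_relay_suffixes):
    """True when a failed-delivery bounce is for mail our relays never handled."""
    # my_relay_suffixes is an assumed list such as [".mac.com"]; keep the
    # leading dot so "notmac.com" cannot pass as "mac.com".
    info = parse_bounce(text)
    if info["action"] != "failed" or info["origin_host"] is None:
        return False  # not a bounce we can attribute; leave it for a human
    return not info["origin_host"].endswith(tuple(my_relay_suffixes))
```

A mail rule built on this result can file such bounces away without touching bounces for mail that really did leave through your own relay.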
     
Xeo
Moderator Emeritus
Join Date: Mar 2001
Location: Austin, MN, USA
Jan 12, 2003, 02:35 AM
 
On a sort of related note, I constantly get mails like the original poster that have worms in them. However, they are always disinfected or deleted first by my campus mail server. (Incidentally, it is not even my e-mail address, but one I acquired with the webmaster position at my job.)

What kind of disinfection software can I use for my own e-mail server running on OS X Server using Apple's built-in mail server software? I'd like the same actions to be taken (auto-deletion, warning messages being sent, etc.). I have family and friends on this e-mail server and I'd like to protect them from themselves, since they don't always know what to avoid.

They are all on OS X, so there isn't too much danger, but I'd still like to get something like this running.
     
Subzero Diesel949
Registered User
Join Date: Jul 2001
Location: Orange County, CA
Jan 12, 2003, 03:08 AM
 
Yeah, we don't really get viruses, but we are carriers.
     
milenko11  (op)
Dedicated MacNNer
Join Date: May 2002
Location: : : :noitacoL
Jan 12, 2003, 08:58 PM
 
So does the Klez one have to come from Outlook?
     
   
 
All times are GMT -4.
All contents of these forums © 1995-2017 MacNN. All rights reserved.