Many "Undeliverable Mail" messages?

Discussion in 'Archived Threads 2001-2004' started by Jereme D, Aug 26, 2002.

  1. Jereme D

    Jereme D Stunt Coordinator

    Joined:
    Jan 29, 2002
    Messages:
    211
    Likes Received:
    0
    Over the past two days, I've gotten hundreds of "Undeliverable Mail" messages. A lot of the e-mails have this as the reason that the e-mails weren't delivered:

    "You appear to be sending this server emails infected with the KLEZ worm. Please update your virus software, or if you feel as though you have received this message in error, please contact your support desk."

    I thought that I actually might have the virus even though my checker is updated very regularly.

    I went through all of the messages, and none of the addresses that mails are being returned from are people that I know or have sent e-mails to before.
     
  2. Kevin P

    Kevin P Screenwriter

    Joined:
    Jan 18, 1999
    Messages:
    1,439
    Likes Received:
    0
    Do the messages have a file attached? Sometimes the Klez worm will email itself masquerading as an "Undeliverable Mail" message.
    Also, Klez can send itself out with someone else's email address in the "From:" line, so if someone with your address in their address book is infected with Klez, they could send out a Klez email with your address in the From line. If the mail server bouncing the mail sends the bounce message to the From address instead of the Return-Path address, you might get the bounce message even if you're not infected.
    Last but not least, you could be infected and your virus scanner isn't catching it. What are you using for a virus scanner? BTW, if you do get infected, Klez can disable your virus scanner so you should download Symantec's Klez removal tool and run it; it'll tell you if you're infected and will remove it for you. Then you'll need to re-install your anti-virus program.
    If you use Outlook or Outlook Express and have IE 5.0 or 5.5, you should install the IE patches to prevent the worm from launching when you preview or open an infected email. Click here for the MS Security bulletin.
    KJP
     
  3. Andre F

    Andre F Screenwriter

    Joined:
    Dec 9, 2000
    Messages:
    1,486
    Likes Received:
    2
    Let me say from experience that Klez is nasty...
     
  4. Jereme D

    Jereme D Stunt Coordinator

    Joined:
    Jan 29, 2002
    Messages:
    211
    Likes Received:
    0
    Yes, Kevin. A lot of them do have attached files. They're screensavers and batch files. A lot of them have no files attached and appear to be regular undelivered mail messages.

    Some of the other reasons for the messages not being delivered are "No such user", "User unknown" and "No response".

    Today when I got home from work, I only had 20 of them. They had been arriving in batches of between 30 and 50 messages.

    I ran the Klez tool at that link you listed and it did find some infected files, but I know they were just the attachments from the e-mails. I'm using AVP as my checker.

    I don't think it's me that's infected because I don't know any of the e-mail addresses that are coming back to me. Some of the addresses look made up, while others appear to be legitimate. Maybe I'm being 'bombed' by someone for whatever reason?
     
  5. Kevin P

    Kevin P Screenwriter

    Joined:
    Jan 18, 1999
    Messages:
    1,439
    Likes Received:
    0
    What email client are you using?

    Also, with Klez, note that the address in the "From" line isn't the actual sender, but is a randomly-selected address from the sender's address book. You'll have to view the headers in the message to determine the actual sender. Check for a "Return-Path" header. You should find an email address there. It's possible that they are all coming from the same sender, even though they appear to be coming from multiple addresses.

    KJP
     
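The header check Kevin describes in posts 2 and 5, as an added example that is not part of the thread: a small Python triage for a pile of "Undeliverable Mail" messages that ignores the forged From: line and looks at the Return-Path and the attachments instead, then counts messages per Return-Path so a single infected sender stands out. It relies on one fact the thread does not spell out, that a genuine bounce is sent with the empty envelope sender Return-Path `<>`, which a mail client shows as "". The two sample messages, the addresses in them and the function names are constructed for this example.

```python
from email import message_from_string
from email.utils import parseaddr
from collections import Counter

RISKY_EXT = (".scr", ".bat", ".exe", ".pif")   # attachment types Klez used

# Constructed sample of a real non-delivery report: its Return-Path is the null
# reverse path <>, which shows up as "" in a mail client, and it has no attachment.
GENUINE_BOUNCE = """\
Return-Path: <>
From: Mail Delivery System <MAILER-DAEMON@example.net>

User unknown
"""

# Constructed sample of a worm message dressed up as a bounce: From: is a victim's
# address taken from an address book, but Return-Path still names the real sender,
# and a screensaver (.scr) is attached.
FAKE_BOUNCE = """\
Return-Path: <infected-host@example.org>
From: jereme@example.com
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="bnd"

--bnd
Content-Type: application/octet-stream; name="setup.scr"
Content-Disposition: attachment; filename="setup.scr"

(binary payload omitted)
--bnd--
"""

def triage(raw):
    """Classify one message by Return-Path and attachments, ignoring the From: line."""
    msg = message_from_string(raw)
    return_path = msg.get("Return-Path", "").strip().strip("<>")  # "" for <>
    from_addr = parseaddr(msg.get("From", ""))[1]
    risky = [p.get_filename() for p in msg.walk()
             if p.get_filename() and p.get_filename().lower().endswith(RISKY_EXT)]
    verdict = ("worm posing as bounce" if risky
               else "genuine bounce" if return_path == "" else "unknown")
    return {"from": from_addr, "return_path": return_path, "risky": risky, "verdict": verdict}

def group_by_return_path(raws):
    """Count messages per Return-Path: one infected sender can hide behind many From: lines."""
    return Counter(triage(r)["return_path"] for r in raws)
```

Run `triage()` over each saved bounce and look at `group_by_return_path()`; a long tail of "unknown" verdicts that all share one Return-Path is the infected sender worth reporting to its ISP.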
  6. Jereme D

    Jereme D Stunt Coordinator

    Joined:
    Jan 29, 2002
    Messages:
    211
    Likes Received:
    0
    I use Eudora.

    I checked around the headers of the e-mails looking for any common info and there is none.
     
  7. Kevin P

    Kevin P Screenwriter

    Joined:
    Jan 18, 1999
    Messages:
    1,439
    Likes Received:
    0
    If you view full headers (the Blah Blah toolbar button in Eudora) do you see a Return-Path header? That would be the actual sender.

    Does AVP have a real-time or email scanning feature? If it does, enable it and then you'll be notified immediately when you receive an infected message. If AVP isn't detecting Klez, you need to update it.

    KJP
     
  8. Jereme D

    Jereme D Stunt Coordinator

    Joined:
    Jan 29, 2002
    Messages:
    211
    Likes Received:
    0
    Oh, ok. I see now. This is what's in the return path "".

    AVP does scan in realtime. It notifies me right when the messages are downloaded. It does pick out Klez by name too.
     
  9. Kevin P

    Kevin P Screenwriter

    Joined:
    Jan 18, 1999
    Messages:
    1,439
    Likes Received:
    0
    Dang, apparently Eudora doesn't retain return-path info very well. Someone else I know who uses Eudora has the same problem. I have Outlook Express and I always see an email address between the "".

    Perhaps if you forward the headers to the originating ISP's abuse address they can figure out who's sending them and notify them.

    KJP
     
  10. Jereme D

    Jereme D Stunt Coordinator

    Joined:
    Jan 29, 2002
    Messages:
    211
    Likes Received:
    0
    Ok. I will try forwarding some of the messages. In the meantime, I have just set a filter to make Eudora delete them from the server. I'm sure I have enough examples now. ;-)

    Thanks for all of your help.
     
  11. Dave F

    Dave F Cinematographer

    Joined:
    May 15, 1999
    Messages:
    2,885
    Likes Received:
    2
    It's likely that someone with an infected computer had you in his/her address book, and when their computer started spreading the virus, your email address was spoofed as the originator.
    Symantec's Klez info page. If you want to double-check, there are many free Klez removal tools, such as the one located at Symantec's page.
    -Dave
     