Worms for Entourage Mac???

Henry Seiden

I found a phishing type virus email attachment that's being distributed in
an interesting way.

First, a question about virus propagation on Mac. Despite recent
advertisements to the contrary, it's obvious to me that worms and other
nasties can be and are being foisted upon unsuspecting Mac users.

Is this particularly so via Entourage? I think that has been exacerbated
lately by Apple's claims of invulnerability, don't you?

Second question, what to do about it? I recently have received several
similar suspect emails purporting to be rejected messages from a Danish server
(xxxx.xxxx.de), in particular, although there were others, rejecting an
email sent from my address with my name to their server but with some phony
addresses in the source code, like (e-mail address removed) with a reply-to of my email
address.

There is an attachment entourage file enclosed which I think will do damage
to my entourage application and/or database as it is a 15K file that appears
with an Entourage icon. I simply trashed it. Then I ran database utility and
rebuilt my database.

Is there any safe way to burn that email or filter it to the trash in the
future? I'll save the next one I get and send to my favorite Spam filter
developer, SpamSieve to see about this. I just thought you folks would like
to know and maybe have some antidote to the Entourage poison pill
spammers...

Regards,

hms
 
Chris Ridd

I found a phishing type virus email attachment that's being distributed in
an interesting way.

First, a question about virus propagation on Mac. Despite recent
advertisements to the contrary, it's obvious to me that worms and other
nasties can be and are being foisted upon unsuspecting Mac users.

Why is it obvious to you? (You might want to be careful and separate out
attacks involving executable code like worms, and emails trying to phish
your bank account details out of you.)
There is an attachment entourage file enclosed which I think will do damage
to my entourage application and/or database as it is a 15K file that appears
with an Entourage icon. I simply trashed it. Then I ran database utility and
rebuilt my database.

Why did you think it would damage things? Entourage will put its own
document icons on a whole bunch of filetypes, but that doesn't mean they'll
do anything/anything bad.

Cheers,

Chris
 
Henry Seiden

Hey it isn't paranoia, OK? And it's also not a joke. I tried deleting it
from the server and from the database but can't get rid of it!

The message follows. It has so far crashed my database three times. It seems
that every time I get it it crashes the database and forces a rebuild. I
didn't include the attached file because I don't want to pass on a suspect
virus.

If you or anyone has any actual solutions I'd like to hear them...

Or if this is a bother and it's a waste of time, why subscribe to the
newsgroup?


****************************************************************************
Received: from mail13a.nshosts.com (unverified [69.80.208.46]) by
mail10.nshosts.com
(Vircom SMTPRS 5.3.232) with ESMTP id <[email protected]> for
<[email protected]>;
Thu, 11 May 2006 09:24:19 -0600
Received: from dedi18.your-server.de (213.133.106.18)
by mail13a.nshosts.com (Alligate(TM) SMTP Gateway v2.6.5.8)
with ESMPT id <[email protected]>
for <xxxx@techworksinc.com>; Thu, 11 May 2006 09:18:10 -0700
Received: from localhost ([127.0.0.1] helo=dedi18.your-server.de)
by dedi18.your-server.de with esmtp (Exim 4.50)
id 1FeClw-0001e1-VJ
for (e-mail address removed); Thu, 11 May 2006 17:08:14 +0200
Received: from mail by dedi18.your-server.de with local (Exim 4.50)
id 1FeClw-0001dy-Ru
for (e-mail address removed); Thu, 11 May 2006 17:08:12 +0200
X-Failed-Recipients: (e-mail address removed)
Auto-Submitted: auto-generated
From: Mail Delivery System <[email protected]>
To: (e-mail address removed)
Subject: Mail delivery failed: returning message to sender
Message-Id: <[email protected]>
Date: Thu, 11 May 2006 17:08:12 +0200
X-MXRate-Prob: 0
X-MXRate-Country: DE
X-MXRate-Action: NONE
X-Alligate-Grey: Skipped
X-Alligate-In: Passed* - Adult: 0 (Req: 190) Spam: 8 (Req: 190) Tot: 8 (Req:
190)
X-Alligate-QueueFile: 007440592.dta
X-Alligate-XFrom: <> [213.133.106.18] Germany (DE)
X-Alligate-XTo: <[email protected]> ([email protected])


This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

(e-mail address removed)
(ultimately generated from (e-mail address removed))
Unrouteable address

------ This is a copy of the message, including all the headers. ------

Return-path: <[email protected]>
Received: from [212.58.4.174] (helo=amsterdammail.net)
by dedi18.your-server.de with smtp (Exim 4.50)
id 1FeCls-0001cv-G3
for (e-mail address removed); Thu, 11 May 2006 17:08:12 +0200
Received: from 62.252.0.7
(SquirrelMail authenticated user (e-mail address removed));
by amsterdammail.net with HTTP id J85Gz028157939;
Thu, 11 May 2006 15:07:47 +0000
Message-Id: <[email protected]>
Date: Thu, 11 May 2006 15:07:47 +0000
Subject: Quit being faceless, get your business an impressive identity
From: "Rossie" <[email protected]>
To: <[email protected]>
User-Agent: SquirrelMail/1.4.3a
X-Mailer: SquirrelMail/1.4.3a
MIME-Version: 1.0
Content-Type: text/html;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: Clear (ClamAV 0.88.1/1454/Wed May 10 13:58:43 2006)
X-Spam-Score: 20.4 (++++++++++++++++++++)
X-Spam-Flag: YES
X-Spam-Report: Spam detection software, running on the system
"spam10.your-server.de", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email. If you have any questions, see
(e-mail address removed) for details.
Content analysis details: (20.4 points, 5 required)
pts rule name description
---- ---------------------- -------------------------------------------
0.8 INFO_TLD URI: Contains an URL in the INFO top-level
domain
1.0 URI_NOVOWEL URI: URI hostname has long non-vowel sequence
0.0 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
0.0 HTML_MESSAGE BODY: HTML included in message
3.1 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
[212.58.4.174 listed in sbl-xbl.spamhaus.org]
1.1 URIBL_SBL Contains an URL listed in the SBL blocklist
[URIs: parlevas.info]
3.6 URIBL_SC_SURBL Contains an URL listed in the SC SURBL
blocklist
[URIs: parlevas.info]
1.5 URIBL_WS_SURBL Contains an URL listed in the WS SURBL
blocklist
[URIs: parlevas.info]
2.6 URIBL_OB_SURBL Contains an URL listed in the OB SURBL
blocklist
[URIs: parlevas.info]
3.3 URIBL_AB_SURBL Contains an URL listed in the AB SURBL
blocklist
[URIs: parlevas.info]
3.4 URIBL_JP_SURBL Contains an URL listed in the JP SURBL
blocklist
[URIs: parlevas.info]

<HTML>
<STYLE>
BODY {background-color: #FFFFFF;font-family: arial;font-size: 12px;}
P {font-family: arial;font-size: 12px;}
</STYLE>
<BODY>
<P><B>You are about to launch a new business?<BR>
You intend to change you corporate identity in order to impress your target
audience?</B></P>
<P>Remember, the largest part of your success depends on whether you<BR>
are able to distinquish yourseIf from numerous competitors swamping the
market.<BR>
Do not hesitate! Perfect soIution is right here!</P>
<P>Loqoway has a hiqhly creative professionaI desiqners lonqing to
provide<BR>
your company with the most unigue ,sophisticated and modern Ioqo and<BR>
business identity .Hundreds of Ioqos ,and other branded materials have<BR>
been made for numerous customers representing aII types of businesses
worldwide.</P>
<P>If you are curious to know how to obtain a high-impact logo, follow the
link below<BR>
and let the team of professional designers assist you in your pursuit of a
future success.</P>
<P><A href="http://wsvggnhggedp.parlevas.info" target="_blank">Have a look
at our portfolio, check our prices and hot deals.</A></P>
______________________________________________________<BR>
<A href="http://vcdviedgbqnxiblrx.parlevas.info/">not
interested...</A><BR>______________________________________________________<
A href="http://J85Gz028157939.parlevas.info/">&nbsp;</A>
</BODY>
</HTML>

****************************************************************************
 
Henry Seiden

BTW, in case it's still not clear:
1. I didn't originate the email in the first place.
2. Don't know why or who did it.
3. Attached files didn't originate or attach from here.
4. Have received other email from similar, yet not exactly the same,
addresses recently.
5. Take steps to protect and not answer suspicious email, also filter it out
to a great degree.
6. Up to the first occurrence, recently, have not received this kind of
stuff.

Spoof mail? Phishing? Virus? I have no idea.
 
Corentin Cras-Méneur

Henry Seiden said:
I found a phishing type virus email attachment that's being distributed in
an interesting way.

Phishing and viri are two different things. Phishing does not involve
any application sent in attachment. Nothing ever gets executed on your
computer, it's just an e-mail that looks like a legit one and tries to
attract you to click on its link and get you to enter your passwords,
credit card number... on their site.
First, a question about virus propagation on Mac. Despite recent
advertisements to the contrary, it's obvious to me that worms and other
nasties can be and are being foisted upon unsuspecting Mac users.

Though worms and viruses are both technically possible, we have yet to see
one that propagates between Mac computers. It's not that it's not
possible, it's just that we haven't seen one yet (there have been a
couple of proofs of concept, but they could not really spread).

Is this particularly so via Entourage? I think that has been exacerbated
lately by Apple's claims of invulnerability, don't you?

Why through Entourage particularly? There isn't anything in Entourage
that makes it more susceptible than any other e-mail client on Mac.

Let's say that I'm not currently too worried about viri and worms
compromising my Mac through Entourage (or any other e-mail client).
Second question, what to do about it? I recently have received several
similar suspect emails purporting to be rejected messages from a Danish server
(xxxx.xxxx.de), in particular, although there were others, rejecting an
email sent from my address with my name to their server but with some phony
addresses in the source code, like (e-mail address removed) with a reply-to of my email
address.
That's very, very common. It doesn't mean that they were sent from your
computer (and my guess is that they probably weren't).
Either they are simply not from an ISP but they are a scam trying to get
you to open an attachment (that contains a virus for Windows).
Or someone you know got infected. The virus takes the names from his/her
address book and sends e-mails around to try to infect more computers.
The virus uses one of the addresses in the Address Book as the sender's
address: it reduces the chances that the actual infected sender is
identified, and it hopes that if the sender and the recipient are in the
address book of someone, they might also know each other and therefore
trust the e-mail and open the attachment.

Again: in both cases you never sent the e-mail yourself.


There is an attachment entourage file enclosed which I think will do damage
to my entourage application and/or database as it is a 15K file that appears
with an Entourage icon. I simply trashed it. Then I ran database utility and
rebuilt my database.

Sure, you can trash the entire e-mail. I'm not sure why you'd need to
rebuild the database though. Chances are the attachment has a .pif, .dat,
.exe or .zip extension (common for PC viri).
Is there any safe way to burn that email or filter it to the trash in the
future? I'll save the next one I get and send to my favorite Spam filter
developer, SpamSieve to see about this. I just thought you folks would like
to know and maybe have some antidote to the Entourage poison pill
spammers...

SpamSieve probably won't do a thing about it since its purpose is to
filter spam - not viri. You can simply manually delete it.


Corentin
 
Corentin Cras-Méneur

Henry Seiden said:
Hey it isn't paranoia, OK? And it's also not a joke. I tried deleting it
from the server and from the database but can't get rid of it!

You mean it comes back? Does it have the same date or is it a new
iteration of the same e-mail?

The message follows. It has so far crashed my database three times. It seems
that every time I get it it crashes the database and forces a rebuild. I
didn't include the attached file because I don't want to pass on a suspect
virus.

The e-mail itself is probably corrupted. The best thing to do is to
delete it on the server side. If you have any way to get into the mail
server through a Web page (webmail, etc.), go there and delete the
message. I suspect it is corrupted and that the server fails to properly
send it to you when you check your e-mails (so it tries to send it over and
over again on the following attempts to send you your new mail).

Corentin
 
Corentin Cras-Méneur

Henry Seiden said:
****************************************************************************
Received: from mail13a.nshosts.com


BTW, none of these e-mails were sent from Entourage. It would have the
name of the application mentioned in the headers (something like
"User-Agent: Entourage...").


You could also trace the sender's IP. If you're lucky and it is not
spoofed, it could give you some information on the sender.

Corentin
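The header check Corentin describes in his last two replies (the bounce was never sent by you, the original carries no Entourage User-Agent, and the Received: chain leads back to the real origin) can be done mechanically. The script below is an added example for this thread, not code from it and not SpamSieve's, Exim's or Entourage's logic: it splits an Exim-style bounce into the notification and the quoted original, walks each Received: chain from origin to delivery, names the MTA that generated the bounce and the host that first accepted the original, and reads the original's User-Agent header. SAMPLE_BOUNCE is a constructed, shortened copy of the bounce Henry posted: the hostnames, IPs and Exim queue ids are the ones in the thread, every mailbox and message-id is a placeholder, and the backscatter rule of thumb in is_backscatter is an assumption of mine.

```python
"""Trace a bounce (backscatter) message through its Received: headers.
Added example for this thread, not code from it or from any product it names.
SAMPLE_BOUNCE is a constructed, shortened copy of the bounce Henry posted: the
hostnames, IPs and Exim queue ids are the thread's, every mailbox and message-id
is a placeholder, and the backscatter rule of thumb below is my own."""
from __future__ import annotations
import email
import re
from email import policy
from email.message import EmailMessage

SAMPLE_BOUNCE = """\
Received: from dedi18.your-server.de (213.133.106.18)
 by mail13a.nshosts.com (Alligate(TM) SMTP Gateway v2.6.5.8)
 with ESMTP id <placeholder-1@mail13a.nshosts.com>
 for <me@example.invalid>; Thu, 11 May 2006 09:18:10 -0700
Received: from localhost ([127.0.0.1] helo=dedi18.your-server.de)
 by dedi18.your-server.de with esmtp (Exim 4.50)
 id 1FeClw-0001e1-VJ
 for me@example.invalid; Thu, 11 May 2006 17:08:14 +0200
Received: from mail by dedi18.your-server.de with local (Exim 4.50)
 id 1FeClw-0001dy-Ru
 for me@example.invalid; Thu, 11 May 2006 17:08:12 +0200
X-Failed-Recipients: victim@example.invalid
Auto-Submitted: auto-generated
From: Mail Delivery System <mailer-daemon@example.invalid>
Subject: Mail delivery failed: returning message to sender

------ This is a copy of the message, including all the headers. ------

Received: from [212.58.4.174] (helo=amsterdammail.net)
 by dedi18.your-server.de with smtp (Exim 4.50)
 id 1FeCls-0001cv-G3
 for victim@example.invalid; Thu, 11 May 2006 17:08:12 +0200
Received: from 62.252.0.7
 (SquirrelMail authenticated user spammer@example.invalid);
 by amsterdammail.net with HTTP id J85Gz028157939;
 Thu, 11 May 2006 15:07:47 +0000
From: "Rossie" <me@example.invalid>
User-Agent: SquirrelMail/1.4.3a
"""

COPY_MARKER = "------ This is a copy of the message, including all the headers. ------"
# One Received: line reads "from <helo> (<what the MTA observed>) by <mta> ...".
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s+\((?P<detail>[^)]*)\))?\s*;?\s*by\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def split_bounce(raw: str) -> tuple[EmailMessage, EmailMessage | None]:
    """Parse the notification itself and, if Exim appended one, the quoted original."""
    outer_text, _, inner_text = raw.partition(COPY_MARKER)
    outer = email.message_from_string(outer_text, policy=policy.default)
    inner = (email.message_from_string(inner_text.lstrip("\n"), policy=policy.default)
             if inner_text.strip() else None)
    return outer, inner


def received_hops(msg: EmailMessage) -> list[dict]:
    """Received: headers as hops in transit order. MTAs prepend the header as a
    message moves, so the stored order is newest first; reversing it reads the
    chain from the originating host onward."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(str(value))
        if not m:
            continue  # non-standard trace line: skip rather than guess
        ip = IP_RE.search(m.group("detail") or "") or IP_RE.search(m.group("helo"))
        hops.append({"helo": m.group("helo").strip("[]"),
                     "ip": ip.group(1) if ip else None,
                     "by": m.group("by")})
    return hops


def is_backscatter(outer: EmailMessage) -> bool:
    """Rule of thumb (my assumption) for an automatic delivery-failure notification."""
    auto = str(outer.get("Auto-Submitted", "")).lower().startswith("auto-")
    daemon = "mail delivery" in str(outer.get("From", "")).lower()
    return auto and (daemon or outer.get("X-Failed-Recipients") is not None)


def analyse_bounce(raw: str) -> dict:
    """Which MTA generated the bounce, where the quoted original really entered
    the mail system, and which client (if any) the original claims to be from."""
    outer, inner = split_bounce(raw)
    hops = received_hops(outer)
    report = {"is_bounce": is_backscatter(outer),
              "bouncing_mta": hops[0]["by"] if hops else None,
              "original_origin_ip": None, "original_first_mta": None,
              "original_client": None, "original_via_entourage": False}
    if inner is not None:
        # Only the hop written by a server you trust is reliable; every earlier
        # line was supplied by whoever handed the message on and may be forged.
        origin = received_hops(inner)
        if origin:
            report["original_origin_ip"] = origin[0]["ip"]
            report["original_first_mta"] = origin[0]["by"]
        client = inner.get("User-Agent") or inner.get("X-Mailer")
        report["original_client"] = str(client) if client else None
        report["original_via_entourage"] = bool(client) and "entourage" in str(client).lower()
    return report
```

On the sample, analyse_bounce reports dedi18.your-server.de as the MTA that produced the bounce, 62.252.0.7 (a SquirrelMail webmail login at amsterdammail.net) as the origin of the quoted original, and SquirrelMail/1.4.3a as its client, so nothing in the chain ever passed through Entourage or the recipient's machine; the forged From: is the only thing tying it to him. The caveat in the code matters in practice: only the Received: line your own server wrote is trustworthy, which is exactly the "if it is not spoofed" condition Corentin gives.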
 
Henry Seiden

I tried to delete it from within Entourage (Delete from Server appears on
the message window) without success. I went to the server via web mail after
deleting it and did _not_ find it. So, I supposed that it was in fact deleted
from the server.

I will look again for it.
 
Henry Seiden

My suggestion is that it 'automagically' trash any future responses from
this particular email address and still allow other notifications through.
I'm working on that. Spamsieve is pretty clever.
 
Henry Seiden

I traced the originating email to a Costa Rican server but with no name or
email address that I can find. I sent a message to teletipp.de webmaster and
to their contact point. I deleted this from the server. Judging by the name,
it is a new message not a resent one. The name used is different than
previous similar messages. Clearly a spam result.
 
