Where's IMM?

In article , J.Milton.Hayes writes

Speaking of rubbish, this last week I have received about a 100 emails that claim to be 'Your Document', 'News, 'Your Music' etc. These I know to hold viruses - can't remember which. I use turnpike so I assume I did not propagate it and deleted them. However, in the list of senders are such familiar names as dave.sound@, mawson.org.uk, etc, which makes me suggest that one of our brethren has a nasty infectious complaint.

Many of the current email worms peer into the address book of the machine they've infected not only to find 'live' email addresses to send to, but also to find email addresses and associated 'human' names to fill in the 'From:' header also. (Others simply use the apparent primrary email-and-friendly-name identifier on the machine they've infected to fill in the From: header). In this way the message arriving at the destination appears to come either from someone who "knows" the addressee (in that their identifier is in the forged-source's address book), or from someone "known" by someone in whose address book the addressee's address is found.

(The second scenario is the reason you get 'bounce' or 'virus found' messages from mail servers you've never sent to talking about 'your' attempts to send mail to someone you've never heard of: these happen because one of these worms is sending messages to one identifier in some numpty's address book, and using your email address - which is also in numpty's address book - as the fake 'From:' address).

So it doesn't at all follow that the *apparent* sender in a message you see (any address in the From:, Reply-To:, Sender:, or X- or Original[ly]- variants) is the true source of some machine-propagated nasty. The *only* headers not under the control of the sending software, whether it's malicious or benign, are the Received: headers added at each step of the email's store-and-forward journey. The original mail-injector might add a few bogus Received: lines of its own, but can't stop later mail handlers adding theirs.

[ObTopic] If only the worm writers could be bothered to find less destructive outlets for their energies, like taking down wallfulls of tiles with an SDS drill ;-)

Stefek

In all probabilty it's I-worm/netsky.D which is doing the rounds. Google will give you the info on it, but basically it's as explained by stefak.

Not guilty. I use an Acorn computer exclusively for news and e-mail so my software can't be infected by an MS virus. I would add, that even if it was, I'd be very aware of it sending out mails I hadn't written.

In article , Dave Plowman writes

I thought it was odd to see your amongst the list - and I use turnpike so I assume (possibly naively) that the viruses writers don't know about its address book format. There is nothing in my outlook address book , I never use it.