ZYRA's front page //// INTERNET //// e-mails //// site index

Also see: anti-virus measures

This item is a special feature of the ROGUES GALLERY OF SUSPICIOUS E-MAILS

Mail Returned virus messages

You receive a message which says "Mail Subsystem: Mail Returned" or some such thing. Looks like you sent a message and it failed to be delivered. But did you really send it? Here's the problem:

If someone called themselves "Mail Subsystem" and sent messages saying "Returned Mail: Service Unavailable", it would LOOK like a proper mail-returned error message. It's a cunning way to disguise a virus!

What happens is that if you receive a strange looking mail returned message, your natural instinct is to investigate it, for example by opening the attachments... DON'T! There may be a virus in there, and you might not be able to tell, unless you have taken the precautions described at the anti-virus measures page

Anyway, here's an example of the sort of thing:

<attachments: ATT00071.dat (342 bytes) Fw: Joke Love to ur Lovers :-) (31.7KB)>

----- Original Message -----
From: Mail Delivery Subsystem <MAILER-DAEMON@aol.com>
To: <add-a-cat @ zyra.org.uk>
Sent: Monday, October 28, 2002 11:50 AM
Subject: Returned mail: Service unavailable

The original message was received at Mon, 28 Oct 2002 06:50:01 -0500 (EST) from logs-mtc-th.proxy.aol.com [64.12.102.5]

*** ATTENTION ***

Your e-mail is being returned to you because there was a problem with its
delivery. The address which was undeliverable is listed in the section
labeled: "----- The following addresses had permanent fatal errors -----".

The reason your mail is being returned to you is listed in the section
labeled: "----- Transcript of Session Follows -----".

The line beginning with "<<<" describes the specific reason your e-mail could
not be delivered. The next line contains a second error message which is a
general translation for other e-mail servers.

Please direct further questions regarding this message to your e-mail
administrator.

--AOL Postmaster


----- The following addresses had permanent fatal errors -----
someone-or-other@yahoo.com

----- Transcript of session follows -----
... while talking to mx1.mail.yahoo.com.:
>>> DATA
<<< 554 delivery error: dd Sorry your message to someone-or-other@yahoo.com cannot be delivered. This account has been disabled or discontinued [#102]. - mta531.mail.yahoo.com

554 <someone-or-other@yahoo.com>... Service unavailable

To me, it's a dead-giveaway this is a virus and not a genuine mail returned error. The address accused of sending the message this refers to, "add-a-cat", can not in fact send messages at all. It's a receive-only address on the page of categories, and the address has been harvested by the computer of some unwitting person whose computer has already caught the virus.

How to avoid being caught out:

If you can, have separate receive-only e-mail addresses for incoming public-access. That way it's easy to spot these bogus messages, as you know the accused address could not have sent anything!

Or, even if you can't get "infinite e-mails" facility...

1. Never run an attachment in a "mail returned" message.

2. Don't have "hide file extensions" and don't allow ActiveX in e-mails.

3. Try to keep a track of messages you have sent, so that any messages reporting "returned" have to match actual messages which you have sent.

4. See www.zyra.org.uk/avirus.htm

5. Lobby your ISP to find a better way of expressing the mail not delivered concept. The inclusion of old e-mails in attachments is bad form! The problem isn't exclusive to AOL

Also see ANTI-VIRUS SOFTWARE which may help to clear viruses in your machine, and to TEST to see if you are safe!