[Dshield] Odd emails from apparently MS..

Chris Scott cscott at fluidsmgmt.com
Wed Dec 17 21:34:27 GMT 2003

I've been getting them for several months in my Yahoo mailbox. Looks exactly
like something from Microsoft. Headers, IPs, everything. The average user
probably wouldn't know not to open them. These things come in so frequently
my Yahoo box fills up about every other day. These emails are some of the
few virus-infested ones I get that actually have correct English.

Chris Scott
Systems Engineer

-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On Behalf
Of Micheal Patterson
Sent: Wednesday, December 17, 2003 2:58 PM
To: dshield
Subject: [Dshield] Odd emails from apparently MS..

I've currently gotten a total of 5 messages this month that contained
various virus/trojans according to ClamAV / F-Prot and Sophos that appear to
be from the MS postmaster. IPs and headers match. Has anyone else gotten
any of these? I even went and contacted abuse at microsoft.com about it but
their response was "this appears to be DNS spoofing", which I disagree with.
IP spoofs perhaps, or one of their systems could indeed be breached.
Regardless, the source IPs are now being blocked at my border. Headers from
the latest message are below; all previous messages are from exactly the same
source hosts.


Micheal Patterson
TSG Network Administration

Here is the output of the scanner:

/var/amavis/amavis-16261868/parts/msg-14906-1.txt: OK
/var/amavis/amavis-16261868/parts/msg-14906-2.msg: OK
/var/amavis/amavis-16261868/parts/msg-14906-3.txt: OK
/var/amavis/amavis-16261868/parts/msg-14906-4.html: OK
/var/amavis/amavis-16261868/parts/msg-14906-5.pif: Worm.Torvil.D FOUND

----------- SCAN SUMMARY -----------
Known viruses: 11753
Scanned directories: 1
Scanned files: 5
Infected files: 1
Data scanned: 0.06 Mb
I/O buffer size: 131072 bytes
Time: 0.448 sec (0 m 0 s)

Here are the headers:

------------------------- BEGIN HEADERS -----------------------------
Return-Path: <>
Received: from mail6.microsoft.com (mail6.microsoft.com [])
by mail.tsgincorporated.com (8.12.10/8.12.8) with ESMTP id hBHJUNNB014869
for <edited>; Wed, 17 Dec 2003 13:30:24 -0600 (CST)
Received: from inet-imc-05.redmond.corp.microsoft.com ([]) by
mail6.microsoft.com with Microsoft SMTPSVC(6.0.3790.1069);
Wed, 17 Dec 2003 11:19:24 -0800
From: postmaster at microsoft.com
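
The headers quoted above are the crux of the thread: a Received: chain that reads like Microsoft's. As an added example, not part of either post, here is a short Python script that parses a message modelled on those headers and separates the one hop the local MTA itself stamped from the hops that arrived inside the message, then lists attachments with executable extensions. The sample message is constructed: the IPs (192.0.2.10, 198.51.100.5) are documentation-range placeholders for the addresses the post left blank, the recipient is invented, the "local MTA" name (mail.tsgincorporated.com) and the risky-extension list are assumptions for the demo, and the forged-bounce heuristic is ours, not something the thread states.

```python
import email
import re

# Constructed sample modelled on the headers quoted in the thread. The addresses
# (192.0.2.10, 198.51.100.5) are documentation-range placeholders for the IPs
# the post left blank; they are not Microsoft's, and the recipient is invented.
SAMPLE = """\
Return-Path: <>
Received: from mail6.microsoft.com (mail6.microsoft.com [192.0.2.10])
\tby mail.tsgincorporated.com (8.12.10/8.12.8) with ESMTP id hBHJUNNB014869
\tfor <user@example.net>; Wed, 17 Dec 2003 13:30:24 -0600 (CST)
Received: from inet-imc-05.redmond.corp.microsoft.com ([198.51.100.5]) by
\tmail6.microsoft.com with Microsoft SMTPSVC(6.0.3790.1069);
\tWed, 17 Dec 2003 11:19:24 -0800
From: postmaster@microsoft.com
To: user@example.net
Subject: Undeliverable mail
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your message could not be delivered.
--b1
Content-Type: application/octet-stream; name="message.pif"
Content-Disposition: attachment; filename="message.pif"
Content-Transfer-Encoding: base64

cGxhY2Vob2xkZXI=
--b1--
"""

# sendmail-style "from HELO (rDNS [IP]) ... by RECEIVER"; the receiving MTA writes it.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*(?:\((?P<paren>[^)]*)\))?.*?\bby\s+(?P<by>\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Extensions Windows runs on double-click; .pif is what the scanner in the
# thread flagged. Assumed list for the demo, not taken from the post.
RISKY_EXT = (".pif", ".scr", ".exe", ".com", ".bat", ".cmd", ".vbs", ".lnk")


def parse_received(value):
    """Split one Received: header into HELO name, connecting IP and receiving MTA."""
    text = " ".join(value.split())            # unfold continuation lines
    m = RECEIVED_RE.search(text)
    if not m:
        return None
    ip = IP_RE.search(m.group("paren") or "")
    return {"helo": m.group("helo"),
            "ip": ip.group(1) if ip else None,
            "by": m.group("by").lower()}


def analyze(raw, local_mta):
    """Report which hops our own MTA attested, the sender shape and risky attachments."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        hop = parse_received(value)
        if hop is None:
            continue
        # Only a line stamped "by <our MTA>" was written by a server we control.
        # Every Received: line below it arrived inside the message and is
        # sender-supplied text, however plausible the hostnames look.
        hop["trusted"] = hop["by"] == local_mta.lower()
        hops.append(hop)
    connecting_ip = next((h["ip"] for h in hops if h["trusted"]), None)

    null_sender = msg.get("Return-Path", "").strip() == "<>"
    sender = msg.get("From", "").lower()
    attachments = [p.get_filename() for p in msg.walk()
                   if not p.is_multipart() and p.get_filename()]
    risky = [a for a in attachments if a.lower().endswith(RISKY_EXT)]
    # Heuristic of our own: null sender + postmaster/mailer From: + executable
    # attachment is the shape of a worm dressed up as a bounce notice.
    forged_bounce = (null_sender and bool(risky)
                     and any(k in sender for k in ("postmaster", "mailer-daemon")))
    return {"hops": hops, "connecting_ip": connecting_ip,
            "null_sender": null_sender, "risky_attachments": risky,
            "looks_like_forged_bounce": forged_bounce}


if __name__ == "__main__":
    report = analyze(SAMPLE, "mail.tsgincorporated.com")
    for h in report["hops"]:
        tag = "attested by our MTA" if h["trusted"] else "sender-supplied"
        print(f"{h['helo']:45} {h['ip'] or '?':15} by {h['by']:30} {tag}")
    print("connecting IP to verify/block:", report["connecting_ip"])
    print("risky attachments:", report["risky_attachments"])
    print("forged bounce shape:", report["looks_like_forged_bounce"])
```

The practical point the script encodes: the only Received: line a receiving site can vouch for is the topmost one, which its own MTA wrote when the remote host connected; the HELO name, reverse-DNS name and IP in that line are what to check against the claimed sender and, if need be, block at the border. Any Received: line beneath it, including one naming an internal Redmond host, was already inside the message when it arrived and proves nothing on its own.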
