Trilogyintl.com mail having problems?



RCSignals
04-27-2004, 01:17 PM
Didn't know where else to put this. Mail to postmaster@trilogyintl.com has been returned as undeliverable.

I received a "returned" e-mail for the Trilogy mail system, indicating I had sent an e-mail to sales@trilogyintl.com, and it was being returned for content.

Since I've never e-mailed Trilogy, they've never e-mailed me, and their address is not in my e-mail address book, my system is virus free, there must be a problem somewhere.

The message from Trilogy mail:


Status: U
Return-Path: <>
Received: from mailer.trilogyintl.com ([209.187.237.15]) by bunting (EarthLink SMTP Server) with ESMTP id 1bisJb2qw3NZFmR1 for <rcsignals@earthlink.net>; Tue, 27 Apr 2004 06:34:25 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mailer.trilogyintl.com (Postfix) with ESMTP id E29FF1518074 for <rcsignals@earthlink.net>; Tue, 27 Apr 2004 09:45:37 -0400 (EDT)
MIME-Version: 1.0
Subject: BANNED FILENAME (message.txt.pif) IN MAIL FROM YOU
In-Reply-To: <20040427134536.30A451518025@mailer.trilogyintl.com>
Message-Id: <VS15719-01@mailer>
Content-Type: multipart/report; report-type=delivery-status; boundary="----------=_1083073537-15719-1"
From: amavisd-new <postmaster@trilogyintl.com>
To: <rcsignals@earthlink.net>
Date: Tue, 27 Apr 2004 09:45:37 -0400 (EDT)
This is a multi-part message in MIME format...
------------=_1083073537-15719-1
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
BANNED FILENAME ALERT
Our content checker found
banned name: message.txt.pif
in email presumably from you (<rcsignals@earthlink.net>), to the following recipient:
-> sales@trilogyintl.com
Please check your system,
or ask your system administrator to do so.
Delivery of the email was stopped!
For your reference, here are headers from your email:
------------------------- BEGIN HEADERS -----------------------------
Return-Path: <rcsignals@earthlink.net>
Received: from trilogyintl.com (unknown [10.10.8.19])
by mailer.trilogyintl.com (Postfix) with ESMTP id 30A451518025
for <sales@trilogyintl.com>; Tue, 27 Apr 2004 09:45:36 -0400 (EDT)
From: rcsignals@earthlink.net
To: sales@trilogyintl.com
Subject: Re: Secure delivery
Date: Tue, 27 Apr 2004 09:34:03 -0400
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0016----=_NextPart_000_0016"
X-Priority: 3
X-MSMail-Priority: Normal
Message-Id: <20040427134536.30A451518025@mailer.trilogyintl.com>
-------------------------- END HEADERS ------------------------------
------------=_1083073537-15719-1
Content-Type: message/delivery-status
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
Content-Description: Delivery error report
Reporting-MTA: dns; mailer
Received-From-MTA: smtp; mailer.trilogyintl.com ([127.0.0.1])
Arrival-Date: Tue, 27 Apr 2004 09:45:37 -0400 (EDT)
Final-Recipient: rfc822; sales@trilogyintl.com
Action: failed
Status: 5.7.1
Diagnostic-Code: smtp; 550 5.7.1 Message content rejected, id=15719-01 - BANNED: message.txt.pif
Last-Attempt-Date: Tue, 27 Apr 2004 09:45:37 -0400 (EDT)
------------=_1083073537-15719-1
Content-Type: text/rfc822-headers
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
Content-Description: Undelivered-message headers
Received: from trilogyintl.com (unknown [10.10.8.19])
by mailer.trilogyintl.com (Postfix) with ESMTP id 30A451518025
for <sales@trilogyintl.com>; Tue, 27 Apr 2004 09:45:36 -0400 (EDT)
From: rcsignals@earthlink.net
To: sales@trilogyintl.com
Subject: Re: Secure delivery
Date: Tue, 27 Apr 2004 09:34:03 -0400
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0016----=_NextPart_000_0016"
X-Priority: 3
X-MSMail-Priority: Normal
Message-Id: <20040427134536.30A451518025@mailer.trilogyintl.com>
------------=_1083073537-15719-1--

Maybe this info can be passed to "postmaster@trilogyintl.com".

Dr Caleb
04-27-2004, 01:58 PM
In the header of the message the filename 'you' sent is "message.txt.pif". Also in the header "Received: from localhost (localhost [127.0.0.1]) by mailer.trilogyintl.com (Postfix)"

Those are dead giveaways. Someone has a virus - not necessarily you.

Here's how it works. Someone who has your address is infected by, most likely, the MSBlaster worm. It steals their address book, passes the book on to the next victim, and starts sending email using the stolen addresses as the sender. So the book was stolen from someone whose address book you are in, and someone else's machine is sending emails in your name. The same virus also grabs domains from the local cache, and sends email to that domain, to all the default addresses, e.g. postmaster@, root@, info@, admin@.

The address "127.0.0.1" is a dead giveaway - it's local to a machine. Unless the MTA forwards mail within Trilogy's server, it's someone at Trilogy that has the infection. Where did the address come from? MM.net member list perhaps?? I'm guessing that, because who would have both your address and Trilogy's address in their address book? I dunno.

Some people configure their server to respond to the sender when it detects a virus. This newer batch is nasty in that respect, because the sender doesn't really have the virus, and there is no way to track down the actual infected machine.

Don't worry - you didn't send that message, but someone you know may have. Trilogy's servers are doing what they are supposed to.
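
An added example, not part of any post in this thread and not Trilogy's or amavisd-new's code: reading a bounce like the one quoted in the first post with Python's standard `email` package, to pull out the rejection reason and the host that handed the rejected message to the mail server. The sample is a trimmed, constructed copy of that bounce; the `B1` boundary and the function name `analyze_bounce` are assumptions.

```python
import email
import ipaddress
import re
from email import policy

# Constructed sample: a trimmed copy of the bounce quoted in the first post.
SAMPLE_BOUNCE = """\
From: amavisd-new <postmaster@trilogyintl.com>
Subject: BANNED FILENAME (message.txt.pif) IN MAIL FROM YOU
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: message/delivery-status

Reporting-MTA: dns; mailer

Final-Recipient: rfc822; sales@trilogyintl.com
Status: 5.7.1
Diagnostic-Code: smtp; 550 5.7.1 Message content rejected, id=15719-01 - BANNED: message.txt.pif
--B1
Content-Type: text/rfc822-headers

Received: from trilogyintl.com (unknown [10.10.8.19])
 by mailer.trilogyintl.com (Postfix) with ESMTP id 30A451518025
From: rcsignals@earthlink.net
To: sales@trilogyintl.com
Subject: Re: Secure delivery
--B1--
"""

def analyze_bounce(raw):
    """Return the DSN diagnostic and the first hop of the rejected message."""
    msg = email.message_from_string(raw, policy=policy.default)
    report = {"diagnostic": None, "claimed_from": None,
              "first_hop_ip": None, "internal_origin": False}
    for part in msg.walk():
        if part["Diagnostic-Code"]:  # per-recipient block of the DSN
            report["diagnostic"] = str(part["Diagnostic-Code"])
        if part.get_content_type() == "text/rfc822-headers":
            hdrs = email.message_from_string(part.get_content(), policy=policy.default)
            report["claimed_from"] = str(hdrs["From"])  # forgeable by the sender
            received = hdrs.get_all("Received", [])
            # The bottom-most Received header records the earliest hop.
            m = re.search(r"\[([0-9A-Fa-f:.]+)\]", str(received[-1])) if received else None
            if m:
                ip = ipaddress.ip_address(m.group(1))
                report["first_hop_ip"] = str(ip)
                report["internal_origin"] = ip.is_private  # RFC 1918 / loopback
    return report
```

On this sample the `From:` line names an outside address while the first hop is a private (RFC 1918) address, which is the mismatch to look for when deciding whether the bounce reflects mail you actually sent.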

RCSignals
04-27-2004, 02:07 PM
Thanks Glenn,


That's kind of what I suspected. I use McAfee SpamKiller, and it isolated that particular message, so I didn't actually download it to my mail program.

Mad4Macs
04-27-2004, 02:21 PM
In the header of the message the filename 'you' sent is "message.txt.pif". Also in the header "Received: from localhost (localhost [127.0.0.1]) by mailer.trilogyintl.com (Postfix)"

Those are dead giveaways. Someone has a virus - not necessarily you.

Dead on! I get windoze boxes EVERY DAY with those nasty little presents...

Jerry Barnes
04-27-2004, 06:20 PM
Guys,

If you did not get my response to your emails from work, I want to thank everyone again for letting me know about the problems. I have new SPAM and Virus software installed because we have really been having problems. So, just to repeat myself, please call me directly if I do not respond promptly. (313)336-6135.

Thanks!!

Jerry

RCSignals
04-27-2004, 07:06 PM
Jerry, I had just wanted to let you know what happened, and when I tried to send a copy of that message above, to "postmastr@trilogyintl.com" it was returned as

"did not reach the following recipient(s):
Administrator on Tue, 27 Apr 2004 15:51:49 -0400
The recipient was unavailable to take delivery of the message
MSEXCH:MSExchangeIS:TRILOGYINTL(u)US:TRILOGY(u)PUB "

I figured your postmaster or administrator should know.

Dan
04-28-2004, 03:58 AM
Dead on! I get windoze boxes EVERY DAY with those nasty little presents...

Virus? What's a virus? No viruses or virus programs are running on my computer.

Hmmm. I wonder if it is because I use a Macintosh? Hmmm. :uzi:

Best,

Dan