
What is this email?

Mr. Stick

From time to time I'm getting a strange email. The sender (which looks phony IMO) and subject change, but the form is always the same. The sender is not trying to sell me anything, but I find it strange and annoying. I have no idea what it's about, but I'm curious and would like to know why I'm receiving these emails (and preferably put a stop to them). Any help would be appreciated. I've pasted the text from the email, as well as the text from the email's properties.

Email subject: times

Email text:

Content-Type: text/plain;
Content-Transfer-Encoding: 7Bit

development



Properties:

X-Symantec-TimeoutProtection: 0
Return-Path: <lsatui15xykma@netwiz.net>
Received: from fep25.mail.dk ([66.168.42.242]) by fep33.mail.dk
(InterMail vM.6.01.06.01 201-2131-130-101-20060113) with ESMTP
id <20060701225358.LGNA7150.fep33.mail.dk@fep25.mail.dk>
for <my@address.dk>; Sun, 2 Jul 2006 00:53:58 +0200
Received: from cpe-66-168-42-242.ma.charter.com ([66.168.42.242])
by fep25.mail.dk
(InterMail vG.2.02.00.00 201-2161-120-101-20051020) with SMTP
id <20060701225357.PHEU13758.fep25.mail.dk@cpe-66-168-42-242.ma.charter.com>
for <my@address.dk>; Sun, 2 Jul 2006 00:53:57 +0200
From: lsatui15xykma@netwiz.net
To: my@address.dk
Subject: times
Date: Sat, 01 Jul 2006 15:53:59 -0800
Message-Id: <20060701225357.PHEU13758.fep25.mail.dk@cpe-66-168-42-242.ma.charter.com>



I've substituted my real email address in the text.
 
My immediate reaction is that it's a virus. There are others here who can tell you how the visible text can have absolutely nothing to do with the real content, which may not be visible. Just delete it and run your AV software.
 
The virus may not be on your machine. Could be on someone else's machine. Is there any text? What does your anti virus and spam software think of it?
 
The text and subject are in the OP. I'm using Norton Internet Security, and both in- and outgoing emails are scanned, and there have not been any alerts of any kind.
I don't think the email contains a virus, the size is only 1 KB. Notice the name "Symantec" in the first line of the properties, this indicates to me that it has something to do with Norton.
 
Several things jump out as red flags. First off the message came directly from a system at charter.com (a cable company) and not via charter.com's e-mail servers. I know this because I looked up the txt dns records for charter.com. They've published a list of their mail servers in their SPF record and the source of this e-mail isn't one of them.

http://www.dnsstuff.com/tools/lookup.ch?name=charter.com&type=TXT

Next is that the from on the e-mail claims to be from a netwiz.net user not charter.com. This isn't an automatic indicator that there is a problem, if netwiz had outsourced their e-mail to charter this type of thing might happen. However checking netwiz.net's MX records (they don't have an SPF record defined) it appears netwiz has outsourced to megamailservers.com.

http://www.dnsstuff.com/tools/lookup.ch?name=netwiz.net&type=MX

So yes, this is a bogus e-mail address sent from a zombie computer on Charter Cable's network at ip address 66.168.42.242.

I would guess virus, stripped out by your ISP's mail server.
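The check described in the post above (is the connecting IP one of the domain's published mail servers, and does the connecting host belong to the sender's domain), as an added example that is not part of the original thread. The SPF record is constructed from documentation address ranges, not Charter's real record; only `ip4:` mechanisms are evaluated, and the function names are hypothetical.

```python
import email
import ipaddress
import re

# Headers from the original post, trimmed to the fields used here.
RAW = """\
Return-Path: <lsatui15xykma@netwiz.net>
Received: from fep25.mail.dk ([66.168.42.242]) by fep33.mail.dk
 with ESMTP; Sun, 2 Jul 2006 00:53:58 +0200
Received: from cpe-66-168-42-242.ma.charter.com ([66.168.42.242])
 by fep25.mail.dk with SMTP; Sun, 2 Jul 2006 00:53:57 +0200
From: lsatui15xykma@netwiz.net
"""

# CONSTRUCTED SPF record (documentation ranges), not the real published one.
SAMPLE_SPF = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 -all"

HOP = re.compile(r"from\s+(\S+)\s+\(\[([0-9.]+)\]\)\s+by\s+(\S+)")

def first_hop(raw):
    """Return (claimed_host, ip, receiving_host) from the earliest Received header."""
    msg = email.message_from_string(raw)
    received = msg.get_all("Received") or [""]
    # Headers are prepended in transit, so the last one is the first hop.
    m = HOP.search(" ".join(received[-1].split()))
    return m.groups() if m else None

def ip_in_spf(ip, spf):
    """True if ip matches an ip4: mechanism of the record."""
    addr = ipaddress.ip_address(ip)
    nets = [t[4:] for t in spf.split() if t.startswith("ip4:")]
    return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)

def triage(raw, spf):
    """Summarise the two red flags: unlisted client IP, host/sender mismatch."""
    host, ip, _ = first_hop(raw)
    msg = email.message_from_string(raw)
    sender_domain = msg["Return-Path"].strip("<>").split("@")[1]
    return {
        "client_ip": ip,
        "client_host": host,
        "sender_domain": sender_domain,
        "listed_in_spf": ip_in_spf(ip, spf),
        "host_matches_sender": host.endswith("." + sender_domain),
    }

if __name__ == "__main__":
    print(triage(RAW, SAMPLE_SPF))
```
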
 
I would guess virus, stripped out by your ISP's mail server.
Thanks, that's a lot of effort you put in to helping me :) . It might be my inadequate English skills, but what do you mean by "stripped out", cleansed, withheld or what?
 
It means...

Don't open emails from people you don't know or recognise...

Anyway...

"Cleansed"..."Stripped out" means either your anti-virus or your ISP removed the virus before you opened it...

Lucky for you...

DB
 
From time to time I'm getting a strange email.
Whenever I get such a thing I immediately delete it. In younger days I had some curiosity about these emails (i.e. losers), but now that I'm older I can't imagine why. Don't recognize the sender? Don't open it; delete.
 
Thanks, that's a lot of effort you put in to helping me :) . It might be my inadequate English skills, but what do you mean by "stripped out", cleansed, withheld or what?

Not poor English skills, poor American skills 8-)

I think your ISP removed an attachment it believed to be virus infected from the e-mail. Many anti-virus packages will do this, but still let the message through so that you know something was sent to you. If it had been from a legitimate person you knew you could then warn them.

They are supposed to put a real message indicating the attachment was removed and why, but I occasionally see messages where that doesn't happen.
 
It means...

Don't open emails from people you don't know or recognise...

And be careful of the ones that ARE from people you know or recognise -- they can be infected too. Many viruses send to a person's contact list just so they'll be going to people that recognize the sender.
 
Thanks all for replying. It looks more and more convincing to me that the email is a virus attack that has been intercepted. I don't know much about how my anti virus actually works, but could it be that the first line in the properties (X-Symantec-TimeoutProtection: 0) indicates that my own anti virus program has denied receiving the email?

I was considering writing to ask Symantec, but it seems that they will charge me about $50 to answer any questions. :rolleyes:
 
If you have a technical question like that they should not charge you anything. I have asked them questions and they have not charged me anything.
 
Mr Stick...

Or you could always ask the question here and get the advice for free...

You'd be surprised at how many tech minded people are here...

Never, ever be embarrassed to ask a tech / PC related question here...

You may get some straight talking...but you'll get the correct answer in the end...and they will explain it so anyone could understand what to do...

The Tech people that use this board HAVE got the time to help you and me...

I promise, if I didn't know something...or something strange had happened to my PC the first place I would come to would be here to get an answer...

Ask the questions...

DB
 
Thanks all for replying. It looks more and more convincing to me that the email is a virus attack that has been intercepted. I don't know much about how my anti virus actually works, but could it be that the first line in the properties (X-Symantec-TimeoutProtection: 0) indicates that my own anti virus program has denied receiving the email?

I was considering writing to ask Symantec, but it seems that they will charge me about $50 to answer any questions. :rolleyes:

Actually I looked up the X-Symantec-TimeoutProtection header when I looked up the other stuff (believe me, any time I spend researching stuff for questions on the board here will come up in my day job at some point).

I had hoped it was Symantec server AV product header only (so I could confirm that the message was cleaned by your ISP) but I couldn't verify that.

The message is written by Symantec scanners at set intervals; the number after the header is incremented each time the scanner writes the header. A 0 indicates the message went through pretty quickly (not unexpected even if there was a virus). If the counter reaches a certain (configurable) level it rejects the message without doing any more scanning.

Symantec does this for a couple of reasons, one is in case someone sends a lot of very large messages to a mail server. The large number of large sized messages that take a long time to process can slow down the mail server to the point where it can't process mail anymore, effectively shutting the server down.
 
Oh yeah, I think the standard fee for someone that helps you on the board is a beer if you meet them at a TAM.
 
