What is this e-mail?

George Toft plug-discuss@lists.plug.phoenix.az.us
Mon, 26 Aug 2002 22:39:01 -0400


The answer is at the bottom.

Lee Einer wrote:
> 
> Hi, all-
> 
> I just got an e-mail returned to me by postmaster@cox.net, but I didn't
> send the e-mail in question. The e-mail source is as follows- and there
> was apparently a file attached- what is this? Why am I getting returned
> e-mail which I never sent?
> 
> >From - Mon Aug 26 10:24:17 2002
> X-UIDL: <E17jTcw-00037E-00@harrier.mail.pas.earthlink.net>
> X-Mozilla-Status: 0001
> X-Mozilla-Status2: 00000000
> Return-Path: <srrico@earthlink.net>
> Received: from harrier.mail.pas.earthlink.net ([207.217.120.12])
>           by fed1mtai02.cox.net
>           (InterMail vM.5.01.04.05 201-253-122-122-105-20011231) with ESMTP
>           id <20020826235107.SLNO24000.fed1mtai02.cox.net@harrier.mail.pas.earthlink.net>
>           for <appealsman@cox.net>; Mon, 26 Aug 2002 19:51:07 -0400
> Received: from user-33qtm4t.dialup.mindspring.com ([199.174.216.157] helo=Pankdc)
>         by harrier.mail.pas.earthlink.net with smtp (Exim 3.33 #1)
>         id 17jTcw-00037E-00
>         for appealsman@cox.net; Mon, 26 Aug 2002 16:50:35 -0700
> From: postmaster <postmaster@cox.net>
> To: appealsman@cox.net
> Subject: Undeliverable mail--"inserting missing "
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
>         boundary=MR8491G3GqS58vN8a5S037x2101Kl10
> Message-Id: <E17jTcw-00037E-00@harrier.mail.pas.earthlink.net>
> Date: Mon, 26 Aug 2002 16:50:35 -0700
> 
> --MR8491G3GqS58vN8a5S037x2101Kl10
> Content-Type: text/html;
> Content-Transfer-Encoding: quoted-printable
> 
> <HTML><HEAD></HEAD><BODY>
> 
> <FONT>The following mail can't be sent to 24C01AA0AD6@its-pharm.vcp.monash.edu.au:<br>
> <br>
> From: appealsman@cox.net<br>
> To: 24C01AA0AD6@its-pharm.vcp.monash.edu.au<br>
> Subject: inserting missing <br>
> The file is the original mail</FONT></BODY></HTML>
> 
> --MR8491G3GqS58vN8a5S037x2101Kl10
> Content-Type: application/octet-stream;
>         name=size.scr
          ^^^^^^^^^^^^^
My guess is a Klez (or similar) worm.  It sends out mail to people and
spoofs the mail as being from someone in the victim's Outlook address
book.  I was the spoofee a few weeks ago and someone notified me that I
was sending out viruses.  Heh, not very likely.

George
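
The mismatches visible in the quoted headers can be checked mechanically. The following is an added example, not part of the original thread: a Python triage of a constructed, abridged copy of the quoted message, where the names `triage`, `in_domain` and the finding labels are hypothetical. Each finding is a heuristic signal for a forged bounce, not proof on its own.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample, abridged from the headers quoted in the post above.
# The attachment body is a placeholder, not worm content.
SAMPLE = """\
Return-Path: <srrico@earthlink.net>
Received: from harrier.mail.pas.earthlink.net ([207.217.120.12]) by fed1mtai02.cox.net with ESMTP
Received: from user-33qtm4t.dialup.mindspring.com ([199.174.216.157] helo=Pankdc) by harrier.mail.pas.earthlink.net with smtp
From: postmaster <postmaster@cox.net>
Content-Type: multipart/alternative; boundary=MR8491G3GqS58vN8a5S037x2101Kl10

--MR8491G3GqS58vN8a5S037x2101Kl10
Content-Type: text/html

<HTML><BODY>The following mail can't be sent</BODY></HTML>
--MR8491G3GqS58vN8a5S037x2101Kl10
Content-Type: application/octet-stream; name=size.scr

PLACEHOLDER
--MR8491G3GqS58vN8a5S037x2101Kl10--
"""
EXEC_EXT = (".scr", ".exe", ".pif", ".bat", ".com")
BOUNCE_SENDERS = ("postmaster", "mailer-daemon")

def in_domain(host, domain):
    return host == domain or host.endswith("." + domain)

def triage(raw):
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    local, _, from_dom = parseaddr(str(msg.get("From", "")))[1].lower().partition("@")
    env_addr = parseaddr(str(msg.get("Return-Path", "")))[1].lower()
    env_dom = env_addr.partition("@")[2]
    # Real delivery status notifications carry an empty envelope sender (<>).
    if local in BOUNCE_SENDERS and env_addr:
        findings.append("bounce-with-envelope-sender")
    if env_dom and not in_domain(env_dom, from_dom):
        findings.append("from-envelope-mismatch")
    hops = msg.get_all("Received", [])  # last header is the earliest hop
    m = re.search(r"from\s+(\S+)", str(hops[-1])) if hops else None
    if m and not in_domain(m.group(1).lower(), from_dom):
        findings.append("origin-outside-from-domain")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(EXEC_EXT):
            findings.append("executable-attachment:" + name)
    return findings
```

Mailing lists and forwarders also produce a From/envelope mismatch, so that signal matters mainly in combination with the others.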