Yes, this happens a lot these days with some email viruses. Some infected user had your email address in his outlook address book and the virus used it as the "From" address when it resent itself to new targets.

It has happened to us with the email address I use for our newsletter and get nasty emails from people who think we are spreading the virus...

Terrible but there is nothing you can do about it.

Happened to a friend of mine recently. They were using OE, so I assumed some cruddy worm had gotten in (they had rather impressively managed to de-activate their kaspersky antivirus), but no, all was clean.
I eventually reckoned that they'd been mistakenly using 'Reply to all' (none too savvy, this person) and that the bounces were for some turkey addresses that were in the original (enormous) 'cc' list.

However, that's got very little to do with your circumstances, so I'm none too sure why I posted that!

Mat

[edited by: mat at 10:28 am (utc) on Nov. 18, 2002]

Nothing I can do about it? This is very disturbing. I mean, this is my professional email we're talking about.

Guess the only "option" (although it isn't really one) would be to tell every body I know to remove me from their adress book.

Starec, you make it sound like the virus resent the email with Outlook, not an online agent. Does that mean it is able to change the "from" adress in the program? That would be (another) M$ bug, so is there a reason it is not made impossible to have another sender than the person currently looged on the computer?

I know it wouldn't be a solution to the problem in general, but at least I would not be touched.

> That would be (another) M$ bug...

No...more of just how the virus works.

> This is very disturbing. I mean, this is my professional email we're talking about.

Be a professional webmaster. Don't use insecure systems. Don't use Outlook, and if possible, don't use Microsoft

Josk - go re-read the original post.

Sinner_G, here's an example of one of the klez virus variants:

Klez Virus Info [securityresponse.symantec.com]

See the section on email spoofing, and email.

This worm searches the Windows address book, the ICQ database, and local files for email addresses.

The (infected PC)/person sending the virus might not even know you; it could have found the address in a MSIE cache from a web page.

Unfortunately, there is little that you can do about it. This is assuming that it's one of these worm types. There are other possibilities.

well, it could be just another spam tactic. i used to get thigns like this : undeliverable returned. i never sent and dont know who is this. there was attachment or "transcriot" of failed message included - and it was jsut some ad! so to put it simplay -spamer "shaped" his ad like it is my undeliverable. they are smart :)

also one time i was gettign a tons of emails telling me that 2this and this address is not valid" ...it tured out that spamer jsut used my address as "reply" address.

try looking at SOURCE of this email,maybe you will find some details. there are more detials when you look source of email(where it came etc)

Yes, it's well known that worms like Klez can scan address books for recipients - some even running there own SMTP client for sending them. They can also scan local drives for random files to attach (Sircam, for example) to outgoing messages.

However, the point that Sinner_G is making is that he was unaware that such worms/viruses could (genuinely) spoof the 'from' sender, and that is news to me also.

Mat

Yes, could be from a spammer also.

If the returned/bounced email has the original headers, you can somewhat determine where it originated, only the IP address. You can't count on any From: or To: headers.

See:
Reading Email Headers [stopspam.org]

If you can determine the originating IP address, you can use samspade or whois or some other tool to see where it might have originated, but you won't be able to id the person.

> Josk - go re-read the original post.

Oops

Just view the source of the e-mail and look for the reply-to address. That should be your culprit. Send them a note explaining that they are infected with the Klez virus and direct them to a site with removal tools (like Symantec).

I see a lot of Outlook bashing here - how about blaming the actual culprits, the users who are too lazy to install anti-virus software to stop a simple virus that's been around for what? A year now? Stopping this thing is not rocket science.

Since your mail is being bounced back from the mailserver, not certain my advice above still holds. I think it does - it certainly works on any Klez-mail that arrives directly in your box.

Unfortunately, I already deleted the email, so I can't look at the source. It's just some automatic reflex, anything that remotely looks like spam or a virus is involved gets deleted.

Outlook bashing: I've got some viruses from clients who do have the newest versions of anti-virus software. The problem is that the software is full of holes. The anti-virus industry normaly comes with patches quite fast, but still new viruses are programmed, mostly for Outlook simply because it's the most used tool. Still, no (or less) holes, no (or less) viruses.