
Security Basics mailing list archives

Re: Can anybody explain this Klez Variant?
From: it_hjw () juno com
Date: Fri, 7 Feb 2003 07:21:21 -0600

Spam is so frustrating.  grrrrrrrrr.   I always report it--It doesn't
stop it from coming, but if I can be an annoyance to them (like they are
to me) then I'll keep doing it.  :)

My ISP just sent me this to report complaints regarding other domains. 
It may help (or may not).  



On Thu, 06 Feb 2003 00:04:50 +0000 "Drexcia ====" <drexcia () hotmail com>
Hi Guys,

A friend of mine received this message supposedly from me in his 
account. Names/Email addresses have been changed but you'll get the 


From :    my_name <my_name () excite com au>
To :      myfriend () hotmail com
Subject : A good tool

Date :    Mon, 6 Jan 2003 02:36:46 -0600

   MIME-Version: 1.0
Received: from out009.verizon.net ([]) by 
mc1-f5.law16.hotmail.com with Microsoft SMTPSVC(5.0.2195.5600); Mon, 
6 Jan 
2003 00:36:47 -0800
Received: from Idxgvfqiv ([]) by out009.verizon.net 
vM. 201-253-122-126-120-20021101) with SMTP id 
<20030106083621.IPQL7162.out009.verizon.net () Idxgvfqiv> for 
<myfriend () hotmail com>; Mon, 6 Jan 2003 02:36:21 -0600
Message-Id: <20030106083621.IPQL7162.out009.verizon.net () Idxgvfqiv>
Return-Path: my_name () verizon net
X-OriginalArrivalTime: 06 Jan 2003 08:36:47.0071 (UTC) 

Content-Type: multipart/alternative; 
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

This is a special good tool
I wish you would like it.


I know this looks like a typical Klez message but there are a few 
that have me stumped.

1) The "my_name" email address is an old excite account which hasn't 
used in over 2 years and has been disabled. The "myfriend" address 
was not 
in my address book at this excite account.

2) The return path is "my_name"@verizon.net

3) The source IP has been traced back to a prepaid account with an 
Australian ISP which doesn't require any personal information to 

Obviously my email address has been spoofed and they've used a 
server to send it. Also included was a 112K Attachment called 
href.exe which 
I'm unable to access, presumably Hotmail has stripped it.

Anybody able to help me out with this one? I'm really just wondering 
anybody has seen this before or if this is specifically targeted at 

Many thanks guys..
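
Added example, not part of the original thread: the checks the poster walks through in points 1 to 3 (From versus Return-Path, and the oldest Received hop), run over a constructed header block modelled on the one quoted above. The IP addresses are documentation-range placeholders because the archive stripped the real ones, and the names `analyze`, `domain` and `HOP` belong to this example only.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the headers quoted above; the IP addresses
# are documentation-range placeholders (the archive stripped the real ones).
SAMPLE = """\
Received: from out009.verizon.net ([192.0.2.10]) by mc1-f5.law16.hotmail.com
 with Microsoft SMTPSVC(5.0.2195.5600); Mon, 6 Jan 2003 00:36:47 -0800
Received: from Idxgvfqiv ([203.0.113.7]) by out009.verizon.net with SMTP;
 Mon, 6 Jan 2003 02:36:21 -0600
Return-Path: <my_name@verizon.net>
From: my_name <my_name@excite.com.au>
To: myfriend@hotmail.com
Subject: A good tool

This is a special good tool
"""

HOP = re.compile(r"from\s+(\S+)\s+\(\[([^\]]*)\]\)\s+by\s+(\S+)", re.I)

def domain(header_value):
    """Lower-cased domain part of an address header, or '' if absent."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()

def analyze(raw):
    msg = message_from_string(raw)
    hops = []
    # Each relay prepends its Received header, so reverse for oldest first.
    for value in reversed(msg.get_all("Received", [])):
        m = HOP.search(" ".join(value.split()))
        if m:
            hops.append({"helo": m.group(1), "ip": m.group(2), "by": m.group(3)})
    from_dom, env_dom = domain(msg["From"]), domain(msg["Return-Path"])
    first = hops[0] if hops else None
    return {
        "from_domain": from_dom,
        "return_path_domain": env_dom,
        "from_matches_envelope": from_dom == env_dom,
        # A HELO name with no dot suggests a desktop machine, not a mail server.
        "origin_helo_is_bare_name": bool(first) and "." not in first["helo"],
        "origin_ip": first["ip"] if first else None,
        "hops": hops,
    }

if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key}: {value}")
```

Only the Received line added by the recipient's own mail system is recorded by a server the recipient controls; From, Return-Path and any earlier hops are whatever the sending side supplied.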
