Don’t reply on this:
Subject line:
Worm Alert!
Message body:
Dear Customer,
Our robot has detected an abnormal activity from your IP adress
on sending e-mails. Probably it is connected with the last epidemic
of a worm which does not have official patches at the moment.
We recommend you to install this patch to remove worm files
and stop email sending, otherwise your account will be blocked.
Abuse Team
(“this patch” is actually a link:
<a href="http://68.61.229.214/?7703a3b01bdad81d9b848ca9a885b5e6291c3d">this patch</a>
and will very likely install a worm, backdfoor, virus of other malware on your system.
The header that I found was:
X-McAfeeVS-TimeoutProtection: 0
Return-Path:
Received: from grootstal.nijmegen.internl.net by hees.nijmegen.internl.net
via grootstal.nijmegen.internl.net [217.149.192.7] with ESMTP for
id l69JQmRx021094 (8.13.8/2.11); Mon, 9 Jul 2007 21:26:48 +0200 (MEST)
Received: from 248.145-62-69.ftth.swbr.surewest.net by grootstal.nijmegen.internl.net
via 248.145-62-69.ftth.swbr.surewest.net [69.62.145.248] with SMTP for
id l69JQjFj012570 (8.13.6/2.05); Mon, 9 Jul 2007 21:26:47 +0200 (MEST)
X-RelayHost: 69.62.145.248
Received: (qmail 24120 invoked from network); Mon, 9 Jul 2007 12:26:42 -0700
Received: from unknown (HELO crs) (98.132.150.165)
by 248.145-62-69.ftth.swbr.surewest.net with SMTP; Mon, 9 Jul 2007 12:26:42 -0700
Date: Mon, 9 Jul 2007 12:26:42 -0700
To: willem@grooters.100.nl
From: “Abuse Team”
Reply-to: art@hyde-housing.co.uk
Subject: Worm Alert!
Message-ID:
X-Priority: 3
X-Mailer: PHPMailer [version 1.72]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/html; charset=”windows-1252″
X-Language-Detected: en
X-Spam-Scanned: InterNLnet Mail Scan System V2.03
and the address is an anonimized one (doesn’t lead to a real address)
