
Fake or Real Virus Alert?


Lodewijk

Hi!

I just received the following text in an email which has no attachment, nor any link in it with the suggestion to click on it -although all addresses with [at] are rendered as links- and I wonder whether I should report this via SC as spam or not:

..............................................................................

VIRUS ALERT

Our content checker found

virus: Trojan.Win32.Jorik.Androm.jq

banned name: .exe,.exe-ms,BBB abuse.exe

in an email to you from unknown sender:

?[at][19.185.32.48]

claiming to be: <larval8[at]bmfp.org>

Content type: Virus

Our internal reference code for your message is 08978-17/Ru29Ok2NKLrG

First upstream SMTP client IP address: [49.114.214.170]

According to a 'Received:' trace, the message originated at: [19.185.32.48],

[19.185.32.48] helo=kykddznjsvig.mryxriosk.va

Return-Path: <larval8[at]bmfp.org>

From: "Better Business Bureau" <info[at]bbb.org>

Message-ID: <4293687192.VF2M1F3W362518[at]ayicamfkz.hkwkisfnz.ua>

X-Mailer: The Bat! (v3.51) Professional

Subject: BBB assistance Re: Case # 49470337

Not quarantined.

Please contact your system administrator for details.

.............................................................................................

It was sent to various people also using (xxx)[at]alice.nl as their ISP-given mail address, as I do, and the sender's address is given as:

postmaster[at]mailscanner13.mer-nm.internl.net

Any advice anyone?

PS: I did out of routine report this to SC, but have not confirmed it yet.

Edited by Lodewijk

I googled "mailscanner13.mer-nm.internl.net" and found this link:

http://bgp.he.net/net/217.149.192.0/19#_whois

Then I called my ISP in Holland, and the nice lady at the technical help desk said she was not familiar with this being their virus scan service, also googled it and made a note of it, thanking me.

I've no idea what this is. But unless someone here tells me it is spam -which as unsolicited mail strictly speaking it is- and I should confirm it on my SC reporting page, I'll just skip this one.

PS:

I just found "mer-nm.internl.net" on this thread of this forum:

Lodewijk Sep 12 2011, 06:33 AM

http://forum.spamcop.net/forums/index.php?showtopic=11994

So I think it is related to my ISP after all.

Edited by Lodewijk

Certainly seems like it might be a legitimate alert, Lodewijk; your ISP needs to update their advice to customers on such matters.

The IP address of supposed message origin nominated by the (probable) scanning system is almost certainly spoofed (19.185.32.48 Ford Motor Company, no rDNS/PTR record) and the "First upstream SMTP client IP address" they give is almost certainly responsible (49.114.214.170 CHINANET xinjiang province network, currently listed by SC and many other RBLs). So, nothing to report since mer-nm.internl.net has a relationship with you (even though you didn't really know that before) and since they evidently destroyed the original spam - but the source of that seems to be already listed anyway.

I suppose mer-nm.internl.net is doing something useful by sending you the alert - in case of false positives, or so you can alert any friends with infected computers should those try to pass a virus to you - but it seems mer-nm.internl.net's communication with alice.nl support needs to improve. Few people would know what to think when they received such an alert and their provider says they know nothing about it.

There should at least be something about how it all works somewhere in http://www.alice.nl/info/internet_en_veiligheid - bad Alice, bad <_<

Steve

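The distinction Steve draws above is the heart of triaging such a notification: the "message originated at" address comes from Received: headers the sender controls and can be forged, while the "First upstream SMTP client IP address" was observed by the scanner on its own TCP connection. As an added example (not from the thread, and not the scanner's own code), here is a small Python parser and triage routine for an amavis-style alert; the sample text is constructed from the notification quoted in the first post, with [at] written as @, and the finding labels are my own.

```python
import re

# Constructed sample, modelled on the notification quoted in the first post
# ([at] rewritten as @; the addresses and IPs are the ones shown in the thread).
SAMPLE_ALERT = """VIRUS ALERT

Our content checker found
    virus: Trojan.Win32.Jorik.Androm.jq
    banned name: .exe,.exe-ms,BBB abuse.exe
in an email to you from unknown sender:
    ?@[19.185.32.48]
claiming to be: <larval8@bmfp.org>

Content type: Virus
Our internal reference code for your message is 08978-17/Ru29Ok2NKLrG

First upstream SMTP client IP address: [49.114.214.170]
According to a 'Received:' trace, the message originated at: [19.185.32.48],
   [19.185.32.48] helo=kykddznjsvig.mryxriosk.va

Return-Path: <larval8@bmfp.org>
From: "Better Business Bureau" <info@bbb.org>
Message-ID: <4293687192.VF2M1F3W362518@ayicamfkz.hkwkisfnz.ua>
X-Mailer: The Bat! (v3.51) Professional
Subject: BBB assistance Re: Case # 49470337

Not quarantined.
"""

# One regex per field of interest; all are applied in MULTILINE mode.
FIELDS = {
    "virus": r"virus:\s*(\S+)",
    "banned_name": r"banned name:\s*(.+)",
    "claimed_from": r"claiming to be:\s*<([^>]+)>",
    "upstream_ip": r"First upstream SMTP client IP address:\s*\[([^\]]+)\]",
    "origin_ip": r"message originated at:\s*\[([^\]]+)\]",
    "helo": r"helo=(\S+)",
    "return_path": r"^Return-Path:\s*<([^>]+)>",
    "from_header": r"^From:\s*(.+)$",
}


def parse_alert(text):
    """Extract the fields of an amavis-style virus notification into a dict."""
    parsed = {}
    for key, pattern in FIELDS.items():
        m = re.search(pattern, text, re.MULTILINE)
        parsed[key] = m.group(1).strip() if m else None
    return parsed


def address_domain(field):
    """Domain part of a header value such as '"Name" <user@host>' or 'user@host'."""
    if not field:
        return None
    m = re.search(r"<([^>]+)>", field)
    addr = m.group(1) if m else field.strip()
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else None


def triage(alert):
    """Return the IP worth looking up plus a list of findings about the alert."""
    findings = []
    # upstream_ip was seen by the scanner on its own TCP connection; origin_ip is
    # reconstructed from Received: headers the sender wrote, so it may be forged.
    if alert["origin_ip"] and alert["origin_ip"] != alert["upstream_ip"]:
        findings.append("origin-ip-unverified")
    # A displayed brand (From:) that does not match the envelope sender is the
    # classic sign of a spoofed notification.
    if address_domain(alert["from_header"]) != address_domain(alert["return_path"]):
        findings.append("header-from-mismatch")
    if alert["banned_name"] and ".exe" in alert["banned_name"].lower():
        findings.append("executable-attachment")
    return {"lookup_ip": alert["upstream_ip"], "findings": findings}


if __name__ == "__main__":
    parsed = parse_alert(SAMPLE_ALERT)
    print(parsed)
    print(triage(parsed))
```

The `lookup_ip` it returns is the one to check against blocklists or report on; the "originated at" address and the HELO name are kept only as context, since nothing on the recipient's side verified them.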

The text of the alert looks similar to the default bounce messages that amavis-new on my email server produces, so it's possibly a genuine alert.

It could also be a form of backscatter: what if there's some malware somewhere which used bogus sender credentials that triggered the alert to the OP's email address instead of that belonging to someone with a compromised machine? Having said that, it probably wouldn't hurt to check your machine for something nasty.


Thank you both. I only saw your replies now because I did not get any of those emails anymore. And because my ISP helper did not know about this, I thought it was some kind of spam -I had not solicited it- and reported it to SC. (I thought it would not hurt anyone, and maybe would alert whomever was in charge of it even if legitimate.)

But I got two new ones today looking exactly like the above one; only the messages and the original senders' addresses are different. Both emails again had:

..............................................................................................

VIRUS ALERT

Our content checker found virus: Trojan.Win32.Jorik.Androm.jq

.............................................................................................

Both again came from:

"Content-filter at mailscanner12.mer-nm.internl.net" <postmaster[at]mailscanner12.mer-nm.internl.net>

I now believe they are meant as a service to me as an Alice client, to let me know they prevented me getting malware. I vaguely remember emailing that mentioned postmaster, but got no reply. I'll do it one more time, but don't mind getting such messages now and then, and won't report these nor future ones to SC.

There are no attachments with them, as those have been blocked by the sender's scanner according to the messages. And my Avira, Malwarebytes, Panda Cloud (which I installed, scanned with, and removed again), SuperAntiSpyware, Hitman Pro, the free on-line F-Secure scanner, and the free Emsisoft scanner all found nothing.

I'll try with the free on-line Symantec scanner too... and will report it here if it found anything.

Thank you again. B)

Edited by Lodewijk

My gut feeling is that your computer is probably OK, and that someone you've had email contact with has a computer that has caught something, e.g. malware.

Good luck with your investigations.


Thanks again.

I think you might be right.

The free Norton scanner only found 3 cookies (I don't always use my CCleaner after surfing).

I again sent an email to "postmaster[at]mailscanner13.mer-nm.internl.net" and just got this return:

...................................................................

This is the mail system at host fallback.mer-nm.internl.net.

I'm sorry to have to inform you that your message could not

be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can

delete your own text from the attached returned message.

The mail system

<postmaster[at]mailscanner12.mer-nm.internl.net>: connect to

mailscanner12.mer-nm.internl.net[217.149.192.127]:25: Connection timed out

.................................................................

Not sure what that means in the context of this issue, but I still think "No problema..." :D

Edited by Lodewijk

217.149.192.128 mailscanner13.mer-nm.internl.net has no SMTP (port 25) service - use

http://centralops.net/co/DomainDossier.aspx

with all reports checked to see the story. That reveals the abuse address for that server is abuse[at]internl.net (Queried whois.ripe.net with "-B 217.149.192.128" per DomainDossier) or IPNetInfo (standalone .exe, use either IP address or server name) or robtex.com (use server name, various tabs for results). SC reporters can see the SC reporting address (do you know how?) shown as "Reporting addresses: abuse[at]inter.nl.net postmaster[at]internl.net" (I refreshed the cache) - not sure if SC knows something RIPE doesn't or whether or not maybe Don hadn't yet taken his first refreshing beverage of the day when he entered that abuse address :) - but it IS also an apparently valid, deliverable address.

Naturally, sending to a postmaster address [at]mailscanner13.mer-nm.internl.net will fail:

Resolving host name "mailscanner13.mer-nm.internl.net"...

Connecting to host address "217.149.192.128"...

Failed.

That is why the fallback server steps in when you try to send a message there.

The only authoritative DNSbl to list 217.149.192.128 mailscanner13.mer-nm.internl.net (using IP address with multirbl.valli.org/dnsbl-lookup) is SpamCanibal "no reverse DNS, MX host should have rDNS - RFC1912 2.1" - which is entirely proper because 217.149.192.128 mailscanner13.mer-nm.internl.net is not an MX host and the SpamCanibal bl would kick in (for those using it) if ever it tried to send e-mail.

If you want to assert that the action of the server is spam activity, use either or both of the abuse address I highlighted above to test that contention. I don't think it is spam activity, I think it is merely doing its job but unfortunately the organisation paying to have that job done (your e-mail service provider) is brain-dead to the extent that it doesn't realise at the customer interface (with you) that it has contracted this service. I could be wrong for some value of "wrongness" about any or all of the foregoing :). But a life of certainty would be no life at all, eh?

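The checks described above (a DNSBL lookup of the IP, reverse DNS per RFC 1912, and whether the host is one that sends mail at all, which decides whether missing rDNS matters) can be scripted. This is an added example, not from the thread or from any of the tools it names: `dnsbl.example` is a placeholder zone, the stub lookup tables are constructed to mirror what the thread reports (upstream client IP listed, scanner host without a PTR and not listed), and the live resolvers use only the standard `socket` module.

```python
import ipaddress
import socket


def dnsbl_query_name(ip, zone):
    """Reverse the octets of an IPv4 address and append the list zone (RFC 5782 style)."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("IPv4 only in this example")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def live_a_lookup(name):
    """Resolve an A record; None means NXDOMAIN, i.e. not listed."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def live_ptr_lookup(ip):
    """Reverse DNS lookup; None means the address has no PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def check_host(ip, zones, role="sender", a_lookup=live_a_lookup, ptr_lookup=live_ptr_lookup):
    """Check an IP against DNSBL zones and for reverse DNS.

    role is "sender" for a host that connects to deliver mail (where a missing
    PTR is a legitimate RFC 1912 2.1 concern) or "scanner"/"other" for a host
    that never sends, where a missing PTR is not by itself a problem.
    """
    listed = {}
    for zone in zones:
        answer = a_lookup(dnsbl_query_name(ip, zone))
        # A DNSBL answers with an address in 127.0.0.0/8 when the IP is listed.
        if answer and answer.startswith("127."):
            listed[zone] = answer
    ptr = ptr_lookup(ip)
    return {
        "ip": ip,
        "ptr": ptr,
        "listed": listed,
        "rdns_concern": role == "sender" and ptr is None,
    }


# Constructed stub answers so the example runs offline (placeholder zone).
STUB_A = {"170.214.114.49.dnsbl.example": "127.0.0.2"}
STUB_PTR = {}  # neither address has a PTR in this constructed data


def demo():
    """Run the two lookups the thread discusses against the stub resolvers."""
    upstream = check_host("49.114.214.170", ["dnsbl.example"], role="sender",
                          a_lookup=STUB_A.get, ptr_lookup=STUB_PTR.get)
    scanner = check_host("217.149.192.128", ["dnsbl.example"], role="scanner",
                         a_lookup=STUB_A.get, ptr_lookup=STUB_PTR.get)
    return upstream, scanner


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Passing `a_lookup=live_a_lookup, ptr_lookup=live_ptr_lookup` (the defaults) and a real zone name turns the same function into a live check; the `role` argument encodes the point made above that a scanner host with no rDNS is only a problem once it starts sending mail.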

"maybe Don hadn't yet taken his first refreshing beverage of the day when he entered that abuse address - but it IS also an apparently valid, deliverable address."

..................................................................................................................

Maybe my once sending and confirming the email as a spam report to and through SC has something to do with that. Innocent mistake, in any case.

Thanks for investigating. If it is indeed from the malware scanner used by my ISP - it looks like it- then I'm glad to see it works. I don't mind getting a report from them now and then whenever they find malware. In a way it's B).

BTW, come to think of it, I'm going to send Alice an email with a link to this thread... they might have no idea that their scan service provider is doing this. The help-desk lady didn't. :D

Edited by Lodewijk
