> One of my mail accounts at a particular ISP receives an enormous
> amount of spam. The reason for this is that the mailbox is
> identified by  '@domain.name.co.uk'.  This means that any character
> string preceding the '@' symbol will result in the message arriving
> in my mailbox, even if the name is not mine.
>
> This kind of addressing scheme may be OK for families or groups to
> receive individual mail at a common address, but I am the sole user
> of this account.  The spammers are aware of this address scheme and
> delight in prefixing garbage strings to their junk messages, in the
> hope that someone will download and open the message (mainly aimed
> at adolescent boys, I think).  A typical prefix is 'bksqe'.
>
> So far, not a major concern - just a nuisance. My filters reject
> anything that is not addressed to 'justin@domain.name.co.uk'.
>
> Today, there is a message in my ISP mailbox addressed to
> 'bksqe@domain.name.co.uk' and sent from 'bksqe@domain.name.co.uk'.
> My copies to self folder has no record of such an outgoing
> message.
>
> Is this the spammers forging my address?

Yes.

> Is there a genuine <bksqe@domain.name.co.uk> out there?

Unlikely.

>  Has my ISP become infected?

Unlikely

>
> The header has 'Message-Id: <20020101090209.5217.qmail@localhost>'.
> The return path is an address in Germany.
>
> The reason for calling for help here is that I do not have AV
> software. I have avoided infection for a couple of decades by being
> careful about where I surf, and deleting suspicious mail (or very
> occasionally, checking with the source whether mail has been sent).

Generally there is no harm at all downloading a message containing a virus with WinPMail. There is nothing that will happen when you download or even open a message containing a virus as long as you do not execute it.  

That said, there are a number of free anti-virus software packages out there that can be used with the VirScan extension than you probably should be using anyway.  There is nothing that says one of your friends will not become infected and send you and attachment containing a virus.


> Have I succumbed at last, or is there another explanation?
>
> I would like to avoid the hassle of wrestling with McAffee, Norton
> and others if at all possible.
>
> Ideas, suggestions, prayers, magical spells - all welcome.
>
> Aris
>
>  

One of my mail accounts at a particular ISP receives an enormous amount of spam. The reason for this is that the mailbox is identified by  '@domain.name.co.uk'.  This means that any character string preceding the '@' symbol will result in the message arriving in my mailbox, even if the name is not mine.

This kind of addressing scheme may be OK for families or groups to receive individual mail at a common address, but I am the sole user of this account.  The spammers are aware of this address scheme and delight in prefixing garbage strings to their junk messages, in the hope that someone will download and open the message (mainly aimed at adolescent boys, I think).  A typical prefix is 'bksqe'.

So far, not a major concern - just a nuisance. My filters reject anything that is not addressed to 'justin@domain.name.co.uk'.

Today, there is a message in my ISP mailbox addressed to  'bksqe@domain.name.co.uk' and sent from 'bksqe@domain.name.co.uk'.  My copies to self folder has no record of such an outgoing message.

Is this the spammers forging my address? Is there a genuine <bksqe@domain.name.co.uk> out there? Has my ISP become infected?

The header has 'Message-Id: <20020101090209.5217.qmail@localhost>'. The return path is an address in Germany.

The reason for calling for help here is that I do not have AV software. I have avoided infection for a couple of decades by being careful about where I surf, and deleting suspicious mail (or very occasionally, checking with the source whether mail has been sent). Have I succumbed at last, or is there another explanation?

I would like to avoid the hassle of wrestling with McAffee, Norton and others if at all possible. 

Ideas, suggestions, prayers, magical spells - all welcome.

Aris

Sadly, once they get you on their lists there is no way to unsubscribe. You have joined the great world of spammed targets.  I suggest you enable SpamHalter on your Pegasus Mail, which will help trap the ones that get passed your filtering.  It only takes one message to leak onto the 'Net to get picked up and away they go.  Typically things like Newsgroups and subscription services are good sources of email addresses for spammers. But also commercial selling of email addresses from website business.

As far as AV, as long as you don't open or save attachments you cannot get infected through Pegasus Mail. If you need to receive attachments from known friends etc, you should maybe ask them to scan the files they are going to send. 

HTH

Martin 

Martin,

Thanks for the response.

 Receiving spam is not really a concern, just a nuisance.

 My primary concern is that in this instance the message appears to originate from one of my addresses.

Since I did not send it, how and where was it created?

All the other junk mail I have ever received has always originated on someone else's machine.

I presume it is possible that a message can be injected into the transport system with any 'from' address that a malicious person wants, but I do not know enough about the technicalities to be sure. Hence my question.

I guess I am seeking reassurance that the message was not created and dispatched by some malicious software that has infiltrated my system.

 If anybody needs a copy of the header, it is available.

Aris

First of all, there is little chance of spotting something that has installed itself on your machine.  Only AV and/or SpyWare tools such as Ad-Aware or SpyBot will know what is legit.

Receiving a message apparently from yourself or another user on your network is very common. It is part of the social engineering tools to make you confident enough to open an attachment or click on the url that is part of the message.

As you rightly state, any email address can be injected into an email message. That is part of the weakness of the age-old SMTP delivery service, which was devised before people became untrustworthy. 

As far as the headers are concerned, the headers you should look at closely are the "Received from" lines.  These lines will indicate the path taken to get to your mail server, in reverse chronologic order. Also these lines will indicate the IP address routing used to get from the sender to you. A word of caution, these too can be forged, but typically the first Received From line, is the one injected by *your* server, and indicates where it got the message from.

HTH

Martin 

Martin,

Managed to trace the first address - it is in a block allocated to Vietnam Telecom. Probably used as a dynamic IP by their system - there were two individuals named. One seems to be an 'ip' manager, and the other looks to be in charge of the 'ip' abuse department!

> Receiving a message apparently from yourself or another user
> on your

network is very common. It is part of the social engineering
> tools to

make you confident enough to open an attachment or click
> on the url

that is part of the message.

Understandable - but useless in my case. My machine is not on a network, and when I send test messages between accounts at different ISP's, the subject matter is always very specific - not something a virus would know about.

I think I feel a little more relaxed. It is probable that the DNS was a forgery. If so, the message could have originated on any machine on the globe.

I will wait to see if any more of these crop up, and decide what next then.

Thanks for your help.

Aris