That would be when the infected person gets home every day, and dials in to check for 
new e-mails.

-Peter


-----Original Message-----
From: Chinnery Paul [mailto:paulc@;mmcwm.com]
Sent: Friday, October 11, 2002 13:55
To: Exchange Discussions
Cc: Giles, Cathy
Subject: RE: unknw user: possible infection?


AHHHH!!!  I hate it when I make a left-turn onto stupid.  Of course, why
didn't I think of that.  I knew that about klez but didn't read anything
about bugbear using the same MO.

But I'm still real curious as to why it only hits around 4 PM.

Paul Chinnery
Network Administrator
Mem Med Ctr


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:Dflorea@;privateconsulting.com]
Sent: Friday, October 11, 2002 4:55 PM
To: Exchange Discussions
Subject: RE: unknw user: possible infection?


It's Klez or a related (BugBear) worm, on a third party's PC somewhere,
spoofing your address as the 'from' address.  So if it bounces, it
bounces back to you.  Delete, Fuggedaboutit.


-----Original Message-----
From: Chinnery Paul [mailto:paulc@;mmcwm.com] 
Sent: Friday, October 11, 2002 1:46 PM
To: Exchange Discussions
Subject: unknw user: possible infection?


A strange occurrence has happened in the last two days.  Right around
3:50 PM (EST), I start receiving ndr's saying that a message for
[EMAIL PROTECTED] cannot be delivered. There is no such user or
mailbox. Trend also sends me a mail saying it's found and quarantined
the bugbear virus.

The text message that cannot be delivered is at the end of this message.
The file that is sent out is the worm_bugbear virus.  I've checked
Trendmicro's site for information on how "bugbear" propagates itself as
I thought that this is possibly an infected machine.  However, on the
day that "bugbear" information hit the internet, I checked and then
immediately upgraded the Trendmicro anti-virus.

I've got relaying turned off and have verified it using the method
described numerous times on this list.

Do I have an infected desktop?  I'm running Trend's Officescan on the
desktop.  What also confuses me is that I start getting the ndr's
right around 4 PM, EST.

And just as a side note, there actually is a "[EMAIL PROTECTED]"

The original message was received at Fri, 11 Oct 2002 16:00:38 -0400
(EDT) from rly-yb01.mail.aol.com [172.18.146.1]


*** ATTENTION ***

Your e-mail is being returned to you because there was a problem with
its delivery.  The address which was undeliverable is listed in the
section
labeled: "----- The following addresses had permanent fatal errors
-----".

The reason your mail is being returned to you is listed in the section
labeled: "----- Transcript of Session Follows -----".

The line beginning with "<<<" describes the specific reason your e-mail
could not be delivered.  The next line contains a second error message
which is a general translation for other e-mail servers.

Please direct further questions regarding this message to your e-mail
administrator.

--AOL Postmaster



   ----- The following addresses had permanent fatal errors -----
<[EMAIL PROTECTED]>

   ----- Transcript of session follows -----
... while talking to air-yc03.mail.aol.com.:
>>> RCPT To:<[EMAIL PROTECTED]>
<<< 550 jhaze99 IS NOT ACCEPTING MAIL FROM THIS SENDER
550 <[EMAIL PROTECTED]>... User unknown

_________________________________________________________________
List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
Archives:               http://www.swynk.com/sitesearch/search.asp
To unsubscribe:         mailto:leave-exchange@;ls.swynk.com
Exchange List admin:    [EMAIL PROTECTED]

______________________________________________
This message is private or privileged.  If you are not the
person for whom this message is intended, please delete it
and notify me immediately, and please do not copy or send
this message to anyone else. 
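
An added example, not part of the original thread: one way to tell spoofed-sender backscatter from a locally infected machine is to read the Received headers of the copy returned inside the NDR and check whether the message ever passed through your own network. The network range, the function names and the sample NDR below are constructed assumptions, and the sketch handles IPv4 hops only.

```python
import email
import ipaddress
import re
from email import policy

# Assumption: the ranges your own mail servers and desktops send from.
OWN_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample NDR (all hosts and addresses are placeholders).
SAMPLE_NDR = """\
From: MAILER-DAEMON@mx.example.net
Subject: Returned mail: User unknown
Content-Type: multipart/report; boundary="B"

--B
Content-Type: message/rfc822

Received: from dialup-17.isp.example ([198.51.100.17])
\tby mx.example.net; Fri, 11 Oct 2002 16:00:38 -0400
From: admin@example.org

body
--B--
"""

def returned_hops(raw_ndr):
    """Relay IPs from the Received headers of the copy returned in the NDR."""
    msg = email.message_from_string(raw_ndr, policy=policy.default)
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":            # full original returned
            inner = part.get_payload(0)
        elif ctype == "text/rfc822-headers":     # only headers returned
            inner = email.message_from_string(part.get_content(), policy=policy.default)
        else:
            continue
        received = " ".join(inner.get_all("Received", []))
        return [ipaddress.ip_address(ip) for ip in IP_RE.findall(received)]
    return []

def classify(raw_ndr):
    hops = returned_hops(raw_ndr)
    if not hops:
        return "unknown"  # no returned headers to judge from
    if any(ip in net for ip in hops for net in OWN_NETWORKS):
        return "sent-via-own-network"  # investigate that host
    return "backscatter"  # spoofed From; message never touched us
```

Only the topmost Received lines, written by the server that generated the bounce, can be trusted; anything below them was supplied by the sending host and may be forged.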


