A strange email occurrence...

My mom just received an email from “Postmaster” (this is not an email address) saying something along the lines that her email sent to XXX was rejected because a virus was detected in the email. The subject says that a file attachment, ‘yours.pif’, was in the email, and the text of the email, a string of random letters, was shown in the message. The only thing is, my mom does not know the person the email was sent to and did not send the email. This HAS happened to her before, several months ago, and this is the second time this week, albeit to a different person each time (all not familiar to my mom in any way).

I don’t believe my mom has a Virus or Spyware that could do that- she has Adaware, Spybot, Spy(something else), and Norton’s which she updates frequently. I’ve also searched for the attachment but I can’t find it on her computer.

What could this be caused by? I’m leaning towards that someone/thing stole her email and used it to spam viruses. She could have a virus that’s sending them out (this is doubtful because these people are not in her Address book). Is anyone familiar with this phenomenon, and how could I fix it?

P.S. she uses Outlook Express and says she doesn’t use a password, but I assume she does have one but it is remembered.

It wasn’t sent by her, but rather was sent by an infected computer. The virus spoofs email addresses it finds in its host’s address book, and emails out copies of itself. Any that get sent to invalid addresses get bounced to the “From” address in the email header, which in this case is NOT the sender’s email address. Your mom’s computer may or may not be infected, but someone’s who has her email address in their address book is.

Postmaster is the traditional account/alias for the human responsible for mail on a machine. (I believe this is required by RFC822, the document that specifies Simple Mail Transfer Protocol). It is not surprising that your mom would get mail bounces claiming to be from the Postmaster.

A lot of viruses/worms/spam forge the “from” headers so the mail appears to come from someone else’s valid mailbox. I do not know whether they make up addresses that just happen to match real ones, or if they are using real addresses that have been harvested somehow (for example, from mail to public lists, from website registrations, etc.). Some of the technical anti-spam measures like SPF involve a reverse lookup to see if mail from “foo.com” is actually coming from a machine authorized to send mail for the “foo.com” domain.

Many sites are configured to send a reply if they discover a problem (virus, etc.) in a message. Nowadays this just exacerbates the problem, as the sender’s address was more than likely forged. It results in situations like your mom’s, where they are left wondering why “postmaster” at some domain is claiming I sent a virus to someone I don’t even know.
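The SPF lookup mentioned above, shown as an added example that is not part of the original thread: a minimal evaluator that checks a sending IP against a domain's SPF record. The DNS records, domains and IP addresses are constructed for the example and are not real; only the ip4, a, mx, include and all mechanisms are modeled, so this is a subset of RFC 7208.

```python
import ipaddress

# Constructed DNS data for this example (not real records): each domain maps
# to its SPF TXT record, A record addresses and MX host names.
DNS = {
    "foo.com": {
        "txt": "v=spf1 ip4:192.0.2.0/24 mx include:mailhost.example -all",
        "a": ["192.0.2.10"],
        "mx": ["mx.foo.com"],
    },
    "mx.foo.com": {"a": ["203.0.113.25"]},
    "mailhost.example": {"txt": "v=spf1 ip4:198.51.100.5 ~all", "a": []},
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, sender_ip, depth=0):
    """Return 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'
    for sender_ip claiming to send mail on behalf of domain."""
    if depth > 10:  # RFC 7208 limits the number of DNS-querying mechanisms
        return "permerror"
    record = DNS.get(domain, {}).get("txt", "")
    if not record.startswith("v=spf1"):
        return "none"  # no SPF record published for this domain
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism without a qualifier means "pass"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = str(ip) in DNS.get(arg or domain, {}).get("a", [])
        elif name == "mx":
            hosts = DNS.get(arg or domain, {}).get("mx", [])
            matched = any(str(ip) in DNS.get(h, {}).get("a", []) for h in hosts)
        elif name == "include":
            matched = spf_check(arg, sender_ip, depth + 1) == "pass"
        else:
            continue  # mechanisms not modeled here (exists, ptr, exp) are skipped
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"  # nothing matched and no "all" term: default result


if __name__ == "__main__":
    for ip in ("192.0.2.77", "203.0.113.25", "198.51.100.5", "203.0.113.9"):
        print(ip, "->", spf_check("foo.com", ip))
```

A receiving server that gets a "fail" here can reject the message at SMTP time instead of accepting it and later bouncing it to the forged "From" address, which is exactly the backscatter the thread describes.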

Here’s a previous thread on the issue:

Short version …

Bad guys write malware that sends mail from infected computers. The from addresses in the mails are all false.

The mail claims to be a reply indicating that your computer sent defective mail. The truth is you never sent anything to anyone, and the mail you get is simply a disguised attempt to infect your computer.

But people tend to click on the attachment to see which of their outgoing emails didn’t go through. BANG, you’ve sprung the trap on yourself.

It’s simply a different wrapper over the old idea of “click here to see free porn” which triggers a virus/worm infection. Bad guys will do whatever it takes to get you to click the thing.

When you get a message like this, it can be one of three things:

1. A genuine response to a virus/worm that your machine sent (not all that likely anymore because contemporary viruses all seem to spoof the ‘from’ address - see below)
2. A response to an email that was genuinely received, but was sent from somewhere else with forged headers to make it appear from you.
3. A first-hand virus/worm message (I’ve started getting quite a few of these lately; they aren’t rejections from any mail server at all; they are malicious items forged to look like messages from a mail server).