I received a similar e-mail. Sent to a user who doesn't normally get spammed. Made to look like a Yahoo link to my company.
<HTML><HEAD></HEAD><BODY bgColor=#ffffff><DIV><FONT face=Arial size=2><BR><A href="http://drs.yahoo.com/farmprogress.com/NEWS/*http://www.security-warning.biz/personal6/maljo24/www.YAHOO.com/#http://drs.yahoo.com/farmprogress.com/NEWS">http://drs.yahoo.com/farmprogress.com/NEWS</A></FONT></DIV></BODY></HTML>

Headers:

Received: from imail.Farmprogress.com by fpmain.farmprogress.com; Tue, 11 May 2004 10:04:20 -0500
Received: from webgate.bg [212.50.2.129] by imail.Farmprogress.com (SMTPD32-8.11) id AB5E15D70268; Tue, 11 May 2004 10:03:58 -0500
Received: (qmail 16825 invoked from network); 11 May 2004 15:17:58 -0000
Received: from voka-gw.customer.0rbitel.net (HELO [EMAIL PROTECTED]) (195.24.34.138) by lea.webgate.bg with SMTP; 11 May 2004 15:17:58 -0000
From: [EMAIL PROTECTED]<[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: [Possible SPAM] RE:
X-Mailer: Microsoft Outlook
Mime-Version: 1.0
Content-Type: text/html; charset=us-ascii
Message-Id: <[EMAIL PROTECTED]>
Declude JunkMail for spam.
X-Note: Reverse DNS lea.webgate.bg .
X-Country-Chain: BULGARIA->destination
Date: Tue, 11 May 2004 10:04:19 -0500

Scott Fisher
Director of IT
Farm Progress Companies

>>> [EMAIL PROTECTED] 05/11/04 03:23PM >>>

Hello

Our Mail server received a mass mailing earlier today.
The email is addressed to [EMAIL PROTECTED] and is coming from [EMAIL PROTECTED]

Copy of headers:

Received: from mail.citravel.com [10.215.43.52] by citravel.com (SMTPD32-8.11) id A06E595011C; Tue, 11 May 2004 11:25:34 -0400
From: mail.citravel.com<[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: RE:
X-Mailer: Microsoft Outlook
Mime-Version: 1.0
Content-Type: text/html; charset=us-ascii
Message-Id: <[EMAIL PROTECTED]>
X-Declude-Sender: [EMAIL PROTECTED] [10.215.43.52]
X-Declude-Spoolname: Df06e0595011c829f.SMD
X-Note: This message was scanned for Spam
X-RBL-Warning: Total weight value: 0
X-Spam-Tests-Failed: Whitelisted [0]
X-Note: Recipient Host: citravel.com
X-Note: Sender Address: [EMAIL PROTECTED]
X-Note: Sender Host Name: (Private IP)
X-Note: Sender IP Address: 10.215.43.52
X-Note: Sender Country ID:
X-Note: This E-mail was sent from (Private IP) ([10.215.43.52])
Precedence: bulk
Sender: [EMAIL PROTECTED]
Date: Tue, 11 May 2004 11:32:11
X-RCPT-TO: citravel.com
Status: U
X-UIDL: 384277933

This person's email client does not show they sent this message, but the IP of the sending host is the sender's system. I have scanned this system and it is showing virus free, using SOPHOS latest defs as of 2pm EST 5/11/2004. I am also sniffing the network now looking for other SMTP traffic.

Users who receive the email, which has a link of h t t p:// d r s . y a h o o . com / citravel.com/news, get sent to a pornography site. After they close this site their system keeps having pop-ups appearing regularly.

This link redirects to h t t p:// d r s . y a h o o . com / citravel.com/news*http://www.security-warning.biz/personal6/maljo24/www.yahoo.com/#http://drs.yahoo.com/citravel.com/news

I am not so much worried about the email but as to how it was sent. This is where I think it might be a virus.

Currently I have a filter stopping emails with d r s . y a h o o . c o m (space added). I am seeing several hundred an hour being stopped.

Any help, ideas, thoughts?
Or should I just go golfing and forget about it??? :)

~Paul~

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
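The link in these messages shows the same host in its visible text and at the start of its href, so a plain text-versus-href comparison passes; the second URL embedded in the path after the `*` is what gives it away. The following is an added example, not part of the original thread or of Declude, of a filter check for that pattern; the function and class names are hypothetical, SAMPLE is the link markup quoted above, and BENIGN is constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Link markup copied from the message quoted above.
SAMPLE = ('<A href="http://drs.yahoo.com/farmprogress.com/NEWS/*http://www.security-warning.biz'
          '/personal6/maljo24/www.YAHOO.com/#http://drs.yahoo.com/farmprogress.com/NEWS">'
          'http://drs.yahoo.com/farmprogress.com/NEWS</A>')
# Constructed ordinary link, for contrast.
BENIGN = '<a href="http://www.example.com/news">http://www.example.com/news</a>'
URL_START = re.compile(r"https?://", re.I)

class AnchorCollector(HTMLParser):
    """Collects (href, visible text) for each <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host(url):
    return urlsplit(url).hostname or ""

def nested_hosts(href):
    """Hosts of absolute URLs embedded in the path or query, the part the server sees."""
    parts = urlsplit(href)
    tail = unquote(parts.path + "?" + parts.query)
    return [host(tail[m.start():]) for m in URL_START.finditer(tail)]

def check_link(href, text):
    outer, findings = host(href), []
    shown = host(text) if URL_START.match(text) else ""
    if shown and shown != outer:
        findings.append(f"text shows {shown} but href goes to {outer}")
    for inner in nested_hosts(href):
        if inner and inner != outer:
            findings.append(f"{outer} path embeds a URL on {inner}")
    return findings

def scan(html):
    collector = AnchorCollector()
    collector.feed(html)
    collector.close()
    return [(href, check_link(href, text)) for href, text in collector.links]
```

The URL after the `#` is a fragment, which the browser never sends to the server, so the check ignores it and reports only the target embedded in the path.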