[pchelpers] Re: non text virus

> -----Original Message-----
> From: tactilelady
> Sent: Monday, July 29, 2002 2:03 am

> You get a e-mail with in the message area or where you would 
> type your message there is no message.
> 
> Where it says subject are two attachments one is always from 
> word the other is a white with blue around it.
> 
> It comes either from someone you don't know or from someone 
> you know well. Last week I got one with my mothers e-mail 
> address. I deleted it and wrote her asking if she had sent me 
> a attachment mail. She had not.

Hi again, Pen!

You're using Outlook Express 6.  Right-click on the line for the message
and select Properties.  Click Details, then click Message Source.  Look
for a line that looks like this:

   Content-Type: multipart/mixed;  boundary="(whatever)"

Note the (whatever) text.  Go down to the bottom and see if that text is
at the end.  If it doesn't, the message is malformed; Outlook and
Outlook Express don't like these, and messages that are malformed like
this are virtually guaranteed to be spam.

Now, go back up to the top, and search again, for a set of three lines
that look like this:

   (whatever)
   Content-Type: text/plain; charset="iso-8859-1"
   Content-Transfer-Encoding: base64

If you see this, and you see "gibberish" following (nothing readable,
just letters and numbers), then the message has been obfuscated by the
spammer to keep content filters from flagging it.  This is a
near-certain indication that the message is spam.

Here's an example message:

--------------------------------------------------
[some headers snipped for privacy]
Subject: Euro is running now is the time to bite.
Date: Fri, 26 Jul 0102 15:13:01 -0900
MiME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_00C8_68D88A0B.A5514B27"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2627
Importance: Normal
X-UIDL: 274660955
Status: U
 
------=_NextPart_000_00C8_68D88A0B.A5514B27
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: base64
 

T24gSmFudWFyeSAxc3QgMjAwMiwgdGhlIEV1cm9wZWFuIGNvdW50cmllcyBi
ZWdhbg0KdXNpbmcgdGhlIG5ldyBFdXJvLiAgTmV2ZXIgYmVmb3JlIGhhdmUg
c28NCm1hbnkgY291bnRyaWVzIHdpdGggc3VjaCBwb3dlcmZ1bCBlY29ub21p
ZXMgdW5pdGVkDQp0byB1c2UgYSBzaW5nbGUgY3VycmVuY3kuICBXZSB3b3Vs
ZCBsaWtlIHRvIHNlbmQgeW91IGEgDQpGUkVFIHJlcG9ydCBvbiB3b3JsZCBj
dXJyZW5jeS4gIEp1c3QgdmlzaXQgb3VyIHNpdGUgdG8gDQpyZXF1ZXN0IHlv
dXIgRXVybyByZXBvcnQ6DQoNCmh0dHA6Ly93d3cubmV3dG9waWNzLmNvbS9m
cmVlZXVyb3JlcG9ydC8NCg0KSW4gYWRkaXRpb24gdG8gb3VyIGN1cnJlbmN5
IHJlcG9ydCwgeW91IGNhbiByZWNlaXZlDQpvdXIgRlJFRSBJTlZFU1RNRU5U
IFBBQ0tBR0U6DQoNCiogIExlYXJuIGhvdyAkMTAsMDAwIGluIG9wdGlvbnMg
d2lsbCBsZXZlcmFnZSAkMSwwMDAsMDAwIGluDQpFdXJvIEN1cnJlbmN5LiBU
aGlzIG1lYW5zIGV2ZW4gYSBzbWFsbCBtb3ZlbWVudCBpbiB0aGUgbWFya2V0
DQpoYXMgaHVnZSBwcm9maXQgcG90ZW50aWFsLg0KDQpJZiB5b3UgYXJlIG92
ZXIgYWdlIDIxIGFuZCBoYXZlIHNvbWUgcmlzayBjYXBpdGFsLCBpdCdzDQpp
bXBvcnRhbnQgdGhhdCB5b3UgZmluZCBvdXQgaG93IHRoZSBFdXJvIHdpbGwN
CmNoYW5nZSB0aGUgZWNvbm9taWMgd29ybGQgYW5kIGhvdyB5b3UgY2FuIHBy
b2ZpdCENCg0KaHR0cDovL3d3dy5uZXd0b3BpY3MuY29tL2ZyZWVldXJvcmVw
b3J0Lw0KDQokMTAsMDAwIG1pbmltdW0gaW52ZXN0bWVudA0KDQpJbnZlc3Rp
bmcgaW4gRm9yZXggQ3VycmVuY3kgb3B0aW9ucyBpcyBzcGVjdWxhdGl2ZSBh
bmQgaW5jbHVkZXMgYSANCmhpZ2ggZGVncmVlIG9mIHJpc2suIEludmVzdG9y
cyBjYW4gYW5kIGRvIGxvc2UgbW9uZXkuDQoNCmh0dHA6Ly93d3cubmV3dG9w
aWNzLmNvbS90YWtlbWVvZmYvIFRvIE9wdE91dC4NCg0KNDQxM0ZkdEU2LTA1
NkdHT1Q4Njc3VGNCczctMjAyZXlVUzY5OTN0REhjMS01NTNsNDQ=
--------------------------------------------------

I know about this because I sent this to an anti-spam mailing list to
see what they thought.

--Scott.

Other related posts: