Email addys - anyone heard of this one?


I posted this a short while ago over at Wilders, but I figured posting here too wouldn’t hurt any.

I’m well aware that some email viruses “borrow” the from and/or to addresses from the addy book in the process of distributing themselves. But I always thought the address was picked up complete, rather than in “pieces”.

I frequently forward copies of Nigerian Letters and related stuff to the Phonebusters unit (joint RCMP-OPP operation). Last night I got a failed-delivery notice relating to one of those, for one I’d sent them – it was showing delivery attempted to “wafl@” (so far correct) at a totally different domain. The message body, and even my original “To” address, were still there and were correct.

I use Eudora 6 (under XP-Home, all critical updates), and avast (both resident and on-demand) and Ad-Aware both showed clean, and not a peep out of SpywareGuard.

Anyone ever heard of this before, the mix-and-match of a name and an unrelated domain? It’s entirely possible, of course, that it was a freak mailer-daemon glitch rather than any kind of malware – I re-sent the latest version, complete with failed-delivery notice, and they apparently received that one ok.

Any comments or suggestions would be appreciated. There’s been no other oddball behavior to suggest any kind of malware.

Thanks and best,

It is an old, well-known and widely used trick. The first e-mail viruses did use the real addresses (of those really infected). Then they used false but real addresses (of some innocent people). The third step is to combine a name and a domain - such an address does not exist in most cases.


Thanks, Pavel. :) That third step, which is apparently what I ran into, I’d never even heard of before.

As I’d mentioned, everything looks clean at my end. I did get a couple of pop-up warnings about incoming mail this afternoon, “possibly dangerous” frames – they related to Doubleclick, however, and while that outfit is a pain for spam, it’s highly unlikely they’re dangerous. I risked a look at the second one, and it turned out to be Yahoo’s own advertising (this was in a group there).
