Delivery Status Notification (Failure) – Virus

We’re seeing a slew of spoofed Delivery Status Notifications that pretend to be “bounced emails” but which are actually attempting to use JavaScript code to cause the recipient’s computer to download viruses to their systems.

The typical example comes with a fairly common Subject/Sender combination:

Subject:      Delivery Status Notification (Failure)
From:     “System Administrator” <postmaster@roomswithviews.com>

However, the “postmaster@” address will be from a randomly spoofed domain, since these emails most likely come from already infected personal computers that are functioning as zombies in a spam bot network. The spoofed domain is never the true sender. For example, the one from “postmaster@roomswithviews.com” was actually delivered by:

from [109.108.46.163] (helo=isg-109-108-46-163.ivnet.ru) by MailFilter1.onlymyemail.com with esmtp

The domain roomswithviews.com is registered with TUCOWS INC. whereas the IP address above belongs to what appears to be a Russian ISP. Clearly this is either from a compromised personal computer or the ISP itself is allowing someone to send virus attacks.

The faked rejection email’s body generally contains standard language such as:

Note: Forwarded message is attached.

This is an automatically generated Delivery Status Notification.

Delivery to the following recipients failed.

lathinga5@roomswithviews.com

Final-Recipient: rfc822;lathinga5@roomswithviews.com
Action: failed
Status: 5.1.1

While this might look like a typical bounced email, what’s noteworthy is that the receiving domain is also spoofed — the bounce is not legitimate either. The person receiving this message never sent the email that’s purportedly being returned.

More importantly, the single attachment doesn’t contain a copy of any legitimate email.  These attachments have either “.html” or “.htm” extensions, and are typically named as:

  • Delivery Status Notification (Failure).htm
  • Delivery Status Notification (Failure).html

These HTML attachments are entirely JavaScript code. If opened, in most cases the script will attempt to force your browser to download virus code to your computer.  In other instances, the JavaScript will only direct you to a spammer’s website. Unfortunately it is impossible for the end user to know whether this is the case or not beforehand.

As a result, the only safe course of action is to delete these bogus bounces on sight, without ever clicking the JavaScript attachments.
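As an added illustration (not code from OnlyMyEmail or the original post), here is a Python checker that scores a raw message against the indicators described above: the bounce-style subject from a postmaster@ sender, the missing multipart/report structure that a genuine DSN would have, the HELO-versus-From domain mismatch, and an .htm/.html attachment that is mostly script. The sample message, the 0.6 script-ratio cutoff and the indicator strings are constructed assumptions.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

BOUNCE_SUBJECT = re.compile(r"delivery status notification \(failure\)", re.I)
SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>.*?</script>", re.I | re.S)

def html_is_mostly_script(html):
    """True when most of the HTML text sits inside <script> tags (0.6 is an assumed cutoff)."""
    total = len(html.strip())
    inside = sum(len(s) for s in SCRIPT_BLOCK.findall(html))
    return total > 0 and inside / total >= 0.6

def spoofed_bounce_indicators(raw):
    """Return the spoofed-DSN indicators found in one raw RFC 822 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    looks_like_dsn = bool(BOUNCE_SUBJECT.search(str(msg.get("Subject", ""))))
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    from_domain = sender.partition("@")[2]
    if looks_like_dsn and sender.startswith("postmaster@"):
        hits.append("bounce-style subject with a postmaster@ sender")
    # A genuine DSN (RFC 3464) is multipart/report with a message/delivery-status part.
    if looks_like_dsn and msg.get_content_type() != "multipart/report":
        hits.append("claims to be a DSN but is not multipart/report")
    # Heuristic: the HELO name in the topmost Received header should belong to the
    # From domain; relays and forwarders can legitimately break this.
    helo = re.search(r"helo=([\w.-]+)", str(msg.get("Received", "")))
    if from_domain and helo and not helo.group(1).lower().endswith(from_domain):
        hits.append(f"HELO {helo.group(1)} does not match From domain {from_domain}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith((".htm", ".html")):
            hits.append(f"HTML attachment: {name}")
            if isinstance(body := part.get_content(), str) and html_is_mostly_script(body):
                hits.append("HTML attachment is mostly JavaScript")
    return hits

def build_sample():
    """Constructed message modelled on the spoofed bounce in the post; no real payload."""
    m = EmailMessage()
    m["Received"] = ("from [109.108.46.163] (helo=isg-109-108-46-163.ivnet.ru) "
                     "by MailFilter1.onlymyemail.com with esmtp")
    m["Subject"] = "Delivery Status Notification (Failure)"
    m["From"] = '"System Administrator" <postmaster@roomswithviews.com>'
    m.set_content("This is an automatically generated Delivery Status Notification.\n")
    m.add_attachment("<html><body><script>/* constructed, no payload */var n=1;</script></body></html>",
                     subtype="html", filename="Delivery Status Notification (Failure).htm")
    return bytes(m)
```

Running `spoofed_bounce_indicators(build_sample())` returns all five indicators for the constructed sample, while an ordinary message with no bounce subject and no attachment returns an empty list.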

- -

OnlyMyEmail is an award winning hosted spam filtering service and business email hosting provider. Our enterprise cloud computing anti-spam solution, the MX-Defender, has the highest capture rate of any spam filter ever tested in the VBSpam Challenge, blocking a record setting 99.9993% of all malicious and junk email.

Our Personal spam filtering system is also a Software as a Service (SaaS) solution and has won both the PC World "World Class Award" and also the PC Magazine "Editor's Choice Award."

OME-Kids is a webmail solution that protects children from spam and other harmful emails. OME-Kids offers unique Parental Controls that allow you to choose the level of security and oversight that's right for your child.


3 Responses to “Delivery Status Notification (Failure) – Virus”

  1. Richard says:

    Thank you for this post. I have gotten at least a hundred of these in the last week.

    Gabh an latha,
    Richard

  2. Brian says:

    Thanks for the info, but how do we get rid of the thing? Thanks!

  3. OnlyMyEmail Anti-Spam Team says:

    Brian,

    If you have anti-virus software that can at least give you the name of the infection your best bet is to search the web for information on that name. Failing that, we’d suggest taking it to a computer repair professional. Our job is to block email viruses. We don’t really deal with removing them. Sorry.