Very Strange Ebay Emaills not spoofing

Samba

I would apreciate if anyone could shed some light on this as it is quite a cause for concern.

I have contaced ebay in relation to this and since the emails have stopped dead yet I have recieved no reply from ebay, they have obviously taken action but I am very curious as to what the source of the problem may have been.

I sell quite alot on ebay and so deal with the usual spoof mails, muppet mails etc.

Last week I started to recieve approx. 200k in size emails, with what appear to be virus attachments, first one, then 5, then up to 20 a day up until yesterday when i contact ebay.

What's alarming is that it states from member, o.k this could be any schmuck, however when I check the email source and properties it says the following.
details are edited for privacy



Return-Path: <member@ebay.com>
Delivered-To: eircom.net-xxxxxx@eircom.net
Received: (vpopmail 28205 invoked by uid 16); 27 Jan 2006 17:05:39 +0000
Received: (qmail 27625 messnum 7068514 invoked from network[xxxxxxxxx1.prp.dublin.eircom.net]); 27 Jan 2006 17:05:30 -0000
Received: from xxxxxxx-ras1.prp.dublin.eircom.net (HELO pc2) (xxxxx249.160)
by
xxxxxxcra.dublin.eircom.net (qp 27625) with SMTP; 27 Jan 2006 17:05:30 -0000
From: "member" <member@ebay.com>
To: <ixxxx@ircom.net>
Subject: Fw: Sexy
MIME-Version: 1.0
Status: U
X-UIDL: 1138381539.xxxxx.mail01.xxxxxdublin.eircom.net,S=183157
Content-Type: multipart/mixed; boundary="----=_NextPart_1.84517502784729E-03"


So you see, if i then block "member@ebay.com" naturally any of my customers attempting to contact me will also be blocked.

My internet security and spoofing education is well out dated and I would apreciate if anyone could shed some light on this very shady business!

Running Up to date win2k, outlook express, Internet explorer, all secure and firewalled etc.

Some of the emails were of sexual content with jpeg images showing places but no images. I have no bloody virus scanner from the computer where I work and so I have not been able to analyse any of the files.

Sorry for the long post.

Samba

SwampThing

May have nothing to do with it, but when you say you have no virus scanner....


http://news.bbc.co.uk/2/hi/technology/4661582.stm

Samba

Very much related, I recieved all of the following

SAMPLE SUBJECT LINES
Fw: Funny
Fw: Picturs
Fw: SeX.mpg
Re: Sex Video


My biggest concern is that it would appear as though ebay themselves are or at least were passing on the infection

Kali

Samba wrote:

Very much related, I recieved all of the following

SAMPLE SUBJECT LINES
Fw: Funny
Fw: Picturs
Fw: SeX.mpg
Re: Sex Video

My biggest concern is that it would appear as though ebay themselves are or at least were passing on the infection

By the looks of the headers you posted it's an infected Eircom user (or at least one who has their smtp servers set to eircom)... nothing to do with ebay at all, most viruses From headers are spoofed.
Likely scenario is that someone has your email address in their contacts/inbox and have gotten infected.. or else your pc is infected.. either way a virus scanner really is a necessity.

Samba

I'm on eircom myself using an eircom email address also.

I am very curious (and ignorant in many respects ) i was not aware that spoofing was possible in the actual header, how and why could it possibly have spoofed member@ebay.com what would be the likely explanation for this? any random email address I can understand, member@ebay.com and the fact that as soon as I alerted ebay to the issue, it stopped and instantly.

I ran a scan and everything is clean, i bloody hate anti-virus software!

SwampThing

Samba wrote:

i bloody hate anti-virus software!

It's a neccessary evil, or the lesser of two weavels (watch Master and Commander)

The alternative is just too scary to think about - no-one using anti-virus software?!?!?!?!

Samba, you can to some degree, thank all the people who do use anti-virus software for keeping crap like this from bringing I.T. to it's knees.

It's no joke - e-mail as a communications medium is fast becoming unviable because of spam and the easy spread of virii.
Already work is underway on iSMTP servers to control e-mail - you only get mail from people you authorise to send to you.

Anyway, don't get me started.

dalk

Samba wrote:

I am very curious (and ignorant in many respects ) i was not aware that spoofing was possible in the actual header, how and why could it possibly have spoofed member@ebay.com what would be the likely explanation for this?

The virus is either coded to use this address (or a list of) or it simply goes through the infected PC's email address', choses one to send an email to and another to use as the spoofed Mail From.

Samba wrote:

any random email address I can understand, member@ebay.com and the fact that as soon as I alerted ebay to the issue, it stopped and instantly.

Coincidence. The emails were not originating from ebay mail servers. Nothing to do with them. Maybe ebay got in contact with the user of the infected PC that was spitting emails at you? Maybe the user of the infected PC copped on and removed the infection...