Is this genuine '.mac support Email or a virus?

Posted in Genius Bar, edited January 2014
Is this genuine '.mac support Email or a virus? Got a little suspicious after receiving this Email, supposedly from Apple's .mac team. I first saw it when accessing my .mac account from my NT Wintel machine at work. When I tried opening the zip file I got a virus warning and the puter refused to open it!

Quote:

Dear user of mac.com,

We have detected that your email account was used to send a large amount of unsolicited email during this week.
Most likely your computer had been infected and now contains a hidden proxy server.

Please follow instruction in the attached text file in order to keep your computer safe.

Best regards,
mac.com support team.

Should I dare open it on me Mac?

Cheers
kelib

Comments

  • Reply 1 of 12
    jambo (Posts: 3,036, member)
    It's a new strain of MyDoom virus. Don't open it on a Windows machine!

    Your Mac is safe though.
  • Reply 2 of 12
    aslan^ (Posts: 599, member)
    Is it really a text file? If so you can look at it with a text editor to see what it is. It does sound fake though. If you want to open it on your Mac you could always create a user account just for this purpose. This would negate the damage from the text file being some kind of trojan that will delete your home folder.

    EDIT: Really, MyDoom eh, these guys never give up. The two places in the email where it says mac.com, are those like generic fields that the virus engine rips out of the target email address before sending?
  • Reply 3 of 12
    kelib (Posts: 740, member)
    It's not a real text file. I did open it however and the file automatically opened and updated some dat files in Virex and then ran it afterwards.
  • Reply 4 of 12
    panther (Posts: 64, member)
    Post full headers of the mail, all details. I'll check where that's supposed to be coming from.
  • Reply 5 of 12
    kelib (Posts: 740, member)
    Quote:

    Originally posted by Panther

    Post full headers of the mail, all details. I'll check where that's supposed to be coming from.

    Here you go:

    From: [email protected]
    Subject: Returned mail: Data format error
    Date: 29. júlí 2004 17:52:45 GMT+02:00
    To: [email protected]
    1 Attachment

    Dear user of mac.com,

    We have detected that your email account was used to send a large amount of unsolicited email during this week.
    Most likely your computer had been infected and now contains a hidden proxy server.

    Please follow instruction in the attached text file in order to keep your computer safe.

    Best regards,
    mac.com support team.

    Name of the attached file: [email protected] (28,3kb)
  • Reply 6 of 12
    rhoq (Posts: 190, member)
    Just the fact that the attached file is a ".zip" would indicate to me that this is malicious. I don't think anyone at Apple (or in this case .mac) would send a Zip file.
  • Reply 7 of 12
    Quote:

    Originally posted by kelib

    Is this genuine '.mac support Email or a virus? Got a little suspicious after receiving this Email, supposedly from Apple's .mac team. I first saw it when accessing my .mac account from my NT Wintel machine at work. When I tried opening the zip file I got a virus warning and the puter refused to open it!

    Should I dare open it on me Mac?

    Cheers
    kelib

    It's malware. I think Apple would not send you an email with an attachment to warn you; they would put it in the email itself. Most companies are getting stuff like this, they just add aol.com, mac.com, yourcompanynamehere.com to the emails. Trash it. Don't open on a Windows PC.
  • Reply 8 of 12
    luca (Posts: 3,833, member)
    Quote:

    Originally posted by kelib

    Here you go:

    (snip)

    He said FULL headers. There should be an option somewhere.
  • Reply 9 of 12
    kelib (Posts: 740, member)
  • Reply 10 of 12
    To get the full headers, select View->Message->Long Headers (Command-Shift-H).
  • Reply 11 of 12
    kelib (Posts: 740, member)
    From: [email protected]
    Subject: Returned mail: Data format error
    Date: 29. júlí 2004 17:52:45 GMT+02:00
    To: [email protected]
    Return-Path: <[email protected]>
    Received: from mac.com (smtpin06-en2 [10.13.10.151]) by ms35.mac.com (iPlanet Messaging Server 5.2 HotFix 1.25 (built Mar 3 2004)) with ESMTP id <[email protected]> for [email protected]; Thu, 29 Jul 2004 08:52:57 -0700 (PDT)
    Received: from mac.com (host27.atlanta.is [194.144.131.27] (may be forged)) by mac.com (Xserve/smtpin06/MantshX 4.0) with ESMTP id i6TFqjw4021845 for <[email protected]>; Thu, 29 Jul 2004 08:52:47 -0700 (PDT)
    Message-Id: <[email protected]>
    Mime-Version: 1.0
    X-Mimeole: Produced By Microsoft MimeOLE V6.00.2600.0000
    X-Mailer: Microsoft Outlook Express 6.00.2600.0000
    Content-Type: multipart/mixed; boundary="----=_NextPart_000_0004_D0098275.A11F8CA3"
    X-Priority: 3
    X-Msmail-Priority: Normal
    Original-Recipient: rfc822;[email protected]
  • Reply 12 of 12
    voxapps (Posts: 236, member)
    As others in this thread have written, this is fraudulent without a doubt. (1) Apple would never send a .mac subscriber message out that a computer is "infected" and "contains a hidden proxy server" with no explanation of what that actually means. (2) "Please follow instruction" is incorrect English and would never get past the tech writers at Apple who create such messages. (3) If the attachment is a small text file, why zip it? (4) Why would the file be named with your specific account, rather than a generic name like "instructions.txt"? (5) If they know your account name well enough to name the file attachment after it, why don't they use it in the salutation ("Dear Askell")? (6) "mac.com support team." is also incorrect English (there is no need for a period after "team").

    Finally, based on the complete headers, the message is coming to you via the domain "atlanta.is". This is the domain for Air Atlanta Aviation in Iceland. Apple would send e-mail via its own domain(s). If anyone has an open proxy, it's Air Atlanta.
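The header reading voxapps does above, as an added example that is not part of the thread and not an Apple or AppleInsider tool: a small Python script that stitches the headers kelib posted into a constructed raw message, walks the Received chain to the earliest hop, and reports the red flags the thread points out (the receiving server's "may be forged" mark, a HELO name that does not match the host, and an origin outside Apple's own domains). The own_domains list and the redacted placeholder addresses are assumptions.

```python
import re
from email import message_from_string

# Constructed sample: the headers kelib posted in this thread, stitched back into
# a minimal raw message. Addresses stay as the page's redacted placeholders.
RAW_MESSAGE = """\
Return-Path: <[email protected]>
Received: from mac.com (smtpin06-en2 [10.13.10.151]) by ms35.mac.com
 (iPlanet Messaging Server 5.2 HotFix 1.25 (built Mar 3 2004)) with ESMTP
 id <[email protected]> for [email protected]; Thu, 29 Jul 2004 08:52:57 -0700 (PDT)
Received: from mac.com (host27.atlanta.is [194.144.131.27] (may be forged))
 by mac.com (Xserve/smtpin06/MantshX 4.0) with ESMTP id i6TFqjw4021845
 for <[email protected]>; Thu, 29 Jul 2004 08:52:47 -0700 (PDT)
From: [email protected]
Subject: Returned mail: Data format error
X-Mailer: Microsoft Outlook Express 6.00.2600.0000

Dear user of mac.com,
"""

# One sendmail-style hop: "from HELO (rdns [ip] (may be forged)) by server".
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*\(\s*(?P<rdns>\S+)\s+\[(?P<ip>[^\]]+)\]"
    r"(?P<forged>\s*\(may be forged\))?\s*\)\s*by\s+(?P<by>\S+)"
)

def parse_hops(raw):
    """Received hops newest-first (header order); the last one is where the mail entered."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP_RE.search(value)
        if m:  # hops in a format the regex does not know are skipped
            hops.append({"helo": m["helo"], "rdns": m["rdns"], "ip": m["ip"],
                         "by": m["by"], "forged": m["forged"] is not None})
    return hops

def header_red_flags(raw, own_domains=("mac.com", "apple.com")):
    """Judge only the earliest hop: the later hops are the recipient's own servers."""
    hops = parse_hops(raw)
    if not hops:
        return ["no parseable Received header"]
    origin, flags = hops[-1], []
    if origin["forged"]:
        flags.append(f"receiving MTA marked HELO '{origin['helo']}' as possibly forged")
    if origin["helo"] in own_domains and origin["helo"] != origin["rdns"]:
        flags.append(f"host claims to be {origin['helo']} but is {origin['rdns']}")
    if not any(origin["rdns"] == d or origin["rdns"].endswith("." + d) for d in own_domains):
        flags.append(f"origin {origin['rdns']} [{origin['ip']}] is outside {own_domains}")
    return flags
```

Run `header_red_flags(RAW_MESSAGE)` and all three flags fire for the posted headers; swap in a legitimate bounce from one of your own servers and the list comes back empty.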