Does anyone know what this is?


Nidge
02-08-2004, 14:44
What's this?

Dear user nigel.marchant@ntlworld.com,

We have found that your account was used to send a large amount of junk email messages during the recent week. We suspect that your computer had been infected and now contains a hidden proxy server.

We recommend that you follow instructions in the attached file in order to keep your computer safe.

Have a nice day,
ntlworld.com user support team.


Return-Path: <postmaster@ntlworld.com>
Received: from smtp.spamjab.com (core-01.servers.spamjab.com [172.16.0.2])
    by storage-01.servers.spamjab.com (8.12.8/8.12.8) with ESMTP id i72DJ2Mu016105
    for <sjp3396@storage-01.servers.spamjab.com>; Mon, 2 Aug 2004 14:19:12 +0100
Received: from localhost (fetch-01.servers.spamjab.com [172.16.0.5])
    by smtp.spamjab.com (8.12.8/8.12.8) with ESMTP id i72DHQTM029973
    for <nigel.marchant@ntlworld.com>; Mon, 2 Aug 2004 14:17:48 +0100
Received: from pop.ntlworld.com [62.253.162.50]
    by localhost with POP3 (fetchmail-6.2.0)
    for nigel.marchant@ntlworld.com (single-drop); Mon, 02 Aug 2004 14:17:48 +0100 (BST)
Received: from ntlworld.com ([212.23.24.89]) by mta03-svc.ntlworld.com
    (InterMail vM.4.01.03.37 201-229-121-137-20020806) with ESMTP
    id <20040802112016.VDWG291.mta03-svc.ntlworld.com@ntlworld.com>
    for <nigel.marchant@ntlworld.com>; Mon, 2 Aug 2004 12:20:16 +0100
From: "Bounced mail" <postmaster@ntlworld.com>
To: nigel.marchant@ntlworld.com
Subject: Returned mail: see transcript for details
Date: Mon, 2 Aug 2004 12:21:38 +0100
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_0011_C0AC5756.54ED1D2F"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-Id: <20040802112016.VDWG291.mta03-svc.ntlworld.com@ntlworld.com>
X-SJ-ID: i72DHQTM029973
Status:

Jon M
02-08-2004, 14:51
It's a virus, most likely MyDoom-o
http://www.sophos.com/virusinfo/analyses/w32mydoomo.html#
The email sent by the worm has a spoofed sender.

The subject line may be blank or one of the following:

hello
hi
error
status
test
report
delivery failed
Message could not be delivered
Mail System Error - Returned Mail
Delivery reports about your e-mail
Returned mail: see transcript for details
Returned mail: Data format error

The message text of the email is constructed from a set of optional strings within the worm. The message sent is blank or similar to one of the following messages:

Dear user of <domain>
Mail server administrator of <domain> would like to inform you that
We have detected that your e-mail account has been used to send a large
amount of unsolicited e-mail messages during this recent week.
We suspect that your computer had been compromised by a recent virus and now
runs a trojan proxy server.
Please follow our instructions in the attachment file
in order to keep your computer safe.
Virtually yours
<domain> user support team.

The message could not be delivered

Pritch
02-08-2004, 15:17
Whatever it is, with those headers, it hasn't come from within the walls of an NTL office.
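
Added example, not part of the thread or any poster's code: a Python triage function applying the checks visible in this thread (the worm's subject list, a "postmaster" sender that carries a desktop-client X-Mailer, and an entry hop whose HELO name is just the sender's bare domain). The sample message is constructed with example.com and a documentation IP; the `triage` function and finding names are hypothetical, and the HELO check is a heuristic assumption rather than a rule from Sophos or NTL.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Subjects listed in the thread (quoted there from the Sophos write-up).
WORM_SUBJECTS = {
    "hello", "hi", "error", "status", "test", "report", "delivery failed",
    "message could not be delivered",
    "mail system error - returned mail",
    "delivery reports about your e-mail",
    "returned mail: see transcript for details",
    "returned mail: data format error",
}
SYSTEM_SENDERS = {"postmaster", "mailer-daemon"}

# Constructed sample modelled on the posted headers (example.com, TEST-NET IP).
SAMPLE = """\
Received: from example.com ([203.0.113.89]) by mta03.example.com
\twith ESMTP id <20040802112016.ABCD.mta03.example.com@example.com>
\tfor <user@example.com>; Mon, 2 Aug 2004 12:20:16 +0100
From: "Bounced mail" <postmaster@example.com>
To: user@example.com
Subject: Returned mail: see transcript for details
X-Mailer: Microsoft Outlook Express 6.00.2600.0000

Please follow our instructions in the attachment file.
"""

def triage(raw):
    """Return the list of heuristic findings for one raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []
    local, _, domain = parseaddr(msg.get("From", ""))[1].lower().partition("@")
    subject = " ".join(msg.get("Subject", "").split()).lower()
    if subject in WORM_SUBJECTS:
        findings.append("subject-on-worm-list")
    # A genuine bounce is generated by an MTA, not by a desktop mail client.
    if local in SYSTEM_SENDERS and msg.get("X-Mailer"):
        findings.append("system-sender-with-client-x-mailer")
    # The last Received header is the oldest hop: where the mail entered.
    hops = msg.get_all("Received") or []
    first = re.match(r"from\s+(\S+)\s+\(\[([\d.]+)\]\)", hops[-1]) if hops else None
    if first and domain and first.group(1).lower() == domain:
        findings.append("helo-is-bare-sender-domain:" + first.group(2))
    return findings
```

The findings are indicators for a human to weigh, not a verdict; the IP in the last finding is the address to look up when deciding whether the entry hop belongs to the provider named in the From line.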

iadom
02-08-2004, 17:47
Discussed here last week.

http://www.cableforum.co.uk/board/showthread.php?t=15391

Neil
02-08-2004, 18:02
Thread closed due to duplication; link to original provided (Thanks iadom)