
Suspicious e-mail address B1awya73


I received an e-mail from a Windows friend with a video of a German Shepherd doing an obstacle course. Above my friend's header was B1awya73. I asked him if he had 2 e-mail addresses, no. So I tried Reply and Forward, would not go. I took a picture of desktop and new e-mailed him to show him. At the bottom of his letter was a Free Animation of a monkey from IncrediMail.com, so I went there. A question asked was, is this malware? The answer was yes, a Trojan. Using Spotlight, up came the locations of the videos, gifs and e-mails showing b1awya73 on my hard drive. Going into my contacts the first time I had under D -dan on a smart card. I deleted that. I told my friend to get Malwarebytes, he did, 500 problems, but all cleaned out. He e-mailed me back and we both scanned each other. Clear. But, the Dog video was at the bottom of his pics. My contacts had a new name under D, Dispatch, so I again cleaned it out. All Malwarebytes scans show zero problems. When I started eliminating the last letters of b1awya73, at the b1aw level, all sorts of stuff appeared, like videos, music, and files. What is this b1awya73? Using Spotlight gives an all clear result as well. I have a 2012 iMac, version 10.14.6.



Without having access to the headers of that email, I can only guess that it is simply a random address used by the sender.

From everything you have said any malware associated with that email was Windows only and your friend has taken care of the problem at their end, so there should be no need for further considerations by you.

In the future you can upload such emails to the Research Center forum for Newest Mac Threats to have the Malware Hunters and staff take a look at it. You might also find SpamCop useful in determining the true sender.


Thank you for your reply. My friend thought he had fixed the problem but he still has it as I got it back. Last night I cleaned out the second address from hard drive, went to forum and asked on the forum about what it is. Logged out, went to Spotlight, typed in the address and guess what, my forum message was sitting there with the address, like it is following me around. In the first Contact Card with Dan on it, I noticed html near name. I was just surprised that this address could add itself to my contact list. Another oddity was I e-mailed a friend of mine starting with Hi. The next day I did Spotlight and this e-mail came up with the suspicious address which was highlighting the Hi. Thanks for your time and advice.




@brcd a thorough examination of the raw html data will reveal the source of such a pixel, although you won't know what it is or how big unless you access it. That's why it is recommended that you not load remote images automatically in Apple Mail and only allow remote images when you trust the source and need to see them.


4 minutes ago, alvarnell said:

@brcd a thorough examination of the raw html data will reveal the source of such a pixel, although you won't know what it is or how big unless you access it. That's why it is recommended that you not load remote images automatically in Apple Mail and only allow remote images when you trust the source and need to see them.

Thanks. Not sure I understand. BUT, I just received my weekly savings from a grocery store - Safeway - and looked for raw data. In Mail, View, Message, All Headers, Raw Source. Is Raw Source what you are referring to? If so, I did not understand anything I was looking at. If nothing else, I learned something new. Thanks again!




Sorry I wasn't clear. Yes, Raw Source is what you would need to look at, specifically any URLs shown as being "src=" meaning source. Those are links to the remote images that display in illustrated emails if you allow. All images are rendered on your screen as collections of pixels, but there is no way to determine in advance exactly what that image will look like. There might be clues in the html code on its size and exactly where in the email it will appear, but nothing else beyond that.

Perhaps I could be a bit clearer if I understood exactly why you are asking "Is there any chance that somewhere in the email was an email pixel?" and why this relates to the OP's issues.


Regarding clarity that is my fault. I run AdGuard as well as MWB. Someone on the AG forum had an issue with an email that contained pixels and caused problems and queried about the negative effects.

The OP here began his/her question by talking about receiving an email and then having some problems. So I asked if it were possible that the email had the pixel embedded. That was all. From what I understand from google searches the pixels can be good or bad. I was curious so I asked. Maybe I should not have chimed in but I thought the pixels could be malicious. Thanks for your explanation.


To sum this up...

To make a real determination upon any email, we would need to see the email in RAW Format. That is the email full header and body of the message in its raw, uninterpreted and non-rendered, state.

How one retrieves that depends on the email client or web browser. For example, in AOL Webmail you open the intended email and choose More ---> View Message Source.

Without examining the RAW Email contents, everything is all speculation.

The following is an example of a redacted email's Full Header from a US House of Representative's email in RAW Format...


Received: from
 by atlas208.aol.mail.bf1.yahoo.com with HTTP; Thu, 18 Feb 2021 15:29:46 +0000
Return-Path: <#########@mail.house.gov>
Received: from (EHLO serg-bulk3-h.house.gov)
 by with SMTPs; Thu, 18 Feb 2021 15:29:46 +0000
X-Originating-Ip: []
Received-SPF: pass (domain of mail.house.gov designates as permitted sender)
Authentication-Results: atlas208.aol.mail.bf1.yahoo.com;
 dkim=pass header.i=@house.gov header.s=august2019-msgb-hg;
 spf=pass smtp.mailfrom=mail.house.gov;
 dmarc=pass(p=NONE) header.from=mail.house.gov;
X-Apparently-To: <redacted>; Thu, 18 Feb 2021 15:29:46 +0000
X-YMailISG: ik7g2gwWLDufalaLfVs38U9Od7cHkh8V9jx_hvtiGwH4csCj
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=house.gov; h=message-id :
 list-unsubscribe : mime-version : from : to : date : subject :
 content-type; s=august2019-msgb-hg;
 pPZBnB3AgWTBRuaUgnvdhu2wJx+XNcHdjn5UdTWaMVZRPVscZdaygHI9NiI+yr/ivAsY gA== 
Received: from FIRESIDESERV03 (firesideserv03.us.house.gov [])
	by serg-bulk3-h.house.gov ( with ESMTP id 11IFTkXv013631
	for <redacted>; Thu, 18 Feb 2021 10:29:46 -0500
envelope-from: ########@mail.house.gov
Errors-To: bounce@emanager.house.gov
X-Errors-To: bounce@emanager.house.gov
Message-ID: <T4sraud6emUE4yrVFPOL+4nARk5aNJ2r800E1vp2NM84FLH4rhPErpqC5xtTWHbvBsDpgQFgfCHmxpIGlkDW2Hp7QO2Bgi5s/isgQuL28S2684AuPTNI8MDv/4JbLSbshnczS8yrjO4jPXApEVzfjXYPoSDp3HYMikKSgaWChuZxeXBTkvz4sErrzShm9rp+@fireside21.com>
X-House-Vendor-Seg: unmanaged
List-Unsubscribe: <https://#########.house.gov/forms/emailsignup/?Delete=true&MessageID=539&Email=<redacted>&Submit=true>
Precedence: bulk
MIME-Version: 1.0
From: "Congressman #######" <##########@mail.house.gov>
To: <redacted>
Date: 18 Feb 2021 10:29:46 -0500
Subject: Join me Friday for a virtual veterans roundtable	
Content-Type: multipart/alternative;
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.369,18.0.761
 definitions=2021-02-18_06:2021-02-18,2021-02-18 signatures=0
Content-Length: 12316



Edited by David H. Lipman
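The two points made above, alvarnell's "look at Raw Source for any src= URLs" and David Lipman's "nothing can be determined without the full header", can be checked with a short script rather than by eye. The following is an added example written for this thread; it is not code from the forum, from Malwarebytes or from any mail client. It uses only the Python standard library, and the raw message it inspects is constructed (placeholder domains and URLs), so it runs offline. It parses the Received chain, pulls the SPF/DKIM/DMARC verdicts out of Authentication-Results, and lists every remote image src= in the HTML part, flagging 1x1 or hidden images that behave as tracking pixels.

```python
"""Inspect a raw email (full header + body) without rendering it.

Example code added to this thread (not the forum's or any vendor's code).
The sample message below is constructed; all hosts and URLs are placeholders.
"""

import re
from email import message_from_string
from email.message import Message
from html.parser import HTMLParser

# Constructed sample: two Received hops, an Authentication-Results header,
# and an HTML part carrying one visible banner plus one 1x1 hidden pixel.
SAMPLE_RAW = """\
Return-Path: <newsletter@example.com>
Received: from mx.example.net (mx.example.net [192.0.2.10])
 by mail.example.org with ESMTPS; Thu, 18 Feb 2021 15:29:46 +0000
Received: from app01.example.com ([192.0.2.20])
 by mx.example.net with ESMTP; Thu, 18 Feb 2021 15:29:45 +0000
Authentication-Results: mail.example.org;
 dkim=pass header.i=@example.com;
 spf=pass smtp.mailfrom=example.com;
 dmarc=fail (p=NONE) header.from=example.com
From: "Example Store" <newsletter@example.com>
To: <user@example.org>
Subject: Weekly savings
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Weekly savings inside.
--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Weekly savings</p>
<img src="https://img.example.com/banner.png" width="600" height="200">
<img src="https://track.example-analytics.invalid/open?id=abc123" width="1" height="1" style="display:none">
</body></html>
--b1--
"""


def received_chain(msg: Message) -> list[str]:
    """Received headers top to bottom: the top one is the hop nearest you,
    the bottom one is the first server that accepted the message."""
    return [" ".join(h.split()) for h in msg.get_all("Received", [])]


def auth_results(msg: Message) -> dict[str, str]:
    """Extract the spf=/dkim=/dmarc= verdicts from Authentication-Results."""
    results: dict[str, str] = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I):
            results[mech.lower()] = verdict.lower()
    return results


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag without rendering anything."""

    def __init__(self) -> None:
        super().__init__()
        self.images: list[dict[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def remote_images(msg: Message) -> list[dict]:
    """Every remote (http/https) <img src=...> in the HTML parts, with a
    'pixel' flag when the image is 1x1/0x0 or styled display:none."""
    found = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        charset = part.get_content_charset() or "utf-8"
        html = part.get_payload(decode=True).decode(charset, "replace")
        collector = _ImgCollector()
        collector.feed(html)
        for a in collector.images:
            src = a.get("src", "")
            if not src.lower().startswith(("http://", "https://")):
                continue  # inline/cid images do not phone home
            tiny = a.get("width", "").strip() in ("0", "1") and \
                a.get("height", "").strip() in ("0", "1")
            hidden = "display:none" in a.get("style", "").replace(" ", "").lower()
            found.append({"src": src, "pixel": tiny or hidden})
    return found


def analyze(raw: str) -> dict:
    """Parse a raw message and return the facts a reviewer wants first."""
    msg = message_from_string(raw)
    return {
        "from": msg.get("From", ""),
        "return_path": msg.get("Return-Path", ""),
        "hops": received_chain(msg),
        "auth": auth_results(msg),
        "images": remote_images(msg),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_RAW)
    print("From:       ", report["from"])
    print("Return-Path:", report["return_path"])
    print("Auth:       ", report["auth"])
    for i, hop in enumerate(report["hops"]):
        print(f"Hop {i}: {hop}")
    for img in report["images"]:
        print(("PIXEL " if img["pixel"] else "image ") + img["src"])
```

On the sample this reports dkim=pass, spf=pass, dmarc=fail, two hops, and flags the second image as a tracking pixel. The script never fetches the URLs it finds; that is the point of reading the raw source instead of letting the mail client render it.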

You are welcome. Hoping someone with more savvy than me chimes in. When I said I left them running, I should clarify. I quit mail and safari. The MWB and AG sit on top of the screen tool bar (?) and I did not touch them. So I suppose they were continuing to run. Apple probably has full instructions on what to and not to run during the upgrade.


I concur with @brcd's advice. I don't know of any anti-malware software that needs to be disabled in order to download a macOS update. And when you launch the update, it simply sets things up for the installation, shuts down all active processes and reboots before any actual installation takes place, so it matters not what is left running before hitting the Install button.

One additional word of advice is to unplug all external drives and other devices except for mouse/trackball and keyboard. Users find that things go smoother that way.
