
Suspicious e-mail address B1awya73



I received an e-mail from a Windows friend with a video of a German Shepherd doing an obstacle course. Above my friend's header was B1awya73. I asked him if he had 2 e-mail addresses; no. So I tried Reply and Forward; it would not go. I took a picture of the desktop and now e-mailed him to show him. At the bottom of his letter was a Free Animation of a monkey from IncrediMail.com, so I went there. A question asked was "Is this malware?"; the answer was yes, a Trojan. Using Spotlight, up came the locations of the videos, gifs and e-mails showing b1awya73 on my hard drive. Going into my contacts the first time, I had under D - dan on a smart card. I deleted that. I told my friend to get Malwarebytes; he did, 500 problems, but all cleaned out. He e-mailed me back and we both scanned each other. Clear. But the Dog video was at the bottom of his pics. My contacts had a new name under D, Dispatch, so I again cleaned it out. All Malwarebytes scans show zero problems. When I started eliminating the last letters of b1awya73, at the b1aw level, all sorts of stuff appeared, like videos, music, and files. What is this b1awya73? Using Spotlight gives an all clear result as well. I have a 2012 iMac, version 10.14.6.

Thanks.


Without having access to the headers of that email, I can only guess that it is simply a random address used by the sender.

From everything you have said any malware associated with that email was Windows only and your friend has taken care of the problem at their end, so there should be no need for further considerations by you.

In the future you can upload such emails to the Research Center forum for Newest Mac Threats to have the Malware Hunters and staff take a look at it. You might also find SpamCop useful in determining the true sender.


Thank you for your reply. My friend thought he had fixed the problem but he still has it, as I got it back. Last night I cleaned out the second address from the hard drive, went to the forum and asked on the forum about what it is. Logged out, went to Spotlight, typed in the address and guess what, my forum message was sitting there with the address, like it is following me around. In the first Contact Card with Dan on it, I noticed html near the name. I was just surprised that this address could add itself to my contact list. Another oddity was I e-mailed a friend of mine starting with Hi. The next day I did Spotlight and this e-mail came up with the suspicious address, which was highlighting the Hi. Thanks for your time and advice.

Annfaulk

 


@brcd a thorough examination of the raw html data will reveal the source of such a pixel, although you won't know what it is or how big unless you access it. That's why it is recommended that you not load remote images automatically in Apple Mail and only allow remote images when you trust the source and need to see them.


4 minutes ago, alvarnell said:

@brcd a thorough examination of the raw html data will reveal the source of such a pixel, although you won't know what it is or how big unless you access it. That's why it is recommended that you not load remote images automatically in Apple Mail and only allow remote images when you trust the source and need to see them.

Thanks. Not sure I understand. BUT, I just received my weekly savings from a grocery store - Safeway - and looked for raw data. In Mail: View, Message, All Headers, Raw Source. Is Raw Source what you are referring to? If so, I did not understand anything I was looking at. If nothing else, I learned something new. Thanks again!

 

 


Sorry I wasn't clear. Yes, Raw Source is what you would need to look at, specifically any URLs shown as "src=", meaning source. Those are links to the remote images that display in illustrated emails if you allow them. All images are rendered on your screen as collections of pixels, but there is no way to determine in advance exactly what that image will look like. There might be clues in the html code on its size and exactly where in the email it will appear, but nothing else beyond that.

Perhaps I could be a bit clearer if I understood exactly why you are asking "Is there any chance that somewhere in the email was an email pixel?" and why this relates to the OP's issues.


Regarding clarity, that is my fault. I run AdGuard as well as MWB. Someone on the AG forum had an issue with an email that contained pixels and caused problems and queried about the negative effects.

The OP here began his/her question by talking about receiving an email and then having some problems. So I asked if it were possible that the email had the pixel embedded. That was all. From what I understand from Google searches, the pixels can be good or bad. I was curious, so I asked. Maybe I should not have chimed in, but I thought the pixels could be malicious. Thanks for your explanation.


To sum this up...

To make a real determination upon any email, we would need to see the email in RAW format. That is the email's full header and body of the message in its raw, uninterpreted and non-rendered state.

How one retrieves that depends on the email client or web browser. For example, in AOL Webmail you open the intended email and choose More ---> View Message Source.

Without examining the RAW email contents, everything is all speculation.

The following is an example of a redacted email's full header from a US House of Representatives email in RAW format...

Received: from 10.196.194.208
 by atlas208.aol.mail.bf1.yahoo.com with HTTP; Thu, 18 Feb 2021 15:29:46 +0000
Return-Path: <#########@mail.house.gov>
Received: from 143.228.145.95 (EHLO serg-bulk3-h.house.gov)
 by 10.196.194.208 with SMTPs; Thu, 18 Feb 2021 15:29:46 +0000
X-Originating-Ip: [143.228.145.95]
Received-SPF: pass (domain of mail.house.gov designates 143.228.145.95 as permitted sender)
Authentication-Results: atlas208.aol.mail.bf1.yahoo.com;
 dkim=pass header.i=@house.gov header.s=august2019-msgb-hg;
 spf=pass smtp.mailfrom=mail.house.gov;
 dmarc=pass(p=NONE) header.from=mail.house.gov;
X-Apparently-To: <redacted>; Thu, 18 Feb 2021 15:29:46 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=house.gov; h=message-id :
 list-unsubscribe : mime-version : from : to : date : subject :
 content-type; s=august2019-msgb-hg;
 bh=ULzfH/oGWrOG9uajrFth3+RUhDagW61O4cW5EfEhjpk=;
 b=BkzjmzGQaK6CCjyghHmHwxErJaA4Yr7VNZMVi4LeH1ivpOlw3rpAHMnvK9+DrjRqx8ox
 Ag2U4rNXSqzpaAZWBoVx3CH6O78d0d9XxMhkTyTtg7ssCg7x57VzD/NgpH97TzgDgpJ2
 MoVaZ1oZYUxZulLfgbQc+tAHUl1P/NSGLeITRhzAlBcERE4cBsGu4bfgRblnb9Mm5Xkc
 wdcWyplHhaicxBg/CWSNWXRayylTI4EAXA/sYN0CcfqDDMX9C2dC2U+/7A2Dwg7Mvi0J
 pPZBnB3AgWTBRuaUgnvdhu2wJx+XNcHdjn5UdTWaMVZRPVscZdaygHI9NiI+yr/ivAsY gA== 
Received: from FIRESIDESERV03 (firesideserv03.us.house.gov [143.228.58.103])
	by serg-bulk3-h.house.gov (8.16.0.27/8.16.0.27) with ESMTP id 11IFTkXv013631
	for <redacted>; Thu, 18 Feb 2021 10:29:46 -0500
envelope-from: ########@mail.house.gov
Errors-To: bounce@emanager.house.gov
X-Errors-To: bounce@emanager.house.gov
Message-ID: <T4sraud6emUE4yrVFPOL+4nARk5aNJ2r800E1vp2NM84FLH4rhPErpqC5xtTWHbvBsDpgQFgfCHmxpIGlkDW2Hp7QO2Bgi5s/isgQuL28S2684AuPTNI8MDv/4JbLSbshnczS8yrjO4jPXApEVzfjXYPoSDp3HYMikKSgaWChuZxeXBTkvz4sErrzShm9rp+@fireside21.com>
X-House-Vendor-Seg: unmanaged
List-Unsubscribe: <https://#########.house.gov/forms/emailsignup/?Delete=true&MessageID=539&Email=<redacted>&Submit=true>
Precedence: bulk
MIME-Version: 1.0
From: "Congressman #######" <##########@mail.house.gov>
To: <redacted>
Date: 18 Feb 2021 10:29:46 -0500
Subject: Join me Friday for a virtual veterans roundtable	
Content-Type: multipart/alternative;
 boundary=--boundary_1781796_eed9aab1-98c9-4025-9aa9-ec80837e9506
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.369,18.0.761
 definitions=2021-02-18_06:2021-02-18,2021-02-18 signatures=0
Content-Length: 12316

 

 

Edited by David H. Lipman
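An added example (my own Python, not code from the forum or from Malwarebytes) of what to look for once you have the Raw Source described above: the receiving server's dkim/spf/dmarc verdicts from Authentication-Results, and every remote img src= URL in the HTML body, flagging 1x1 images as likely tracking pixels. The message is constructed for the example and every host and address in it is a placeholder.

```python
import email
import re
from email import policy
from html.parser import HTMLParser

# Constructed sample modelled on the redacted header quoted above; hosts are placeholders.
RAW = """Received: from mx.example.net (mx.example.net [198.51.100.7])
 by mail.example.org with ESMTP; Thu, 18 Feb 2021 10:29:46 -0500
Authentication-Results: mail.example.org;
 dkim=pass header.i=@example.net;
 spf=pass smtp.mailfrom=example.net;
 dmarc=pass(p=NONE) header.from=example.net;
Content-Type: text/html; charset="utf-8"

<html><body><p>Hi!</p>
<img src="https://track.example.net/open?id=123" width="1" height="1">
<img src="https://cdn.example.net/banner.png" width="600" height="80">
<img src="cid:logo@example.net">
</body></html>
"""
MSG = email.message_from_string(RAW, policy=policy.default)

class ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the HTML body."""
    def __init__(self):
        super().__init__()
        self.images = []
    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append(dict(attrs))

def auth_results(msg):
    """dkim/spf/dmarc verdicts recorded by the receiving server in Authentication-Results."""
    return dict(re.findall(r"\b(dkim|spf|dmarc)=(\w+)", msg.get("Authentication-Results", "")))

def _px(value):
    m = re.match(r"\d+", value or "")
    return int(m.group()) if m else None

def remote_images(msg):
    """(url, looks_like_tracking_pixel) for each remote img src=; cid:/inline images are skipped."""
    parser = ImgCollector()
    parser.feed(msg.get_body(preferencelist=("html",)).get_content())
    out = []
    for a in parser.images:
        src = a.get("src", "")
        if re.match(r"https?://", src):  # only these fetch from a remote server when rendered
            w, h = _px(a.get("width")), _px(a.get("height"))
            out.append((src, w is not None and h is not None and w <= 1 and h <= 1))
    return out
```

A remote image is only fetched, and the sender only learns you opened the mail, when the client loads remote images, which is why the advice above is to leave that off by default.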

You are welcome. Hoping someone with more savvy than me chimes in. When I said I left them running, I should clarify. I quit Mail and Safari. The MWB and AG sit on top of the screen tool bar (?) and I did not touch them. So I suppose they were continuing to run. Apple probably has full instructions on what to and not to run during the upgrade.


I concur with @brcd's advice. I don't know of any anti-malware software that needs to be disabled in order to download a macOS update. And when you launch the update, it simply sets things up for the installation, shuts down all active processes and reboots before any actual installation takes place, so it matters not what is left running before hitting the Install button.

One additional word of advice is to unplug all external drives and other devices except for mouse/trackball and keyboard. Users find that things go smoother that way.

