Tuesday, October 16, 2012

Notice of Delivery email from BT Business Direct

Important Update - As per the comments this email comes with an attachment that should NOT be opened; mine got automatically quarantined hence me missing it apparently it is a Trojan i.e. something nasty.

Just had an interesting email from BT Business Direct telling me they've accepted and dispatched my order that I made yesterday. Which would be great if I'd made an order.

A quick look at their website and a phone number (which isn't on their email) 0870 4293010 a press of "2" twice and a "high volume of calls" later and I'm talking to someone.

They're currently running around "like headless chickens" the computers have sent out a bunch of emails of this nature to email addresses they don't even have registered with them detailing orders that aren't on their system.

So there's no delivery and I'm not going to be suddenly charged for something. Oh and incidentally these are generated from their system [or perhaps not despite what they themselves said] and the links etc. are genuine so it's not even a phishing attempt. Has someone been hacked?

[Updates as per the comments below (thank-you) - the sent path is enquiries@businessdirectbt.com; the return path is cookedx34@businessdirectbt.com. Coming from server eleusis.dabs.com however I also have a mail.ruj-sp.si which is Slovenia.

It appears someone's mimicking a BT order form complete with correct links and attaching a crudely hidden Trojan to it.

As per usual I've never known a larger business send a PDF in a zip file so always treat such as very suspicious]


Anonymous said...

I got one of these emails too. The email carried an attachment which was a ZIP archive containing a file named [order number].pdf.exe.

That looks supiciously like an attempt to get some code running on my computer... an old-fashioned Trojan virus?

Anonymous said...

I got three of these today. They are clearly suspicious and any attachment that attempts at being a PDF but is in fact an exe in "disguise" is not to be touched. Delete!

Ferrousity said...

Ditto...just received same mail

LazerFX said...

I see four possibilities:

First, they didn't sent them, someone else did but spoofed it so it appeared to come from them. Bad other person, BT should realise this by looking at the e-mail headers, they're not handling it properly.

Second is they did send it, due to a bug in their systems. Ooops, really nasty, but not a major problem.

Third one is that this is a training excercise / test system bug, in which case they need to tighten up resources.

Fourth one is they've been hacked and don't know it. Who knows?

Anonymous said...

I just got one too. The headers show it's been routed via a Dabs mail server. I looked hard at the headers to see if it was gennuine or not, it's well crafted but the giveaway is the exe disguised as a pdf in the zip. Luckily my virus scanner caught it.

Received: from [] (unknown [])
by MX.myserver.net (Postfix) with ESMTP id E400712ACA
for ; Tue, 16 Oct 2012 10:00:52 +0100 (BST)
Received: from eleusis.dabs.com (eleusis.dabs.com [])
(using TLSv1 with cipher RC4-MD5 (128/128 bits))
(No client certificate requested)
by mail2.bronco.co.uk (Postfix) with ESMTP id A491CF94889
for <>; Tue, 16 Oct 2012 10:00:52 +0100
Received: from angelia1.intranet.dabs.com ( by
mail.intranet.dabs.com ( with Microsoft SMTP Server (TLS) id
8.1.436.0; Tue, 16 Oct 2012 10:00:52 +0100

Anonymous said...

Me too - similar headers to post above.

Anonymous said...


Unfortunately I DID open the 'pdf', since I am waiting for a delivery and thought for a moment that the message was real. Once I noticed, I switched off the machine, but it was too late. Up on reboot I had a new'c:\windows\system32\WwYNcVC.exe' in my HKCU, RUN registry entry. Fortunately this module can be simply deleted..

Anonymous said...

Hi, well.. it is a bit more complicated than deleting the exe, since the trojan morphes to another one... 67072 bytes in length. To completely remove it, you should boot in safe mode and remove the program AND the entry into the registry.

Elizabeth Braun said...

I got this one too today. It was obvious it was malware as I'd ordered nothing from them and, frankly, who sends notices of *delivery*? Shipment perhaps, but delivery, no! Anyway, as I saw it on my phone, I was able to delete it from my mail server before it had chance to get into my computer system.

I suppose it's someone with a hate at BT trying to cause them the mayhem they obviously have done! Some people are just TOO sad for words!

Matthew said...

Engineers at ActivSoftware recently announced their new algorithm called 'slow start outbound connection ramping.' This new server technology attempts to avoid becoming flagged as spam by automatically monitoring delivery success and failure rates and adjusting simultaneous connections to an email service provider based upon those parameters. It begins with a very low number of simultaneous connections to any one ESP for any one IP address. It monitors delivery failure to success ratios and slowly ramps up the number of connections to that ESP from that particular IP.

Email Delivery

Unknown said...

Great Ideas and information...