Linux virus or forged address?

Rick Stevens rstevens at vitalstream.com
Mon Apr 12 20:24:49 UTC 2004


Alexander Dalloz wrote:
> Am Mo, den 12.04.2004 schrieb Jonathan Ryshpan um 20:37:
> 
> 
>>I recently received the following bounce message for a message I never
>>sent.  Is it possible that some component of my email system (fetchmail
>>+ sendmail + evolution) has been infected by a virus?  Or has someone
>>just forged my return address?
>>
>>Thanks - Jonathan Ryshpan
>>
>>-----Forwarded Message-----
>>From: MAILER-DAEMON at admin.thenth.com
>>To: jonrysh at pacbell.net
>>Subject: failure notice
>>Date: Mon, 12 Apr 2004 16:04:23 +0000
>>
>>Hi. This is the qmail-send program at admin.thenth.com.
>>I'm afraid I wasn't able to deliver your message to the following addresses.
>>This is a permanent error; I've given up. Sorry it didn't work out.
>>
>><php at elitemaps.com>:
>>This address no longer accepts mail.
> 
> 
> As others already replied it is caused by actual worms (running on
> infected Windows[tm] machines) misusing your email address from the
> address book.
> 
> And what you see too is the bad behaviour of qmail as MTA: it first
> accepts the whole mail and later produces a bounce mail, hitting you
> though you never sent the original mail.

Not necessarily.  There are a lot of ISPs that detect the virus/worm and
bounce the whole message.  Incredibly stupid.  However, your MTA should
virus scan on the fly and drop the connection if one is found.

If there are any ISPs out there, please PLEASE change your policies!  If
you detect a virus and it's a Klez or Bagle variant, throw it away as
the sender address is bogus.  Don't clog up innocent people's mailboxes
with bounces since you know darned well the sender is invalid.  In fact,
if you see ANY virus or worm, just toss the message away.  You'll be
doing everyone a huge favor by helping to stop the stupid things, as
well as putting far less load on your own servers by getting rid of the
bounce overhead.

Someone has to help stop these things, as it seems that Microsoft and
that POS "Outlook" and its kin are the cause of 95% of these bloody
things and users don't seem to be willing to update their ancient,
buggy, security-hole-ridden Outlook/OE/Exchange clients.  As soon as we
detect an incoming virus, we drop the connection with a "522 Virus
Detected" message and throw the mail away.  Done.
----------------------------------------------------------------------
- Rick Stevens, Senior Systems Engineer     rstevens at vitalstream.com -
- VitalStream, Inc.                       http://www.vitalstream.com -
-                                                                    -
-     Veni, Vidi, VISA:  I came, I saw, I did a little shopping.     -
----------------------------------------------------------------------
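The difference Rick describes, between an MTA that accepts a worm-bearing message and bounces it later and one that scans during the SMTP session and refuses it with a permanent-failure reply, can be made concrete with a small simulation. The Python below is an added illustration, not code from the original thread or from any MTA; the signature marker, the addresses, the message bodies and the `550` reply text are all constructed for the example. It models only the policy decision, not real SMTP networking, and shows why the accept-then-bounce policy sends a DSN to whatever address the worm put in `MAIL FROM`, while in-session rejection leaves the refusal with the connecting client and generates no bounce at all.

```python
"""Simulated MTA policies for a message carrying a mass-mailing worm.

Policy 1 (accept_then_bounce): reply 250 at end of DATA, scan afterwards,
and send a delivery status notification (DSN) to the envelope sender.
Policy 2 (reject_in_session): scan while the DATA phase is still open and
reply 5xx, so the message is never queued and no DSN is ever created.

All data below is constructed for the example; nothing touches the network.
"""
from dataclasses import dataclass, field
from typing import List

# Hypothetical signature set standing in for a scanner's signature database.
WORM_SIGNATURES = {b"CONSTRUCTED-WORM-MARKER-0001"}


@dataclass
class Message:
    """Minimal SMTP envelope plus body."""
    envelope_from: str   # MAIL FROM: trivially forgeable by the sender
    envelope_to: str     # RCPT TO
    body: bytes


@dataclass
class Outcome:
    """What the receiving MTA did with the message."""
    smtp_reply: str                      # reply sent at end of DATA
    delivered: bool                      # accepted into a local mailbox
    bounces_sent: List[str] = field(default_factory=list)  # DSN recipients


def scan(body: bytes) -> bool:
    """Return True if any known worm signature appears in the body."""
    return any(sig in body for sig in WORM_SIGNATURES)


def accept_then_bounce(msg: Message) -> Outcome:
    """Policy 1: accept first, scan later, bounce on detection.

    Once 250 has been sent, the MTA owns the message. The only way left to
    refuse it is a DSN to the envelope sender, which for a worm is usually
    an innocent third party harvested from an infected machine's address
    book. That DSN is the backscatter the thread complains about.
    """
    out = Outcome(smtp_reply="250 OK: queued", delivered=False)
    if scan(msg.body):
        out.bounces_sent.append(msg.envelope_from)
    else:
        out.delivered = True
    return out


def reject_in_session(msg: Message) -> Outcome:
    """Policy 2: scan during DATA and reject with a permanent-failure reply.

    The connecting client hears the 5xx itself. Responsibility for any
    notification stays with that client, so no DSN is generated and the
    forged envelope sender never hears about it.
    """
    if scan(msg.body):
        return Outcome(
            smtp_reply="550 5.7.1 Virus detected; message rejected",
            delivered=False,
        )
    return Outcome(smtp_reply="250 OK: queued", delivered=True)


# Constructed sample traffic: one worm-bearing message with a forged
# envelope sender, and one ordinary message for comparison.
WORM_MESSAGE = Message(
    envelope_from="victim@example.net",        # forged by the worm
    envelope_to="php@example.com",
    body=b"Subject: hi\r\n\r\nsee attachment\r\nCONSTRUCTED-WORM-MARKER-0001\r\n",
)
CLEAN_MESSAGE = Message(
    envelope_from="alice@example.org",
    envelope_to="bob@example.com",
    body=b"Subject: lunch\r\n\r\nnoon?\r\n",
)


def backscatter_count(policy, messages) -> int:
    """Number of DSNs a policy would emit for a batch of messages."""
    return sum(len(policy(m).bounces_sent) for m in messages)


if __name__ == "__main__":
    batch = [WORM_MESSAGE, CLEAN_MESSAGE]
    for policy in (accept_then_bounce, reject_in_session):
        print(f"{policy.__name__}: {backscatter_count(policy, batch)} bounce(s)")
        for m in batch:
            print("   ", m.envelope_from, "->", policy(m).smtp_reply)
```

Running the script prints one bounce for `accept_then_bounce` (addressed to the forged `victim@example.net`) and zero for `reject_in_session`, while the clean message is accepted under both policies. The same reasoning applies to any post-acceptance filter, not just antivirus: whatever is rejected after the `250` can only be refused by bouncing to an address the MTA cannot verify.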