
[suse-security] Fwd: Undelivered Mail Returned to Sender



Please folks, this is exactly the reason why you should NOT send bounces in 
reply to viruses. I'm very disappointed that SuSE is still not aware of the 
implications of this annoying behaviour. To summarize, only send warnings to 
authenticated senders; otherwise you might be sending them to a spoofed sender 
address.

At the same time it is a perfect example of the type of message (and the user) 
I wrote about just over an hour ago. Obviously he is still connected to this 
list, so I think it would be worthwhile to run a scan to see who it is and to 
unsubscribe him. As can be seen from the bounce message, the message 
originated from pD951F606.dip.t-dialin.net [217.81.246.6] too. This system is 
NOT supposed to send mail on behalf of the 'de-korte.org' domain, and I doubt 
the HELO 'suse.com' is valid either.

As a side note, it is easy to drop this particular virus by using the Postfix 
'smtpd_helo_restrictions' to drop all hosts claiming to be from within your 
own domain which you know are not.

----------  Forwarded Message  ----------

Subject: Undelivered Mail Returned to Sender
Date: Friday 04 June 2004 10:20
From: MAILER-DAEMON@xxxxxxx (Mail Delivery System)
To: suse-security@xxxxxxxxxxxx

This is the Postfix program at host hermes.suse.de.

I'm sorry to have to inform you that the message returned
below could not be delivered to one or more destinations.

For further assistance, please send mail to <postmaster>

If you do so, please include this problem report. You can
delete your own text from the message returned below.

			The Postfix program

<25866@xxxxxxx>: unknown user: "25866"

-------------------------------------------------------

Encapsulated message

Received: from scanhost.suse.de (scanhost.suse.de [10.0.0.5])
        by hermes.suse.de (Postfix) with ESMTP id 85C238C9D
        for <25866@xxxxxxx>; Fri,  4 Jun 2004 10:20:20 +0200 (CEST)
 Received: by scanhost.suse.de (Postfix, from userid 0)
        id 7B27951E5F; Fri,  4 Jun 2004 10:20:20 +0200 (CEST)
 Delivered-To: virus-quarantine
 X-Quarantine-id: <virus-20040604-101415-03775-17>
 Received: from Cantor.suse.de (cantor.suse.de [195.135.220.2]) (using TLSv1 
with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits)) (No client certificate 
requested)
        by hermes.suse.de (Postfix) with ESMTP id 953E669115
        for <25866@xxxxxxx>; Fri,  4 Jun 2004 10:13:46 +0200 (CEST)
 Received: from suse.de (pD951F606.dip.t-dialin.net [217.81.246.6])
        by Cantor.suse.de (Postfix) with ESMTP id 4B95668F3BE
        for <25866@xxxxxxx>; Fri,  4 Jun 2004 10:13:32 +0200 (CEST)
 From: suse-security@xxxxxxxxxxxx
 To: 25866@xxxxxxx
 Subject: Re: Your music
 Date: Fri, 4 Jun 2004 10:26:56 +0200
 MIME-Version: 1.0
 Content-Type: text/plain; charset="us-ascii"
 Message-Id: <20040604081332.4B95668F3BE@xxxxxxxxxxxxxx>
 X-AMaViS-Alert: INFECTED, message contains virus: Worm.SomeFool.Gen-1
 X-Converted-To-Plain-Text: from multipart/mixed by demime 1.1d
 X-Converted-To-Plain-Text: Alternative section used was text/plain
 
Please have a look at the attached file.

[the SUSE virus scanner removed an attachment of type application/octet-stream 
which had a name of mp3music.pif]
[if you need the message in its original form including all attachments, 
please ask the SENDER for a version free of viruses]

End of encapsulated message

-- 
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here
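Added example (not from the post, SuSE or Postfix): the HELO rule the poster suggests, written as the decision function of a Postfix SMTPD access-policy service (what check_policy_service in smtpd_helo_restrictions would consult) instead of a static check_helo_access map, so the "own network" exception can be evaluated against the client address. The domains, networks and request values are constructed placeholders; the name=value request and the action=REJECT/DUNNO reply follow Postfix's policy-delegation protocol.

```python
import ipaddress

# Constructed placeholders: the domains this server speaks for and its own networks.
OUR_DOMAINS = {"example.org"}
OUR_NETWORKS = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("127.0.0.0/8")]


def parse_policy_request(raw):
    """Parse one Postfix policy request: 'name=value' lines ended by a blank line."""
    attrs = {}
    for line in raw.splitlines():
        if not line.strip():
            break                                   # blank line ends the request
        name, _, value = line.partition("=")
        attrs[name.strip().lower()] = value.strip()
    return attrs


def helo_claims_our_domain(helo):
    """True if the HELO name is one of our domains or a host under one of them."""
    helo = helo.lower().rstrip(".")
    return any(helo == d or helo.endswith("." + d) for d in OUR_DOMAINS)


def client_is_ours(addr):
    """True if the connecting client's address lies inside our own networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:                              # unparsable: treat as foreign
        return False
    return any(ip in net for net in OUR_NETWORKS)


def helo_policy(attrs):
    """Policy reply: REJECT a foreign host greeting with our name, else DUNNO."""
    helo = attrs.get("helo_name", "")
    client = attrs.get("client_address", "")
    if helo_claims_our_domain(helo) and not client_is_ours(client):
        return f"action=REJECT HELO {helo} not permitted from {client}"
    return "action=DUNNO"                           # let later restrictions decide


# Constructed request in the shape Postfix sends a policy service: a dial-up
# client greeting with our own domain, like the worm in the bounce above.
SAMPLE_REQUEST = ("request=smtpd_access_policy\nprotocol_state=RCPT\n"
                  "client_address=203.0.113.7\nhelo_name=example.org\n"
                  "sender=list@example.org\n\n")
```

Postfix evaluates HELO restrictions at RCPT TO by default (smtpd_delay_reject), which is why the sample request carries protocol_state=RCPT; a real service writes the reply followed by an empty line back on the socket.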