[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[suse-security] Fwd: Undelivered Mail Returned to Sender
Please folks, this is exactly the reason why you should NOT send bounces in
reply to virusses. I'm very disappointed that SuSE is still not aware of the
implications of this annoying behaviour. To summarize, only send warnings to
authenticated senders otherwise you might be sending it to a spoofed sender
At the same time it is a perfect example of the type of message (and the user)
I wrote about just over an hour ago. Obviously he is still connected to this
list, so I think it would be worthwile to run a scan who it is and to
unsubscribe him. As can be seen from the bounce message, the message
originated from pD951F606.dip.t-dialin.net [18.104.22.168] too. This system is
NOT supposed to send mail on behalf of the 'de-korte.org' domain. And I doubt
the HELO 'suse.com' is valid either.
As a side note, it is easy to drop this particular virus by using the Postfix
'smtpd_helo_restrictions' to drop all hosts claiming to be from within your
own domain, which you know, are not.
---------- Forwarded Message ----------
Subject: Undelivered Mail Returned to Sender
Date: Friday 04 June 2004 10:20
From: MAILER-DAEMON@xxxxxxx (Mail Delivery System)
This is the Postfix program at host hermes.suse.de.
I'm sorry to have to inform you that the message returned
below could not be delivered to one or more destinations.
For further assistance, please send mail to <postmaster>
If you do so, please include this problem report. You can
delete your own text from the message returned below.
The Postfix program
<25866@xxxxxxx>: unknown user: "25866"
Received: from scanhost.suse.de (scanhost.suse.de [10.0.0.5])
by hermes.suse.de (Postfix) with ESMTP id 85C238C9D
for <25866@xxxxxxx>; Fri, 4 Jun 2004 10:20:20 +0200 (CEST)
Received: by scanhost.suse.de (Postfix, from userid 0)
id 7B27951E5F; Fri, 4 Jun 2004 10:20:20 +0200 (CEST)
Received: from Cantor.suse.de (cantor.suse.de [22.214.171.124]) (using TLSv1
with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits)) (No client certificate
by hermes.suse.de (Postfix) with ESMTP id 953E669115
for <25866@xxxxxxx>; Fri, 4 Jun 2004 10:13:46 +0200 (CEST)
Received: from suse.de (pD951F606.dip.t-dialin.net [126.96.36.199])
by Cantor.suse.de (Postfix) with ESMTP id 4B95668F3BE
for <25866@xxxxxxx>; Fri, 4 Jun 2004 10:13:32 +0200 (CEST)
Subject: Re: Your music
Date: Fri, 4 Jun 2004 10:26:56 +0200
Content-Type: text/plain; charset="us-ascii"
X-AMaViS-Alert: INFECTED, message contains virus: Worm.SomeFool.Gen-1
X-Converted-To-Plain-Text: from multipart/mixed by demime 1.1d
X-Converted-To-Plain-Text: Alternative section used was text/plain
Please have a look at the attached file.
[the SUSE virus scanner removed an attachment of type application/octet-stream
which had a name of mp3music.pif]
[if you need the message in its original form including all attachments,
please ask the SENDER for a version free of viruses]
End of encapsulated message
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here