Re: [suse-security] Fwd: Undelivered Mail Returned to Sender
I'm sorry, Arjen, if you get this message twice; I was
too fast in sending the mail.
> -----Original Message-----
> From: Arjen de Korte [mailto:suse-security@xxxxxxxxxxxx]
> Sent: Saturday, June 05, 2004 11:58 AM
> Read the message again. It was sent from 'MAILER-DAEMON@xxxxxxx' to
> 'suse-security@xxxxxxxxxxxx'. The latter was the spoofed sender address,
> so it was indeed a reply to sender.
I hope you will take another look at the message.
> Subject: Undelivered Mail Returned to Sender
> Date: Friday 04 June 2004 10:20
> From: MAILER-DAEMON@xxxxxxx (Mail Delivery System)
> To: suse-security@xxxxxxxxxxxx
This mail got sent to you from the Mailer-Daemon.
> This is the Postfix program at host hermes.suse.de.
The server that sent this mail was hermes.
> I'm sorry to have to inform you that the message returned
> below could not be delivered to one or more destinations.
> <25866@xxxxxxx>: unknown user: "25866"
It tells you the user 25866 does not exist.
Now we'll come to the mail that got sent to 25866@xxxxxxx
> Encapsulated message
> Received: from scanhost.suse.de (scanhost.suse.de [10.0.0.5])
> by hermes.suse.de (Postfix) with ESMTP id 85C238C9D
> for <25866@xxxxxxx>; Fri, 4 Jun 2004 10:20:20 +0200 (CEST)
As you can see, it got sent to 25866@xxxxxxx.
> Received: from suse.de (pD951F606.dip.t-dialin.net [126.96.36.199])
> by Cantor.suse.de (Postfix) with ESMTP id 4B95668F3BE
> for <25866@xxxxxxx>; Fri, 4 Jun 2004 10:13:32 +0200 (CEST)
> From: suse-security@xxxxxxxxxxxx
Here is your spoofed sender address.
> To: 25866@xxxxxxx
> Subject: Re: Your music
> Date: Fri, 4 Jun 2004 10:26:56 +0200
> MIME-Version: 1.0
> Content-Type: text/plain; charset="us-ascii"
> Message-Id: <20040604081332.4B95668F3BE@xxxxxxxxxxxxxx>
> X-AMaViS-Alert: INFECTED, message contains virus: Worm.SomeFool.Gen-1
> X-Converted-To-Plain-Text: from multipart/mixed by demime 1.1d
> X-Converted-To-Plain-Text: Alternative section used was text/plain
> Please have a look at the attached file.
The e-mail text of the original e-mail sent from the spoofed
suse-security@xxxxxxxxxxxx to 25866@xxxxxxx.
> [the SUSE virus scanner removed an attachment of type
> which had a name of mp3music.pif]
> [if you need the message in its original form including all
> please ask the SENDER for a version free of viruses]
This one got added by the SUSE virus scanner; that's why it tells
the recipient he/she should ask the SENDER for the attachment.
Now this modified mail should be delivered to 25866@xxxxxxxx,
which doesn't exist...
> End of encapsulated message
> > There's usually no problem in doing so because it's a notice
> > to your own users.
> Which is not the case here.
1. Virus e-mail from the spoofed suse-security@xxxxxxxxxxxx to
25866@xxxxxxx is sent.
2. scanhost.suse.de scans the mail for viruses and removes
the attachment, but inserts a warning that the attachment
3. scanhost.suse.de relays the mail to hermes.suse.de,
which probably is the server hosting the SUSE mails.
4. User 25866@xxxxxxx does not exist, so hermes sends a bounce
to the (spoofed) sender.
> > The mail you got was just a legit "User Unknown" bounce.
> You are a perfect example of people falling in the trap I was
> warning for.
I still say it's a legit bounce.
I'm awaiting your answer and wonder if you will prove me wrong.
> Best regards,
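The header walk the poster does by hand above (find the failed recipient, follow the Received chain of the encapsulated message back to its first hop, compare the claimed sender with where the mail actually entered the system) can be automated. The following is an added example written for this thread, not code from the list or from SUSE. The bounce is reconstructed from the headers quoted above, with the redacted addresses replaced by example.invalid placeholders; the set of "our" outbound relays is an assumption made for the example.

```python
"""Decide whether a non-delivery report (bounce) is backscatter: a bounce
for a message that the named sender never sent, because a worm forged the
sender address.  Example code written for this thread, not from the list."""
import re
from email import message_from_string

# Constructed sample, modelled on the bounce quoted in the thread.  Redacted
# addresses are replaced with example.invalid placeholders; hostnames are the
# ones that appear in the quoted headers.
SAMPLE_BOUNCE = """\
From: MAILER-DAEMON@example.invalid (Mail Delivery System)
To: suse-security@example.invalid
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain

This is the Postfix program at host hermes.suse.de.
<25866@example.invalid>: unknown user: "25866"

--B1
Content-Type: message/rfc822

Received: from scanhost.suse.de (scanhost.suse.de [10.0.0.5])
\tby hermes.suse.de (Postfix) with ESMTP id 85C238C9D
\tfor <25866@example.invalid>; Fri, 4 Jun 2004 10:20:20 +0200 (CEST)
Received: from suse.de (pD951F606.dip.t-dialin.net [126.96.36.199])
\tby Cantor.suse.de (Postfix) with ESMTP id 4B95668F3BE
\tfor <25866@example.invalid>; Fri, 4 Jun 2004 10:13:32 +0200 (CEST)
From: suse-security@example.invalid
To: 25866@example.invalid
Subject: Re: Your music
X-AMaViS-Alert: INFECTED, message contains virus: Worm.SomeFool.Gen-1

Please have a look at the attached file.
--B1--
"""

# Hosts from which mail for our domain legitimately leaves (assumption for
# the example: the relays named in the quoted headers).
OUR_OUTBOUND_HOSTS = {"hermes.suse.de", "cantor.suse.de", "scanhost.suse.de"}

# "from <helo> (<reverse-dns> [<ip>]) by <relay>" as Postfix writes it.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\]]+)\s+\[(?P<ip>[\d.]+)\]\)\s+by\s+(?P<by>\S+)"
)


def parse_received(value):
    """Split one Received: header into its hop fields (None if unparseable)."""
    flat = " ".join(value.split())  # undo header folding
    m = RECEIVED_RE.search(flat)
    return m.groupdict() if m else None


def classify_bounce(raw, our_address):
    """Return the facts a human would check: who bounced what, where the
    original really entered the mail system, and whether that makes the
    bounce backscatter to a spoofed sender."""
    msg = message_from_string(raw)
    report = {"failed_recipient": None, "failure_reason": None,
              "claimed_sender": None, "origin": None, "virus_alert": None,
              "backscatter": False}
    if msg.get_content_type() != "multipart/report":
        return report  # not a DSN at all
    for part in msg.get_payload():
        ctype = part.get_content_type()
        if ctype == "text/plain" and report["failed_recipient"] is None:
            # Human-readable part: "<user@host>: unknown user: ..."
            m = re.search(r"<([^>]+)>:\s*(.+)", part.get_payload())
            if m:
                report["failed_recipient"], report["failure_reason"] = m.groups()
        elif ctype == "message/rfc822":
            inner = part.get_payload(0)  # the returned original message
            report["claimed_sender"] = inner.get("From")
            report["virus_alert"] = inner.get("X-AMaViS-Alert")
            hops = [h for h in map(parse_received, inner.get_all("Received", [])) if h]
            if hops:
                report["origin"] = hops[-1]  # last Received = first hop
    # Backscatter: the bounce comes back to us, the returned message claims
    # to be from us, yet it entered the mail system from a host that is not
    # one of ours -> the sender address was forged.
    origin = report["origin"]
    if (msg.get("To") == our_address
            and report["claimed_sender"] == our_address
            and origin is not None
            and origin["rdns"].lower() not in OUR_OUTBOUND_HOSTS):
        report["backscatter"] = True
    return report


if __name__ == "__main__":
    for k, v in classify_bounce(SAMPLE_BOUNCE, "suse-security@example.invalid").items():
        print(f"{k}: {v}")
```

For the constructed sample the first hop is the dial-in host pD951F606.dip.t-dialin.net handing the message to Cantor.suse.de while announcing itself as suse.de, so the message never left through one of the trusted relays and the bounce is classified as backscatter; the virus-scanner header is carried along as supporting evidence. Both sides of the thread are right in their own terms: it is a regular "user unknown" bounce, and it went to a sender address that was forged.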