
Re: [suse-security] Fwd: Undelivered Mail Returned to Sender



I'm sorry, Arjen, if you get this message twice; I was
too fast in sending the mail.


> -----Original Message-----
> From: Arjen de Korte [mailto:suse-security@xxxxxxxxxxxx] 
> Sent: Saturday, June 05, 2004 11:58 AM
> 
> 
> Read the message again. It was sent from 'MAILER-DAEMON@xxxxxxx' to
> 'suse-security@xxxxxxxxxxxx'. The latter was the spoofed sender address, so
> it was indeed a reply to sender.

I hope you will take another look at the message.

> Subject: Undelivered Mail Returned to Sender
> Date: Friday 04 June 2004 10:20
> From: MAILER-DAEMON@xxxxxxx (Mail Delivery System)
> To: suse-security@xxxxxxxxxxxx

This mail got sent to you from the Mailer-Daemon.

> This is the Postfix program at host hermes.suse.de.

The server that sent this mail was hermes.

> I'm sorry to have to inform you that the message returned
> below could not be delivered to one or more destinations.
> 
*snip*
> 
> <25866@xxxxxxx>: unknown user: "25866"

It tells you that the user 25866 does not exist.

Now we'll come to the mail that got sent to 25866@xxxxxxx 

> Encapsulated message
> 
> Received: from scanhost.suse.de (scanhost.suse.de [10.0.0.5])
>         by hermes.suse.de (Postfix) with ESMTP id 85C238C9D
>         for <25866@xxxxxxx>; Fri,  4 Jun 2004 10:20:20 +0200 (CEST)

As you can see, it got sent to 25866@xxxxxxx.

>  Received: from suse.de (pD951F606.dip.t-dialin.net [217.81.246.6])
>         by Cantor.suse.de (Postfix) with ESMTP id 4B95668F3BE
>         for <25866@xxxxxxx>; Fri,  4 Jun 2004 10:13:32 +0200 (CEST)
>  From: suse-security@xxxxxxxxxxxx

Here is your spoofed sender address.

>  To: 25866@xxxxxxx
>  Subject: Re: Your music
>  Date: Fri, 4 Jun 2004 10:26:56 +0200
>  MIME-Version: 1.0
>  Content-Type: text/plain; charset="us-ascii"
>  Message-Id: <20040604081332.4B95668F3BE@xxxxxxxxxxxxxx>
>  X-AMaViS-Alert: INFECTED, message contains virus: Worm.SomeFool.Gen-1
>  X-Converted-To-Plain-Text: from multipart/mixed by demime 1.1d
>  X-Converted-To-Plain-Text: Alternative section used was text/plain
>  
> Please have a look at the attached file.

The e-mail text of the original e-mail, sent from the spoofed
suse-security@xxxxxxxxxxxx to 25866@xxxxxxx.

> [the SUSE virus scanner removed an attachment of type application/octet-stream
> which had a name of mp3music.pif]
> [if you need the message in its original form including all attachments,
> please ask the SENDER for a version free of viruses]

This one got added by the SUSE virus scanner; that's why it tells
the recipient he/she should ask the SENDER for the attachment.

Now this modified mail should be delivered to 25866@xxxxxxxx,
which doesn't exist...

> End of encapsulated message


> > There's usually no problem in doing so because it's a notice to your own
> > users.
> 
> Which is not the case here.

It is.

1. Virus e-mail from spoofed suse-security@xxxxxxxxxxxx to
   25866@xxxxxxx is sent.
2. scanhost.suse.de scans the mail for viruses and removes
   the attachment, but inserts a warning that the attachment
   got removed.
3. scanhost.suse.de relays the mail to hermes.suse.de,
   which probably is the server hosting the SUSE mails.
4. User 25866@xxxxxxx does not exist, so hermes sends a bounce
   to the (spoofed) sender.
   
> > The mail you got was just a legit "User Unknown" bounce.
> 
> You are a perfect example of people falling in the trap I was 
> warning for.

I still say it's a legit bounce.
I'm awaiting your answer and wonder if you will prove me wrong.

> Best regards,
> Arjen

marc

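As an added example (not part of the thread, and not code from either poster), here is a small Python script that applies marc's reading of the headers to a constructed copy of the encapsulated message: it walks the Received: chain back to the first hop and compares that host with the From: domain and the AMaViS tag, which is how an admin would tell a bounce of worm mail with a forged sender apart from a bounce of mail they really sent. The sample headers, the masked xxxxxxx addresses and the `analyze_bounce` function name are this example's own.

```python
import email
import re
from email.message import Message

# Constructed sample, modelled on the encapsulated message quoted in the thread
# (the masked xxxxxxx addresses are kept as the list archive shows them).
ENCAPSULATED = """\
Received: from scanhost.suse.de (scanhost.suse.de [10.0.0.5])
        by hermes.suse.de (Postfix) with ESMTP id 85C238C9D
        for <25866@xxxxxxx>; Fri,  4 Jun 2004 10:20:20 +0200 (CEST)
Received: from suse.de (pD951F606.dip.t-dialin.net [217.81.246.6])
        by Cantor.suse.de (Postfix) with ESMTP id 4B95668F3BE
        for <25866@xxxxxxx>; Fri,  4 Jun 2004 10:13:32 +0200 (CEST)
From: suse-security@xxxxxxxxxxxx
To: 25866@xxxxxxx
Subject: Re: Your music
X-AMaViS-Alert: INFECTED, message contains virus: Worm.SomeFool.Gen-1

Please have a look at the attached file.
"""

# "from <HELO name> (<reverse DNS> [<ip>])", the form Postfix writes
HOP_RE = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([\d.]+)\]\)")

def first_hop(msg: Message):
    """The oldest Received: header (last in the list) is where the mail entered."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = HOP_RE.search(received[-1])
    return m.groups() if m else None   # (helo, rdns, ip)

def analyze_bounce(raw: str) -> dict:
    """Decide whether the bounced original carried a sender address not its own."""
    msg = email.message_from_string(raw)
    claimed = (msg.get("From") or "").strip()
    claimed_domain = claimed.rsplit("@", 1)[-1].lower()
    infected = "INFECTED" in (msg.get("X-AMaViS-Alert") or "")
    hop = first_hop(msg)
    if hop is None:
        return {"claimed_sender": claimed, "origin": None, "origin_ip": None,
                "infected": infected, "spoofed": False}
    helo, rdns, ip = hop
    # HELO name and From: are the sender's claims; the reverse DNS of the
    # connecting IP is the receiving server's own observation. A first hop
    # outside the From: domain means the bounce will go to an innocent party.
    spoofed = not rdns.lower().endswith(claimed_domain)
    return {"claimed_sender": claimed, "origin": rdns, "origin_ip": ip,
            "helo": helo, "infected": infected, "spoofed": spoofed}
```

Run on the sample it reports the dial-up host as the real origin and flags the suse-security address as spoofed, so the bounce is backscatter rather than a reply to something the list sent.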