tecknojunky Veteran
Joined: 19 Oct 2002 Posts: 1937 Location: Montréal
Posted: Thu Jun 17, 2004 1:24 am Post subject: DOMINICAN SISTERS OF MSJ

I'm receiving this over and over again:

Code:
De: MAILER-DAEMON@courriels.inet
À: postmaster@courriels.inet
Sujet: failure notice
Date: 14 Jun 2004 18:03:56 -0400
Hi. This is the qmail-send program at courriels.inet.
I tried to deliver a bounce message to this address, but the bounce bounced!
<root@localhost.courriels.inet>:
Sorry, I couldn't find any host named localhost.courriels.inet. (#5.1.2)
--- Below this line is the original bounce.
Return-Path: <>
Received: (qmail 25143 invoked by uid 204); 14 Jun 2004 18:03:55 -0400
Date: 14 Jun 2004 18:03:55 -0400
From: "System Anti-Virus Administrator" <root@localhost.courriels.inet>
To: root@localhost.courriels.inet
Subject: problem found in sent message "DOMINICAN SISTERS OF MSJ"
Message-ID: <baby108725063542625112@baby>
X-Tnz-Problem-Type: 40
MIME-Version: 1.0
Content-type: text/plain
Attention: grafb@pa.net
A problem was found in an Email message you sent.
This Email scanner intercepted it and stopped the entire message
reaching its destination.
The problem was reported to be:
Illegal breakage found in header name - potential virus
Please contact your I.T support personnel with any queries regarding this
policy.
Your message was sent with the following envelope:
MAIL FROM: grafb@pa.net
RCPT TO: hiuk@tecknojunky.com
... and with the following headers:
---
MAILFROM: grafb@pa.net
Received: from unknown (HELO mail-kr3.tecknojunky.com) (65.203.50.8)
by 0 with SMTP; 14 Jun 2004 18:03:50 -0400
Message-ID: <x955364329.9797554154378023932@ktjtrxrnw>
From: DOMINICAN SISTERS OF MSJ <grafb@pa.net>
To: <hiuk@tecknojunky.com>
Subject: DOMINICAN SISTERS OF MSJ
Date: Wed, 16 Jun 2004
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_Part_14472_8440654.6170646504371"
X-Priority: 3
Microsoft Outlook Express 5.00.2314.1300
---
The original message is kept in:
baby:/var/spool/qmailscan/quarantine
where the System Anti-Virus Administrator can further diagnose it.
The Email scanner reported the following when it scanned that message:
---
---perlscanner results ---
problem 'Illegal breakage found in header name - potential virus'
found in message /var/spool/qmailscan/baby108725063442625112
---

Yet, I can't find any information on it... as if I was the only one in the world receiving this. So, I'm wondering.
_________________
(7 of 9) Installing star-trek/species-8.4.7.2::talax.
jkcunningham l33t
Joined: 28 Apr 2003 Posts: 649 Location: 47.49N 121.79W
Posted: Thu Jun 17, 2004 3:43 am Post subject:

Have you looked in your log to see if you are bouncing it back to them? (sort of playing ping-pong?), or is it just one-sided? (all coming from the other end w/o any interaction from your system)
tecknojunky Veteran
Joined: 19 Oct 2002 Posts: 1937 Location: Montréal
Posted: Thu Jun 17, 2004 3:56 am Post subject:

Well, the To: field is always different and to non-existent users on my system (ie: hiuk@tecknojunky.com).
Further, bounces to nonexistent From: will rebounce like this. So this does not do ping pong.
So this is obviously a worm or a deliberate attempt.
_________________
(7 of 9) Installing star-trek/species-8.4.7.2::talax.
jkcunningham l33t
Joined: 28 Apr 2003 Posts: 649 Location: 47.49N 121.79W
Posted: Thu Jun 17, 2004 4:10 am Post subject:

If it's to different non-existent users, you've got it: the Dominican Sisters (or whoever) have been infected and somewhere along the line it picked up your domain in its list of potential targets. Not much you can do but build a procmail rule to send them to /dev/null
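Added example, not part of the thread or of qmail-scanner: a Python triage filter that recognises the double bounce quoted in the first post, pulls the scanner notice out from under the "original bounce" marker, and marks it discardable only when the intercepted mail was addressed to no real mailbox. The function name `triage`, the `local_mailboxes` set and the abridged sample (with standard English header names) are assumptions made for the illustration.

```python
import email
import re

MARKER = "--- Below this line is the original bounce."

# Constructed sample, abridged from the bounce quoted in the thread.
SAMPLE = """\
From: MAILER-DAEMON@courriels.inet
To: postmaster@courriels.inet
Subject: failure notice

Hi. This is the qmail-send program at courriels.inet.
I tried to deliver a bounce message to this address, but the bounce bounced!

--- Below this line is the original bounce.

Return-Path: <>
From: "System Anti-Virus Administrator" <root@localhost.courriels.inet>
To: root@localhost.courriels.inet
Subject: problem found in sent message "DOMINICAN SISTERS OF MSJ"
X-Tnz-Problem-Type: 40

Attention: grafb@pa.net
Your message was sent with the following envelope:
MAIL FROM: grafb@pa.net
RCPT TO: hiuk@tecknojunky.com
"""

def triage(raw, local_mailboxes):
    """Return details of an embedded scanner notice, or None if raw is not one."""
    outer = email.message_from_string(raw)
    body = outer.get_payload()
    if "MAILER-DAEMON" not in outer.get("From", "") or not isinstance(body, str):
        return None
    if MARKER not in body:
        return None
    # Everything after the marker is the original bounce, headers first.
    inner = email.message_from_string(body.split(MARKER, 1)[1].lstrip())
    if inner.get("X-Tnz-Problem-Type") is None:
        return None
    pairs = re.findall(r"^(MAIL FROM|RCPT TO): (\S+)$", inner.get_payload(), re.M)
    envelope = dict(pairs)
    rcpt = envelope.get("RCPT TO", "").lower()
    return {
        "problem_type": inner["X-Tnz-Problem-Type"],
        "mail_from": envelope.get("MAIL FROM"),
        "rcpt_to": rcpt,
        # Safe to drop only when the intercepted mail targeted no real mailbox.
        "discard": rcpt not in local_mailboxes,
    }
```

Bounces for which `triage` returns `None`, or `discard` is false, should still reach the postmaster, since they may concern real users.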