This really speaks for itself. Not only did the admins of this domain screw up by setting up their e-mail antivirus system to "bounce" detected virus messages (and as most of you know, the "From:" and "Return-Path:" headers in such viruses are nearly always forged/random), when I tried to notify them of it, the message bounced: their mail server was down! Also notice the "From:" line of the bounce had our domain, not theirs, as the return address. Grr!!
I've used the nonexistent "example.edu" in place of where I found this, and (reluctantly) obfuscated the address of the company who operates this incorrectly set up mail server.
From: Webshield.SMTP.V4.5.MR1a.Mail.Service@example.edu
To: <email@example.com>
Subject: Returned Mail: Error During Delivery
Date: Wed Feb 04 15:01:39 2004
Message-Id: <200402041757.i14HvTs30898@example.edu>

------ Here is your List of Failed Recipients ------
<firstname.lastname@example.org>
Mail Server is down or unreachable.

-------- Here Is Your Returned Mail --------
Received: FROM example.edu BY ns.example.cl ; Wed Feb 04 14:50:57 2004 -0400
Received: by example.edu (Postfix, from userid 90210) id 0D1A613CDA0; Wed, 27 Feb 2002 19:45:01 -0500 (EST)
Message-ID: <email@example.com.HOWL>
Date: Wed, 27 Feb 2002 19:45:01 -0500
From: Patrick P Murphy <firstname.lastname@example.org>
To: email@example.com
Subject: Please change your virus gateway settings.
X-Mailer: VM 7.18 under Emacs 21.2.1

If your webshield e-mail antivirus software detects MyDoom -- which always forges the "From:" and "Return-path:" headers -- why are you bouncing this message to someone who did not send it? Please stop doing this, it just annoys mail administrators. Thanks.

--
Patrick P. Murphy, Ph.D. Division Head, CV Computing, NRAO
Home: http://goof.com/~pmurphy/ Work: http://www.nrao.edu/~pmurphy/
"Laws of nature are...just parochial by-laws in our cosmic patch" - Martin Rees

------- start of forwarded message (RFC 934 encapsulation) -------
Return-Path: <MAILER-DAEMON@example.edu>
Received: from ns.example.cl (ns.example.cl [126.96.36.199]) by example.edu (8.11.6/8.11.6) with SMTP id i14HLqs25817 for <firstname.lastname@example.org>; Wed, 4 Feb 2004 12:21:52 -0500
X-MailScanner: Found to be clean
To: <email@example.com>
Subject: Virus Detected by Network Associates, Inc. Webshield SMTP V4.5 MR1a
Date: Wed Feb 04 14:25:11 2004
Message-Id: <200402041721.i14HLqs25817@example.edu>
X-Mailer: Network Associates, Inc. Webshield SMTP, Version 4.5 MR1a

Se ha detectado el Virus W32/Mydoom.a@MM en el archivo adjunto message.zip enviado desde <firstname.lastname@example.org> y ha sido eliminado
------- end -------
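For mail administrators on the receiving end of notices like the one quoted above, here is one way to separate antivirus backscatter from bounces for mail the site really sent. This is an added example, not part of the original page; the `sent_ids` log of outbound Message-IDs, the marker regex and the label names are assumptions made for illustration.

```python
import email
import re

# Heuristic markers (assumed) taken from the Subject/X-Mailer of the quoted notice.
AV_MARKERS = re.compile(r"virus (detected|found)|webshield", re.I)
AUTO_LOCALPARTS = {"mailer-daemon", "postmaster"}

# Constructed sample modelled on the forwarded notification; addresses are placeholders.
SAMPLE = """\
Return-Path: <MAILER-DAEMON@example.edu>
To: <email@example.com>
Subject: Virus Detected by Network Associates, Inc. Webshield SMTP V4.5 MR1a
X-Mailer: Network Associates, Inc. Webshield SMTP, Version 4.5 MR1a

Se ha detectado el Virus W32/Mydoom.a@MM en el archivo adjunto message.zip
"""

def is_automated(msg):
    """True for bounces and robot notices: null or daemon sender, or Auto-Submitted."""
    has_rp = "Return-Path" in msg
    rp = msg.get("Return-Path", "").strip().strip("<>").lower()
    null_sender = has_rp and rp == ""
    daemon = rp.split("@", 1)[0] in AUTO_LOCALPARTS
    auto = msg.get("Auto-Submitted", "no").strip().lower() != "no"
    return null_sender or daemon or auto

def classify(raw, sent_ids):
    """Label one inbound message given the Message-IDs we really sent (hypothetical log)."""
    msg = email.message_from_string(raw)
    if not is_automated(msg):
        return "normal"
    if any(mid in raw for mid in sent_ids):
        return "bounce-for-our-mail"      # quotes a message we actually sent
    headers = msg.get("Subject", "") + " " + msg.get("X-Mailer", "")
    return "av-backscatter" if AV_MARKERS.search(headers) else "backscatter"

if __name__ == "__main__":
    print(classify(SAMPLE, sent_ids=set()))
```

A notice that quotes no Message-ID from the outbound log cannot be a reply to anything the site sent, which is exactly the forged-sender case the page complains about.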