This really speaks for itself. Not only did the admins of this domain screw up by setting up their e-mail antivirus system to "bounce" detected virus messages (and as most of you know, the "From:" and "Return-Path:" headers in such viruses are nearly always forged/random), when I tried to notify them of it, the message bounced: their mail server was down! Also notice the "From:" line of the bounce had our domain, not theirs,. as the return address. Grr!!
I've used the nonexistent "example.edu" in place of where I found this, and (reluctantly) obfuscated the address of the company who operates this incorrectly set up mail server.
From: Webshield.SMTP.V4.5.MR1a.Mail.Service@example.edu
To: <me@example.edu>
Subject: Returned Mail: Error During Delivery
Date: Wed Feb 04 15:01:39 2004
Message-Id: <200402041757.i14HvTs30898@example.edu>
------ Here is your List of Failed Recipients ------
<postmaster@example.cl>
Mail Server is down or unreachable.
-------- Here Is Your Returned Mail --------
Received: FROM example.edu BY ns.example.cl ; Wed Feb 04 14:50:57 2004 -0400
Received: by example.edu (Postfix, from userid 90210)
id 0D1A613CDA0; Wed, 27 Feb 2002 19:45:01 -0500 (EST)
Message-ID: <15485.32141.475265.252666@gargle.gargle.HOWL>
Date: Wed, 27 Feb 2002 19:45:01 -0500
From: Patrick P Murphy <me@example.edu>
To: postmaster@example.cl
Subject: Please change your virus gateway settings.
X-Mailer: VM 7.18 under Emacs 21.2.1
If your webshield e-mail antivirus software detects MyDoom -- which
always forges the "From:" and "Return-path:" headers -- why are you
bouncing this message to someone who did not send it? Please stop doing
this, it just annoys mail administrators. Thanks.
--
Patrick P. Murphy, Ph.D. Division Head, CV Computing, NRAO
Home: http://goof.com/~pmurphy/ Work: http://www.nrao.edu/~pmurphy/
"Laws of nature are...just parochial by-laws in our cosmic patch"
- Martin Rees
------- start of forwarded message (RFC 934 encapsulation) -------
Return-Path: <MAILER-DAEMON@example.edu>
Received: from ns.example.cl (ns.example.cl [64.76.142.18])
by example.edu (8.11.6/8.11.6) with SMTP id i14HLqs25817
for <mailman-owner-nospam@example.edu>; Wed, 4 Feb 2004 12:21:52 -0500
X-MailScanner: Found to be clean
To: <mailman-owner-nospam@example.edu>
Subject: Virus Detected by Network Associates, Inc. Webshield SMTP V4.5 MR1a
Date: Wed Feb 04 14:25:11 2004
Message-Id: <200402041721.i14HLqs25817@example.edu>
X-Mailer: Network Associates, Inc. Webshield SMTP, Version 4.5 MR1a
Se ha detectado el Virus W32/Mydoom.a@MM en el archivo adjunto message.zip enviado
desde <mailman-owner-nospam@example.edu> y ha sido eliminado
------- end -------