[Dshield] Polish Baloney

Jon R. Kibler Jon.Kibler at aset.com
Wed Oct 22 18:37:44 GMT 2003


snuffy smith wrote:
<SNIP!>
> This e-mail is generated by the krypton.azoty.pulawy.pl mail server to
> warn you that the e-mail
> sent by <not disclosed> to <not disclosed> is infected with virus: Win32/Bugbear.B@mm.
> 
> Please contact your system administrator for further information.
> 
<SNIP!>

The problem is that someone forged your email address as the sender. Most likely, your email address was in someone else's address book (probably some spammer) whose system got infected with BugBear -- and your email address was harvested from their address book (or Inbox or other folder) as someone whose address to use as the sender. I would also be surprised if that infected system did not try to send you a copy of the virus, with the sender masquerading as someone else in that infected system's address book.

For more details, on this specific virus, see: http://www.symantec.com/avcenter/venc/data/w32.bugbear.b@mm.html

The REAL problem is that so many viruses forge a sender's email address, that the RFCs concerning returning undeliverable email are no longer relevant. [The RFCs require that you 'return to sender' (envelope sender -- not From:) any undeliverable message. A virus infected email is generally considered as undeliverable, and thus bounced to the sender.] 

There was a big discussion on the MIMEDefang mail list back in August that the desirable (but not technically correct) behavior is to just silently discard any virus infected emails. (See: http://lists.roaringpenguin.com/mailman/listinfo/mimedefang) This approach solves several problems:
  -- The bounces from viruses were generating as much traffic as the viruses themselves.
  -- Since most viruses now forge email headers, bouncing a virus infected email sends a copy of that virus to a new target -- which in many cases causes that system to become infected -- while doing nothing about notifying the actual infected system.
  -- It eliminates the explaining to users how they got back messages they never sent, or got messages such as you just received.

The above message says "Please contact **YOUR** system administrator for further information" (emphasis mine). What you should really do is write back the postmaster and abuse addresses at the ISP that bounced the message and ask them to stop bouncing virus infected emails. Your administrator cannot do anything about THEIR problem.

While that ISP's mail system is behaving to standards, it is not behaving to acceptable real-world conditions that have arisen recently, and they REALLY need to fix it! (To do so should be trivial -- change virus action from bounce to discard.)

Hope this clears up your message confusion!

Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC  USA
(843) 849-8214
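As an added illustration (not code from the post, and not MIMEDefang's own filter), a small Python model of the two virus actions the post contrasts: an infected message whose envelope sender is forged is run through a receiving MTA under "bounce" and under "discard", and the result shows who ends up holding a copy of the worm. All addresses, the scanner stand-in and the attachment are constructed.

```python
from dataclasses import dataclass
from email.message import EmailMessage
from typing import Optional
@dataclass
class Envelope:
    mail_from: str          # SMTP envelope sender (Return-Path), not the From: header
    rcpt_to: str
    message: EmailMessage
def scan_for_virus(msg: EmailMessage) -> Optional[str]:
    # Constructed stand-in for a real scanner: flags attachments whose name carries a marker.
    for part in msg.iter_attachments():
        if "VIRUS" in (part.get_filename() or ""):
            return "Win32/Bugbear.B@mm"
    return None
def handle(env: Envelope, policy: str, boxes: dict) -> list:
    """Receiving MTA's virus action, 'bounce' or 'discard'. boxes maps address -> delivered list."""
    name = scan_for_virus(env.message)
    if name is None:
        boxes.setdefault(env.rcpt_to, []).append(env)
        return []
    if policy == "discard":
        return []   # drop silently: no DSN, so no new copy of the virus leaves the site
    # 'bounce': the DSN goes to the envelope sender, which the worm forged
    dsn = EmailMessage()
    dsn["From"] = "postmaster@" + env.rcpt_to.split("@")[1]
    dsn["To"], dsn["Subject"] = env.mail_from, "Undeliverable: infected with " + name
    dsn.set_content("Please contact your system administrator for further information.")
    for part in env.message.iter_attachments():   # original returned, payload included
        dsn.add_attachment(part.get_payload(decode=True), maintype="application",
                           subtype="octet-stream", filename=part.get_filename())
    out = Envelope("", env.mail_from, dsn)   # DSNs carry the null envelope sender
    boxes.setdefault(env.mail_from, []).append(out)
    return [out]

def build_infected_message(forged_sender: str, victim: str) -> Envelope:
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "someone-else@example.net", victim, "hi"
    msg.set_content("see attachment")
    msg.add_attachment(b"constructed stand-in payload", maintype="application",
                       subtype="octet-stream", filename="VIRUS-sample.exe")
    return Envelope(forged_sender, victim, msg)   # envelope sender differs from From:

def simulate(policy: str) -> dict:
    boxes = {}
    outbound = handle(build_infected_message("forged@example.org", "victim@example.com"), policy, boxes)
    return {"outbound": len(outbound),
            "victim_delivered": len(boxes.get("victim@example.com", [])),
            "forged_sender_got_virus": sum(scan_for_virus(e.message) is not None for e in boxes.get("forged@example.org", []))}
```

Under "bounce" the only message that leaves the site is a DSN carrying the worm to an address that never sent it, while the infected host hears nothing; under "discard" nothing leaves at all.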



