Re: MBSOPPRAPP02 found VIRUS= I-Worm.Sobig.f.txt (Kaspersky) virus
On Sat, Aug 30, 2003 at 02:04:29AM +0300, Richard Braakman wrote:
> On Fri, Aug 29, 2003 at 03:52:09PM -0700, Maxi Stubbs wrote:
> > This was mailed to me; are you saying I have this virus? My
> > virus protection says I do not. I am just concerned, I am
> > getting returned mail of addresses I don't have in my book.
> > Could you help me please?
> If you're getting such a notice, it generally means this:
> 1. Someone who has your address in his address book has this virus,
> known as Sobig.F.
> 2. This virus spread to the person who sent you the notice.
> This particular virus spreads via email and always fakes the
> email headers, and in this case it used your address as the
> faked sender.
Actually, it used debian-legal itself!
> 3. The person who sent you the notice is using a broken virus
> scanner, which sends a scary warning notice to the wrong
> person, in this case you.
> (I call the scanner broken, because it managed to recognize
> the virus as Sobig.F, which is KNOWN to use a fake sender,
> so it should have known better than to mail you about it.)
Even more broken, it managed to insert the name of the virus scanner
(Kaspersky antivirus) between the words Sobig.F and virus, making it
sound like the "Kaspersky virus"...
> Note that you're not even involved until step 3, so there's nothing
> you can do about it except complain to the person in step 2.
> I get dozens of such notices a day, and I've given up on complaining
> about them. Your mileage may vary.
Mostly Ditto, but see below.
> You're asking email@example.com for help, but I doubt
> this notice was mailed to you from debian-legal. We don't use broken
> virus scanners. From the mail you quoted:
Actually, you do, one of the bounces I received was from gluck.debian.org
complaining that the virus was undeliverable to murphy.debian.org because
    SMTP error from remote mailer after end of data:
    host murphy.debian.org [22.214.171.124]: 550 Error:
    no executable attachments allowed
This bounce INCLUDED the virus and was caught by my procmail recipe
for catching Sosmall.f.
> > The message is currently Purged. The message, "Your details", was
> > sent from firstname.lastname@example.org and was discovered in IMC Queues\Inbound
> > located at Reunion.com/REUNION/OPTIMUS.
> Do you have any idea what "IMC Queues" or "Reunion.com" is? They're
> probably the ones who bothered you. You can examine the headers of
> the notice you got to see where it came from. (Fortunately, those
> are generally not faked.)
IMC Queues\Inbound is the well-known name of the incoming SMTP
mail spool of a popular non-free MTA from Redmond, WA.
reunion.com is obviously the domain of the virus recipient; I
believe I have encountered their name in spam, so take care.
REUNION/OPTIMUS is the specific location within the mail spool
hierarchy of that particular server installation, it is relevant
only in case you convince email@example.com to do manual
diagnosis of the bounce.
> The returned mail you're getting is for the same reason: the
> virus spreads (from someone else's machine) with your address
> in its headers, and confused mail servers try to bounce it
> "back" to you.
This message is hastily written, please ignore any unpleasant wordings,
do not consider it a binding commitment, even if its phrasing may
indicate so. Its contents may be deliberately or accidentally untrue.
Trademarks and other things belong to their owners, if any.
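The advice above to "examine the headers of the notice you got to see where it came from" can be mechanised. The following is an added example, not code from the thread or from Debian's mail setup: it parses the Received: chain of a scanner notice, shows that the From: address (the one the worm forges) says nothing about who actually sent the notice, and walks the chain newest-first through relays you operate, since a sender can prepend forged Received: lines of its own and only the hops added by your own MTAs are worth anything. Every host, IP and address in the sample is constructed for illustration.

```python
"""Added example: trace the Received: chain of an antivirus "bounce" notice.

Sobig.F forges the From: of the copies it sends, but each relaying MTA
prepends its own Received: header to the notice, so the chain shows who
really handed the message to you. All hosts, IPs and addresses below are
constructed for this example.
"""
import email
import email.utils
import re

# Constructed sample notice: From: names a mailing list, but the Received:
# chain starts at a host belonging to the scanner's operator.
SAMPLE_NOTICE = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.recipient.example (Postfix) with ESMTP id 4F2A1
\tfor <maxi@recipient.example>; Sat, 30 Aug 2003 01:02:03 +0300
Received: from optimus.reunion.example ([198.51.100.7])
\tby mx.example.net with SMTP; Sat, 30 Aug 2003 01:01:58 +0300
From: list@lists.example
To: maxi@recipient.example
Subject: found VIRUS= I-Worm.Sobig.f.txt virus

The message "Your details" was discovered in IMC Queues\\Inbound.
"""

# "from <helo> (<reverse-dns [ip]>) by <host> ..." as most MTAs write it
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*(?:\((?P<paren>[^)]*)\))?.*?\bby\s+(?P<by>[^\s;]+)",
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_hops(raw):
    """Return the Received: hops oldest-first as dicts (helo, ip, by).

    MTAs prepend their Received: header, so header order is newest-first;
    the list is reversed so index 0 is the hop nearest the real sender.
    """
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = re.sub(r"\s+", " ", value)  # unfold continuation lines
        m = HOP_RE.search(flat)
        if not m:
            continue  # e.g. local "(qmail ... invoked by uid ...)" lines
        ip_match = IP_RE.search(m.group("paren") or "")
        hops.append({
            "helo": m.group("helo"),
            "ip": ip_match.group(1) if ip_match else None,
            "by": m.group("by"),
        })
    hops.reverse()
    return hops


def forged_sender(raw):
    """The address the scanner blamed: the From: header, which the worm forges."""
    msg = email.message_from_string(raw)
    return email.utils.parseaddr(msg.get("From", ""))[1]


def apparent_origin(hops):
    """Oldest hop in the chain: the naive guess at who sent the notice.

    Caveat: the sender can prepend Received: lines of its own, so this is
    only a guess until cross-checked with trusted_origin().
    """
    return hops[0] if hops else None


def trusted_origin(hops, trusted_relays):
    """Walk newest-first while the receiving MTA ('by') is one we operate.

    The 'from' of the last such hop is the first external host our own
    servers actually talked to, regardless of what older headers claim.
    """
    origin = None
    for hop in reversed(hops):  # newest hop first
        if hop["by"] not in trusted_relays:
            break
        origin = hop
    return origin


if __name__ == "__main__":
    hops = parse_hops(SAMPLE_NOTICE)
    print("From: header (forged, ignore):", forged_sender(SAMPLE_NOTICE))
    for i, hop in enumerate(hops):
        print(f"hop {i}: {hop['helo']} [{hop['ip']}] -> {hop['by']}")
    guess = apparent_origin(hops)
    print("apparent origin:", guess["helo"], guess["ip"])
    proven = trusted_origin(hops, {"mail.recipient.example"})
    print("first host our own MTA saw:", proven["helo"], proven["ip"])
```

With only your own MTA in the trusted set the answer is the neighbouring relay; add that relay to the set (if it is yours or you trust its logging) and the walk reaches the scanner's host, which is the party to complain to. The IP is what to send the complaint about, since the HELO name and any older headers are under the sender's control.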