Mail Delivery Subsystem
2004-Mar-22 12:29 UTC
[Shorewall-users] Returned mail: see transcript for details
The original message was received at Mon, 22 Mar 2004 15:28:59 -0500
from d01av03.pok.ibm.com [9.56.224.217]

   ----- The following addresses had permanent fatal errors -----
<862568e4@tivoli.com>
    (reason: 550 5.1.1 <862568e4@tivoli.com>... User unknown)

   ----- Transcript of session follows -----
... while talking to d03mjd01.boulder.ibm.com.:
>>> DATA
<<< 550 5.1.1 <862568e4@tivoli.com>... User unknown
550 5.1.1 <862568e4@tivoli.com>... User unknown
<<< 503 5.0.0 Need RCPT (recipient)
-------------- next part --------------
Skipped content of type message/delivery-status
-------------- next part --------------
An embedded message was scrubbed...
From: shorewall-users@shorewall.net
Subject: Hello
Date: Mon, 22 Mar 2004 21:08:00 +0100
Size: 1832
Url: http://lists.shorewall.net/pipermail/shorewall-users/attachments/20040322/ddce1eee/attachment.eml
Mail Delivery Subsystem
2004-Mar-22 12:29 UTC
[Shorewall-users] Returned mail: see transcript for details
The original message was received at Mon, 22 Mar 2004 15:29:42 -0500
from d01av03.pok.ibm.com [9.56.224.217]

   ----- The following addresses had permanent fatal errors -----
<20000522111827.a26718@tivoli.com>
    (reason: 550 5.1.1 <20000522111827.a26718@tivoli.com>... User unknown)

   ----- Transcript of session follows -----
... while talking to d03mjd01.boulder.ibm.com.:
>>> DATA
<<< 550 5.1.1 <20000522111827.a26718@tivoli.com>... User unknown
550 5.1.1 <20000522111827.a26718@tivoli.com>... User unknown
<<< 503 5.0.0 Need RCPT (recipient)
-------------- next part --------------
Skipped content of type message/delivery-status
-------------- next part --------------
An embedded message was scrubbed...
From: shorewall-users@shorewall.net
Subject: Mail Delivery (failure 20000522111827.a26718@tivoli.com)
Date: Mon, 22 Mar 2004 21:08:39 +0100
Size: 2108
Url: http://lists.shorewall.net/pipermail/shorewall-users/attachments/20040322/54dddbb5/attachment.eml
This message had a virus attached to it. Please check your system to see if it is still sending out the virus with your messages.

Aubrey

At 03:29 PM 3/22/2004 -0500, you wrote:
>The original message was received at Mon, 22 Mar 2004 15:28:59 -0500
>from d01av03.pok.ibm.com [9.56.224.217]
>
>   ----- The following addresses had permanent fatal errors -----
><862568e4@tivoli.com>
>    (reason: 550 5.1.1 <862568e4@tivoli.com>... User unknown)
>
>   ----- Transcript of session follows -----
>... while talking to d03mjd01.boulder.ibm.com.:
>>>> DATA
><<< 550 5.1.1 <862568e4@tivoli.com>... User unknown
>550 5.1.1 <862568e4@tivoli.com>... User unknown
><<< 503 5.0.0 Need RCPT (recipient)
>Reporting-MTA: dns; northrelay01.pok.ibm.com
>Received-From-MTA: DNS; d01av03.pok.ibm.com
>Arrival-Date: Mon, 22 Mar 2004 15:28:59 -0500
>
>Final-Recipient: RFC822; 862568e4@tivoli.com
>Action: failed
>Status: 5.1.1
>Remote-MTA: DNS; d03mjd01.boulder.ibm.com
>Diagnostic-Code: SMTP; 550 5.1.1 <862568e4@tivoli.com>... User unknown
>Last-Attempt-Date: Mon, 22 Mar 2004 15:29:01 -0500
>Return-Path: <shorewall-users@shorewall.net>
>Received: from e1.ny.us.ibm.com (d01av03.pok.ibm.com [9.56.224.217])
> by northrelay01.pok.ibm.com (8.12.10/NCO/VER6.6) with ESMTP id
> i2MKSwDv080188
> for <862568e4@tivoli.com>; Mon, 22 Mar 2004 15:28:59 -0500
>Received: from tivoli.com ([212.20.74.206])
> by e1.ny.us.ibm.com (8.12.10/NS PXFA) with ESMTP id i2MKS43a485946
> for <862568e4@tivoli.com>; Mon, 22 Mar 2004 15:28:26 -0500
>Message-Id: <200403222028.i2MKS43a485946@e1.ny.us.ibm.com>
>From: shorewall-users@shorewall.net
>To: 862568e4@tivoli.com
>Subject: Hello
>Date: Mon, 22 Mar 2004 21:08:00 +0100
>MIME-Version: 1.0
>Content-Type: multipart/mixed;
> boundary="----=_NextPart_000_0016----=_NextPart_000_0016"
>X-Priority: 3
>X-MSMail-Priority: Normal
>
>Try this game ;-)
>
>
>
>application.txt.pif is removed from here because it contains a virus.
>
>Found virus WORM_NETSKY.P in file application.txt.pif
>The file is deleted.
>
>IBM's antivirus detection system has identified a virus in an attachment
>to this e-mail. The attachment has been deleted. No further reporting or
>action is required on your part. THIS EMAIL IS NOW SAFE TO OPEN. Visit
>w3.ibm.com/virus for more information.
>
>_______________________________________________
>Shorewall-users mailing list
>Post: Shorewall-users@lists.shorewall.net
>Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
>Support: http://www.shorewall.net/support.htm
>FAQ: http://www.shorewall.net/FAQ.htm
Aubrey Kilpatrick wrote:
> This message had a virus attached to it. Please check your system to see if
> it is still sending out the virus with your messages.
>
>>
>>Final-Recipient: RFC822; 862568e4@tivoli.com
>>Action: failed
>>Status: 5.1.1
>>Remote-MTA: DNS; d03mjd01.boulder.ibm.com
>>Diagnostic-Code: SMTP; 550 5.1.1 <862568e4@tivoli.com>... User unknown
>>Last-Attempt-Date: Mon, 22 Mar 2004 15:29:01 -0500
>>Return-Path: <shorewall-users@shorewall.net>
>>Received: from e1.ny.us.ibm.com (d01av03.pok.ibm.com [9.56.224.217])
>> by northrelay01.pok.ibm.com (8.12.10/NCO/VER6.6) with ESMTP id
>> i2MKSwDv080188
>> for <862568e4@tivoli.com>; Mon, 22 Mar 2004 15:28:59 -0500
>>Received: from tivoli.com ([212.20.74.206])
>> by e1.ny.us.ibm.com (8.12.10/NS PXFA) with ESMTP id i2MKS43a485946
>> for <862568e4@tivoli.com>; Mon, 22 Mar 2004 15:28:26 -0500
>>Message-Id: <200403222028.i2MKS43a485946@e1.ny.us.ibm.com>
>>From: shorewall-users@shorewall.net

As you can see above, this message appears to have originated from a system masquerading as tivoli.com (212.20.74.206); it has a bogus From: address (and I suspect that the envelope sender was forged as well). There is a difference of opinion about the name of the IBM system which may indicate that the lower received header is also forged.

What is most important to notice is that shorewall.net is nowhere in the original send headers.

>>To: 862568e4@tivoli.com
>>Subject: Hello
>>Date: Mon, 22 Mar 2004 21:08:00 +0100
>>MIME-Version: 1.0
>>Content-Type: multipart/mixed;
>> boundary="----=_NextPart_000_0016----=_NextPart_000_0016"
>>X-Priority: 3
>>X-MSMail-Priority: Normal
>>
>>Try this game ;-)

> FAQ: http://www.shorewall.net/FAQ.htm

What ended up getting posted on the mailing list was the bounce notification, not the virus itself. I get dozens of these a day (in addition to the 100s I get from bounced Italian spam sent to Russia!!!) and most of them are dropped here at my server; looks like one sneaked through. With so many viruses forging sender addresses, it is criminal for mail admins to continue to configure their AV software to send DSNs like this.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
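The header reading described in the reply above can be automated. The following is an added example, not part of the original thread: it parses the Received chain quoted in the bounce and checks whether the From: domain appears anywhere in the relay path. The regular expression assumes sendmail-style Received lines like the ones shown here, and the function names are illustrative.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Headers of the returned message as quoted in the bounce above (trimmed).
RAW = """\
Return-Path: <shorewall-users@shorewall.net>
Received: from e1.ny.us.ibm.com (d01av03.pok.ibm.com [9.56.224.217])
 by northrelay01.pok.ibm.com (8.12.10/NCO/VER6.6) with ESMTP id
 i2MKSwDv080188
 for <862568e4@tivoli.com>; Mon, 22 Mar 2004 15:28:59 -0500
Received: from tivoli.com ([212.20.74.206])
 by e1.ny.us.ibm.com (8.12.10/NS PXFA) with ESMTP id i2MKS43a485946
 for <862568e4@tivoli.com>; Mon, 22 Mar 2004 15:28:26 -0500
From: shorewall-users@shorewall.net
To: 862568e4@tivoli.com
Subject: Hello

"""

# sendmail-style hop: from HELO (rdns-name [ip]) by receiving-host
HOP = re.compile(r"from\s+(\S+)\s+\((?:(\S+)\s+)?\[([\d.]+)\]\)\s+by\s+(\S+)")

def parse_hops(raw):
    """Return the Received hops, newest first, as dicts."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP.search(value)
        if m:
            hops.append(dict(zip(("helo", "rdns", "ip", "by"), m.groups())))
    return hops

def analyze(raw):
    """Compare the From: domain with what the relays actually recorded."""
    domain = parseaddr(message_from_string(raw)["From"])[1].rpartition("@")[2].lower()
    hops = parse_hops(raw)
    names = [h[k].lower() for h in hops for k in ("helo", "rdns", "by") if h[k]]
    return {
        "from_domain": domain,
        # The oldest hop is the last Received line; its bracketed IP was
        # written by the receiving relay, the HELO name by the sender.
        "origin": hops[-1] if hops else None,
        "from_domain_in_path": any(n == domain or n.endswith("." + domain) for n in names),
        # Hops where the claimed HELO name is not the name the receiver logged.
        "name_disagreements": [(h["helo"], h["rdns"]) for h in hops if h["helo"] != h["rdns"]],
    }

if __name__ == "__main__":
    for key, value in analyze(RAW).items():
        print(f"{key}: {value}")
```

Only the fields written by a relay you trust are reliable; anything below that hop, and every HELO name, is supplied by the sending side.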
Thanks Tom, I knew you would be able to explain it to me. Just want to make sure I'm not one of the systems that causes the problem. I am going to send a copy of this to my ISP for their information and records also.

Thanks,
aubrey

At 02:28 PM 3/22/04 -0800, you wrote:
>Aubrey Kilpatrick wrote:
>> This message had a virus attached to it. Please check your system to see if
>> it is still sending out the virus with your messages.
>>
>
>>>
>>>Final-Recipient: RFC822; 862568e4@tivoli.com
>>>Action: failed
>>>Status: 5.1.1
>>>Remote-MTA: DNS; d03mjd01.boulder.ibm.com
>>>Diagnostic-Code: SMTP; 550 5.1.1 <862568e4@tivoli.com>... User unknown
>>>Last-Attempt-Date: Mon, 22 Mar 2004 15:29:01 -0500
>>>Return-Path: <shorewall-users@shorewall.net>
>>>Received: from e1.ny.us.ibm.com (d01av03.pok.ibm.com [9.56.224.217])
>>> by northrelay01.pok.ibm.com (8.12.10/NCO/VER6.6) with ESMTP id
>>> i2MKSwDv080188
>>> for <862568e4@tivoli.com>; Mon, 22 Mar 2004 15:28:59 -0500
>>>Received: from tivoli.com ([212.20.74.206])
>>> by e1.ny.us.ibm.com (8.12.10/NS PXFA) with ESMTP id i2MKS43a485946
>>> for <862568e4@tivoli.com>; Mon, 22 Mar 2004 15:28:26 -0500
>>>Message-Id: <200403222028.i2MKS43a485946@e1.ny.us.ibm.com>
>>>From: shorewall-users@shorewall.net
>
>As you can see above, this message appears to have originated from a
>system masquerading as tivoli.com (212.20.74.206); it has a bogus From:
>address (and I suspect that the envelope sender was forged as well).
>There is a difference of opinion about the name of the IBM system which
>may indicate that the lower received header is also forged.
>
>What is most important to notice is that shorewall.net is nowhere in the
>original send headers.
>
>>>To: 862568e4@tivoli.com
>>>Subject: Hello
>>>Date: Mon, 22 Mar 2004 21:08:00 +0100
>>>MIME-Version: 1.0
>>>Content-Type: multipart/mixed;
>>> boundary="----=_NextPart_000_0016----=_NextPart_000_0016"
>>>X-Priority: 3
>>>X-MSMail-Priority: Normal
>>>
>>>Try this game ;-)
>> FAQ: http://www.shorewall.net/FAQ.htm
>
>What ended up getting posted on the mailing list was the bounce
>notification, not the virus itself. I get dozens of these a day (in
>addition to the 100s I get from bounced Italian spam sent to Russia!!!)
>and most of them are dropped here at my server; looks like one sneaked
>through. With so many viruses forging sender addresses, it is criminal
>for mail admins to continue to configure their AV software to send DSNs
>like this.
>
>-Tom
>--
>Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
>Shoreline,     \ http://shorewall.net
>Washington USA  \ teastep@shorewall.net
>
>
>_______________________________________________
>Shorewall-users mailing list
>Post: Shorewall-users@lists.shorewall.net
>Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
>Support: http://www.shorewall.net/support.htm
>FAQ: http://www.shorewall.net/FAQ.htm
>