joewein.de LLC
Fighting spam and scams
on the Internet

Home / Blog / About us
Spam
419/Nigeria
Online fraud
jwSpamSpy
Contact

Email Spam Filter:
jwSpamSpy
Try it for free!

Google
 

Clueless virus filters spam innocent third parties

Every major virus written over the last three years has used fake sender addresses. Despite this well-documented fact, many widely used virus filter applications will contact the innocent third parties, whose addresses have been abused by a virus, suggesting they were the senders. In many cases, filters do this after specifically having identified the type of virus as one that fakes sender addresses, such as NetSky. Even though I advocate virus filtering at the mail server level, I have to conclude that much of the software available for that job today is either badly written or misconfigured.

If you receive a virus today, you can be almost certain that the computer of the person whose address is listed in the From: statement of the mail header is not infected with a virus. Current viruses scan the hard disk of the infected machine. They look through the email address book, the webbrowser cache and just about any other file on the disk. Basically any string with an '@' in it becomes fair game. The virus mails itself to such addresses, using another address from the same pool as the fake sender. That is the reason why the "sender address" of a virus is often related to the recipient - they may share a common contact, the person whose computer got infected.

If someone visits website X or receives an order confirmation by company Y and then – possibly months later – opens a virus infected email attachment, chances are some of the new virus mails that result will list company X or Y as the sender, even though they are totally innocent. Not only will these innocent parties receive bounce notifications for all virus mails that turn out to be undeliverable (for example, because the sender address has become invalid or a mailbox is full). Badly written virus filter software will also send them emails complaining that their machines are infected with Netsky, MyDoom, Swen or some other virus, even though these viruses are known to fake every sender address. It would be pure coincidence if the machine listed as the sender by the virus was really infected.

You would have thought that any software smart enought to recognize the Netsky virus should be smart enough to know that Netsky fakes the From-address. Apparently not. Until that changes, virus warnings will have to be treated the same way as other spam and viruses: By filtering them.

Articles on this subject:
Anti-Virus Companies: Tenacious Spammers (Brian Martin)
Open letter by Fridrik Skulason (FRISK Software International)


Clueless filters by sender domain

Virus filters for the following domains have sent us bogus virus warning spam. As you can see, the problem gets worse. In March I sometimes went for a week without a bogus warning. Now I get warning spam almost every day, often even multiple warnings per day. We notify postmasters of all servers sending us virus warning spam. Though we have not received a reply from most of them, neither have we received more spams. Only the few entries listed in bold are repeat offenders, i.e. servers that have sent one or more virus warning spams after their postmaster had already been notified of the problem. Postmasters who do reply generally do so to notify us that they have fixed the problem.

  • mairs.de (2005-01-03)
  • low-spirit.de (2004-12-07)
  • rtlradio.de (2004-11-15)
  • setarnet.aw (2004-11-06)
  • domein-wonen.nl (2004-10-31)
  • anitabolsen.com.au (2004-10-11)
  • htp-test.de / wbn.de (2004-10-07)
  • mecenat-cardiaque.org (2004-10-05)
  • bsi-fuer-buerger.de / bund400.de (2004-10-03)
  • pressezone.at (2004-10-01)
  • gruener-punkt.de / dsd-ag.de (2004-09-23)
  • x-mailer.de (2004-09-17)
  • blanche-de-castille.fr (2004-09-14)
  • isabel.be (2004-09-11)
  • unitech.nl (2004-09-10)
  • hostnet.nl (2004-09-10)
  • archidiecezja.lodz.pl (2004-09-10)
  • eckernfoerder-zeitung.de / boyens-medien.de (2004-09-09)
  • lc-tech.com (2004-08-31)
  • telegraph.co.uk (2004-08-30)
  • traumfliese.de (2004-08-29)
  • pnp.de / vgp.de (2004-08-29)
  • bosrup.com / hrnoc.net (2004-08-27)
  • gsd-berlin.de (2004-08-25)
  • rtl2.de (2004-08-25)
  • vasko-partner.at (2004-08-23)
  • egm.at / turboprop.aic.at (2004-08-21)
  • salzkontor.de (2004-08-20)
  • rwu.edu (2004-08-16)
  • ib-sh.de (2004-08-15)
  • insunlimited.com (2004-08-13)
  • kredit.nu / serverpool.info (2004-08-12)
  • pnp.de / vgp.de (2004-08-07)
  • skpfcw.de (2004-08-03)
  • remington-products.com (2004-07-27)
  • bs.ch (2004-07-27)
  • cosmos-ss.co.jp (2004-07-26)
  • klicktel.de (2004-07-22)
  • normal.no (2004-07-20)
  • grass.at (2004-07-06)
  • geosjr.co.jp / kddi.ne.jp (2004-07-05)
  • vihreetpantterit.org (2004-07-03)
  • interq.net (2004-06-27)
  • forteprenestino.net (2004-06-26)
  • gpsr.hu (2004-06-26)
  • heiners-adabei.at / emailserver.de (2004-06-26)
  • edv-sinn.com / angermayer.com (2004-06-24)
  • tfh-wildau.de (2004-06-24)
  • schwaebisch-hall.de/ kreditwerk.de (2004-06-24)
  • in-italia.de / fw-notify.net (2004-06-22)
  • cda-bund.de / dpl.net (2004-06-22; fixed 2004-06-23)
  • cib-gmbh.de (2004-06-22)
  • tec-company.de (2004-06-21)
  • esat.net (2004-06-19)
  • outlook4team.com / 4team.biz (2004-06-17)
  • jamba-ag.de / jamba.net (2004-06-17)
  • tfh-wildau.de (2004-06-15)
  • annex-info.co.jp / annexis.ne.jp (2004-06-13)
  • c-seas.co.jp (2004-06-12)
  • hotel-ilf.cz / ipvz.cz (2004-06-12)
  • cascadeaccess.com (2004-06-11)
  • keymachine.de (2004-06-11)
  • datenkraft.com (2004-06-10)
  • jobpilot.de / hbedv.com (2004-06-10)
  • cascadeaccess.com (2004-06-08)
  • aknet.at (2004-06-08)
  • initon.hu (2004-06-08)
  • esat.net (2004-06-06)
  • worldofprincess.com (2004-06-05)
  • csc.at (2004-06-05)
  • rbftpnetworks.com (2004-06-04; fixed 2004-06-29)
  • datenkraft.com (2004-06-04)
  • rapidnet.de (2004-06-03)
  • cascadeaccess.com (2004-06-02)
  • df-webhosting.de (2004-05-31)
  • g-house03.com (2004-05-28)
  • aragon.de (2004-05-28)
  • komplex.net (2004-05-27)
  • jaxa.jp (2004-05-26)
  • activecontrol.de (2004-05-26)
  • cascadeaccess.com (2004-05-26)
  • altrax.com (2004-05-26)
  • ikb.de (2004-05-25)
  • kttg.ch (2004-05-25)
  • g-house03.com (2004-05-25)
  • andorazu.com (2004-05-24)
  • aip.co.at (2004-05-24)
  • cna.at (2004-05-24)
  • khulna.bangla.net (2004-05-23)
  • jennyfer.com (2004-05-21)
  • kddi.ne.jp (2004-05-21)
  • arrownet.dk (2004-05-20)
  • cascadeaccess.com (2004-05-20)
  • aics.ne.jp (2004-05-19)
  • carat.fr (2004-05-18)
  • dmni.com (2004-05-16)
  • bluemark.fr (2004-05-15)
  • superautoforge.net (2004-05-13)
  • bs.ch (2004-05-13)
  • cascadeaccess.com (2004-05-13)
  • rouge-blanc.com (2004-05-12)
  • ltsh.de (2004-05-12)
  • triaton.com (2004-05-11)
  • deg.net (2004-05-10)
  • visiomedia.de (2004-05-09)
  • fullerco.com (2004-05-09)
  • ksg.cashq.ac.cn (2004-05-08)
  • crha.com (2004-05-08)
  • yx.yn.cn (2004-05-08)
  • rudolf-steiner.com (2004-05-07)
  • cascadeaccess.com (2004-05-06)
  • kosei-kai.or.jp (2004-05-05)
  • mts.de (2004-05-04)
  • cdnet.at (2004-05-04)
  • cascadeaccess.com (2004-05-04)
  • chemsoft.de (2004-05-03)
  • microserver.de (2004-04-30)
  • bs.ch (2004-04-28)
  • gummylump.com (2004-04-26)
  • safesecureweb.com (2004-04-24)
  • hmgintl.com (2004-04-23)
  • blk.de (2004-04-21)
  • nextiraone.at (2004-04-19)
  • avd.de (2004-04-18)
  • mediamotion.ch (2004-04-17)
  • baan.com (2004-04-14)
  • tof.de (2004-04-14)
  • regensburg.de (2004-04-12)
  • de.clara.net (2004-04-12)
  • egetech.com (2004-04-11)
  • bhasin.co.in (2004-04-06)
  • kestapo.konehuone.net (2004-04-06)
  • kfunigraz.ac.at (2004-04-04)
  • airnz.co.nz (2004-04-04)
  • planetofstars.com (2004-04-02)
  • ateo.de (2004-04-02)
  • webmailer.de (2004-03-31)
  • clickteam.com (2004-03-30)
  • hostingfabrik.com (2004-03-29)
  • comdok.de (2004-03-29)
  • gmessaging.net (2004-03-24)
  • tu-bs.de (2004-03-24)
  • koa-net.de (2004-03-24)
  • comdok.de (2004-03-24)
  • labor-arndt-partner.de (2004-03-22)
  • gmessaging.net (2004-03-20)
  • toysfactory.co.jp (2004-03-18)
  • bs.ch (2004-03-18)
  • artflowers.ch (2004-03-18)
  • airnz.co.nz (2004-03-11)
  • interdesk.ch (2004-03-11)
  • jowa.ch (2004-03-10)
  • babsi.gibts.net (2004-03-05)
  • ns1.so.ch (2004-03-04)
  • vw-group.com (2004-03-02)
  • slub-dresden.de (2004-02-27)
  • nana-dev.com (2004-02-27)

Clueless filters by product

Here are some of the clueless notifications we have received over the course of the last two months. We received multiple examples by all listed filters, these are only examples:


Clueless filter sample messages

David by Tobit Software

From: postmaster@post.webmailer.de
Date: Wednesday, 31 March, 2004 18:40
To: myaddress
Subject: Virus detected

WARNING!

This site is protected by David from Tobit Software. 

David's Doorkeeper detected that one or several attachments 
of the following message sent by you may NOT have been 
delivered to the recipient because they were infected by a 
virus! 

See the list below for details.

Subject...: Re: Message Error
Recipient.: sh@swamp.de
Date/Time.: Fri, 05 Mar 2004 12:29:35 +0200

Infected file(s):
Virus..: W32/Netsky (ED)
File...: msg.zip
Status.: The file has been deleted.



This is a notification message only.

Please visit www.tobit.com for further information about
David, Tobit's outstanding unified messaging system.


ANTIGEN_IRIS

This one is nicely cryptic:

From: ANTIGEN_IRIS <ANTIGEN_IRIS@saltspring.com>
To: "'myaddress'" <myaddress>
Subject: Antigen found VIRUS= W32/Mydoom@MM (NAI) virus
Date: Tue, 27 Jan 2004 20:10:47 -0800
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain

Antigen for Exchange found data.zip->data.pif infected with VIRUS=
W32/Mydoom@MM (NAI) worm.
The message is currently Purged.  The message, "Test", was
sent from myaddress and was discovered in IMC
Queues\Inbound
located at Imagen/NEPTUNE1/IRIS.


AMaViS - amavis-milter

This one at least provides the original message headers, allowing the recipient of the "warning" to notify the abuse department of the provider of the real sender:

Received: from DE618910X00001.DE618910.vw-group.com 
	(p508E87D4.dip0.t-ipconnect.de [80.142.135.212])
	by powerbox.prohost.de (8.11.6/8.11.6) with ESMTP id i22BkWj07116
	for <myaddress>; Tue, 2 Mar 2004 12:46:32 +0100
Received: from DE618910X00001.DE618910.vw-group.com (localhost [127.0.0.1])
	by DE618910X00001.DE618910.vw-group.com (8.12.6/8.12.6/SuSE Linux 0.6) 
	with ESMTP id i22BOS1j003733
	for <myaddress>; Tue, 2 Mar 2004 12:24:28 +0100
Received: (from vscan@localhost)
	by DE618910X00001.DE618910.vw-group.com (8.12.6/8.12.6/Submit) 
	id i22BORV8003732; Tue, 2 Mar 2004 12:24:27 +0100
Date: Tue, 2 Mar 2004 12:24:27 +0100
From: postmaster@DE618910X00001.DE618910.vw-group.com
Message-Id: <200403021124.i22BORV8003732@DE618910X00001.DE618910.vw-group.com>
To: <myaddress>
Subject: VIRUS IN YOUR MAIL
X-Virus-Scanned: by AMaViS - amavis-milter (http://www.amavis.org/)

                           V I R U S  A L E R T

Our viruschecker found the

	W32/Netsky.D@mm

virus in your email to the following recipient:

-> <admin@localhost>

Delivery of the email was stopped!

Please check your system for viruses,
or ask your system administrator to do so.


For your reference, here are the SMTP envelope originator
and headers from your email:

From <myaddress>
------------------------- BEGIN HEADERS -----------------------------
Received: from mail.autohausXXXXX.de [216.71.217.20]
	by localhost with POP3 (fetchmail-5.9.13)
	for admin@localhost (multi-drop); Tue, 02 Mar 2004 12:24:26 +0100 (CET)
Received: (from mail@localhost)
	by powerbox.prohost.de (8.11.6/8.11.6) id i22BjZ406331
	for autohausXXXXX@autohausXXXXX.de; Tue, 2 Mar 2004 12:45:35 +0100
Received: from mail42.mobile.de (mail42.mobile.de [213.238.60.41])
	by powerbox.prohost.de (8.11.6/8.11.6) with ESMTP id i22BjYt06310
	for ; Tue, 2 Mar 2004 12:45:34 +0100
Delivery-date: Tue, 02 Mar 2004 12:45:34 +0100
Received: from pd9e08fa7.dip.t-dialin.net ([217.224.143.167] helo=mobile.de)
	by mail42.mobile.de with esmtp (MTA)
	id 1Ay8L2-00082c-00
	for <ah-XXXXX@mobile.de>; Tue, 02 Mar 2004 12:45:29 +0100
From: myaddress
To: ah-XXXX@mobile.de
Subject: Re: Your bill
Date: Tue, 2 Mar 2004 12:45:34 +0100
MIME-Version: 1.0
Content-Type: multipart/mixed;
	boundary="----=_NextPart_000_0013_00007B0C.0000034E"
X-Priority: 3
X-MSMail-Priority: Normal
Message-Id: <E1Ay8L2-00082c-00@mail42.mobile.de>
'X-added: mobile.de customer service'
X-UIDL: ]H;"!3ei"!P/*!!'=:!!
X-Fetchmail-Warning: recipient address ah-XXXXX@mobile.de didn't match 
 any local name
-------------------------- END HEADERS ------------------------------


AMaViS

A different version of Amavis, it seems, also with original message headers, but annoying nonetheless:

Subject: VIRUS (W32/Netsky.d@MM) IN YOUR MAIL
In-Reply-To: <20040304060820.F15B16E08E@ns1.so.ch>
Message-Id: <VS21652-01@ns1.so.ch>
Content-Type: multipart/report; report-type=delivery-status;
    boundary="----------=_1078380504-21652-1"
From: amavisd-new <postmaster@ns1.so.ch>
To: <myaddress>
Date: Thu,  4 Mar 2004 07:08:24 +0100 (CET)

This is a multi-part message in MIME format...

------------=_1078380504-21652-1
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

VIRUS ALERT

Our virus checker found
    virus: W32/Netsky.d@MM
in your email to the following recipient:
-> XXXXXXX@aio.so.ch

Delivery of the email was stopped!

Please check your system for viruses,
or ask your system administrator to do so.

For your reference, here are headers from your email:
------------------------- BEGIN HEADERS -----------------------------
Received: from aio.so.ch (adsl-213-180-162-205.cybernet.ch [213.180.162.205])
	by ns1.so.ch (Postfix) with ESMTP id F15B16E08E
	for <XXXXXXX@aio.so.ch>; Thu,  4 Mar 2004 07:08:20 +0100 (CET)
From: myaddress
To: XXXXXXX@aio.so.ch
Subject: Re: Your website
Date: Thu, 4 Mar 2004 07:08:32 +0100
MIME-Version: 1.0
Content-Type: multipart/mixed;
	boundary="----=_NextPart_000_0002_000009CF.00002243"
X-Priority: 3
X-MSMail-Priority: Normal
Message-Id: <20040304060820.F15B16E08E@ns1.so.ch>
-------------------------- END HEADERS ------------------------------

------------=_1078380504-21652-1
Content-Type: message/delivery-status
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
Content-Description: Delivery error report

Reporting-MTA: dns; ns1.so.ch
Received-From-MTA: smtp; ns1.so.ch ([127.0.0.1])
Arrival-Date: Thu,  4 Mar 2004 07:08:22 +0100 (CET)

Final-Recipient: rfc822; XXXXXXX@aio.so.ch
Action: failed
Status: 5.7.1
Diagnostic-Code: smtp; 550 5.7.1 Message content rejected, id=21652-01 - 
	VIRUS: W32/Netsky.d@MM
Last-Attempt-Date: Thu,  4 Mar 2004 07:08:24 +0100 (CET)

------------=_1078380504-21652-1
Content-Type: text/rfc822-headers
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
Content-Description: Undelivered-message headers

Received: from aio.so.ch (adsl-213-180-162-205.cybernet.ch [213.180.162.205])
	by ns1.so.ch (Postfix) with ESMTP id F15B16E08E
	for <XXXXXXX@aio.so.ch>; Thu,  4 Mar 2004 07:08:20 +0100 (CET)
From: myaddress
To: XXXXXXX@aio.so.ch
Subject: Re: Your website
Date: Thu, 4 Mar 2004 07:08:32 +0100
MIME-Version: 1.0
Content-Type: multipart/mixed;
	boundary="----=_NextPart_000_0002_000009CF.00002243"
X-Priority: 3
X-MSMail-Priority: Normal
Message-Id: <20040304060820.F15B16E08E@ns1.so.ch>

------------=_1078380504-21652-1--


InterScan NT

This notification is short but wrong and totally useless (no headers):

Date: Wed, 10 Mar 2004 11:18:14 +0100
From: postmaster@jowa.ch
To: <myaddress>
Subject: InterScan NT Alert
Message-Id: <E1B114V-0001fW-00@mxng18.kundenserver.de>

Sender, InterScan has detected virus(es) in your e-mail attachment.

Date:  	Wed, 10 Mar 2004 11:18:14 +0100
Method:	Mail
From:  	<myaddress>
To:    	XXXXXXXXXX@jowa.ch
File:  	your_letter.pif
Action:	clean failed - deleted
Virus: 	WORM_NETSKY.D 


ScanMail for Microsoft Exchange

This notification is short but wrong and totally useless (no headers):

Return-path: <AT1EX1-SA@nextiraone.at>
Received: from at1ex1.nextiraone.at (unknown [62.173.154.98])
	by integer.pobox.com (Postfix) with ESMTP
	for <myaddress>; Mon, 19 Apr 2004 02:31:40 -0400 (EDT)
Received: by at1ex1.nextiraone.at with Internet Mail Service (5.5.2653.19)
	id <HGFH23Z4>; Mon, 19 Apr 2004 08:31:27 +0200
Message-ID: <C5AA968999484043B79F3C4A1B45D64303C37F90@at1ex1.nextiraone.at>
From: System Attendant <AT1EX1-SA@nextiraone.at>
To: "'myaddress'" <myaddress>
Subject: ScanMail Message: To Sender virus found or matched file blocking 
	setting.
Date: Mon, 19 Apr 2004 08:31:26 +0200
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain

ScanMail for Microsoft Exchange has taken action on the message, please
refer to the contents of this message for further details.

Sender = myaddress
Recipient(s) = SURNAME firstname
Subject = denied!
Scanning Time = 04/19/2004 08:31:25
Engine/Pattern = 7.000-1004/859

Action on message:
The attachment associal.zip contained WORM_NETSKY.C virus. ScanMail has
taken the Deleted action. 

Warning to sender. ScanMail has detected a virus in an email you sent.


MailScanner

This notification is short but wrong and totally useless (no headers):

From: "MailScanner" <postmaster@seth.microserve.de>
To: myaddress
Subject: Warning: E-mail viruses detected
X-MailScanner: generated, Found to be clean
X-MailScanner-Information: Please contact the ISP for more information

Our virus detector has just been triggered by a message you sent:-
  To: someguy@somedomain
  Subject: solve the problem!
  Date: Fri Apr 30 12:09:57 2004
Any infected parts of the message (part2.zip)
have not been delivered.

This message is simply to warn you that your computer system may have a
virus present and should be checked.

The virus detector said this about the message:
Report: >>> Virus 'W32/Netsky-C' found in file part2.zip/part2.com


-- 
MailScanner
Email Virus Scanner
www.mailscanner.info
Mailscanner thanks transtec Computers for their support


Webshield

Webshield by Networks Associates "returns" the mail with an advertisement for the filter, including a link to their website: Unsolicited commercial bulk email = spam. What they don't provid is header information. It is likely though that the final Received-line of the virus warning spam indicates the virus sender.

Received: from dmzws2.antwerpen.be ([195.13.26.51] helo=DMZWS2.webshield)
	by mymailserver with smtp (Exim 4.33)
	id 1BQOhA-0000o5-9O
	for Myname@mydomain; Wed, 19 May 2004 12:53:10 +0200
Received: from 82-168-49-148-bbxl.xdsl.tiscali.nl(82.168.49.148) by 
	DMZWS2.webshield 
	via csmap id 6ccf54aa_a982_11d8_9528_0030482986b3_24584;
	Wed, 19 May 2004 12:51:13 +0200 (CEST)
From: Myname@mydomain
To: user_account@stad.antwerpen.be
Date: Wed, 19 May 2004 10:50:17 GMT
Subject:  Returned due to virus; was:Delivery failure notice (5339)
Importance: Normal
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
Message-ID: <90367b85cbb168.9ffb0.qmail@mydomain>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="======ae95ab28.e472"
Content-Transfer-Encoding: 7bit

This is a multi-part message in MIME format.

--======ae95ab28.e472

This e-mail was generated automatically.
Information about -MYDOMAINROOT- under: http://www.mydomain

-----
Errors:

73.74.48.177_does_not_like_sender.
# 469: Giving_up_on_73.74.48.177.
# 431: Remote_host_said:_delivery_error
# 392: mailbox_unavailable
# 231: MAILBOX NOT FOUND

End
-----

The full mail is attached.

Auto-ReMail.System#: [mydomainroot]
--======ae95ab28.e472
Content-Disposition: attachment
Content-Type: Text/HTML;
  name="mail.txt.zip.htm"
Content-Transfer-Encoding: 7bit
X-NAI-WebShielde500-mimepp: Attachment removed

 <html><head><meta HTTP-EQUIV="Content-Type" content="text/html; charset=UTF-8">
<title>VIRUS INFECTION ALERT</title></head>
<body>
<h1><font color="#FF0000">VIRUS INFECTION ALERT</font></h1>
<p>The WebShield® e500 Appliance discovered a virus in this file.
The file was not cleaned and has been removed.</p><p>
See your system administrator for further information.
</p>
<p>File name: mail.txt.zip<br>
Virus name: W32/Sober.g@MM</p>

<p>Copyright © 1993-2003, Networks Associates Technology, Inc.<br>
All Rights Reserved.<br>
<a href="http://www.mcafeeb2b.com">http://www.mcafeeb2b.com</a></p>
</body></html>
			
--======ae95ab28.e472--


F-Secure

Another totally useless warning, as it doesn't include any header information. The filter recognizes the exact virus type (W32/NetSky.D@mm, which is known to spoof the sender address), yet goes ahead and spams the fake sender:

Received: from mail.khis.de ([170.56.58.52] helo=mail006.thyssenkrupp.com)
	by delta.mc1.hosteurope.de with esmtp (Exim 4.33)
	id 1BNXMl-0000l5-57
	for myaddress; Tue, 11 May 2004 15:32:16 +0200
Received: from n0501208.triaton.com (n0501208.triaton.com [170.56.85.81])
	by mail006.thyssenkrupp.com (8.12.11/8.12.11) with ESMTP id i4BDWDE7006453
	for <myaddress>; Tue, 11 May 2004 15:32:13 +0200
Message-Id: <200405111332.i4BDWDE7006453@mail006.thyssenkrupp.com>
From: interner-SMTP-Backbone-Service@triaton.com
To: myaddress
Date: Tue, 11 May 2004 15:32:20 +0200 (MEST)
Subject: Virus detected in: [Spam?] Re: Document
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII

Scenarios/Incoming/F-Secure Anti-Virus: Virus W32/NetSky.D@mm found 
by F-Secure Orion details W32/NetSky.D@mm


Die E-Mail von myaddress an info@bkk-km-direkt.de

enthielt einen Computer Virus. Eine Zustellung erfolgt nicht. Bitte lassen 
Sie umgehend ihr Computer-System pruefen! Mehr Informationen ueber den Virus:
http://www.f-secure.com/virus-info

The e-mail from myaddress to info@bkk-km-direkt.de
 contained a computer virus. The delivery was blocked.
Immediately check your compter, please!
More information about the detected virus:
http://www.f-secure.com/virus-info


Informationsverbund Bonn-Berlin (IVBB)
Your tax-euro at work: The German Federal government spent a fortune on a secure network for its ministries in Berlin and in Bonn, which nevertheless experienced serious problems coping with a flood of viruses in May. This custom written software of the Federal government insists on sending email to faked sender whenever a virus is received.

Here's another example of a "warning" from a braindead virus scanner that is smart enough to recognize Netsky-emails, but too dumb to understand that all Netsky sender addresses are picked at random from email addresses found on the computer.

Received: from [194.95.179.209] (helo=Augsburg.bund.de)
	by mxng09.kundenserver.de with esmtp (Exim 3.35 #1)
	id 1CDLvF-0006mC-00
	for ####@###########; Fri, 01 Oct 2004 13:50:01 +0200
Received: (from root@localhost)
	by Augsburg.bund.de (8.9.3p2/8.9.3) id NAA04221
	for <####@###########>; Fri, 1 Oct 2004 13:50:00 +0200
From: warnung@bund400.de
Message-Id: <200410011149.NAA04120@Augsburg.bund.de>
To: ####@###########
Subject: IVBB-VIRENWARNUNG: WORM_NETSKY.P
MIME-Version: 1.0 
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Date: Fri, 1 Oct 2004 13:49:57 +0200

Warnung! 
Wir haben eine E-Mail mit Ihrem Absender abgefangen, die einen 
Virus enthält. Diese E-Mail muss nicht unbedingt von Ihrem Computer 
aus versandt worden sein, da Computer-Viren und Würmer oft die 
Adresse des Absenders fälschen. Möglicherweise erreicht diese 
Warnung daher nicht den eigentlichen Verursacher. In diesem Falle 
können Sie diese Meldung ignorieren. 

Warning! 
We received an e-mail with your sender adress containing a virus. 
This e-mail was not necessarily sent from your computer, because 
viruses and worms are often able to fake the senders adress. 
Therefore it is possible, that this warning reaches not the right 
originator of the infected e-mail. In such occasions please ignore 
this warning. 

Sender: ####@###########
Empfänger: tools@bsi-fuer-buerger.de  
Betreff: [VIRUS] Mail Delivery (failure tools@bsi-fuer-buerger.de) 
Datum: Fri, 1 Oct 2004 13:49:16 +0200 
 
Grund : Es wurde eine Schadfunktion z.B. Virus entdeckt. 

Reason: It contained a virus infected attachment. 

Viren Name(n): WORM_NETSKY.P 
Anhang Name(n): UNBEKANNT! 
 



Sample replies to clueless virus notifications

Subject: Badly configured virus scanner at yourdomain

Hello,

please reconfigure your virus filter so that it will not spam people whose addresses are listed in From-lines of Netsky, Sober, SomeFool, Swen and other current worm mails. None of the worms released over the last three years uses the sender's actual email address.

It is a well documented fact that these worms mail themselves to intended victims using fake sender addresses, i.e. addresses of innocent third parties found on an infected PC. Notifying the fake sender address is pointless and annoying.

The right address to contact is the abuse-address of the provider from whose network the virus originates (typically, the last Received-line in the header). Unfortunately, your notification does not include Received-lines. Therefore, it's completely pointless.

Regards

Joe Wein

http://www.joewein.net/spam/spam-virus-warnings.htm
"Clueless virus filters spam innocent third parties

Sample replies to clueless virus notifications (in German)

Hallo,

Ihr Virenfilter ist so fehlkonfiguriert, dass er fuer jeden eintreffenden Virus eine Spam-Email an einen unbeteiligten Dritten verschickt.

Der Virus Netsky, der Ausloeser fuer die untenstehende Mail war, setzt zufaellig ausgewaehlte Adressen, die er auf dem infizierten Rechner gefunden hat (z.B. im Adressbuch des Emailprogramms oder im Browsercache) als gefaelschte Absender fuer seine Virenmails ein. Eine Benachrichtigung an diese Adresse erreicht somit nur unbeteiligte, unschuldige Dritte die mit der Versendung des Virus nichts zu tun hatten.

Der tatsaechliche Versender laesst sich nur ueber die Received-Zeilen im Mailheader feststellen, da daraus der zustaendige Provider des Versenders bestimmt werden kann. Diese Informationen liefert aber Ihre Benachrichtigung nicht mit. Es bleibt also nur eine sinnlose Belaestigung.

Bitte stellen Sie diese automatisierten Email-Spams umgehend ab.

MfG

Joe Wein
--
"Clueless virus filters spam innocent third parties"
http://www.joewein.net/spam/spam-virus-warnings.htm


Anti-Spam Resources:
jwSpamSpy is spam filtering software (Now available!)
Anti-spam domain blacklist – list of domains that I refuse to receive mail from
Recent additions to domain blacklist (with whois details)
"419" scam sender/contact addresses ("Nigeria connection" address book)
DNS-based IP and domain name blacklists
Dynamic IP addresses (700 KB!)
Free email providers

How to trace senders of spam
Link exchange offer spam
Getting creative with spam
Smyrnagroup spammers (in German)

Lookup an IP address on blacklists (http://dnsbl.net.au/lookup/)
AOL dial-up address ranges and mail servers