[Mimedefang] ClamAV's Worm/Trojan/Joke/W97M classifications

Kelson kelson at speed.net
Fri Jul 1 12:20:05 EDT 2005

Les Mikesell wrote:
> For any definition of 'valid MTA', an SMTP rejection *will* generate a
> bounce.  For any recent virus and much spam, the bounce will go to
> some innocent and unrelated address, which may in fact be the intended
> target.

As an example, some Mytob(?) variants forge addresses like 
support at targetdomain or admin at targetdomain.  (The virus in question 
masquerades as an account suspension notice.)  For various reasons, we 
reject anything coming in from outside claiming to be from those 
addresses with "554 5.7.1 Forgery attempt detected: you do not have 
permission to send using this address."

Naturally, several times a week we get NDRs sent *to* those addresses 
explaining that the message "we" tried to send could not be delivered.

Clearly, for whatever reason some of these *are* being relayed through a 
real MTA.  Half the time the target address doesn't even exist, and we 
would still be getting the "User unknown" NDRs if we weren't rejecting 
them in filter_sender.

Kelson Vibber
SpeedGate Communications <www.speed.net>
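The rejection Kelson describes is done in MIMEDefang's `filter_sender()` hook, which runs at `MAIL FROM` time. The following is an added example of such a hook, written for this page and not Kelson's actual filter; the role addresses, the `example.com` domain, and the internal address prefixes are constructed placeholders.

```perl
# Added example: a MIMEDefang filter_sender() hook that rejects connections
# from outside the local network whose envelope sender is one of a handful of
# local role addresses. Domain, address list and internal network are constructed.
use strict;
use warnings;

# Role addresses that only ever originate inside our network (constructed).
my %protected_senders = map { $_ => 1 } (
    'support@example.com',
    'admin@example.com',
);

# Connecting IPs we treat as "inside" (constructed; a real deployment would
# normally consult the relay configuration or a CIDR lookup instead).
my @internal_prefixes = ('127.', '192.168.');

sub is_internal_ip {
    my ($ip) = @_;
    foreach my $prefix (@internal_prefixes) {
        return 1 if index($ip, $prefix) == 0;
    }
    return 0;
}

# Normalise an envelope address as sendmail hands it to us: strip the
# surrounding angle brackets and lower-case it for comparison.
sub normalise_address {
    my ($addr) = @_;
    $addr =~ s/^\s*<(.*)>\s*$/$1/;
    return lc $addr;
}

# MIMEDefang calls this once per MAIL FROM with the envelope sender,
# the connecting IP, its reverse name and the HELO string.
sub filter_sender {
    my ($sender, $ip, $hostname, $helo) = @_;

    # Our own hosts may legitimately send as these addresses.
    return ('CONTINUE', 'ok') if is_internal_ip($ip);

    my $addr = normalise_address($sender);
    if ($protected_senders{$addr}) {
        md_syslog('info', "Rejecting forged sender <$addr> from $ip ($hostname)");
        # Rejecting here means we never accept the message and bounce it
        # ourselves. As the thread notes, a real relaying MTA will still
        # generate its own NDR to the forged address, so this stops the
        # forgery from being delivered but not the resulting backscatter.
        return ('REJECT',
                'Forgery attempt detected: you do not have permission to send using this address',
                554, '5.7.1');
    }
    return ('CONTINUE', 'ok');
}

# MIMEDefang requires the filter file to return true.
1;
```

The `REJECT` return carries the same 554 status and 5.7.1 enhanced code Kelson quotes, so the reply the remote side sees matches the text of the post. Keeping the internal check first matters: without it, your own webmail or ticketing hosts sending as `support@` would be rejected along with the forgeries.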

