[Mimedefang] ClamAV's Worm/Trojan/Joke/W97M classifications
kelson at speed.net
Fri Jul 1 12:20:05 EDT 2005
Les Mikesell wrote:
> For any definition of 'valid MTA', an SMTP rejection *will* generate a
> bounce. For any recent virus and much spam, the bounce will go to
> some innocent and unrelated address, which may in fact be the intended

As an example, some Mytob(?) variants forge addresses like
support at targetdomain or admin at targetdomain. (The virus in question
masquerades as an account suspension notice.) For various reasons, we
reject anything coming in from outside claiming to be from those
addresses with "554 5.7.1 Forgery attempt detected: you do not have
permission to send using this address."

Naturally, several times a week we get NDRs sent *to* those addresses
explaining that the message "we" tried to send could not be delivered.
Clearly, for whatever reason some of these *are* being relayed through a
real MTA. Half the time the target address doesn't even exist, and we
would still be getting the "User unknown" NDRs if we weren't rejecting
them in filter_sender.
SpeedGate Communications <www.speed.net>
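
A sketch of the kind of filter_sender check the post describes, added here as an example and not the poster's actual filter. The domain, the protected local parts, the "inside" relay ranges and the helper names relay_is_inside and split_sender are all assumptions.

```perl
# Added example: fragment for a mimedefang-filter file (not the poster's code).
use strict;
use warnings;

# Assumptions (constructed values): our own domain, the role addresses that
# only inside hosts may use as envelope sender, and our own relay ranges.
my $LOCAL_DOMAIN = 'example.com';
my %PROTECTED    = map { $_ => 1 } qw(support admin);
my @INSIDE_RE    = (qr/^127\./, qr/^192\.0\.2\./);

# True when the connecting relay is one of our own hosts.
sub relay_is_inside {
    my ($ip) = @_;
    return scalar grep { $ip =~ $_ } @INSIDE_RE;
}

# Split an envelope sender into (localpart, domain), lower-cased.
# Returns an empty list for the null sender <> or anything unparsable.
sub split_sender {
    my ($sender) = @_;
    $sender =~ s/^<//;
    $sender =~ s/>$//;
    return () unless $sender =~ /^(.+)\@([^\@]+)$/;
    return (lc $1, lc $2);
}

# Called by MIMEDefang at MAIL FROM time with the envelope sender and
# the relay's IP address, hostname and HELO string.
sub filter_sender {
    my ($sender, $ip, $hostname, $helo) = @_;
    my ($local, $domain) = split_sender($sender);

    # Bounces (null sender) and our own relays are not checked here.
    return ('CONTINUE', 'ok') unless defined $local;
    return ('CONTINUE', 'ok') if relay_is_inside($ip);

    # An outside relay claiming one of our protected addresses is refused
    # during the SMTP dialogue, so this host never accepts the message.
    if ($domain eq $LOCAL_DOMAIN && $PROTECTED{$local}) {
        return ('REJECT',
                'Forgery attempt detected: you do not have permission '
              . 'to send using this address.', 554, '5.7.1');
    }
    return ('CONTINUE', 'ok');
}
```

MIMEDefang calls filter_sender only when mimedefang is started with the -s option, and the filter file must still end with a true value (`1;`).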