Sender warnings going to recipients!

Quentin Campbell Q.G.Campbell at NEWCASTLE.AC.UK
Wed Dec 5 12:16:10 GMT 2001


We have been running 2.60-2 since it was released. The platforms are
Solaris 2.7 running sendmail 8.10.1.

We have started to receive complaints (and evidence) that _recipients_
of infected messages are sometimes getting the "sender" warning message.
That is, the "To:" address _in_ the warning message (a local recipient)
also becomes the "To:" address _for_ the warning message itself. The
latter should be the address of the sender. Any ideas? An example
follows with the original message at the end:

--------------- cut here
> Date: Tue, 4 Dec 2001 17:02:52 GMT
> From: MailScanner <Virus.Scanner at ncl.ac.uk>
> To: netskills-admin at netskills.ac.uk
> Subject: Warning: E-mail viruses detected
> 
> Our virus detector has just been triggered by a message you sent:-
>   To: <netskills-admin at netskills.ac.uk>
>   Subject: Re:
>   Date: Tue Dec  4 17:02:52 2001
> Any infected parts of the message have not been delivered.
> 
> This message is simply to warn you that your computer system may have 
> a virus present and should be checked.
> 
> The virus detector said this about the message:
> Report: /fB4H2et10389/README.MP3.scr        Found the W32/BadTrans@MM virus !!!
> Attempt to hide real filename extension in README.MP3.scr
> 
> 
> Information on viruses can be found at the sites of commercial 
> suppliers of anti-virus tools such as NAI (http://vil.nai.com/vil). If
> you are a user at Newcastle University then information and guidance 
> on anti-virus measures can be found at 
> http://www.ncl.ac.uk/ucs/docs/G17.html.
> --
> Message sent on behalf of Postmaster at ncl.ac.uk
--------------- cut here

Original message as shown in the attachment received by our local
recipient with the warning is:

--------------- cut here
Message-Id: <200112041702.fB4H2et10389 at cheviot2.ncl.ac.uk>
From: "Support"  <support at cyberramp.net>
To: netskills-admin at netskills.ac.uk
Subject: Re:

Message from Newcastle University MailScanner E-Mail Virus Protection Service
-----------------------------------------------------------------------------
The original e-mail attachment "README.MP3.scr"
was believed to be infected by a virus and has been replaced by this warning
message.

At Tue Dec  4 17:02:51 2001 the virus scanner said:
   /fB4H2et10389/README.MP3.scr        Found the W32/BadTrans@MM virus !!!
   Attempt to hide real filename extension in README.MP3.scr


Due to limitations placed on us by the Regulation of Investigatory Powers
Act 2000, we were unable to keep a copy of the infected attachment. Please
ask the sender of the message to disinfect their original version and send
you a clean copy.

Information on viruses can be found at the sites of commercial suppliers
of anti-virus tools such as NAI (http://vil.nai.com/vil). If you are a
user at Newcastle University then information and guidance on anti-virus
measures can be found at http://www.ncl.ac.uk/ucs/docs/G17.html.
--
--------------- cut here


Quentin
---
PHONE: +44 191 222 8209    Computing Service, University of Newcastle
FAX:   +44 191 222 8765    Newcastle upon Tyne, United Kingdom, NE1 7RU.
------------------------------------------------------------------------
"Any opinion expressed above is mine. The University can get its own."  


