Sender warnings going to recipients!

Quentin Campbell Q.G.Campbell at NEWCASTLE.AC.UK
Thu Dec 6 09:49:01 GMT 2001

> -----Original Message-----
> From: Nick Phillips [mailto:nwp at] 
> Sent: 05 December 2001 14:11
> Subject: Re: Sender warnings going to recipients!
> On Wed, Dec 05, 2001 at 12:16:10PM -0000, Quentin Campbell wrote:
> > We have been running 2.60-2 since it was released. The platforms are
> > Solaris 2.7 running sendmail 8.10.1.
> >
> > We have started to receive complaints (and evidence) that _recipients_
> > of infected messages are sometimes getting the "sender" warning
> > message. That is, the "To:" address _in_ the warning message (a local
> > recipient) also becomes the "To:" address _for_ the warning message
> > itself. The latter should be the address of the sender. Any ideas? An
> > example follows with the original message at the end:
> We've seen things that initially appeared to be incorrect, 
> but actually turned out to be correct, caused by Badtrans.
> What we've seen is that the postmaster appears to receive the 
> recipient message, but that's actually caused by the virus 
> replying to the sender warning with another copy of itself.
> Nice.


My colleague, Paul Haldane, did a bit of digging around last night and
the sendmail log records show what is really going on.

The envelope From address is a Newcastle one although the message source
was a machine at a college in Leeds. In fact our mail logs showed two
messages from the same source sent just one second apart. Both had
Newcastle addresses in the envelope From field that relate to the
Newcastle Netskills team.

In both cases the messages carried the Badtrans virus. This I think is
the clue to what is going on. A machine at the college in Leeds is
infected with Badtrans. The same machine has previously been in
correspondence with various Netskills lists here at Newcastle. Badtrans
is a mass mailing worm which attempts to send itself using Microsoft
Outlook by replying to unread email messages. It has got some Newcastle
addresses from Outlook and used them to send virus-carrying messages to
us with spoofed envelope From addresses.

In fact its use of the addresses that it collects is a little more
sophisticated than what the brief description above implies. As a
consequence the only way to see what is really going on is to look at
your MTA logs, both at the envelope From address and the source of the
message that is being queried.

We should thus expect to see "Badtrans" in any other messages of this
sort that are brought to our attention.

PHONE: +44 191 222 8209    Computing Service, University of Newcastle
FAX:   +44 191 222 8765    Newcastle upon Tyne, United Kingdom, NE1 7RU.
"Any opinion expressed above is mine. The University can get its own."  
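The MTA-log check the post describes, as an added example (not code from the original post or from MailScanner): correlate each sendmail queue id's envelope From with the relay that delivered it, and flag messages whose sender claims a local domain but arrived from outside. The log lines, the local domain newcastle.ac.uk and the campus address range 198.51.100.0/24 are constructed assumptions.

```python
import ipaddress
import re

# Constructed sendmail 8.x syslog sample (not real log data): two messages
# one second apart from the same outside host, each with a spoofed local
# envelope From, plus one genuinely local message for contrast.
SAMPLE_LOG = """\
Dec  5 12:16:09 mailhost sendmail[4101]: fB5CG9x04101: from=<netskills-admin@newcastle.ac.uk>, size=45120, class=0, nrcpts=1, msgid=<a1@pc42.college.example>, proto=ESMTP, daemon=MTA, relay=pc42.college.example [192.0.2.45]
Dec  5 12:16:09 mailhost sendmail[4103]: fB5CG9x04101: to=<someone@newcastle.ac.uk>, delay=00:00:00, mailer=local, pri=45120, stat=Sent
Dec  5 12:16:10 mailhost sendmail[4105]: fB5CGAx04105: from=<netskills-info@newcastle.ac.uk>, size=45120, class=0, nrcpts=1, msgid=<a2@pc42.college.example>, proto=ESMTP, daemon=MTA, relay=pc42.college.example [192.0.2.45]
Dec  5 12:16:10 mailhost sendmail[4107]: fB5CGAx04105: to=<other@newcastle.ac.uk>, delay=00:00:00, mailer=local, pri=45120, stat=Sent
Dec  5 12:20:31 mailhost sendmail[4120]: fB5CKVx04120: from=<staff@newcastle.ac.uk>, size=2048, class=0, nrcpts=1, msgid=<b1@ws7.newcastle.ac.uk>, proto=ESMTP, daemon=MTA, relay=ws7.newcastle.ac.uk [198.51.100.7]
Dec  5 12:20:31 mailhost sendmail[4122]: fB5CKVx04120: to=<someone@newcastle.ac.uk>, delay=00:00:00, mailer=local, pri=2048, stat=Sent
"""

LOCAL_DOMAINS = {"newcastle.ac.uk"}                        # assumed local domain
LOCAL_NETS = [ipaddress.ip_network("198.51.100.0/24")]      # assumed campus range

# "from=" lines carry the envelope sender and the relay host [ip] that handed
# the message to us; "to=" lines carry the recipients for the same queue id.
FROM_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): from=<(?P<sender>[^>]*)>"
                     r".*relay=(?P<relay>\S+) \[(?P<ip>[\d.]+)\]")
TO_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): to=<(?P<rcpt>[^>]*)>")

def parse_log(text):
    """Group from=/to= records by queue id into one dict per message."""
    msgs = {}
    for line in text.splitlines():
        m = FROM_RE.search(line)
        if m:
            msgs[m["qid"]] = {"time": line[:15], "sender": m["sender"],
                              "relay": m["relay"], "ip": m["ip"], "rcpts": []}
            continue
        m = TO_RE.search(line)
        if m and m["qid"] in msgs:
            msgs[m["qid"]]["rcpts"].append(m["rcpt"])
    return msgs

def is_local_ip(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)

def find_spoofed_local_senders(msgs):
    """Queue ids whose envelope From domain is ours but whose relay is not:
    the pattern behind the misdirected 'sender' warnings in the post."""
    hits = []
    for qid, m in msgs.items():
        domain = m["sender"].rpartition("@")[2].lower()
        if domain in LOCAL_DOMAINS and not is_local_ip(m["ip"]):
            hits.append(qid)
    return sorted(hits)

if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for qid in find_spoofed_local_senders(parsed):
        m = parsed[qid]
        print(f"{m['time']} {qid}: from=<{m['sender']}> via {m['relay']} [{m['ip']}] to {m['rcpts']}")
```

On the sample this reports the two Leeds-style messages and not the genuinely local one, which is the same split the post's colleague had to make by hand.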

More information about the MailScanner mailing list