[Esd-l] Mysterious failures

Albert McCann amc358 at rcn.com
Fri Jan 30 20:37:13 PST 2004

Our ISP is getting ready to enable spam filtering, and is already virus
filtering. Unfortunately, they are redirecting the infected messages to my
address. We are using the local-rules, and /dev/null-ing the NovArgs. For the
last three days, over 3500 NovArgs were sent to me, where the local rules
and Sanitizer cheerfully ate them, as we added .ZIP to the Mangle list.

Some, though, are getting through. I am seeing occasional messages where the
NovArg virus fake bounce messages are being bounced by real mail servers,
which then 'return' the virus to us. The X-Virus-Pattern-Match: header line
is inserted by our ISP as part of the filtering process on their end, before
the messages are delivered to us. 'steve at septa.org' is a virus-generated
address; we don't have anyone with that address.

Here is a header from one: (text continues below)

Message-Id: <200401301733.i0UHXGAk030255 at diskless11.axs2000.net>
Received: (qmail 29026 invoked for bounce); 30 Jan 2004 17:33:17 -0000
Date: 30 Jan 2004 17:33:17 -0000
From: MAILER-DAEMON at atl.globix.net
To: steve at septa.org
Subject: failure notice
X-Virus-Pattern-Match: MyDoom/Novarg worm

Hi. This is the qmail-send program at atl.globix.net.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<michael at attentionllc.com>: does not like recipient.
Remote host said: 553 <michael at attentionllc.com>... No such user here
Giving up on

--- Below this line is a copy of the message.

Return-Path: <steve at septa.org>
Received: (qmail 29021 invoked from network); 30 Jan 2004 17:33:15 -0000
Received: from unknown (HELO septa.org) (
  by mx01.atl.globix.net with SMTP; 30 Jan 2004 17:33:15 -0000
From: steve at septa.org
To: michael at attentionllc.com
Subject: STATUS
Date: Fri, 30 Jan 2004 12:37:48 -0500
MIME-Version: 1.0
Content-Type: multipart/mixed;
X-Priority: 3
X-MSMail-Priority: Normal

This is a multi-part message in MIME format.

Content-Type: text/plain;
Content-Transfer-Encoding: 7bit

Mail transaction failed. Partial message is available.

Content-Type: application/octet-stream;
Content-Transfer-Encoding: base64
Content-Disposition: attachment;


Note the split Content-Type: and Content-Disposition: lines above. That
attachment isn't seen by the Sanitizer or local-rules, and McAfee is beating
me to death with complaints about infected messages. ;-)

On a slightly different topic: I'd like to publicly thank John Hardin for
the Sanitizer, you have saved me and my employer much grief.

Al McCann
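An added illustration (not from this post, and not the Sanitizer's own code) of why a Content-Disposition: whose filename parameter is folded onto the next physical line can slip past a rule that matches one line at a time, and how unfolding the header block first (joining RFC 2822 continuation lines that begin with a space or tab) restores the match. The sample MIME part, the mangle list and all function names are constructed for the example.

```python
import re

# Constructed sample: the attachment part of a bounced worm message whose
# Content-Type: and Content-Disposition: parameters were folded onto
# continuation lines, as in the bounce quoted above. Not a real capture.
SAMPLE_PART = (
    "Content-Type: application/octet-stream;\n"
    "\tname=\"readme.zip\"\n"
    "Content-Transfer-Encoding: base64\n"
    "Content-Disposition: attachment;\n"
    "\tfilename=\"readme.zip\"\n"
    "\n"
    "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"
)

# Assumed local mangle list (the post mentions adding .ZIP to it).
MANGLE_EXTENSIONS = (".zip", ".exe", ".scr", ".pif")

# A line-oriented rule: expects the filename on the same physical line as
# the header name. [ \t]* deliberately does not cross a newline.
LINE_RULE = re.compile(
    r'^Content-Disposition:[ \t]*attachment;[ \t]*filename="?([^";\r\n]+)',
    re.I | re.M,
)

def unfold_headers(raw):
    """Return the header block as logical lines, joining continuation
    lines (those starting with SP or HTAB) onto the line they extend."""
    head = raw.split("\n\n", 1)[0]
    logical = []
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and logical:
            logical[-1] += " " + line.strip()
        else:
            logical.append(line)
    return logical

def attachment_names_naive(raw):
    """What a per-physical-line match sees: nothing, once the filename
    parameter has been folded onto its own line."""
    return LINE_RULE.findall(raw)

def attachment_names_unfolded(raw):
    """The same rule applied to unfolded logical header lines."""
    return [m for line in unfold_headers(raw) for m in LINE_RULE.findall(line)]

def flagged_names(raw):
    """Attachment filenames whose extension is on the mangle list."""
    return [n for n in attachment_names_unfolded(raw)
            if n.lower().endswith(MANGLE_EXTENSIONS)]
```

Run against SAMPLE_PART, the naive match returns nothing while the unfolded match reports readme.zip and flags it.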

