To: Jared Pritchard <[EMAIL PROTECTED]>
Cc: Slug List <[EMAIL PROTECTED]>
Subject: Re: [SLUG] Server being used to relay emails
In-Reply-To: <[EMAIL PROTECTED]>
X-Nihilism: Consistency is all I ask... Give us this day our daily mask.
X-GPG-Key: 1024D/77625870
X-GPG-Fingerprint: B141 CD1A 4603 1CD7 6D64 EFBF D256 C568 7762 5870
On Fri, Apr 30, 2004, Jared Pritchard wrote:
> We are getting reports back from other servers on the net saying our
> message from something like [EMAIL PROTECTED] was rejected
> because of an attached virus.
>
> Has anyone got ANY idea on what could be happening? Has our linux
> server got a virus? (!?!!?!!) Is someone using our machine as an open
> relay? (I did take steps to stop that, and abuse.net reports our
> server as fine) Are our WinXP machines infected regardless of our
> anti-virus software?

This message alone is not a positive sign that you're running an open relay. It's just as likely that this is happening:

1. Someone else totally unrelated to you, let's call him Billy, has a nasty Outlook virus.

2. A virus uses Billy's machine to send copies of itself to every email address in Billy's address book, web cache etc etc, including [EMAIL PROTECTED]

   BUT... the nasty virus also does not set the sender to [EMAIL PROTECTED] because that wouldn't be sufficiently nasty. (Insert evil laugh.) Instead, it chooses ANOTHER email address, [EMAIL PROTECTED], out of Billy's address book and sets the sender to [EMAIL PROTECTED]

3. example.net uses an overzealous virus filter that is unaware of the fact that the sender address was faked. Many commercial virus filters are pretty obtuse in this respect[1]. When the virus from Billy arrives for [EMAIL PROTECTED], the overzealous virus filter sends a warning to [EMAIL PROTECTED] informing it that it sent a virus, when in fact no such thing happened. Hence your message.

This is the most likely scenario to explain what's going on. Other people may have suggestions about double-checking that your mail server is not an open relay.

It also wouldn't hurt to filter your users' incoming mail for viruses and dump any viruses BEFORE they arrive in users' mail boxes, for extra safety (and because your users won't have to delete virus after virus the next time a wave of them arrives).
The combination of amavis and clamav is good for this; there are some tips in the last few months of slug archives. Don't set your own mail server to warn senders about viruses though!

-Mary

PS Incidentally, note that most viruses these days bypass the set outgoing mail relay. If your user has told Outlook that their relay is mail.ourdomain.com.au, that doesn't mean that the virus will send its mail there too. Viruses tend to contain their own SMTP server and will try and connect directly to the recipient.

[1] The most common conspiracy theory about why commercial virus checkers don't know about faked senders (when they've been happening for a few years and are now the norm for viruses) is that it's nice free advertising: convincing some totally innocent person that they have a virus and need a virus checker!

--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
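An added example, not part of Mary's post or the SLUG thread: a small Python check for telling the forged-sender scenario above apart from mail that really went through your relay. It walks the Received: chain of the original message that a remote virus filter attached to its warning and looks only at the "by" clause of each hop, since the "from" clause is just the HELO string the sending client chose. The relay names, hostnames and both sample messages are constructed for the example.

```python
import re
import email
from email import policy

# Assumed: hostnames/IPs that appear in a "by ..." clause when mail really
# passes through our relay. If no hop was accepted by one of these, the
# message never touched our server, whatever its From: header claims.
OUR_RELAYS = {"mail.ourdomain.com.au", "203.0.113.5"}

# Constructed sample of the original a remote filter attached to its warning:
# From: claims ourdomain.com.au, but the oldest hop was accepted straight from
# a dial-up host by example.net's MX (the "from ourdomain.com.au" is just HELO).
BACKSCATTER_ORIGINAL = """\
Received: from mx1.example.net (mx1.example.net [192.0.2.10])
\tby filter.example.net with ESMTP id abc123; Fri, 30 Apr 2004 10:00:00 +1000
Received: from ourdomain.com.au (dialup-57.isp.example [203.0.113.57])
\tby mx1.example.net with SMTP id xyz789; Fri, 30 Apr 2004 09:59:58 +1000
From: someone@ourdomain.com.au
To: billy-friend@example.net
Subject: Important document

(virus attachment would be here)
"""

# Constructed contrast case: same From:, but our relay really accepted it,
# so the infected machine is on our side and worth looking at.
RELAYED_ORIGINAL = """\
Received: from mail.ourdomain.com.au (mail.ourdomain.com.au [203.0.113.5])
\tby mx1.example.net with ESMTP id def456; Fri, 30 Apr 2004 10:01:00 +1000
Received: from winxp-pc.ourdomain.com.au (winxp-pc [10.0.0.23])
\tby mail.ourdomain.com.au with ESMTP id ghi012; Fri, 30 Apr 2004 10:00:58 +1000
From: someone@ourdomain.com.au
To: billy-friend@example.net
Subject: Important document

(virus attachment would be here)
"""

BY_HOST = re.compile(r"\bby\s+([\w.\-\[\]:]+)", re.IGNORECASE)


def accepting_hosts(raw_message):
    """Host named in the 'by' clause of each Received: header, oldest hop first."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hosts = []
    # Each hop prepends its Received: line, so reverse to get delivery order.
    for hop in reversed(msg.get_all("Received", [])):
        m = BY_HOST.search(str(hop))
        if m:
            hosts.append(m.group(1).lower())
    return hosts


def classify_virus_warning(raw_message, our_relays=OUR_RELAYS):
    """'relayed_by_us' if one of our relays accepted a hop, else 'forged_sender'."""
    if any(h in our_relays for h in accepting_hosts(raw_message)):
        return "relayed_by_us"
    return "forged_sender"
```

If every warning you receive classifies as forged_sender, the fix is on the remote filter's side, not yours; a relayed_by_us result points at the internal host named in the earliest hop.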
