[Actual domain filed off because *lots* of sites have sent me
such bounce messages.]
From: dglenn
To: postmaster@[XXXXX].com
Subject: Your MTA is spreading a virus. Please correct this.
I received the following, apparently from the SMTP daemon
at [XXXXX].com:
> This message was created automatically by mail delivery software.
>
> A message that you sent could not be delivered to one or more of its
> recipients. This is a permanent error. The following address(es) failed:
>
> nobody@[XXXXX].com
> This message has been rejected because it has
> a potentially executable attachment "all_document.pif"
> This form of attachment has been used by
> recent viruses or other malware.
> If you meant to send this file then please
> package it up as a zip file and resend it.
>
> ------ This is a copy of the message, including all the headers. ------
Please note (and _correct_) the following problems:
1) The message was *not* sent by me, from one of my computers, or
from my account. Like most modern worms, it forged the From
address. Sometimes very rudimentary checking of the headers
will reveal a forgery (note that the suspicious message was
injected from h134.221.40.162.ip.alltel.net, and not from
radix.net); otherwise assume that if a message is a worm, the
sender will be forged and the _alleged_ sender will not want
a potentially infectious message. I can understand not wanting
to "black hole" any messages, but if a forgery can be detected,
drop it on the floor; and if the forgery is not detectable/uncertain,
at least don't send the _payload_ back.
2) By sending the entire message _including_the_viral_payload_
"back" to me, you _sent_me_a_fresh_copy_ of the worm! Since
it did not originate on one of my machines, it wasn't already
*here* until your MTA "helpfully" mailed it to me in a bounce
message. If you're bouncing a message because it's almost
certainly a worm, strip the payload out. If the sender really
did mean to send a binary (and it's innocuous) they'll still
have the file handy to resend, and they probably don't need a
new copy coming over their net connection.
3) The instruction to package binaries in a zip file is actually
less helpful than it sounds. The latest worms (such as Beagle)
send their payloads in zip files. With a password no less.
Perhaps forwarding a message to the intended recipient asking
"Were you _expecting_ a binary file from this user?" and
requiring some sort of handshake between both ends will be
safer than merely trusting zipped attachments. OTOH, if your
network is a "work only" environment (that is, if you're not
an ISP), a flat "no executable attachments" policy may make
the most sense (with a mail-sanitizer that knows how to look
inside zip files). Or designate a few users who may actually
have a valid reason to receive executables, and make sure
those users are *educated* regarding proper caution and
avoidance of worms.
In any event, I do not appreciate your system having mailed me a
copy of a worm/virus/trojan, and I find it rather ironic that it
did so _in_the_name_of_ virus _protection_. I get plenty of copies
directly; I do *not* need additional copies from easily-fooled
MTAs. Please fix your configuration accordingly. Thank you.
-- D. Glenn Arthur Jr.
Here is the mostly-complete message, showing all headers and
quoted headers, but minus the PIF attachment (no point in
sending that around _again_):
[etc.]
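As an added illustration of points 2 and 3 above (example code, not part of the original mail or of any MTA's own filter): an MTA-side check that flags executable attachments, including ones inside zip files, and builds a bounce that quotes only the original headers rather than echoing the payload back to the probably forged sender. The sample message, the example.com/example.org/example.net names, and all extensions other than .pif are constructed for the example.

```python
import io
import zipfile
from email.message import EmailMessage

# ".pif" comes from the original bounce; the rest are assumed additions.
EXEC_EXTENSIONS = (".pif", ".exe", ".scr", ".bat", ".com", ".vbs")

def executable_attachments(msg):
    """Executable attachment names, looking inside zips too (a zip's file
    list stays readable even when the contents are password-protected)."""
    found = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        if name.lower().endswith(EXEC_EXTENSIONS):
            found.append(name)
        elif name.lower().endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    found += [f"{name}:{n}" for n in zf.namelist()
                              if n.lower().endswith(EXEC_EXTENSIONS)]
            except zipfile.BadZipFile:
                found.append(f"{name}:<unreadable zip>")
    return found

def headers_only_bounce(msg, failed_rcpt, attachments):
    """DSN text quoting the original headers (so the Received chain can be
    checked) but never the body or the attachment bytes."""
    headers = "\n".join(f"{k}: {v}" for k, v in msg.items())
    return (f"Delivery to {failed_rcpt} failed: potentially executable "
            f"attachment(s) {', '.join(attachments)} were rejected and dropped.\n"
            "------ Headers of the rejected message ------\n" + headers + "\n")

def build_sample():
    """Constructed worm-like message: forged From, a .pif and a zip with an .exe."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("invoice.exe", b"MZ not a real binary")
    m = EmailMessage()
    m["Received"] = "from h1.example.net ([192.0.2.5]) by mx.example.com"
    m["From"] = "victim@example.org"  # forged, as in the original complaint
    m["To"] = "nobody@example.com"
    m["Subject"] = "Document"
    m.set_content("See attached.")
    m.add_attachment(b"MZ not a real binary", maintype="application",
                     subtype="octet-stream", filename="all_document.pif")
    m.add_attachment(zbuf.getvalue(), maintype="application",
                     subtype="zip", filename="docs.zip")
    return m
```

Running `headers_only_bounce(build_sample(), "nobody@example.com", executable_attachments(build_sample()))` yields a notice that names both offending files and the original headers, with neither the body text nor the attachment bytes included.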