[Shorewall-users] Returned mail: see transcript for details

Aubrey Kilpatrick aubrey at oppcatv.com
Mon Mar 22 14:41:24 PST 2004

Thanks Tom,  I knew you would be able to explain it to me.  Just want to
make sure I'm not one of the systems that causes the problem.

I am going to send a copy of this to my ISP for their information and
records also.



At 02:28 PM 3/22/04 -0800, you wrote:
>Aubrey Kilpatrick wrote:
>> This message had a virus attached to it.  Please check your system to see if
>> it is still sending out the virus with your messages.
>>>Final-Recipient: RFC822; 862568e4 at tivoli.com
>>>Action: failed
>>>Status: 5.1.1
>>>Remote-MTA: DNS; d03mjd01.boulder.ibm.com
>>>Diagnostic-Code: SMTP; 550 5.1.1 <862568e4 at tivoli.com>... User unknown
>>>Last-Attempt-Date: Mon, 22 Mar 2004 15:29:01 -0500
>>>Return-Path: <shorewall-users at shorewall.net>
>>>Received: from e1.ny.us.ibm.com (d01av03.pok.ibm.com [])
>>>	by northrelay01.pok.ibm.com (8.12.10/NCO/VER6.6) with ESMTP id
>>>	i2MKSwDv080188
>>>	for <862568e4 at tivoli.com>; Mon, 22 Mar 2004 15:28:59 -0500
>>>Received: from tivoli.com ([])
>>>	by e1.ny.us.ibm.com (8.12.10/NS PXFA) with ESMTP id i2MKS43a485946
>>>	for <862568e4 at tivoli.com>; Mon, 22 Mar 2004 15:28:26 -0500
>>>Message-Id: <200403222028.i2MKS43a485946 at e1.ny.us.ibm.com>
>>>From: shorewall-users at shorewall.net
>As you can see above, this message appears to have originated from a 
>system masquerading as tivoli.com (; it has a bogus From: 
>address (and I suspect that the envelope sender was forged as well). 
>There is a difference of opinion about the name of the IBM system which 
>may indicate that the lower received header is also forged.
>What is most important to notice is that shorewall.net is nowhere in the 
>original send headers.
>>>To: 862568e4 at tivoli.com
>>>Subject: Hello
>>>Date: Mon, 22 Mar 2004 21:08:00 +0100
>>>MIME-Version: 1.0
>>>Content-Type: multipart/mixed;
>>>	boundary="----=_NextPart_000_0016----=_NextPart_000_0016"
>>>X-Priority: 3
>>>X-MSMail-Priority: Normal
>>>Try this game ;-)
>> FAQ: http://www.shorewall.net/FAQ.htm
>What ended up getting posted on the mailing list was the bounce 
>notification, not the virus itself. I get dozens of these a day (in 
>addition to the 100s I get from bounced Italian spam sent to Russia!!!) 
>and most of them are dropped here at my server; looks like one sneaked 
>through. With so many viruses forging sender addresses, it is criminal 
>for mail admins to continue to configure their AV software to send DSNs 
>like this.
>Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
>Shoreline,     \ http://shorewall.net
>Washington USA  \ teastep at shorewall.net
>Shorewall-users mailing list
>Post: Shorewall-users at lists.shorewall.net
>Support: http://www.shorewall.net/support.htm
>FAQ: http://www.shorewall.net/FAQ.htm
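
The header check described in the quoted reply, as an added example that is not part of the original thread: it parses the headers a bounce returns and reports whether the domain in From: appears anywhere in the Received: chain, whether a hop's announced name disagrees with the name the receiver recorded, and whether the earliest hop announced itself as the recipient's own domain. The sample headers, host names, addresses and function names are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: headers a bounce returns, shaped like the ones quoted
# above. All hosts, addresses and IPs are placeholders, not from the thread.
RETURNED_HEADERS = """\
Return-Path: <list-users@list.example.org>
Received: from relay-a.example.net (relay-b.example.net [192.0.2.10])
\tby inbound.example.net (8.12.10) with ESMTP id AAA111
\tfor <nobody@victim.example.net>; Mon, 22 Mar 2004 15:28:59 -0500
Received: from victim.example.net ([198.51.100.7])
\tby relay-a.example.net (8.12.10) with ESMTP id BBB222
\tfor <nobody@victim.example.net>; Mon, 22 Mar 2004 15:28:26 -0500
From: list-users@list.example.org
To: nobody@victim.example.net
Subject: Hello
"""

# "from <announced name> (<what the receiver saw>) by <receiving host>"
HOP = re.compile(r"from\s+(\S+)\s+\(([^)]*)\)\s+by\s+(\S+)")

def received_hops(text):
    """(announced_name, peer_info, receiving_host) per hop, newest first."""
    msg = message_from_string(text)
    found = (HOP.search(raw) for raw in msg.get_all("Received", []))
    return [tuple(g.lower() for g in m.groups()) for m in found if m]

def analyse(text):
    """Compare the claimed sender with what the Received: chain records."""
    msg = message_from_string(text)
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    rcpt = parseaddr(msg.get("To", ""))[1].rpartition("@")[2].lower()
    hops = received_hops(text)
    # A forged From: domain typically appears in no hop of the delivery path.
    in_path = bool(sender) and any(sender in f for hop in hops for f in hop)
    # Announced name vs. the name the receiving MTA logged for the peer.
    mismatch = []
    for helo, peer, _by in hops:
        rdns = peer.split()[0] if peer.split() else ""
        if rdns and not rdns.startswith("[") and rdns != helo:
            mismatch.append((helo, rdns))
    # Earliest hop (last in the list) announcing the recipient's own domain.
    helo_is_rcpt = bool(hops) and hops[-1][0] == rcpt
    return {"from_domain": sender, "from_domain_in_path": in_path,
            "helo_rdns_mismatch": mismatch,
            "helo_is_recipient_domain": helo_is_rcpt}

if __name__ == "__main__":
    print(analyse(RETURNED_HEADERS))
```

Received: lines below the first trusted relay are written by the sending side and can themselves be forged, so the result is evidence for triage, not proof of origin.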
