Subject: returned mail (spam) that I did not send
Category: Computers > Internet
Asked by: joli-ga
List Price: $10.00
Posted: 20 Jun 2002 00:36 PDT
Expires: 27 Jun 2002 00:36 PDT
Question ID: 29620
I have three Internet domains, and recently, I have been getting several returned e-mails a day saying something like the following:

"
    Delivered-To: myemailaddress@myhost.net
    Date: Wed, 19 Jun 2002 22:37:37 -0400 (EDT)
    From: postmaster <postmaster@mydomain.com>
    To: webmaster@mydomain.com
    Subject: Returned mail--"OBJECTS "
    X-Apparently-From: somebodyiveneverheardof@somedomain.com
    Content-Type: text/html;

    The following mail can't be sent to somebodyelseiveneverheardof@someotherdomain.com:

    From: webmaster@mydomain.com
    To: thesomebodyelseiveneverheardof@thesomeotherdomain.com
    Subject: OBJECTS

    The file is the original mail
    Norton AntiVirus Deleted1161.txt
"

(I've removed all actual e-mail addresses from the above, but you get the idea.)

Now, it appears to me that somebody is sending out viruses with a return to address using one of my domains. (I'm also getting these back with straight-up spam as content.)

My questions are:

Is this happening to all (or many) webmasters?
What can I do about it?
What should I do about it?
Is there a way to tell who it really came from?
Is there a way to protect myself from this happening again?
Is there a way to protect my domain from people thinking I am spamming them?

Thanks
Subject: Re: returned mail (spam) that I did not send
Answered By: fons-ga on 20 Jun 2002 00:57 PDT

Thanks for your question, joli-ga.

I'm running an Internet company myself and unfortunately, you are not the only one suffering from what in this case seems a computer virus infection. To be very sure it is good to show the full messages to a qualified engineer (just like you should go for a disease to a real doctor).

You have to look at two parts of your message.

First, it says that it was refused and deleted because it contained a virus. That does not automatically mean the message came from you, it does not automatically mean your systems are infected, but it is always good to check whether your anti-virus has been updated and scan it anyway.

Second, your return address. Many viruses are able to hide themselves and use not their real return address, but they can select one at random. You can do it yourself in MS Outlook and change your return address into somebody else's. That is not a nice thing to do and might even be illegal, but that is what viruses do. An engineer can probably find the IP address where the original message is coming from, but most likely that belongs only to the poor guy or girl whose computer is really infected (and does not need to know it is sending those emails).

Again: keep your own anti-virus systems updated, be alert, but you will get used to an increasing number of these messages. I would not be afraid of the spam-issue: there is nothing you seem to have done wrong.

Good luck,
Fons
Subject: Re: returned mail (spam) that I did not send
From: paradiddler-ga on 20 Jun 2002 01:26 PDT

I am afraid that what you are experiencing is not at all uncommon! I have seen quite many spammers sending emails with faked From-addresses that point to some domain that I am administering. This has some implications:

1) there is not much you can do about it, as you cannot control what From or Reply-To addresses are being used in the emails
2) spam that is being bounced (because it is detected as spam or contains viruses) is being bounced to your domain, and the amounts can be quite big which can cause problems with your quota, bandwidth, disk space, etc.
3) many victims can actually believe you are responsible for the spam, although you are not the real sender

Fortunately, it is very easy to look at the chain of Received-headers in the spam, and conclude that, apart from the From or Reply-To parts, the email has nothing to do with your domain. By analyzing the Received headers you can see where the spam originated and through which email servers it has passed.

Most spam-detecting programs or services are very good at resolving the actual responsible parties for the spam. You could, e.g., take a look at http://www.spamcop.net where you can sign up for a free service, where you can paste the whole spam (all the headers are important) and have the system analyze it for you and optionally send complaints to the responsible parties (although it will not help you very much).

As for handling the bounces (and possible complaints) arriving to your domain, you probably should implement some filtering that either sends back a standard reply explaining the situation, or ignores the mails. Of course, it helps if the spammer uses some fictive address in your domain and not the webmaster address.. ;)

Subject: Re: returned mail (spam) that I did not send
From: sparky4ca-ga on 20 Jun 2002 01:58 PDT

KLEZ!!

The most likely cause of the problem you are seeing is the Klez worm that is spreading around the internet. What happens is:

Person A has you in their Outlook/Outlook Express address book.
Person A gets the Klez worm on their computer.
Klez sends itself out to everybody in Person A's address book. But each message has a random subject, a random body, and a random return (from:) address.

So some people might get a message that appears to be from you, which contains the Klez worm.

In your case, what is happening is Person A has some invalid or outdated email addresses in their address book. Klez is sending itself to that address with your return address. The mail server reads that, then sends your mail server a message telling it that your message cannot be deleted. Your server faithfully passes this on to you, and Norton sees the virus in the message and deletes it.

There are two things you can do:

1) Check the logs for your Norton, if you have access to them, to confirm what virus it is removing from these messages.
2) Wait until you get an actual message that contains the Klez virus. Use your mail program to view all of the headers for the message. In Netscape 4.x you click on view, headers, all. In Outlook you double click the message to open it, then click on view (I think it's view) and then click on options, and you'll see a window with the headers. Look for a header named <return-path>. I have found that this often contains the email address of the person who is really infected.

Good Luck!

Subject: Re: returned mail (spam) that I did not send
From: suzanne-ga on 20 Jun 2002 08:13 PDT

Hello! I am the Systems Administrator at my job, and we deal with this issue at least once or twice a week. Maybe I, too, can help shed some light on the situation you're having.

1) If you are running your own mail server, make sure you're not an open relay. That's when the spammer sends email through your mail server and using your email address. If you need more information on this, just send a reply to this comment and I can give you more info.
2) It's very important you keep your Norton updated constantly. That way the possibility of a virus is eliminated.
3) Paradiddler hit the nail on the head. I don't think that a virus is causing your issue. What the problem seems to be is the spammer using your email address to fake out the From and Reply-To address. That's the exact problem we have. I have updated all the Internet Explorers (the main browser we use) with the latest security patches, and taking the advice from paradiddler, I'll be filtering the email today.

Our company is really widespread on the Internet, so we expect things like this to happen. I just explain this to the consultants and to my boss. So now they know just to delete it, make a note of the header, and forward that information to me. From there I put it in a folder and take inventory of all the headers to see where they are mostly coming from. Up until now I just kept them, but thanks to paradiddler, I actually have a use for them now!

Hope this little bit of information helps.

Take care,
Suzanne
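
Added example, not part of any of the posts above: a Python sketch of the header checks the comments describe, reading the Received chain and Return-Path of a returned message and tallying origin IPs across saved messages. The sample message, the `.example` hosts, the addresses in the 203.0.113.x and 198.51.100.x ranges and the `MY_MAIL_HOSTS` value are constructed assumptions.

```python
import email
import re
from collections import Counter

# Assumption: hosts that legitimately send mail for the forged domain.
MY_MAIL_HOSTS = {"mail.mydomain.com"}

# Constructed sample: headers of the original message as returned in a bounce.
SAMPLE = (
    "Return-Path: <persona@isp.example>\n"
    "Received: from smtp.isp.example (smtp.isp.example [203.0.113.10])\n"
    "\tby mx.someotherdomain.com with ESMTP; Wed, 19 Jun 2002 22:37:30 -0400\n"
    "Received: from PERSONA-PC (dialup-45.isp.example [198.51.100.45])\n"
    "\tby smtp.isp.example with SMTP; Wed, 19 Jun 2002 22:37:12 -0400\n"
    "From: webmaster@mydomain.com\n"
    "To: somebodyelse@someotherdomain.com\n"
    "Subject: OBJECTS\n"
    "\n"
    "body removed\n"
)

# "from HELO (rdns [ip]) by receiving-host": the common Received layout.
HOP = re.compile(r"from\s+(\S+)\s+\((?:(\S+)\s+)?\[([0-9A-Fa-f.:]+)\]\)\s+by\s+(\S+)")

def received_chain(raw):
    """Hops oldest first. Each server prepends its own Received header."""
    msg = email.message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = HOP.search(value)
        if m:
            hops.append(dict(zip(("helo", "rdns", "ip", "by"), m.groups())))
    return hops

def triage(raw, my_hosts=MY_MAIL_HOSTS):
    """Compare the forgeable From with what the relays recorded."""
    msg = email.message_from_string(raw)
    hops = received_chain(raw)
    return {
        "from": msg["From"],
        "return_path": msg["Return-Path"],
        # Only hops written by servers you trust are reliable; older ones can be forged.
        "origin_ip": hops[0]["ip"] if hops else None,
        "via_my_servers": any({h["by"], h["rdns"]} & my_hosts for h in hops),
    }

def inventory(raw_messages):
    """Count origin IPs across saved messages to see where most come from."""
    return Counter(triage(r)["origin_ip"] for r in raw_messages)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Return-Path records the envelope sender, which the sending side also chooses, so treat it as a lead to check against the Received chain rather than as proof.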