On Thursday 26 June 2003 18:32, Paulo Melo wrote:
> This is a portion of my log from today. As you can see, before a line with "from=<>" there is one before it with an attempt for a non-existent user. The pattern is too strong... to be just only bounced messages:

This looks suspiciously like virus activity, possibly BugBear or something like that. Here is the scenario:

These kinds of viruses replicate by sending themselves to as many e-mail addresses as they can find on the PC they are running on. In the process they fake the return address (to prevent others from warning of an infection) by picking random user names from e-mail addresses they find, combining them with random domain names from other e-mail addresses. In most cases, this combination will not be a valid address.

What you're seeing now is mail servers bouncing messages because a virus scanner detected a virus in e-mails where the virus SMTP engine took your domain name in the faked return addresses. Unless you can stop the virus from sending e-mails, there is basically nothing you can do. Note that the mails are not necessarily sent via your mail server!

Since you appear to receive quite a number of bounces, at least verify that not one or more of your users is infected by such a virus. In that case a relatively high number of messages will have your domain name in the faked return address, as your local users will probably have many others within your domain in their address books.

One way to prevent these viruses from propagating is by only relaying mail from known users.

Best regards,

Arjen

--
51 N 25' 05.1" - 05 E 29' 14.1"
Key fingerprint - 66 4E 03 2C 9D B5 CB 9B 7A FE 7E C1 EE 88 BC 57
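
The pattern discussed in this thread (a null-sender `from=<>` line directly preceded by an attempt at a non-existent user) can be counted mechanically. The following is an added example, not part of the original messages; the log format, host names and addresses are constructed for illustration and do not correspond to any particular mail server.

```python
import re
from collections import Counter

# Constructed sample log in a simplified, hypothetical format.
SAMPLE_LOG = """\
10:01:02 rcpt reject to=<jsmith42@example.org> reason=no-such-user
10:01:02 msg 1001 from=<> relay=mx1.remote-a.test
10:01:09 rcpt reject to=<mary.k@example.org> reason=no-such-user
10:01:09 msg 1002 from=<> relay=mx7.remote-b.test
10:02:30 msg 1003 from=<alice@example.net> relay=mail.example.net
10:03:11 rcpt reject to=<bob99@example.org> reason=no-such-user
10:03:12 msg 1004 from=<> relay=mx1.remote-a.test
10:04:00 msg 1005 from=<> relay=mx2.remote-c.test
"""

REJECT = re.compile(r"rcpt reject to=<([^>]+)> reason=no-such-user")
NULL_SENDER = re.compile(r"from=<> relay=(\S+)")

def find_backscatter(log_text):
    """Return (unknown_recipient, relay) for every null-sender line that
    directly follows a rejected non-existent recipient."""
    hits, prev_unknown = [], None
    for line in log_text.splitlines():
        rejected = REJECT.search(line)
        if rejected:
            prev_unknown = rejected.group(1)
            continue
        bounce = NULL_SENDER.search(line)
        if bounce and prev_unknown:
            hits.append((prev_unknown, bounce.group(1)))
        prev_unknown = None  # the pairing only counts for adjacent lines
    return hits

def summarize(log_text):
    """Count how many bounces target addresses that never existed locally."""
    hits = find_backscatter(log_text)
    return {
        "null_sender_total": len(NULL_SENDER.findall(log_text)),
        "to_unknown_user": len(hits),
        "distinct_unknown_users": len({user for user, _ in hits}),
        "relays": Counter(relay for _, relay in hits),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A high share of bounces addressed to many distinct non-existent users, arriving from unrelated relays, fits the forged-return-address scenario described above rather than ordinary bounces of mail your own users sent.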