Please folks, this is exactly the reason why you should NOT send bounces in reply to viruses. I'm very disappointed that SuSE is still not aware of the implications of this annoying behaviour. To summarize, only send warnings to authenticated senders, otherwise you might be sending it to a spoofed sender address.

At the same time it is a perfect example of the type of message (and the user) I wrote about just over an hour ago. Obviously he is still connected to this list, so I think it would be worthwhile to run a scan who it is and to unsubscribe him.

As can be seen from the bounce message, the message originated from pD951F606.dip.t-dialin.net [217.81.246.6] too. This system is NOT supposed to send mail on behalf of the 'de-korte.org' domain. And I doubt the HELO 'suse.com' is valid either.

As a side note, it is easy to drop this particular virus by using the Postfix 'smtpd_helo_restrictions' to drop all hosts claiming to be from within your own domain, which you know, are not.

---------- Forwarded Message ----------

Subject: Undelivered Mail Returned to Sender
Date: Friday 04 June 2004 10:20
From: MAILER-DAEMON@suse.de (Mail Delivery System)
To: suse-security@de-korte.org

This is the Postfix program at host hermes.suse.de.

I'm sorry to have to inform you that the message returned
below could not be delivered to one or more destinations.

For further assistance, please send mail to <postmaster>

If you do so, please include this problem report. You can
delete your own text from the message returned below.
                        The Postfix program

<25866@suse.de>: unknown user: "25866"

-------------------------------------------------------
Encapsulated message

Received: from scanhost.suse.de (scanhost.suse.de [10.0.0.5])
        by hermes.suse.de (Postfix) with ESMTP id 85C238C9D
        for <25866@suse.de>; Fri, 4 Jun 2004 10:20:20 +0200 (CEST)
Received: by scanhost.suse.de (Postfix, from userid 0)
        id 7B27951E5F; Fri, 4 Jun 2004 10:20:20 +0200 (CEST)
Delivered-To: virus-quarantine
X-Quarantine-id: <virus-20040604-101415-03775-17>
Received: from Cantor.suse.de (cantor.suse.de [195.135.220.2])
        (using TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits))
        (No client certificate requested)
        by hermes.suse.de (Postfix) with ESMTP id 953E669115
        for <25866@suse.de>; Fri, 4 Jun 2004 10:13:46 +0200 (CEST)
Received: from suse.de (pD951F606.dip.t-dialin.net [217.81.246.6])
        by Cantor.suse.de (Postfix) with ESMTP id 4B95668F3BE
        for <25866@suse.de>; Fri, 4 Jun 2004 10:13:32 +0200 (CEST)
From: suse-security@de-korte.org
To: 25866@suse.de
Subject: Re: Your music
Date: Fri, 4 Jun 2004 10:26:56 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Message-Id: <20040604081332.4B95668F3BE@Cantor.suse.de>
X-AMaViS-Alert: INFECTED, message contains virus: Worm.SomeFool.Gen-1
X-Converted-To-Plain-Text: from multipart/mixed by demime 1.1d
X-Converted-To-Plain-Text: Alternative section used was text/plain

Please have a look at the attached file.

[the SUSE virus scanner removed an attachment of type application/octet-stream which had a name of mp3music.pif]
[if you need the message in its original form including all attachments, please ask the SENDER for a version free of viruses]

End of encapsulated message
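Added example, not part of the original post or of any SUSE configuration: the Python below applies the HELO rule from the side note to the Received: headers of the forwarded bounce, permitting clients inside the site's own networks first (as permit_mynetworks would) and rejecting any outside client that greets with the local domain. LOCAL_DOMAIN, MY_NETWORKS, the network ranges and the function names are assumptions chosen for illustration.

```python
import ipaddress
import re

# Assumptions: the protected domain and the networks whose hosts may use it
# in HELO. The ranges are constructed to cover the relays named in the bounce.
LOCAL_DOMAIN = "suse.de"
MY_NETWORKS = [ipaddress.ip_network(n) for n in ("195.135.220.0/24", "10.0.0.0/8")]

# Postfix trace header shape: "from <helo> (<reverse-dns> [<client-ip>])"
RECEIVED_RE = re.compile(r"from\s+(?P<helo>\S+)\s+\(\S+\s+\[(?P<ip>[0-9a-fA-F.:]+)\]\)")

def parse_received(header):
    """Return (helo, client_ip) from a Received: header, or None if it has no SMTP hop."""
    m = RECEIVED_RE.search(header)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m.group("ip"))
    except ValueError:
        return None
    return m.group("helo").lower().rstrip("."), ip

def helo_verdict(header):
    """Trusted clients pass first; outsiders greeting with our own domain are rejected."""
    parsed = parse_received(header)
    if parsed is None:
        return "UNPARSEABLE"
    helo, ip = parsed
    if any(ip in net for net in MY_NETWORKS):
        return "PERMIT"  # own hosts may use the domain in HELO
    if helo == LOCAL_DOMAIN or helo.endswith("." + LOCAL_DOMAIN):
        return "REJECT"  # outside client claiming to be inside the domain
    return "DUNNO"       # no opinion; later restrictions decide

# The four Received: hops from the bounce above, unfolded onto one line each.
SAMPLES = {
    "dialup": "from suse.de (pD951F606.dip.t-dialin.net [217.81.246.6]) by Cantor.suse.de (Postfix) with ESMTP id 4B95668F3BE",
    "relay": "from Cantor.suse.de (cantor.suse.de [195.135.220.2]) by hermes.suse.de (Postfix) with ESMTP id 953E669115",
    "scanner": "from scanhost.suse.de (scanhost.suse.de [10.0.0.5]) by hermes.suse.de (Postfix) with ESMTP id 85C238C9D",
    "local_pickup": "by scanhost.suse.de (Postfix, from userid 0) id 7B27951E5F",
}

if __name__ == "__main__":
    for name, hdr in SAMPLES.items():
        print(f"{name:13s} {helo_verdict(hdr)}")
```

Only the first hop, the dial-up client greeting as suse.de, is rejected; the internal relays pass because the network check runs before the name check.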