You may have received an undeliverable-mail notification from a mail server (e.g. Mailer-Daemon) saying that an email you sent to someone was rejected because it contains a virus or an unsafe file, even though you never sent such an email!
Such notifications are a side effect of mass-mailing viruses/worms (e.g. Netsky, Bagle). The virus-infected email was sent automatically by the worm itself from an infected computer; that computer is not necessarily yours, and it is not necessarily located in the CityU network. The sender address that appears in the infected email was picked at random by the worm from the address book or mailbox of the infected computer. If your email address was found on that computer, the worm may have used it to forge the sender address. As a standard procedure, when a mail server detects an email carrying a virus or an unsafe file, it rejects the mail and sends an undeliverable notification to the "sender" address. That is why you received an undeliverable notification for an email you never sent.
These worms/viruses have caused a lot of disturbance, annoyance, confusion and misunderstanding for email users and administrators alike. More information about them is available from the following links: http://www.hkcert.org/ , http://www.sophos.com
When you receive such an email undeliverable notification, you can:
(a) If you are sure your computer has not been infected by any virus, you may simply discard the notification.
(b) If you want to find out the source machine of the virus-infected email, look at the copy of the original message headers included in the notification. Each mail relay adds its own "Received:" line at the top of the headers, so the last "Received:" line describes the first hop, i.e. the machine that actually delivered the virus-infected email to the CityU mail gateway. That line has the form "Received: from apparent_hostname (real_hostname [IP_address]) by ...": the apparent_hostname is the name the sending machine claimed for itself, while the real_hostname and IP address were recorded by the mail gateway from the actual connection.
Note: (i) Sometimes the "real_hostname" is absent; in that case the IP address in square brackets still identifies the source. (ii) If the "real_hostname" is present but differs from the "apparent_hostname", trust the "real_hostname".
Example: The following is a sample undeliverable notification. From the last "Received:" line we know that the original virus-infected email was sent by a machine named 056-078.dummy.com with IP address [12.34.56.78]. This machine does NOT belong to CityU. The apparent_hostname "cityu.edu.hk" and the sender email address "50123456@student.cityu.edu.hk" were both made up by the virus: the former is what the infected machine claimed when it connected to the mail gateway, the latter was forged from an address found on the infected machine.
This report relates to a message you sent with the following header fields:
Return-path: <50123456@student.cityu.edu.hk>
Received: from conversion-daemon.mailgw1.cityu.edu.hk by mailgw1.cityu.edu.hk (iPlanet Messaging Server 5.2 HotFix 1.21 (built Sep 8 2003)) id <0HTD00H011A1Q3@mailgw1.cityu.edu.hk> (original mail from 50123456@student.cityu.edu.hk); Fri, 20 Feb 2004 09:50:32 +0800 (CST)
Received: from cityu.edu.hk (056-078.dummy.com [12.34.56.78]) by mailgw1.cityu.edu.hk (iPlanet Messaging Server 5.2 HotFix 1.21 (built Sep 8 2003)) with SMTP id <0HTD11JL77CH5U@mailgw1.cityu.edu.hk> for chantaiman@hotmail.com; Fri, 20 Feb 2004 09:50:30 +0800 (CST)
Date: Fri, 20 Feb 2004 09:43:27 +0800
From: 50123456@student.cityu.edu.hk
Subject: something for you
To: chantaiman@hotmail.com
Message-id: <0HTD00JL81CH5U@mailgw1.cityu.edu.hk>
MIME-version: 1.0
Content-type: multipart/mixed;
boundary="Boundary_(ID_XCKVEQphE4B2OgXVrzzunQ)"
Your message cannot be delivered to the following recipients:
Recipient address: 50123456@student.cityu.edu.hk
Reason: Virus W32/Bagle-E is detected!
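The following script, added here as a worked example and not part of the original FAQ or of CityU's own tooling, automates the check described above: it unfolds the header block, picks the last "Received:" line, and separates the client-claimed apparent_hostname from the relay-observed real_hostname and IP address, preferring the observed values as note (ii) instructs. The header block is the page's sample above (folded across lines the way a mail server emits it); the NO_REVERSE_DNS_HEADERS block, with its mx.example.org and 192.0.2.10 values, is constructed to show the case in note (i) where real_hostname is absent.

```python
import re
from typing import Dict, List, Optional

# The page's sample header block, embedded as test input. Folded across lines
# as a mail server emits it (RFC 5322 continuation lines start with whitespace).
# The hostnames and IP address are the page's own placeholders, not real hosts.
SAMPLE_BOUNCE_HEADERS = """\
Return-path: <50123456@student.cityu.edu.hk>
Received: from conversion-daemon.mailgw1.cityu.edu.hk by mailgw1.cityu.edu.hk
 (iPlanet Messaging Server 5.2 HotFix 1.21 (built Sep 8 2003))
 id <0HTD00H011A1Q3@mailgw1.cityu.edu.hk>
 (original mail from 50123456@student.cityu.edu.hk); Fri, 20 Feb 2004 09:50:32 +0800 (CST)
Received: from cityu.edu.hk (056-078.dummy.com [12.34.56.78])
 by mailgw1.cityu.edu.hk (iPlanet Messaging Server 5.2 HotFix 1.21 (built Sep 8 2003))
 with SMTP id <0HTD11JL77CH5U@mailgw1.cityu.edu.hk> for chantaiman@hotmail.com;
 Fri, 20 Feb 2004 09:50:30 +0800 (CST)
Date: Fri, 20 Feb 2004 09:43:27 +0800
From: 50123456@student.cityu.edu.hk
Subject: something for you
To: chantaiman@hotmail.com
"""

# Constructed edge case (not from the page): the relay could not resolve the
# client's reverse DNS, so only the apparent name and the IP address appear.
NO_REVERSE_DNS_HEADERS = """\
Received: from cityu.edu.hk ([192.0.2.10])
 by mx.example.org with SMTP; Fri, 20 Feb 2004 10:00:00 +0800
From: someone@student.cityu.edu.hk
"""

# Received: from <apparent_hostname> (<real_hostname> [<ip>]) by ...
# The apparent name is whatever the client announced in HELO/EHLO; the part in
# parentheses is what the receiving relay itself observed on the connection.
RECEIVED_RE = re.compile(
    r"^Received:\s*from\s+(?P<apparent>\S+)"
    r"(?:\s*\((?P<real>[^\s\[\]()]+)?\s*\[(?P<ip>[^\]]+)\]\))?",
    re.IGNORECASE,
)


def unfold_headers(raw: str) -> List[str]:
    """Join folded header lines so that each header is one string."""
    out: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line.rstrip())
    return out


def originating_host(raw_headers: str) -> Dict[str, object]:
    """Identify the machine that injected the message into the mail system."""
    received = [h for h in unfold_headers(raw_headers) if h.lower().startswith("received:")]
    if not received:
        raise ValueError("no Received: header in bounce")
    # Every relay prepends its own Received: line, so the last one in the
    # block is the first hop: the client that spoke SMTP to the first relay.
    m = RECEIVED_RE.match(received[-1])
    if not m:
        raise ValueError("unparseable Received: header: " + received[-1])
    apparent, real, ip = m.group("apparent"), m.group("real"), m.group("ip")
    # Postfix and others write "unknown" when reverse DNS fails; treat as absent.
    if real and real.lower() == "unknown":
        real = None
    # Note (ii): trust the observed name over the client's claim. With no
    # observed name, fall back to the IP, which the relay also observed; the
    # apparent name on its own is an unverified claim.
    source = real or ip or apparent
    return {
        "apparent_hostname": apparent,
        "real_hostname": real,
        "ip": ip,
        "source": source,
        # A mismatch is the tell-tale sign of a forged HELO name (it can also be
        # sloppy but legitimate configuration, so treat it as a lead, not proof).
        "apparent_differs": real is not None and real.lower() != apparent.lower(),
    }


def in_domain(hostname: Optional[str], domain: str) -> bool:
    """True if hostname is domain or a subdomain of it ("is this machine ours?")."""
    if not hostname:
        return False
    h = hostname.lower().rstrip(".")
    return h == domain.lower() or h.endswith("." + domain.lower())


def claimed_sender(raw_headers: str) -> Optional[str]:
    """Return-path address, i.e. where the mail server sent the bounce."""
    for h in unfold_headers(raw_headers):
        if h.lower().startswith("return-path:"):
            m = re.search(r"<([^>]+)>", h)
            return m.group(1) if m else h.split(":", 1)[1].strip()
    return None


if __name__ == "__main__":
    info = originating_host(SAMPLE_BOUNCE_HEADERS)
    print("bounce went to :", claimed_sender(SAMPLE_BOUNCE_HEADERS))
    print("claimed host   :", info["apparent_hostname"],
          "in cityu.edu.hk:", in_domain(str(info["apparent_hostname"]), "cityu.edu.hk"))
    print("actual source  :", info["source"], info["ip"],
          "in cityu.edu.hk:", in_domain(str(info["source"]), "cityu.edu.hk"))
```

Run it on the page's sample and the claimed host passes the "is it ours?" check while the actual source (056-078.dummy.com / 12.34.56.78) does not, which is exactly the conclusion drawn in the example above. Before acting on the result, copy the headers from the notification itself rather than retyping them, and remember that only the last "Received:" line added by a relay you trust is reliable; a worm can forge "Received:" lines inside the message body it sends.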
Note: For safety, you should protect all your computers (including your home PC, office PC and notebook computers) with up-to-date anti-virus software. If you are not sure your computer is virus-free, perform a virus scan on it.
IT.ServiceDesk@cityu.edu.hk