SOBIG collects email addresses from infected systems and fakes the mail from field. If your client addresses were collected somewhere, then they can appear in the from and in the mail_to field. When such a mail is rejected by an AV filter it bounces back to your system even if it was not sent from there, because of a faked from field ...

Yes - this is crazy ....

--Harald

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On behalf of Michael Mehrle
> Sent: Friday, 22 August 2003 20:15
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: [xmail] Re: AW: Re: HEELP - mailserver has been hacked!!
>
> Well, only four people use my mailserver and three of them have patched
> systems and the fourth one runs a Mac. So, I really have no clue where these
> messages come from. Also, I don't receive bounce messages - I only see smtp
> activity in my current smtp log. This is really highly suspect...
>
> ----- Original Message -----
> From: "Harald Schneider" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, August 22, 2003 11:03 AM
> Subject: [xmail] AW: Re: HEELP - mailserver has been hacked!!
>
> > Don't panic. If these mails have one of these subjects
> > Your details
> > Thank you!
> > Re: Thank you!
> > Re: Details
> > Re: Re: My details
> > Re: Approved
> > Re: Your application
> > Re: Wicked screensaver
> > Re: That movie
> >
> > then they are generated by the SOBIG worm. They bounce back to your
> > server and fill up the queue. For details see
> > http://xmailforum.homelinux.net/index.php?showtopic=956
> >
> > --Harald
> >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On behalf of William
> > > Sent: Friday, 22 August 2003 18:44
> > > To: [EMAIL PROTECTED]
> > > Subject: [xmail] Re: HEELP - mailserver has been hacked!!
> > >
> > > > I got a few 'bounced' messages this morning quoting emails that I never
> > > > sent out. Now, I'm tailing my smtp log and it appears somebody is using
> > > > several machines to connect to my server and send out messages:
> > >
> > > Which would mean you have an open relay, not really a hacked machine. I
> > > would change my management port from the default though, which is done via
> > > the registry.
> > >
> > > -
> > > To unsubscribe from this list: send the line "unsubscribe xmail" in
> > > the body of a message to [EMAIL PROTECTED]
> > > For general help: send the line "help" in the body of a message to
> > > [EMAIL PROTECTED]
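As an added example (not from the thread and not XMail code), a small Python classifier that applies Harald's subject list to tell SOBIG backscatter apart from a genuine relay attempt, the confusion at the heart of this thread; the local domain and the sample bounce are constructed values.

```python
import email
from email import policy

# Subjects Harald listed in the thread as generated by the SOBIG worm
SOBIG_SUBJECTS = {
    "your details", "thank you!", "re: thank you!", "re: details",
    "re: re: my details", "re: approved", "re: your application",
    "re: wicked screensaver", "re: that movie",
}
LOCAL_DOMAINS = {"example.com"}  # assumption: domains this server accepts mail for

def _domain(addr: str) -> str:
    """Lower-cased domain of an envelope address such as <user@host> ('' for <>)."""
    return addr.strip("<> ").rsplit("@", 1)[-1].lower()

def _has_sobig_subject(msg) -> bool:
    """True if the Subject, or a quoted 'Subject:' line in the body, is on the list."""
    candidates = [msg.get("Subject", "")]
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        for line in body.get_content().splitlines():
            if line.strip().lower().startswith("subject:"):
                candidates.append(line.split(":", 1)[1])
    return any(c.strip().lower() in SOBIG_SUBJECTS for c in candidates)

def classify(raw: bytes, mail_from: str, rcpt_to: str) -> str:
    """Classify an inbound message from its raw bytes and SMTP envelope.
    sobig-backscatter: a bounce (null or MAILER-DAEMON/postmaster sender) quoting a
    worm subject, i.e. the forged From was blamed, not this server.
    relay-attempt: neither envelope address is local, so accepting it would relay.
    ordinary: everything else."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = mail_from.strip("<> ").lower()
    is_bounce = sender == "" or sender.split("@")[0] in ("mailer-daemon", "postmaster")
    if is_bounce and _has_sobig_subject(msg):
        return "sobig-backscatter"
    if _domain(mail_from) not in LOCAL_DOMAINS and _domain(rcpt_to) not in LOCAL_DOMAINS:
        return "relay-attempt"
    return "ordinary"

# Constructed sample: an AV gateway bouncing a worm mail that forged a local From
SAMPLE_BOUNCE = b"""From: MAILER-DAEMON@av-gateway.example.net
To: alice@example.com
Subject: Undeliverable: virus found

Your message was rejected because it contained a virus. Original headers:
  From: alice@example.com
  Subject: Re: Wicked screensaver
"""
```

A worm mail that is merely addressed to a local user is not backscatter and falls through to "ordinary"; only the bounce of a forged message is flagged.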