
BLU Discuss list archive



what causes spurious email virus rejections?



On Sat, 2003-09-06 at 08:53, Duane Morin wrote:
> Once in a blue moon either I or my wife will get an unexpected email that 
> says "Could not deliver message to <unknown address X> because it 
> contained a virus."  Never heard of that address, never intended to send 
> anything to that address.  
...
> every 
> couple of months?  Should I just ignore it?

Modern viruses, in particular 'Sobig', fake the 'From' address.
They pick a random address either from the infected user's
address book, or from cached web pages.

So someone who had your e-mail address got infected. The virus
picked your e-mail address as 'From' address. The virus is now
getting caught by some recipient and her virus filter is configured
to notify "Senders".

In particular if your e-mail address is posted on some frequently
visited web pages, you will get flooded with these notices. After
Sobig, I had to adjust filters in my mail server to catch literally
thousands of these (procmail is your friend) on the server before
clogging my mail reader.

If anybody here is running a mail server with a virus scanner, I
strongly recommend that you do not send these notices to the sender.
Some scanners allow you to suppress these notices for certain viruses.




-- 
--------------------------------------------------------------
Johannes Ullrich                     jullrich at euclidian.com
pgp key: http://johannes.homepc.org/PGPKEYS
--------------------------------------------------------------
   "We regret to inform you that we do not enable any of the 
    security functions within the routers that we install."
         support at covad.net
--------------------------------------------------------------
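
The receiving-side filtering described above, as an added example that is not part of the original post: it flags virus notices that refer to no Message-ID the local server actually sent. The notice wording, the `SENT_IDS` log and the sample messages are constructed assumptions.

```python
import email
import re
from email import policy

# Assumed wording of scanner notices; tune to what your server receives.
NOTICE_RE = re.compile(r"virus|infected|could not deliver", re.I)
MSGID_RE = re.compile(r"<[^<>\s]+@[^<>\s]+>")

def classify(raw, sent_ids):
    """Return 'backscatter', 'ours' or 'other' for one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if not NOTICE_RE.search(f"{msg['Subject'] or ''}\n{text}"):
        return "other"
    # Message-IDs the notice refers to: threading headers plus the body.
    refs = " ".join(filter(None, [msg["In-Reply-To"], msg["References"], text]))
    return "ours" if set(MSGID_RE.findall(refs)) & sent_ids else "backscatter"

# Constructed: Message-IDs our own server logged as sent.
SENT_IDS = {"<20030905.0001@mail.example.org>"}

FORGED = (  # constructed: notice about mail we never sent
    "From: scanner@filter.example.net\n"
    "To: user@example.org\n"
    "Subject: Could not deliver message\n"
    "\n"
    "Message to <x@example.net> contained a virus.\n"
)
REAL = (  # constructed: notice that cites a Message-ID we did send
    "From: scanner@filter.example.net\n"
    "To: user@example.org\n"
    "Subject: Virus found in your message\n"
    "In-Reply-To: <20030905.0001@mail.example.org>\n"
    "\n"
    "Your attachment was infected.\n"
)
ORDINARY = (  # constructed: normal mail, not a scanner notice
    "From: friend@example.com\n"
    "To: user@example.org\n"
    "Subject: Meeting notes\n"
    "\n"
    "See you Wednesday.\n"
)

if __name__ == "__main__":
    for name, raw in (("FORGED", FORGED), ("REAL", REAL), ("ORDINARY", ORDINARY)):
        print(name, classify(raw, SENT_IDS))
```
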






BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.




Boston Linux & Unix / webmaster@blu.org