[ale] Once again, how about a virus scanner on the mailing list server?

Jim Popovitch jimpop at yahoo.com
Sun Feb 20 18:32:33 EST 2005


On Sun, 2005-02-20 at 12:16 -0500, Jim Patterson wrote:
> Ummm,  Actually, if you read the message that came from postman
> carefully, you will see that the failed message did NOT come from
> James, it is being included as a SAMPLE, so that James can
> diagnose any problems on his side.  I (and presumably, every other
> gmail user) got a similar message from postman because of the
> virus traffic to the list.  I have quoted the relevant parts below.

QMail sends bounces to Mailman (aka ale-bounces at ale.org) and only
Mailman sends bounce-checks.  The fact that you (and possibly other
gmail users) got a similar message just shows that gmail blocked inbound
ALE email after ALE tried to send a virus to multiple gmail users.
After several failed deliveries to gmail users ALE sent a bounce-check
that gmail allowed through.

From ALE's side:

The failed delivery notification came from the QMail MAILER-DAEMON aka
postman/postmaster.  What QMail was saying is that it wasn't able to
deliver a virus infected email, to multiple external recipients, and it
was giving up trying.  It then bounced the offending email back to
Mailman.  Mailman had trouble delivering *MANY* emails to James (because
gmail was now temporarily blocking ALE email), not just this one
particular one.  It tried several times and finally sent one last
bounce-check before setting James' subscription to nomail.  The
bounce-check included a sample copy of one email it was trying to deliver
to james.sumners at gmail.com ... the particular last email just so
happened to be the QMail notification, showing the failed delivery
targets, including a copy of the virus.

Did the virus come directly from James Sumners?  Probably not, the odds
are highly against it.  

Does it have the appearance of coming from James Sumners?  Yes, after
all Mailman returned to him a virus laden email as undeliverable.  It
only sends these back to the "sender" (which can easily be spoofed).

The source IP of the original virus email, as reported to QMail, is
202.9.146.122 (India).  Presumably someone in India sent spam to ALE
using James' email address. (not a surprising thing)  There is no way to
absolutely prevent this from happening, but a good start is to use a
combination of clamav, spamassassin, and demime to keep inbound garbage
at bay.

-Jim P.



