
Help! 1,500+ virus emails


Jon12345

1:41 pm on Sep 18, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I have received over 1,500 virus emails in the last 12 hours and it is continuing.

I get the following typical messages:

Undeliverable: Congrats! - System Administrator

Returned mail: see transcript for details: Mail Delivery Subsystem

etc.

They have attachments such as:

details.txt

You there?

Hey

Let's help you

How can I diagnose what this virus/worm/trojan is? I ran Norton Virus checker 2003 but it did not find a thing.

Regards,

Jon

dazz

1:50 pm on Sep 18, 2003 (gmt 0)

10+ Year Member



I had loads of the Sobig virus but I haven't received any of what you mentioned!

I really hope you're not seeing another major attack! Good luck!

bcolflesh

1:51 pm on Sep 18, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Sounds like you are getting the returns from a spam that was sent with your address as the Return-Path. Likely a scanner on the recipients' end has removed any infected attachments or plain-text'd them.

PCInk

1:56 pm on Sep 18, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



You can set up a mail rule to automatically delete them (possible in many email clients). Then, when they've all gone, change the rule to delete them from the server - your email client will not attempt to download the message but send a message back to delete them from the server (much quicker).

Something along the lines of:
* Subject line: contains "Undeliverable:"
* Has an attachment
* Delete from server

If you are scared to do this, use a rule to move them to a different folder, so your normal emails are separate and you can read them easily. You can delete the contents of the other folder quickly after scanning for genuine mails.
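The rule above, as an added example written for this page rather than taken from the post or from any mail client: a small Python filter that parses a raw message and applies the same two conditions (subject contains one of the bounce prefixes seen in the thread, and the message has an attachment), with a quarantine switch for the "move to a different folder" variant. The two sample messages, the domain names and the folder name "Bounces" are constructed for the example.

```python
import email
from email import policy

# Subject prefixes reported on the bounces in the thread. Matching is "contains",
# as the post describes, so the attachment check is what keeps real mail safe.
BOUNCE_SUBJECT_PREFIXES = ("Undeliverable:", "Returned mail:")

# Constructed sample messages (not from the thread). The first is a bounce of the
# kind described; the second is a genuine reply that mentions "Undeliverable:" in
# its subject but carries no attachment, so the rule must leave it alone.
BOUNCE_RAW = """\
From: Mail Delivery Subsystem <MAILER-DAEMON@mx.example.net>
To: asdr345@mydomain.example
Subject: Undeliverable: Congrats!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your message could not be delivered to one or more recipients.
--b1
Content-Type: text/plain; name="details.txt"
Content-Disposition: attachment; filename="details.txt"

(infected part removed by the recipient's scanner)
--b1--
"""

LEGIT_RAW = """\
From: colleague@partner.example
To: jon@mydomain.example
Subject: Re: Undeliverable: that quote you sent
Content-Type: text/plain

Got it the second time, thanks.
"""


def has_attachment(msg) -> bool:
    """True if any MIME part of the message is flagged as an attachment."""
    return any(part.get_content_disposition() == "attachment" for part in msg.walk())


def classify(raw: str, quarantine: bool = False) -> str:
    """Apply the rule from the post: bounce-style subject AND an attachment.

    Returns "delete", or "move:Bounces" when quarantine=True, for a match;
    "keep" for everything else.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    if any(p in subject for p in BOUNCE_SUBJECT_PREFIXES) and has_attachment(msg):
        return "move:Bounces" if quarantine else "delete"
    return "keep"


if __name__ == "__main__":
    for name, raw in (("bounce", BOUNCE_RAW), ("legit", LEGIT_RAW)):
        print(name, "->", classify(raw), "/", classify(raw, quarantine=True))
```

Run it as-is to see the bounce classified "delete" (or "move:Bounces" in quarantine mode) and the genuine reply classified "keep". Deciding on the full message is fine for a client-side rule; a server-side "delete without download" rule only has headers to go on, so there the attachment condition has to be approximated from the Content-Type, which is one reason to start with the quarantine folder and review it first.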

engine

1:56 pm on Sep 18, 2003 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



FYI, this is a variant of the Yaha worm, "E" I believe.

dmorison

2:14 pm on Sep 18, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Jon -

Like bcolflesh said; these are most likely bounces received by you because a spammer has used some random_address@yourdomain.com as the Reply-To and / or From address in their spam.

Out of interest, are the original recipients shown as @aol.com addresses?

I think there is a mass spamming attempt targeting AOL users going on at the moment; and in an attempt to make each spam look different they are using From addresses at virtually every domain they can get their hands on.

I have had to remove MX records from a number of my domains because of this.

Incidentally; does anybody more knowledgeable than me on the default workings of an SMTP server know whether the from/reply-to address _has_ to be valid in order for the server to accept the mail?

It seems spammers are forging headers not as per the original definition of a "joe job" (where you make the entire spam look like it has come from your victim), but simply to relieve the spammer of having to deal with the thousands of bounce messages and abuse complaints.

If an SMTP server does not require a valid address, why not just forge a non-existent domain? This meets the spammer's objective of not having to deal with the backlash, and saves annoying the innocent owner of the domain name they forged.

[edited by: dmorison at 2:23 pm (utc) on Sep. 18, 2003]

bcolflesh

2:16 pm on Sep 18, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I have had to remove MX records from a number of my domains...

Drastic! - how many messages per hour are you talking about?

dmorison

2:20 pm on Sep 18, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Drastic! - how many messages per hour are you talking about?

Oh, not many - they're dormant domains and I just can't be bothered with them!

Jon12345

2:24 pm on Sep 18, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Just noticed that all the To addresses are things like:

asdr345@mydomain.com

sdfg890809@mydomain.com

Does this mean a spammer has used lots of different names so that it is sent from XXX@mydomain.com?

Won't this mean I will be blacklisted by loads of SpamCop-type filters?

Jon

dmorison

2:30 pm on Sep 18, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Just noticed that all the To addresses are things like:
asdr345@mydomain.com

sdfg890809@mydomain.com

If they are the "To:" address of the messages that you are receiving that contain the subject line "Undeliverable: ...", then it is exactly what myself and bcolflesh are talking about; because those were the original From / Reply-To in the spam that is being bounced.

Won't this mean I will be blacklisted by loads of SpamCop-type filters?

Shouldn't do. The anti-spam community are well aware that spammers forge From / Reply-To headers and do not go around blocking domain names. What they will look at is the IP address of servers used in the sending of the spam (as this can identify a currently open relay) - and it is these that will be blacklisted.

[edited by: dmorison at 2:32 pm (utc) on Sep. 18, 2003]

bcolflesh

2:30 pm on Sep 18, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Won't this mean I will be blacklisted by loads of SpamCop-type filters?

No, it will be obvious from the headers that the email is not really coming from your domain - unless you have an open relay!
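The point made in the last two posts (blocklists look at the IP addresses in the Received: trail, not at the forged From: domain, and that trail would only implicate you if your own server had relayed the spam) as an added example, not code from anyone in the thread. It parses a constructed bounce that carries the original spam as a message/rfc822 part, walks the original's Received: headers from the recipient's server back to the first hop, and checks whether any hop is one of your own mail servers. All host names, IP addresses and the OUR_MAIL_SERVERS set are made up for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed bounce (not from the thread). The recipient's server returned the spam
# to the forged Return-Path at mydomain.example and attached the original message;
# the original's Received: headers are the trail a blocklist would look at.
BOUNCE_RAW = """\
Received: from mx.bigisp.example (mx.bigisp.example [198.51.100.7])
        by mail.mydomain.example with ESMTP id abc123
From: Mail Delivery Subsystem <MAILER-DAEMON@mx.bigisp.example>
To: asdr345@mydomain.example
Subject: Returned mail: see transcript for details
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="rep"

--rep
Content-Type: text/plain

The original message was received but could not be delivered.
--rep
Content-Type: message/rfc822

Received: from relay.dialup.example ([203.0.113.9])
        by mx.bigisp.example with ESMTP id def456
Received: from unknown (HELO mydomain.example) (192.0.2.44)
        by relay.dialup.example with SMTP id ghi789
From: asdr345@mydomain.example
Reply-To: sdfg890809@mydomain.example
To: someone@bigisp.example
Subject: Congrats!

(spam body)
--rep--
"""

# Hypothetical: addresses of the servers that legitimately send mail for mydomain.example.
OUR_MAIL_SERVERS = {"198.51.100.20"}


def received_ips(msg) -> list:
    """First IPv4 in each Received: header, top (latest hop) to bottom (where it entered)."""
    ips = []
    for hdr in msg.get_all("Received", []):
        m = IPV4_RE.search(str(hdr))
        if m:
            ips.append(m.group(1))
    return ips


def embedded_original(bounce):
    """Return the original message attached to a bounce, or None if there is none."""
    for part in bounce.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None


def analyse_bounce(raw: str, our_servers=OUR_MAIL_SERVERS) -> dict:
    """Summarise who really injected the spam that a bounce is complaining about."""
    bounce = email.message_from_string(raw, policy=policy.default)
    original = embedded_original(bounce)
    if original is None:
        return {"status": "no original message attached"}
    hops = received_ips(original)
    from_domain = parseaddr(str(original.get("From", "")))[1].rpartition("@")[2].lower()
    return {
        "from_domain": from_domain,          # the forged domain in From:
        "hops": hops,                        # IPs the spam actually passed through
        "origin_ip": hops[-1] if hops else None,
        "relayed_by_us": any(ip in our_servers for ip in hops),
    }


if __name__ == "__main__":
    print(analyse_bounce(BOUNCE_RAW))
```

Here the From: domain is mydomain.example but the spam entered at 192.0.2.44 and never touched one of OUR_MAIL_SERVERS, so `relayed_by_us` is False; swapping one of the hop addresses into that set is what the open-relay case looks like. Only the Received: line added by a server you trust is reliable: everything below it was written by the sender's side and can be forged just like the From: address.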