We've been getting a lot of questions about emails from ISP's that claim you have sent a virus. (They often include MAILER-DAEMON in the address.)

In almost all cases, these have been false acquisitions.

The problem is quite serious. Someone steals your email identity in one of several ways. Usually, from someone you know's address book or from a webpage. (Many viri automatically harvest all emails addresses on the harddrive. If your email address is someone else's computer that gets a virus, the virus starts pretending it is coming from you. Other programs harvest email addresses from every webpage and do the same thing.)

The first part of this is fraud. It is known as "spoofing" your email address.

After your address has been spoofed, is when the second violation often occurs -- an ignorant security administrator accuses you of sending the virus.

I say ignorant because:
1) if you look at the email header, you can see who really sent the virus.
2) most viri are known to spoof addresses (so anyone in the business should know that... like Klez, etc.)

So, I do not know which violation is worse?

But, we are trying to educate as many people as we can.

Below is a sample of a false acquisition made by AOL and a letter we have sent to AOL.


I am the technical contact for membrane.com (among other domains). I received an email bounce notification from aol.com (partly enclosed below) informing me that a forged message purporting to be from my email address was rejected because it contained a virus.

Please be informed that I did not send the message containing the virus. Neither did any of the mailservers that service membrane.com or indeed, any of the mailservers under our control.

A cursory check of the headers indicates that your mailserver rly-xd04.mx.aol.com received the virus laden message from the IP xx.xxx.xx.xx

This IP address has nothing to do with membrane.com or any of our other domains.

The bounce message I received contained all of the suspect virus.

I do not use software susceptible to such a virus; however other recipients of such bounce messages may very well be vulnerable. I suspect they would respond unkindly to being infected through receiving a misguided bounce notification.

May I suggest that you do not include the entire body of any detected virus, when sending such reject notifications informing hapless souls at an easily forged originating address ?

Given your draconian rules about accepting email from dynamic IPs, I would imagine that you could pay more attention to your own mailserver policies. I have previously informed my clients that they should avoid aol.com email addresses because of such mail acceptance policies. I am afraid that I shall have to advise them to ignore, or at least be very wary of messages to them from your mailservers.


begin included text -- warning -- message may contain parts of a virus

 From MAILER-DAEMON  Tue Jun  3 16:23:43 2003
 Date: Tue, 3 Jun 2003 16:23:07 -0400 (EDT)
 From: Mail Delivery Subsystem MAILER-DAEMON@aol.com
 To: johndoe@membrane.com
 MIME-Version: 1.0
 Content-Type: multipart/report; report-type=delivery-status;
 Subject: Returned mail: Service unavailable
 Auto-Submitted: auto-generated (failure)

 This is a MIME-encapsulated message


 The original message was received at Tue, 3 Jun 2003 16:22:51 -0400 (EDT)
 from  []

 *** ATTENTION ***

 Your e-mail is being returned to you because there was a problem with its
 delivery.  The address which was undeliverable is listed in the section
 labeled: "----- The following addresses had permanent fatal errors -----".

 The reason your mail is being returned to you is listed in the section
 labeled: "----- Transcript of Session Follows -----".

 The line beginning with "***" describes the specific reason your e-mail could
 not be delivered.  The next line contains a second error message which is a
 general translation for other e-mail servers.

 Please direct further questions regarding this message to your e-mail

 --AOL Postmaster

    ----- The following addresses had permanent fatal errors -----

    ----- Transcript of session follows -----
 ... while talking to air-xd02.mail.aol.com.:
***  554 TRANSACTION FAILED - Unrepairable Virus Detected. Your mail has
not been sent.
*** 554 janesmith@aol.com... Service unavailable

 Content-Type: message/delivery-status

 Reporting-MTA: dns; rly-xd04.mx.aol.com
 Arrival-Date: Tue, 3 Jun 2003 16:22:51 -0400 (EDT)

 Final-Recipient: RFC822; janesmith@aol.com
 Action: failed
 Status: 5.0.0
 Remote-MTA: DNS; air-xd02.mail.aol.com
 Diagnostic-Code: SMTP; 554 TRANSACTION FAILED - Unrepairable Virus

Back To The Study

Main Index

The Philadelphia Spirit Experiment Publishing Company
These graphics, images, text copy, sights or sounds may not be used without expressed written consent of the Glistening Web Communications Corporation.