In almost all cases, these have been false accusations.
The problem is quite serious. Someone steals your email identity in one of several ways, usually from the address book of someone you know or from a webpage. (Many viruses automatically harvest all the email addresses on the hard drive. If your email address is on someone else's computer and that computer gets a virus, the virus starts sending mail that pretends to come from you. Other programs harvest email addresses from every webpage and do the same thing.)
The first part of this is fraud. It is known as "spoofing" your email address.
After your address has been spoofed is when the second violation often occurs: an ignorant security administrator accuses you of sending the virus.
I say ignorant because:
1) if you look at the email header, you can see who really sent the virus.
2) most viruses are known to spoof addresses (so anyone in the business should know that; Klez, for example).
So, I do not know which violation is worse.
But, we are trying to educate as many people as we can.
Below is a sample of a false accusation made by AOL and a letter we have sent to AOL.
I am the technical contact for membrane.com (among other domains). I received an email bounce notification from aol.com (partly enclosed below) informing me that a forged message purporting to be from my email address was rejected because it contained a virus.
Please be informed that I did not send the message containing the virus. Neither did any of the mailservers that service membrane.com or indeed, any of the mailservers under our control.
A cursory check of the headers indicates that your mailserver rly-xd04.mx.aol.com received the virus-laden message from the IP xx.xxx.xx.xx.
This IP address has nothing to do with membrane.com or any of our other domains.
The bounce message I received contained all of the suspect virus.
I do not use software susceptible to such a virus; however, other recipients of such bounce messages may very well be vulnerable. I suspect they would respond unkindly to being infected through receiving a misguided bounce notification.
May I suggest that you do not include the entire body of any detected virus when sending such reject notifications informing hapless souls at an easily forged originating address?
Given your draconian rules about accepting email from dynamic IPs, I would imagine that you could pay more attention to your own mailserver policies. I have previously informed my clients that they should avoid aol.com email addresses because of such mail acceptance policies. I am afraid that I shall have to advise them to ignore, or at least be very wary of messages to them from your mailservers.
begin included text -- warning -- message may contain parts of a virus
From MAILER-DAEMON Tue Jun 3 16:23:43 2003
Date: Tue, 3 Jun 2003 16:23:07 -0400 (EDT)
From: Mail Delivery Subsystem MAILER-DAEMON@aol.com
To: email@example.com
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="QAC14381.1054671787/rly-xd04.mx.aol.com"
Subject: Returned mail: Service unavailable
Auto-Submitted: auto-generated (failure)

This is a MIME-encapsulated message

--QAC14381.1054671787/rly-xd04.mx.aol.com

The original message was received at Tue, 3 Jun 2003 16:22:51 -0400 (EDT)
from [188.8.131.52]

*** ATTENTION ***

Your e-mail is being returned to you because there was a problem with its delivery. The address which was undeliverable is listed in the section labeled: "----- The following addresses had permanent fatal errors -----".

The reason your mail is being returned to you is listed in the section labeled: "----- Transcript of Session Follows -----".

The line beginning with "***" describes the specific reason your e-mail could not be delivered. The next line contains a second error message which is a general translation for other e-mail servers.

Please direct further questions regarding this message to your e-mail administrator.

--AOL Postmaster

----- The following addresses had permanent fatal errors -----
firstname.lastname@example.org

----- Transcript of session follows -----
... while talking to air-xd02.mail.aol.com.:
DATA
*** 554 TRANSACTION FAILED - Unrepairable Virus Detected. Your mail has not been sent. ***
554 email@example.com... Service unavailable

--QAC14381.1054671787/rly-xd04.mx.aol.com
Content-Type: message/delivery-status

Reporting-MTA: dns; rly-xd04.mx.aol.com
Arrival-Date: Tue, 3 Jun 2003 16:22:51 -0400 (EDT)

Final-Recipient: RFC822; firstname.lastname@example.org
Action: failed
Status: 5.0.0
Remote-MTA: DNS; air-xd02.mail.aol.com
Diagnostic-Code: SMTP; 554 TRANSACTION FAILED - Unrepairable Virus
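The header check that point 1 above and the letter's "cursory check of the headers" describe, as an added example that is not part of the original page or of any AOL or membrane.com tooling: it walks the Received: trail of a constructed message carrying a forged membrane.com From: address, extracts the IP of the first hop, and compares it against a constructed list of relays that legitimately send for that domain (every hostname and IP in the sample is a placeholder).

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a worm on a dial-up host sends mail with a forged
# From: at membrane.com; only the Received: trail shows the real origin.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [203.0.113.9])
\tby inbox.example.org with ESMTP; Tue, 3 Jun 2003 16:22:55 -0400
Received: from membrane.com (dialup-42.isp.example [198.51.100.42])
\tby mx.example.net with SMTP; Tue, 3 Jun 2003 16:22:51 -0400
From: webmaster@membrane.com
To: victim@example.org
Subject: Hi

body
"""

# Relays that legitimately send for the domain (constructed placeholder;
# the domain owner would fill this from their own mail server inventory).
KNOWN_RELAYS = {"membrane.com": {"192.0.2.25"}}

HOP = re.compile(r"from\s+(\S+).*?\[(\d+\.\d+\.\d+\.\d+)\].*?by\s+(\S+)")

def received_chain(raw):
    """Return Received: hops oldest-first as (claimed_name, ip, by_host)."""
    msg = message_from_string(raw)
    hops = []
    for hdr in msg.get_all("Received", []):
        m = HOP.match(" ".join(hdr.split()))  # unfold the header first
        if m:
            hops.append((m.group(1), m.group(2), m.group(3)))
    # Each relay prepends its own Received:, so the last one is the first hop.
    return list(reversed(hops))

def origin_ip(raw):
    """IP that handed the message to the first relay in the chain."""
    return received_chain(raw)[0][1]

def from_domain(raw):
    msg = message_from_string(raw)
    return parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower()

def is_spoofed(raw):
    """True when the first-hop IP is not a relay known for the From: domain."""
    return origin_ip(raw) not in KNOWN_RELAYS.get(from_domain(raw), set())

if __name__ == "__main__":
    for name, ip, by in received_chain(SAMPLE):
        print(f"{ip:>15}  claimed to be {name:<14} -> {by}")
    print("From: domain", from_domain(SAMPLE), "spoofed:", is_spoofed(SAMPLE))
```

The EHLO/HELO name in a Received: line is whatever the sending host claimed; the bracketed IP is what the receiving relay actually saw, which is why the comparison uses the IP.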