Antigen found =*.exe file

Aaron Blosser ablosser@virtuoso.com
Sun, 28 Oct 2001 21:19:24 -0800


FYI, our antivirus software simply calls itself "Antigen" in the "from"
... no @ or anything.

I would posit that the list at xent.com simply appended its own domain
name in some weird and tragic circumstance.  Don't ask me to explain it
further, I can't.  I get copies of the antivirus responses, and I have
the original one it sent out on this, and believe me, nowhere does it
identify itself as antigen@xent.com, so I can only infer that the server
at xent.com added that part itself for some reason.

Regardless of your opinion though, it's perfectly normal and acceptable
for a virus scanner to send messages to the sender and recipient of any
email that it has caught in its filter.  If the sender or recipient
happens to be a list, so what?

I still say it's the list's job to NOT accept emails from
non-subscribers, and I still see that even my messages (I am not a
subscriber) have been showing up in the list archives.

I'm not claiming that I don't know where it came from.  I checked, and
it did come from us, but I also know it doesn't "forge" anything as you
suggest.  But don't take my word for it (I know you won't anyway...
you're not the type to trust anyone, and no, that's not an insult, just
a statement).

> -----Original Message-----
> From: Karl Anderson [mailto:kra@monkey.org]
> Sent: Sunday, October 28, 2001 8:25 PM
> To: Aaron Blosser
> Cc: Karl Anderson; fork@xent.com; mark@is2inc.com
> Subject: Re: Antigen found =*.exe file
>
> "Aaron Blosser" <ablosser@virtuoso.com> writes:
>
> > Did that message look like spam?
>
> It was an unsolicited forgery sent to the fork@xent.com mailing list.
>
> > I have no idea where the message came
> > from except that it looked like someone sent an email to someone on our
> > system that contained an EXE, and the failure message bounced back to
> > the list.
>
> An autoresponder is not a bounce.  An autoresponder that claims to be
> from antigen@xent.com, when in fact it comes from virtuoso.com, is not
> sending bounce messages, it is being annoying.  I admit that I am not
> up to date on bounce message standards - all I know is that Mailman is
> very good at finding bounce messages, including those that conform to
> RFC 1894, and that message doesn't trigger its bounce detection.
>
> > I assume that if someone were going to go to all the trouble of forging
> > some headers, they'd do something far more interesting than send out a
> > message indicating an EXE had been removed from an email.
>
> This appears to be a problem of stupid software, not a stupid human
> problem.  I don't need to know why the software goes to the trouble to
> forge its mail.  All I need to know is that you're the postmaster at
> the site it's originating from, and you admit that you don't have a
> clue about where it comes from.
>
> > I still say it's the list's job to block emails from unsubscribed
> > people, so if an automated bounce made it to the list, that's the list's
> > problem.  I'd be more than happy to block ANY email coming from whatever
> > list this is if you'd just give me the email address of that list (I
> > don't even know if I'm replying to a list or not).
>
> fork@xent.com, be my guest.
>
> --
> Karl Anderson      kra@monkey.org      http://www.monkey.org/~kra/
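
The distinction argued over in this thread, between an RFC 1894 bounce and a virus scanner's autoresponse, can be checked mechanically: an RFC 1894 delivery status notification is a `multipart/report` message with `report-type=delivery-status` and a `message/delivery-status` part. The sketch below is an added example, not part of the thread and not Mailman's detection code; the function name `dsn_recipients` and both sample messages are constructed for illustration.

```python
import email

def dsn_recipients(raw):
    """Return per-recipient DSN fields if raw is an RFC 1894 report, else None."""
    msg = email.message_from_string(raw)
    if msg.get_content_type() != "multipart/report":
        return None
    rtype = msg.get_param("report-type", "")
    if not isinstance(rtype, str) or rtype.lower() != "delivery-status":
        return None
    for part in msg.walk():
        if part.get_content_type() != "message/delivery-status":
            continue
        blocks = part.get_payload()  # parsed as a list of header blocks
        if not isinstance(blocks, list):
            return None
        # The first block holds per-message fields; recipient blocks follow.
        return [{"recipient": b["Final-Recipient"], "action": b["Action"],
                 "status": b["Status"]} for b in blocks if b["Final-Recipient"]]
    return None

# Constructed sample: a well-formed RFC 1894 bounce.
SAMPLE_DSN = """\
From: MAILER-DAEMON@mail.example.net
To: sender@example.org
Subject: Delivery Status Notification (Failure)
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Delivery to the following recipient failed.

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mail.example.net

Final-Recipient: rfc822; nobody@example.net
Action: failed
Status: 5.1.1

--b1--
"""

# Constructed sample: a plain-text scanner notice like the one discussed.
SAMPLE_AUTORESPONSE = ("From: Antigen\nTo: list@example.org\n"
                       "Subject: Antigen found =*.exe file\n"
                       "Content-Type: text/plain\n\n(constructed notice body)\n")
```

A list processor that only recognises structured reports treats the second message as an ordinary post, which is why sender-membership checks matter for such notices.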