Sometimes viruses can’t read either

June 15th, 2005 by Kelson. Posted in Viruses

Over the last few days, one of the viruses going around (probably a Mytob variant) has been trying to send its “Your account is being suspended! Open this file now!” come-ons. It forges the return address as support@example.net, admin@example.net, etc. We block any incoming mail using these addresses before it even gets to our virus scanner.

Now here’s the weird part. We’re also getting bounces sent to another domain we manage, let’s say another-example.com. Both sets are coming from someserver.another-example.com.br!

I think that the virus is finding itself on another-example.com.br and not recognizing the country-specific domain name, misreading it as just another-example.com. It then looks up the mail server, finds our domain, and targets both.
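The misparsing hypothesised above, as an added illustration (not code from the post, and not Mytob's actual code): an address harvester whose regex ends in a short hard-coded TLD list cuts `...another-example.com.br` off after `com`, while an end-anchored match combined with a suffix table attributes the same addresses to the Brazilian domain. The sample text and the miniature suffix table are constructed for the example.

```python
from __future__ import annotations
import re

# Constructed sample of a file a worm might scan on an infected host.
SAMPLE_TEXT = """
Contact: webmaster@someserver.another-example.com.br
Sales: sales@another-example.com.br  See also info@example.net
"""

# Constructed miniature suffix table (assumption); the real-world equivalent
# is the Public Suffix List. It records that .com.br is a registry suffix.
PUBLIC_SUFFIXES = {"com", "net", "org", "br", "com.br", "net.br", "org.br"}

# Flawed harvester: the host must end in one of a few hard-coded TLDs and
# nothing checks what follows, so "...com.br" is truncated after "com".
NAIVE_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)*\.(?:com|net|org))", re.I)

# Corrected harvester: take the whole dotted host and require that no
# further label follows the one the match stopped on.
STRICT_RE = re.compile(r"[\w.+-]+@((?:[\w-]+\.)+[a-z]{2,})(?![\w.-])", re.I)


def naive_domain(host: str) -> str:
    """Last-two-labels rule: wrong for country-code second-level domains."""
    return ".".join(host.lower().split(".")[-2:])


def registrable_domain(host: str) -> str | None:
    """Longest known public suffix plus one label; None if host is itself a suffix."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None


def naive_targets(text: str) -> set[str]:
    """Domains the flawed harvester would go on to resolve and mail."""
    return {naive_domain(m.group(1)) for m in NAIVE_RE.finditer(text)}


def strict_targets(text: str) -> set[str]:
    """Domains a suffix-aware harvester attributes the same addresses to."""
    found = {registrable_domain(m.group(1)) for m in STRICT_RE.finditer(text)}
    return {d for d in found if d}


if __name__ == "__main__":
    print("naive :", sorted(naive_targets(SAMPLE_TEXT)))  # another-example.com wrongly included
    print("strict:", sorted(strict_targets(SAMPLE_TEXT)))
```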

Mytob is supposed to use its own SMTP engine, but the headers show an intranet trail, so maybe they have a proxy that forces all outgoing mail through their server.

Of course, a more mundane explanation might be that someone at another-example.com.br was checking out companies with similar names, and the contact page was sitting in their web cache when the virus arrived. But seriously, which explanation is more interesting?
