I found the following in my inbox, seemingly from MAILER-DAEMON@ my
domain:
<HTML><HEAD></HEAD><BODY>
<FONT></FONT>
This message was created automatically by mail delivery software
(Exim).<BR><BR>A message that you sent could
not be delivered to one or more of its recipients.<BR>This is a permanent
error. The following address(es)
failed:someaddress@fqdn<BR><BR>For further assistance, please contact <
postmaster@yourdomain ><BR>If you
do so, please include this problem report. You can<BR>delete your own text
from the message returned
below.<BR><BR>Copy of your message, including all the headers is
attached<BR></BODY></HTML>
[ Part 2, Message/RFC822 346bytes. ]
[ Not Shown. Use the "V" command to view or save this part. ]
<HTML><HEAD></HEAD><BODY>
<iframe src=cid:wssv height=0 width=0>
</iframe>
<FONT></FONT>
</BODY></HTML>
(formatting munged a bit by linewrapping)
Now, that's not how Exim sends out DSNs, in HTML. Turns out that it's the
work of a new virus, W32/Yaha.E or W32/Lentin.F@mm as it's also known.
(Thanks to Nick FitzG at Virus-L for identifying the critter.)
The virus tries to take advantage of unpatched IE/OE installations, with
the IFRAME code that executes when you view the message.
Thought it might be a good idea to warn the list about these fake DSNs.
--
Juha Saarinen
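
A mail-filter check for the fake DSNs described above, added here as an example and not part of the original post: it flags a message claiming to come from MAILER-DAEMON that carries an HTML part, and separately flags an IFRAME that loads a cid: attachment or is sized to zero. The sample messages, the example.org addresses, the finding labels and the check_bounce name are constructed for illustration.

```python
import email
import re
from email import policy

# Constructed samples (not real captures): a fake HTML DSN modelled on the
# message quoted above, and a plain-text bounce for comparison.
SAMPLE_FAKE = """\
From: MAILER-DAEMON@example.org
Subject: Mail delivery failed
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<HTML><BODY>This message was created automatically (Exim).</BODY></HTML>
--b1
Content-Type: message/rfc822

Subject: test
Content-Type: text/html

<HTML><BODY><iframe src=cid:wssv height=0 width=0></iframe></BODY></HTML>
--b1--
"""
SAMPLE_PLAIN = """\
From: Mail Delivery System <Mailer-Daemon@example.org>
Subject: Mail delivery failed

A message that you sent could not be delivered to one or more of its recipients.
"""
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
CID_SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?cid:""", re.I)
ZERO_RE = re.compile(r"""\b(?:height|width)\s*=\s*["']?0\b""", re.I)

def check_bounce(raw):
    """Return sorted findings for a message claiming to be from MAILER-DAEMON."""
    msg = email.message_from_string(raw, policy=policy.default)
    if "mailer-daemon" not in str(msg.get("From", "")).lower():
        return []
    findings = set()
    for part in msg.walk():  # walk() also descends into message/rfc822 parts
        if part.get_content_type() != "text/html":
            continue
        findings.add("html-part-in-bounce")
        for tag in IFRAME_RE.findall(part.get_content()):
            if CID_SRC_RE.search(tag):
                findings.add("iframe-src-cid")
            if ZERO_RE.search(tag):
                findings.add("zero-size-iframe")
    return sorted(findings)
```

Any non-empty result on a purported bounce is grounds to quarantine the message rather than render it in an HTML-capable mail client.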