Postmaster account sending emails

fenstrat

Technical User
Nov 5, 2002
226
US
It looks like the postmaster account may be sending mail. An email with a virus attached was sent to a user and blocked by GroupShield. It looks like the email came from postmaster but it was received from an external source.
Does anyone know what could cause this?


Microsoft Mail Internet Headers Version 2.0
thread-index: AcMSn9FC5kZ8ENuUQpuuEezrwbew0A==
Received: from mpls-qmqp-02.inet.qwest.net ([63.231.195.113]) by ulysses with Microsoft SMTPSVC(5.0.2195.5329); Sun, 4 May 2003 20:46:50 -0400
Content-Transfer-Encoding: 7bit
Received: (qmail 30651 invoked by uid 0); 5 May 2003 00:20:44 -0000
content-class: urn:content-classes:message
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft Exchange V6.0.6249.0
Received: from mpls-pop-06.inet.qwest.net (63.231.195.6) by mpls-qmqp-02.inet.qwest.net with QMQP; 5 May 2003 00:20:44 -0000
Received: from 0-1pool216-152.nas9.albuquerque1.nm.us.da.qwest.net (HELO Rfuauvvui) (67.0.216.152) by mpls-pop-06.inet.qwest.net with SMTP; 5 May 2003 00:46:16 -0000
From: "postmaster" <postmaster@sjca.edu>
To: <webmaster@sjca.edu>
Subject: Returned mail--"look,my beautiful girl friend"
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="QpgEs0Mu6K510x"
Return-Path: <crucify@qwest.net>
Message-ID: <ULYSSESNMT6658EMJmA00000386@ulysses>
X-OriginalArrivalTime: 05 May 2003 00:46:50.0313 (UTC) FILETIME=[D077FB90:01C3129F]
Date: 4 May 2003 20:46:50 -0400

--QpgEs0Mu6K510x
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

--QpgEs0Mu6K510x
Content-Description: Replaced Blocked File.txt
Content-Type: text/plain;
name="Replaced Blocked File.txt"
Content-Transfer-Encoding: quoted-printable
Content-ID: <G2F2cRoHj94vFM7G8kW>

--QpgEs0Mu6K510x
Content-Type: application/octet-stream;
name="featurefavorites09302[1].jpg"
Content-Transfer-Encoding: base64
Content-ID: <G2F2cRoHj94vFM7G8kW>


--QpgEs0Mu6K510x--
 
Did you find an answer to this problem? I am having the same problem right now.
 
I would suspect that this is the twisted method of a known virus, could likely be "W32.Klez.gen@mm"

here is an excerpt from SARC's web site on Klez:

There have been several reports that, in some cases, if you receive a message that the virus has sent using its own SMTP engine, the message appears to be a "postmaster bounce message" from your own domain. For example, if your email address is jsmith@anyplace.com, you could receive a message that appears to be from postmaster@anyplace.com, indicating that you attempted to send email and the attempt failed. If this is the false message that is sent by the virus, the attachment includes the virus itself. Of course, such attachments should not be opened.

Hope that helps... here is the link to that sarc page:
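
Added example, not part of any post in this thread: a Python check for the pattern the SARC excerpt describes (a From address in your own domain on a message that arrived from outside), run over headers copied from the message in the first post. It assumes `sjca.edu` is the local domain and `ulysses` is the local server name, both read from those headers; the function names are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Headers copied from the message in the first post of this thread,
# with the Received lines in delivery order (newest hop first).
SAMPLE = """\
Received: from mpls-qmqp-02.inet.qwest.net ([63.231.195.113]) by ulysses with Microsoft SMTPSVC(5.0.2195.5329); Sun, 4 May 2003 20:46:50 -0400
Received: from mpls-pop-06.inet.qwest.net (63.231.195.6) by mpls-qmqp-02.inet.qwest.net with QMQP; 5 May 2003 00:20:44 -0000
Received: from 0-1pool216-152.nas9.albuquerque1.nm.us.da.qwest.net (HELO Rfuauvvui) (67.0.216.152) by mpls-pop-06.inet.qwest.net with SMTP; 5 May 2003 00:46:16 -0000
From: "postmaster" <postmaster@sjca.edu>
To: <webmaster@sjca.edu>
Subject: Returned mail--"look,my beautiful girl friend"
Return-Path: <crucify@qwest.net>

"""

def domain(header_value):
    """Lower-cased domain of the address in a header value ('' if none)."""
    return parseaddr(header_value or "")[1].partition("@")[2].lower()

def check_spoofed_local_sender(raw, local_domain, local_hosts):
    """Return reasons a message claiming a local sender looks forged."""
    msg = message_from_string(raw)
    if domain(msg["From"]) != local_domain:
        return []  # not claiming to come from our own domain
    reasons = []
    rp = domain(msg["Return-Path"])
    if rp and rp != local_domain:
        reasons.append(f"Return-Path domain {rp} differs from From domain")
    # The topmost Received header is the one stamped by our own server,
    # so it is the only hop we can trust.
    top = " ".join((msg.get_all("Received") or [""])[0].split())
    m = re.match(r"from (\S+)\s.*?\bby (\S+)", top)
    if m and m.group(2).lower() in local_hosts:
        sender = m.group(1).lower()
        if sender not in local_hosts and not sender.endswith("." + local_domain):
            reasons.append(f"handed to {m.group(2)} by external host {sender}")
    return reasons

if __name__ == "__main__":
    for reason in check_spoofed_local_sender(SAMPLE, "sjca.edu", {"ulysses"}):
        print(reason)
```

Both checks fire on the posted headers: the envelope sender is at qwest.net and the hop recorded by the local server is a qwest.net relay, so the postmaster account on the local server did not originate the message.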
 
Hmm, I don't believe it is a virus. I have done all the scans for virus/trojan/spyware and such. More than what is needed. Anyone else have any ideas?
 