cabou
asked on
554 TRANSACTION FAILED - Unrepairable Virus Detected. Your mail has not been
Hi experts,
Since few days peolple are getting spam from my server.
What to do?
-----Original Message-----
From: MAILER-DAEMON@aol.com
To: gholateg@aol.com
Sent: Wed, 25 Oct 2006 11:27 AM
Subject: Returned mail: Service unavailable
The original message was received at Wed, 25 Oct 2006 05:27:31 -0400 (EDT)
from mail.onefamilyfund.org [212.150.194.198]
*** ATTENTION ***
Your e-mail is being returned to you because there was a problem with its
delivery. The address which was undeliverable is listed in the section
labeled: "----- The following addresses had permanent fatal errors -----".
The reason your mail is being returned to you is listed in the section
labeled: "----- Transcript of Session Follows -----".
The line beginning with "<<<" describes the specific reason your e-mail could
not be delivered. The next line contains a second error message which is a
general translation for other e-mail servers.
Please direct further questions regarding this message to your e-mail
administrator.
--AOL Postmaster
----- The following addresses had permanent fatal errors -----
<gholateg@aol.com>
----- Transcript of session follows -----
... while talking to air-mb01.mail.aol.com.:
>>> DATA
<<< 554 TRANSACTION FAILED - Unrepairable Virus Detected. Your mail has not been
sent.
554 <gholateg@aol.com>... Service unavailable
Final-Recipient: RFC822; gholateg@aol.com
Action: failed
Status: 5.0.0
Remote-MTA: DNS; air-mb01.mail.aol.com
Diagnostic-Code: SMTP; 554 TRANSACTION FAILED - Unrepairable Virus Detected.
Your mail has not been sent.
Last-Attempt-Date: Wed, 25 Oct 2006 05:27:49 -0400 (EDT)
Received: from office1.net (mail.onefamilyfund.org [212.150.194.198]) by
rly-mb06.mail.aol.com (v113.6) with ESMTP id MAILRELAYINMB68-6d6453f2df
Wed, 25 Oct 2006 05:27:27 -0400
Date: Wed, 25 Oct 2006 11:33:40 +0200
To: "Gholateg" <gholateg@aol.com>
From: "Nyspiv" <nyspiv@aol.com>
Subject: Sindony
Message-ID: <lpkxnlbpwdazcpvmfax@aol.c
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="--------epubktbe
X-AOL-IP: 212.150.194.198
X-AOL-SCOLL-SCORE: 0:2:420209672:14441827
X-AOL-SCOLL-URL_COUNT: 0
Since few days peolple are getting spam from my server.
What to do?
-----Original Message-----
From: MAILER-DAEMON@aol.com
To: gholateg@aol.com
Sent: Wed, 25 Oct 2006 11:27 AM
Subject: Returned mail: Service unavailable
The original message was received at Wed, 25 Oct 2006 05:27:31 -0400 (EDT)
from mail.onefamilyfund.org [212.150.194.198]
*** ATTENTION ***
Your e-mail is being returned to you because there was a problem with its
delivery. The address which was undeliverable is listed in the section
labeled: "----- The following addresses had permanent fatal errors -----".
The reason your mail is being returned to you is listed in the section
labeled: "----- Transcript of Session Follows -----".
The line beginning with "<<<" describes the specific reason your e-mail could
not be delivered. The next line contains a second error message which is a
general translation for other e-mail servers.
Please direct further questions regarding this message to your e-mail
administrator.
--AOL Postmaster
----- The following addresses had permanent fatal errors -----
<gholateg@aol.com>
----- Transcript of session follows -----
... while talking to air-mb01.mail.aol.com.:
>>> DATA
<<< 554 TRANSACTION FAILED - Unrepairable Virus Detected. Your mail has not been
sent.
554 <gholateg@aol.com>... Service unavailable
Final-Recipient: RFC822; gholateg@aol.com
Action: failed
Status: 5.0.0
Remote-MTA: DNS; air-mb01.mail.aol.com
Diagnostic-Code: SMTP; 554 TRANSACTION FAILED - Unrepairable Virus Detected.
Your mail has not been sent.
Last-Attempt-Date: Wed, 25 Oct 2006 05:27:49 -0400 (EDT)
Received: from office1.net (mail.onefamilyfund.org [212.150.194.198]) by
rly-mb06.mail.aol.com (v113.6) with ESMTP id MAILRELAYINMB68-6d6453f2df
Wed, 25 Oct 2006 05:27:27 -0400
Date: Wed, 25 Oct 2006 11:33:40 +0200
To: "Gholateg" <gholateg@aol.com>
From: "Nyspiv" <nyspiv@aol.com>
Subject: Sindony
Message-ID: <lpkxnlbpwdazcpvmfax@aol.c
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="--------epubktbe
X-AOL-IP: 212.150.194.198
X-AOL-SCOLL-SCORE: 0:2:420209672:14441827
X-AOL-SCOLL-URL_COUNT: 0
BTW, there are 'web-crawler' programs that search web-sites (such as this one) to capture email addresses.
When you make a post that includes actual email addresses, you are exposing those email address to capture.
That really sucks - I know, but it's a fact of Internet life.
When you make a post that includes actual email addresses, you are exposing those email address to capture.
That really sucks - I know, but it's a fact of Internet life.
ASKER
I did not sent any messages but most of the emails addresses that we are getting back are known by our organisation.
also the IP that is writen in the mail from AOL is my sever IP.
also the IP that is writen in the mail from AOL is my sever IP.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
The "unrepairable virus detected" sounds a bit odd; how can a virus be detected before the message is delivered? It'd be nice to, sort of, know, in advance, that a message will be going to be detected as infected (difficult verb mode here) but I'm wary about that comment. Looks a bit like some kind of scam to me.
/RID
/RID
>>also the IP that is writen in the mail from AOL is my sever IP.
do you have any users who have their acct forwarded to their aol accts. If so, that is why aol thinks your server is the origination server
go to, http://postmaster.aol.com/
get your IP whitelisted for one then sign up for the feedback emails. this way anytime emails are determined as spam by aol as well you'll know about it. in this case of course you're trying to track down a mass mailing worm that is most likely on someone elses machine. So if my original assumption is incorrect (that you have accts forwarding to aol accts) then I honestly don't know what to say.
If you suspect one of computers is compromised, Sysinternals TcpView is a great utility to see a live view of all tcp connections going on and you'll see the email connections. Another is to go to www.dnsstuff.com and check your mail servers IP to see if you're on any blacklists. I know when one of my clients got the Stration worm and brought it back inside, took about 24 hours to be put on 5 lists. So you might think about blocking outgoing port 25 at your perimeter as well except for your mail server.
just a few thoughts anyway
do you have any users who have their acct forwarded to their aol accts. If so, that is why aol thinks your server is the origination server
go to, http://postmaster.aol.com/
get your IP whitelisted for one then sign up for the feedback emails. this way anytime emails are determined as spam by aol as well you'll know about it. in this case of course you're trying to track down a mass mailing worm that is most likely on someone elses machine. So if my original assumption is incorrect (that you have accts forwarding to aol accts) then I honestly don't know what to say.
If you suspect one of computers is compromised, Sysinternals TcpView is a great utility to see a live view of all tcp connections going on and you'll see the email connections. Another is to go to www.dnsstuff.com and check your mail servers IP to see if you're on any blacklists. I know when one of my clients got the Stration worm and brought it back inside, took about 24 hours to be put on 5 lists. So you might think about blocking outgoing port 25 at your perimeter as well except for your mail server.
just a few thoughts anyway
Cyclops,
This appears to be a reject of a specific message (or messages), not a domain block.
This appears to be a reject of a specific message (or messages), not a domain block.
younghv, sorry for not being more clear.
AOL WILL block his IP eventually if this is not resolved. This is why you want to make sure to get your IP whitelisted as well as sign up for feedback to you can be aware of things AOL is processing with regards to your IP.
As for this issue, like I mentioned, its a worm that is causing the problem. But this worm will get his IP put onto blacklists regardless of even eliminating this worm and thus he needs to be aware of this. This is very important as it has been stated that aol is picking up his IP. look up dnsstuff.com
http://www.dnsstuff.com/tools/ip4r.ch?ip=212.150.194.198
That IP is on the SBL-XBL list. This is a very serious list to be on. That is what my point was. Sorry if I'm coming off as too offtopic, but I believe that the spam is the least of his worries right now as they are annoyances. Being blacklisted and having legit email blocked is more serious. At least in my mind.
So it needs to be tracked down exactly how that email is getting to aol. The feedback signup will make it so at least for spam messages the headers of blocked emails are sent to you, I assume its the same for virus emails like this. This will help in determining if it actually did orig from his IP or just traverse it with an aol forward or something else.
AOL WILL block his IP eventually if this is not resolved. This is why you want to make sure to get your IP whitelisted as well as sign up for feedback to you can be aware of things AOL is processing with regards to your IP.
As for this issue, like I mentioned, its a worm that is causing the problem. But this worm will get his IP put onto blacklists regardless of even eliminating this worm and thus he needs to be aware of this. This is very important as it has been stated that aol is picking up his IP. look up dnsstuff.com
http://www.dnsstuff.com/tools/ip4r.ch?ip=212.150.194.198
That IP is on the SBL-XBL list. This is a very serious list to be on. That is what my point was. Sorry if I'm coming off as too offtopic, but I believe that the spam is the least of his worries right now as they are annoyances. Being blacklisted and having legit email blocked is more serious. At least in my mind.
So it needs to be tracked down exactly how that email is getting to aol. The feedback signup will make it so at least for spam messages the headers of blocked emails are sent to you, I assume its the same for virus emails like this. This will help in determining if it actually did orig from his IP or just traverse it with an aol forward or something else.
Understood -
The reason I did the whole malware/worm/spoofing discussion was because we got our Exchange Server 'Black-listed' a few years ago (try explaining THAT to a General).
"Spoofing" is probably WHY this is going on.
"White-listing" is definitely WHAT to do next.
Good suggestion
Vic
The reason I did the whole malware/worm/spoofing discussion was because we got our Exchange Server 'Black-listed' a few years ago (try explaining THAT to a General).
"Spoofing" is probably WHY this is going on.
"White-listing" is definitely WHAT to do next.
Good suggestion
Vic
Yeah, better make sure a jeep is nearby :)
>>"Spoofing" is probably WHY this is going on.
agreed, like you mentioned in your post, that is what most viruses/worms do
>>"Spoofing" is probably WHY this is going on.
agreed, like you mentioned in your post, that is what most viruses/worms do
Did you actually send that particular message?
If not, this could just be a case of email address 'spoofing'.
Several versions of 'malware' will capture a bunch of email addresses and then send out infected emails using those stolen email addresses as 'return addresses'.
If that is the case, there is nothing you can do about it.
The infection happens on a computer somewhere in the world with YOUR email address stored on it, and all of the 'warning messages' get sent back to YOU.
If you did send the message, then you need to so a complete update of all your security application definitions (AV and anti-spyware), then re-boot to safe mode, then do a full HDD scan.
Vic