Why Am I Getting Bounces for Viruses/E-mails I Didn't Send?

by Rob Zorn
from the July 2004 Newsletter

I've been plagued lately by dozens of bounces suddenly dumped in my inbox, telling me that e-mails I have sent to all sorts of strange people could not be delivered, or were rejected because they contained viruses. I've had a few customers inquire about the problem too. We don't recognise the addresses we're supposed to have sent the e-mails to, and the subjects and contents of the bounced e-mails are totally unfamiliar. Many of the bounce messages also contain attachments, and nowadays, when viruses seem to be lurking around every corner, these are also a concern. Just what is going on? Did my computer really send out those e-mails or viruses without my knowledge? Is my computer infected even though I run Norton? What nefarious mischief is about to happen next?

This article will address these concerns. While this sort of thing is becoming an increasingly common nuisance, the good news is that the person receiving the sudden flood of bounce messages probably isn't infected by the virus in question. This is all part of normal virus behaviour, and most people will find that these floods of annoying bounces come and go in bursts. Keep reading to find out why.

Imagine that Fred Blobbybottom, whose e-mail address is fred@blobbybottom.co.nz, gets a virus on his computer. This virus is programmed to send itself on to every e-mail address it can find. But in order to send itself, it needs to include a "from" address. It could use the e-mail address on the machine it has hijacked, but that would be no good. If it did that, then everyone would be able to tell right away that Fred Blobbybottom's computer was infected. Lots of people would tell him and he would get his machine fixed. That would be the end of the virus on Fred's machine.

(Image caption: Mandy was sure something very odd was starting to happen...)

A virus is programmed to hide itself so that it can carry on doing its mischief. So, rather than let everyone know where it lives, it forges the sending address when it sends itself out, and puts another e-mail address into the "from" field. Let's imagine Fred's girlfriend's e-mail address is mandy@mudapple.co.nz. Of course Fred has her in his address book. When the virus on Fred's machine sends itself out, it might send the first 100 copies of itself using Mandy's address in the "from" field. Ninety-five of those first 100 e-mails will probably be delivered successfully to other people. Five or so might bounce, but where will the bounces go? They won't go back to Fred, because the virus didn't use fred@blobbybottom.co.nz as its sending address. Instead, the bounces will go to Mandy's inbox. Poor old Mandy gets all these bounces, and she wasn't even the one who sent out the virus.

There will also be plenty of cases where people with up-to-date virus scanners receive the disguised e-mails sent from Fred's machine. Their virus scanners, such as Norton or AVG, will send the message back saying that it couldn't be delivered because it had a virus attached. Poor old Mandy gets these returns, and it looks to her like she's the one who has been sending out the virus. Even if she's savvy enough about e-mail to know all about what I'm writing here, she isn't able to be of much help to Fred. There is nothing in the bounces or reject messages that makes it immediately obvious that they came from her boyfriend's machine. It's a pickle!
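As an added illustration (not part of the original newsletter), the following Python script takes a constructed bounce of the kind described above and shows the one place where a clue does survive, which goes a little beyond the article: when a scanner attaches the rejected message to its bounce, that message carries the Received headers added by each relay, and the bottom-most one records the machine that actually handed the message in, regardless of what the "from" field claims. The bounce text, host names and the 203.0.113.45 address are made up for the example, and the function names (analyze, first_hop, is_backscatter) are this example's own.

```python
"""Inspect a virus-scanner bounce to see where the rejected message really came from.

Constructed example: the sample bounce, host names and the 203.0.113.45 address
are made up for illustration (203.0.113.0/24 is a documentation address range).
"""
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr
from typing import Optional, Tuple

# Constructed sample: a scanner at example.net refuses a message that claims to be
# from Mandy and sends the bounce, with the original attached, back to her.
SAMPLE_BOUNCE = "\n".join([
    "From: MAILER-DAEMON@example.net",
    "To: mandy@mudapple.co.nz",
    "Subject: Undelivered Mail Returned to Sender",
    "MIME-Version: 1.0",
    'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"',
    "",
    "--b1",
    "Content-Type: text/plain",
    "",
    "The message was rejected because it contains a virus.",
    "--b1",
    "Content-Type: message/delivery-status",
    "",
    "Reporting-MTA: dns; mx.example.net",
    "",
    "Final-Recipient: rfc822; someone@example.net",
    "Action: failed",
    "Status: 5.7.1",
    "--b1",
    "Content-Type: message/rfc822",
    "",
    "Received: from mx.example.net (mx.example.net [192.0.2.10]) by scanner.example.net; Thu, 1 Jul 2004 10:02:11 +1200",
    "Received: from blobbybottom-pc (unknown [203.0.113.45]) by mx.example.net; Thu, 1 Jul 2004 10:02:09 +1200",
    "From: mandy@mudapple.co.nz",
    "To: someone@example.net",
    "Subject: Re: Your document",
    "Content-Type: text/plain",
    "",
    "See the attached file.",
    "--b1--",
    "",
])

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_HOST_RE = re.compile(r"^\s*from\s+(\S+)", re.IGNORECASE)
BY_HOST_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)


def extract_original(raw: str) -> Optional[EmailMessage]:
    """Return the rejected message attached to the bounce, if the scanner included it."""
    bounce = message_from_string(raw, policy=policy.default)
    for part in bounce.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None


def first_hop(original: EmailMessage) -> Tuple[Optional[str], Optional[str]]:
    """Hostname and IP from the earliest Received header (the last one listed).

    Each relay prepends its own Received line, so the bottom-most one records
    the point at which the message first entered the mail system.
    """
    received = original.get_all("Received") or []
    if not received:
        return None, None
    earliest = str(received[-1])
    host = FROM_HOST_RE.search(earliest)
    ip = IP_RE.search(earliest)
    return (host.group(1) if host else None, ip.group(1) if ip else None)


def passed_through(original: EmailMessage, domain: str) -> bool:
    """True if any relay in the Received chain belongs to the given domain."""
    for hdr in original.get_all("Received") or []:
        m = BY_HOST_RE.search(str(hdr))
        if m and m.group(1).rstrip(";,)").lower().endswith(domain.lower()):
            return True
    return False


def analyze(raw: str, own_domain: str) -> dict:
    """Summarise what the bounce really tells us about the rejected message."""
    original = extract_original(raw)
    if original is None:
        return {"has_original": False}
    claimed = parseaddr(str(original.get("From", "")))[1]
    host, ip = first_hop(original)
    return {
        "has_original": True,
        "claimed_from": claimed,
        "origin_host": host,
        "origin_ip": ip,
        "passed_through_own_domain": passed_through(original, own_domain),
    }


def is_backscatter(raw: str, own_domain: str) -> bool:
    """A bounce for a message that never passed through our own relays is
    backscatter from a forged sender address, not evidence of local infection."""
    report = analyze(raw, own_domain)
    return report["has_original"] and not report["passed_through_own_domain"]


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_BOUNCE, "mudapple.co.nz").items():
        print(f"{key}: {value}")
    print("backscatter:", is_backscatter(SAMPLE_BOUNCE, "mudapple.co.nz"))
```

Run against the sample, the report shows the message claiming to be from mandy@mudapple.co.nz was handed in by 203.0.113.45 and never touched a mudapple.co.nz relay, so the bounce is backscatter. Two caveats: a bounce that does not attach the original gives nothing to work with (has_original is False), and the bottom-most Received line can itself be fabricated by the sending program, so only the lines added by relays you trust are reliable.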

It gets more complicated because, as we noted already, the virus is pretty sophisticated at hiding its tracks. It may use Mandy's address for a while to send itself out, but then it will change and use another address it has pilfered from Fred's address book, say the e-mail address from one of his other girlfriends. This way, there aren't too many clues pointing in any one direction that might alert people to the virus's whereabouts. This is why you (or Mandy) might suddenly get inundated with a whole lot of bounce messages for e-mails that you (or she) didn't send, and then they will stop just as suddenly. The virus has finished with using the first address in its "from" field, and is now using someone else's. Don't feel slighted though. You or Mandy will probably get a turn again sometime soon.

Viruses are developed enough these days not to rely solely on the address book of their host machine. Many lurk until they have the opportunity to connect to somewhere else online, so that they can download a fresh set of e-mail addresses to forge as senders. This helps explain why so many of the bogus bounces you receive appear, strangely, to come from overseas, or why the bounce message is sometimes in another language.

Many ISPs, Actrix included, turn the bounce function off on their virus scanners when the virus is known to fake its sending address (which is the case with just about all of them). Unfortunately, not all do this, and that just contributes to the problem. In most cases they'll get around to it eventually, and the barrage of bogus bounces will cease, but it can take time, and there's not a whole lot you can do about it.

Unfortunately, there's also not a whole lot any individual can do to stop this happening to them. The purpose of this article has not been to help you stop it happening, but rather to reassure you that if it does happen, you're probably not the one who's infected or to blame. The best thing you can do is to make sure you don't get infected yourself and so become part of the problem for others. To do this, you need to run up-to-date anti-virus software, and you need to keep your operating system up to date by installing all the security patches available free at http://windowsupdate.microsoft.com.