Where is the virus?

I have a domain that I use for personal email and some other uses. I pick up my email using Yahoo as a client to grab the mail from the POP server. For some time now I have been getting messages from various nonexistent accounts in my domain. They all go to the address I use as that is a catchall account. Each message has a subject line such as "!ClamAV:VIRUS found:Worm.Mytob.CL! Account Alert " and often adds that my account has been suspended. Each message contains a virus, oddly enough with .VIRUS in the file name. No one has reported getting a message with a virus like this from one of my accounts and in no case has the message appeared to come from an actual email account on this domain. So far it has been pretty easy to ignore but where is it coming from? Does my host provider have an infected machine or is someone’s email client infected?

It’s quite possible that someone is forging headers using your domain.

Mytob arrives as an e-mail, usually from an account such as “administrator@yourdomain.com” or “e-mail@yourdomain.com” or various other official-sounding addresses from the same domain that is receiving the virus. The idea is to make it seem like this is an official mailing, so you’ll click on the link.

Thus, if an e-mail was sent by the virus to “youraccount@yourdomain.com,” it would look like an account on your domain was sending it.

The infected computer can be any one that has your e-mail address anywhere on its hard drive (including cached Internet files).

As for the mention of Mytob in the heading, either Yahoo is finding it and warning you, or Mytob itself is giving the virus message to help trick you.

The messages need to be deleted, but it’s unlikely they’re a sign of an infection on your server or anything.

It’s difficult to give a good answer without the full message header. A couple of possible explanations:

  1. Someone has sent you (or rather, a random user on your domain) an email with a virus. The server software has intercepted the virus and informs you of this.

  2. Someone is sending you a virus that is forged to look like an important message from the system administrator, like telling you that a virus has been intercepted. I remember getting quite a lot on various domains during the fall of 2003.

  3. The reply-to path of any email message can easily be altered. Somebody may be distributing viruses with an account on your domain as the reply-to path.

I don’t think anyone is using your account to send messages; you’d probably have heard from someone by now if that was the case.
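Both answers above come down to the same check a mail admin would do with the full header: does the message that claims to be from an address on your domain actually enter your provider's mail system from somewhere your domain's real mail leaves through? The script below is an added example (not code from the original thread or from any of the posters); the two messages, the host names, the addresses and the "known relay" IP are all constructed for illustration, and which relays count as legitimate is an assumption the domain owner has to supply. It walks the `Received:` chain oldest-first, pulls out the first hop's claimed name and IP, and flags a `From:` on your own domain that did not come through a known relay.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed sample (not from the original thread): a lure that claims to come
# from an "official" address on the recipient's own domain. The oldest Received
# header (the bottom one) shows the message was handed to the provider's MX by
# an outside address that merely said HELO as the domain.
FORGED = b"""Received: from mx1.example-host.net (mx1.example-host.net [203.0.113.10])
\tby mailstore.example-host.net with ESMTP id 1A2B3C
\tfor <anything@yourdomain.example>; Mon, 6 Mar 2006 10:00:02 +0000
Received: from unknown (HELO yourdomain.example) (198.51.100.77)
\tby mx1.example-host.net with SMTP; Mon, 6 Mar 2006 10:00:00 +0000
From: administrator@yourdomain.example
To: random-user@yourdomain.example
Subject: !ClamAV:VIRUS found:Worm.Mytob.CL! Account Alert

Your account has been suspended. See the attached file.
"""

# Constructed sample: a genuine message from the domain, submitted through the
# provider's own outbound relay (an address the domain owner knows).
GENUINE = b"""Received: from smtp-out.example-host.net (smtp-out.example-host.net [203.0.113.25])
\tby mx1.example-host.net with ESMTP id 4D5E6F; Mon, 6 Mar 2006 11:00:00 +0000
From: me@yourdomain.example
To: friend@yourdomain.example
Subject: lunch?

Still on for Tuesday?
"""

IPV4 = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")
FROM_CLAUSE = re.compile(r"\bfrom\s+(\S+)", re.IGNORECASE)


def load(raw: bytes):
    """Parse raw RFC 5322 bytes into a message object with unfolded headers."""
    return message_from_bytes(raw, policy=policy.default)


def received_hops(msg):
    """Received headers oldest-first: each relay prepends its own line, so the
    last one in the header block is where the message first entered the mail
    system we can see."""
    return [str(h) for h in reversed(msg.get_all("Received", []))]


def first_hop(msg):
    """(name in the 'from' clause, first IPv4 address) of the oldest hop, or
    (None, None) when the message carries no Received trail at all."""
    hops = received_hops(msg)
    if not hops:
        return (None, None)
    name = FROM_CLAUSE.search(hops[0])
    ip = IPV4.search(hops[0])
    return (name.group(1) if name else None, ip.group(1) if ip else None)


def claims_own_domain(msg, own_domain: str) -> bool:
    """True when the From: address is on own_domain (case-insensitive)."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower() == own_domain.lower()


def looks_forged(msg, own_domain: str, known_senders: set) -> bool:
    """Flag a message whose From: is on own_domain but which entered the mail
    system from an address outside known_senders (the relays the domain's real
    mail leaves through; an assumption the domain owner must fill in).
    A message with no Received trail at all is also flagged."""
    if not claims_own_domain(msg, own_domain):
        return False  # not pretending to be us; this check does not apply
    _, ip = first_hop(msg)
    return ip not in known_senders


if __name__ == "__main__":
    relays = {"203.0.113.25"}  # constructed: the provider's outbound relay
    for label, raw in (("forged", FORGED), ("genuine", GENUINE)):
        m = load(raw)
        verdict = "forged" if looks_forged(m, "yourdomain.example", relays) else "ok"
        print(label, first_hop(m), verdict)
```

Note that only the oldest hop is trustworthy in this sense: the sender can stuff fake `Received:` lines into the message before handing it over, but cannot remove the line your own provider's MX adds on top, so the check is anchored on the hop your provider recorded. If the provider's webmail or the catchall forwarding adds further hops, those go in `known_senders` too.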

… and you can turn off catchall and instead route incoming email to any non-existent accounts to the blackhole. This deletes them automatically.