IT Solutions

Blocking

On the mail servers that receive mail from outside the TU (Mailbastion, Incoming Mailrouter), virus-infected e-mails are rejected by blocking them at the SMTP (Simple Mail Transfer Protocol) level.
In the case of the Incoming Mailrouters, i.e. for recipients in the mail domains @tuwien.ac.at, @student.tuwien.ac.at and @alumni.tuwien.ac.at, this also applies within TUNET! The mail server that attempted to send this e-mail to the TU generates an error message (bounce mail), which is returned to the sender.

Below is an example of such a returned e-mail (in this case generated by the mail transfer agent Sendmail). The following applies:

the sender: Ich@Somewhere.at
the sender's mail server: mail.somewhere.at
bounce e-mail sender: MAILER-DAEMON@somewhere.at
the recipient: User@Subdomain.tuwien.ac.at
the recipient's mail server (Mailbastion host): tuvok.kom.tuwien.ac.at

Date: Thu, 6 Nov 2003 17:16:09 +0100
From: Mail Delivery Subsystem    
To: Ich@Somewhere.at

Subject: Returned mail: Service unavailable
Auto-Submitted: auto-generated (failure)


[-- Attachment #1 --]
[-- Type: text/plain, Encoding: 7bit, Size: 0.3K --]


The original message was received at Thu, 6 Nov 2003 17:16:02 +0100
from User@localhost

   ----- The following addresses had permanent fatal errors -----
User@Subdomain.tuwien.ac.at

   ----- Transcript of session follows -----
... while talking to tuvok.kom.tuwien.ac.at.:
>>> DATA
<<< 554 5.7.1 mail rejected - contains virus or worm signs

or

<<< 554 5.7.1 mail rejected - contains virus or worm signs
554 User@Subdomain.tuwien.ac.at... Service unavailable


[-- Attachment #2 --]
[-- Type: message/delivery-status, Encoding: 7bit, Size: 0.3K --]


Reporting-MTA: dns; mail.somewhere.at
Arrival-Date: Thu, 6 Nov 2003 17:16:02 +0100

Final-Recipient: RFC822; User@Subdomain.tuwien.ac.at
Action: failed
Status: 5.0.0
Remote-MTA: DNS; tuvok.kom.tuwien.ac.at.
Diagnostic-Code: SMTP; 554 5.7.1 mail rejected - contains virus or worm signs
Last-Attempt-Date: Thu, 6 Nov 2003 17:16:09 +0100


[-- Attachment #3 --]
[-- Type: message/rfc822, Encoding: 7bit, Size: 88K --]


From: Ich@Somewhere.at
To: <User@Subdomain.tuwien.ac.at>
Subject: Re: Movies
Date: Sat, 11 Jan 2003 9:51:09 --0500
Importance: Normal
X-Priority: 3 (Normal)

[-- Attachment #1 --]
[-- Type: text/plain, Encoding: 7bit, Size: 0.1K --]

Attached file:
[-- Attachment #2: Sample.pif --]
[-- Type: application/octet-stream, Encoding: base64, Size: 86K --]

[-- application/octet-stream is unsupported (use 'v' to view this part) --]

Recipient alerting

When viruses are received, under certain circumstances the recipient is sent alert mails, which look e.g. as follows (illustrative example, with comments marked by <--).

Note: Recipient alerts do not currently occur in live operation.


From: virusalert@tuwien.ac.at                                
To: someone@any.tuwien.ac.at  <-- recipient address to which the virus mail was addressed!

Subject: VIRUS IN MAIL FOR YOU FROM <office@hotel-gibts-nicht.at>  <--
		(claimed) sender address - often forged/abused!
Date: Fri, 19 Sep 2003 09:05:07 +0200
X-Mailer: Internet Mail Service (5.5.2656.59)
X-MS-Embedded-Report:
  
                           V I R U S  A L E R T
  
Our viruschecker found the
  
        W32/Swen@MM  <-- one or more virus names
  
virus(es) in an email to you from:
  
<office@hotel-gibts-nicht.at>  <-- sender address - often forged (see Subject:)!
  

Delivery of the email was stopped!
  
Please contact your system administrator for details.
  
  
  
For your reference, here are the headers from the email:
  
------------------------- BEGIN HEADERS -----------------------------
Received: from ([193.154.160.152]) <-- the only reliable piece of information: the sending host!
          by tuvok.kom.tuwien.ac.at (via amavis-milter) id h8J74sme003236;
          Fri, 19 Sep 2003 09:05:05 (CEST)
Received: from wgow (dialup147.d1-Spl1.Spln.AT.KPNQwest.net [193.81.54.147])  <-- 
		may be forged; check plausibility via the name service!
        by laweleka.austria.eu.net (8.12.9/8.12.1) with SMTP id
h8J74Nab021183;
        Fri, 19 Sep 2003 09:04:33 +0200 (MEST)
Date: Fri, 19 Sep 2003 09:04:23 +0200 (MEST)
Message-Id: <200309190704.h8J74Nab021183@laweleka.austria.eu.net>
FROM: "Microsoft Public Assistance" <zjxtrgkpbnn@wnnt.msdn.net>  <-- often 
		forged information!
TO: " " <client@wnnt.msdn.net>  <-- often forged information - not used for 
		delivery!

SUBJECT: Last Network Security Update
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="txwsxmnkprqebabjw"
-------------------------- END HEADERS ------------------------------

Sender alerting

As the sender of a virus-infected e-mail - provided the e-mail was actually (knowingly) sent - one receives, depending on which server intercepted the e-mail, the following alert (illustrative example):

Notification to sender xxx@yyy.tuwien.ac.at, whose e-mail to aaa@bbb.tuwien.ac.at was intercepted ...

From MAILER-DAEMON@yyy.tuwien.ac.at  Thu Nov  6 18:32:19 2008
Return-Path: MAILER-DAEMON@yyy.tuwien.ac.at
X-Connecting-Host: mr1-n.kom.tuwien.ac.at [128.130.2.109]
X-Connecting-Addr: 128.130.2.109
X-Sent-To: <xxx@yyy.tuwien.ac.at>
Received: from vc6.kom.tuwien.ac.at (vc6-v.kom.tuwien.ac.at [192.168.3.16])
        by mr.tuwien.ac.at (8.13.7/8.13.7) with ESMTP id mA6HWEAF001591
        for <xxx@yyy.tuwien.ac.at>; Thu, 6 Nov 2008 18:32:14 +0100 (MET)
Received: from localhost (localhost [127.0.0.1])
        by vc6.kom.tuwien.ac.at (8.13.7/8.13.7) with ESMTP id mA6HWEt3013882
        for <xxx@yyy.tuwien.ac.at>; Thu, 6 Nov 2008 18:32:14 +0100
Content-Type: multipart/report; report-type=delivery-status;
        boundary="----------=_1225992733-13762-1"
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0
Subject: VIRUS in message apparently from you (Eicar-Test-Signature)
From: "Content-filter at vc6.kom.tuwien.ac.at" <postmaster@tuwien.ac.at>
To: aaa@bbb.tuwien.ac.at
Date: Thu,  6 Nov 2008 18:32:05 +0100 (CET)

[-- Attachment #1 --]
[-- Type: text/plain, Encoding: 7bit, Size: 0.6K --]

VIRUS ALERT

Our content checker found
    virus: Eicar-Test-Signature

in email presumably from you <xxx@yyy.tuwien.ac.at>
to the following recipient:
-> aaa@bbb.tuwien.ac.at

Our internal reference code for your message is mA6HW2RO017468/uGKW7rvdhVph

According to a 'Received:' trace, the message originated at: [128.131.34.74],
  t.t (tron1.kom.tuwien.ac.at [128.131.34.74])

Return-Path: <xxx@yyy.tuwien.ac.at>
Subject: Virus EICAR test

Delivery of the email was stopped!

Please check your system for viruses,
or ask your system administrator to do so.


[-- Attachment #2: Delivery error report --]
[-- Type: message/delivery-status, Encoding: 7bit, Size: 0.4K --]

Reporting-MTA: dns; vc6.kom.tuwien.ac.at
Arrival-Date: Thu,  6 Nov 2008 18:32:05 +0100 (CET)

Original-Recipient: rfc822;aaa@bbb.tuwien.ac.at
Final-Recipient: rfc822;aaa@bbb.tuwien.ac.at
Action: failed
Status: 5.7.0
Diagnostic-Code: smtp; 554-5.7.0 Reject, id=mA6HW2RO017468 - VIRUS:
 554 5.7.0 Eicar-Test-Signature
Last-Attempt-Date: Thu,  6 Nov 2008 18:32:05 +0100 (CET)

[-- Attachment #3: Message headers --]
[-- Type: text/rfc822-headers, Encoding: 7bit, Size: 0.3K --]

Return-Path: <xxx@yyy.tuwien.ac.at>
Received: from t.t (tron1.kom.tuwien.ac.at [128.131.34.74])
        by mr.tuwien.ac.at (amavis-milter) id mA6HW2RO017468; Thu,  6 Nov 2008 18:32:03 +0100
From: xxx@yyy.tuwien.ac.at
Date: Wed, 5 Nov 2008 12:01:09 +0100 (MET)
Subject: Virus EICAR test

[..]
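Both the Sendmail bounce in the Blocking section and the amavisd-new sender alert above carry a message/delivery-status part (RFC 3464) whose Diagnostic-Code holds the SMTP reply that tells the reason for the rejection. The following is an added example (not the TU's own code) that parses such a part, unfolds the continued Diagnostic-Code line, and classifies the rejection by the enhanced status code; the sample text is constructed after the parts shown on this page.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the message/delivery-status parts above:
# a per-message block, a blank line, then one per-recipient block.
SAMPLE_DSN = """\
Reporting-MTA: dns; vc6.kom.tuwien.ac.at
Arrival-Date: Thu,  6 Nov 2008 18:32:05 +0100 (CET)

Original-Recipient: rfc822;aaa@bbb.tuwien.ac.at
Final-Recipient: rfc822;aaa@bbb.tuwien.ac.at
Action: failed
Status: 5.7.0
Diagnostic-Code: smtp; 554-5.7.0 Reject, id=mA6HW2RO017468 - VIRUS:
 554 5.7.0 Eicar-Test-Signature
Last-Attempt-Date: Thu,  6 Nov 2008 18:32:05 +0100 (CET)
"""

def parse_fields(block: str) -> Dict[str, str]:
    """Parse one DSN block into {lower-case name: value}, unfolding continuations."""
    fields: Dict[str, str] = {}
    last = None
    for line in block.splitlines():
        if line[:1] in (" ", "\t") and last:
            fields[last] += " " + line.strip()      # folded continuation line
        elif ":" in line:
            name, _, value = line.partition(":")
            last = name.strip().lower()
            fields[last] = value.strip()
    return fields

def parse_dsn(text: str) -> List[Dict[str, str]]:
    """Return one dict per recipient block; the leading per-message block is skipped."""
    blocks = [b for b in re.split(r"\n[ \t]*\n", text.strip()) if b.strip()]
    return [parse_fields(b) for b in blocks[1:]]

def classify(rec: Dict[str, str]) -> str:
    """Classify by the enhanced status code (x.SUBJECT.detail, RFC 3463).
    The code in the SMTP reply is preferred over Status:, since a relaying
    Sendmail may only report the generic 5.0.0 there (see the first bounce)."""
    code = rec.get("diagnostic-code", "") + " " + rec.get("status", "")
    m = re.search(r"\b5\.(\d+)\.\d+\b", code)
    subject = m.group(1) if m else None
    if subject == "7":
        return "rejected by content filter: virus or policy (5.7.x)"
    if subject == "6":
        return "rejected by content filter: bad header or MIME structure (5.6.x)"
    return "permanent failure: " + rec.get("status", "unknown")
```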

Sender alerting due to header/body syntax

Where the RFC conformance of the header and the MIME structure of the body of a message are checked, for outgoing mail via mr.tuwien.ac.at, there are a number of different message variants. Here is a selection of typical messages that are returned to the sender in a Non-Delivery Report:


INVALID HEADER: BAD MIME HEADERS OR BAD MIME STRUCTURE


MIME error: error: multipart boundary is missing, or contains CR or LF


INVALID HEADER: BAD MIME HEADERS OR BAD MIME STRUCTURE

MIME error: error: illegal encoding [quoted-printable] for MIME type
message/rfc822


INVALID HEADER: BAD MIME HEADERS OR BAD MIME STRUCTURE

MIME error: error: illegal encoding [base64] for MIME type message/rfc822


INVALID HEADER: BAD MIME HEADERS OR BAD MIME STRUCTURE

MIME error: error: part did not end with expected boundary


INVALID HEADER: FOLDED HEADER FIELD MADE UP ENTIRELY OF WHITESPACE

Improper folded header field made up entirely of whitespace: Subject: ...
\n \n
Return-Path: <xxx@yyy.tuwien.ac.at>
Subject: zzz

IMPROPER FOLDED HEADER FIELD MADE UP ENTIRELY OF WHITESPACE

The RFC 2822 standard specifies rules for forming internet messages.
In section '3.2.3. Folding white space and comments' it explicitly
prohibits folding of header fields in such a way that any line of a
folded header field is made up entirely of white-space characters
(control characters SP and HTAB) and nothing else.


INVALID HEADER: FOLDED HEADER FIELD MADE UP ENTIRELY OF WHITESPACE

Non-encoded 8-bit data (char E4 hex): Date: ...8 09:26:00 +0100
(Westeurop\344ische Normalzeit)\n
Improper folded header field made up entirely of whitespace (char 09 hex):
Subject: =?iso-8859-1?B?QmV0cmVmZjogc/ZsZGVu?=\n\t\n

Return-Path: <xxx@yyy.tuwien.ac.at>
Message-ID: <4917F017.000003.02420@ALM>
Subject: =?iso-8859-1?B?QmV0cmVmZjogc/ZsZGVu?=

IMPROPER FOLDED HEADER FIELD MADE UP ENTIRELY OF WHITESPACE

The RFC 2822 standard specifies rules for forming internet messages.
In section '3.2.3. Folding white space and comments' it explicitly
prohibits folding of header fields in such a way that any line of a
folded header field is made up entirely of white-space characters
(control characters SP and HTAB) and nothing else.


INVALID HEADER: INVALID CONTROL CHARACTERS IN HEADER

Improper use of control character (char 0D hex): Subject:
...ation_der_deutschen_Fassu?=\r =?utf-8?Q?ng...

Return-Path: <xxx@yyy.tuwien.ac.at>
Message-ID: <49002D04.2050709@yyy.tuwien.ac.at>
Subject: Return Receipt (displayed) -
=?utf-8?Q?Re:_[Fwd:_Pr=C3=A4sentation_der_deutschen_Fassu?=\015
=?utf-8?Q?ng?=

IMPROPER USE OF CONTROL CHARACTER IN MESSAGE HEADER

The RFC 2822 standard specifies rules for forming internet messages.
It does not allow the use of control characters NUL and bare CR
to be used directly in mail header.

An illustrative, complete Non-Delivery Report e-mail to the sender x@y.tuwien.ac.at, where recipient a@b.tuwien.ac.at did not receive the message:

Subject: Mail rejected: bad formated mail, invalid header: all-whitespace
        header field
From: "Content-filter at vc6.kom.tuwien.ac.at" <postmaster@tuwien.ac.at>
To: x@y.tuwien.ac.at
Date: Wed, 22 Apr 2009 09:22:49 +0200 (CEST)

[-- Attachment #1 --]
[-- Type: text/plain, Encoding: 7bit, Size: 1.1K --]

******* AN ERROR OCCURED! *********

Your message WAS *NOT* DELIVERED to:

  <a@b.tuwien.ac.at>

This non delivery report was generated by the program amavisd-new at host
vc6.kom.tuwien.ac.at. Our internal reference code for your message is
n3M7MmoM000004/RMS-b12kvT0i

INVALID HEADER: FOLDED HEADER FIELD MADE UP ENTIRELY OF WHITESPACE

  Non-encoded 8-bit data (char E4 hex): Date: ...9 09:22:46 +0200
    (Westeurop\344ische Sommerzeit)\n
  Improper folded header field made up entirely of whitespace (char 09 hex):
    Subject: ...8859-1?B?QmV0cmVmZjog1ldBVyBNYW51c2tyaXB0?=\n\t\n

Return-Path: <x@y.tuwien.ac.at>
Message-ID: <49EEC5C6.000003.05568@XXX>
Subject: =?ISO-8859-1?B?QmV0cmVmZjog1ldBVyBNYW51c2tyaXB0?=

IMPROPER FOLDED HEADER FIELD MADE UP ENTIRELY OF WHITESPACE

  The RFC 2822 standard specifies rules for forming internet messages.
  In section '3.2.3. Folding white space and comments' it explicitly
  prohibits folding of header fields in such a way that any line of a
  folded header field is made up entirely of white-space characters
  (control characters SP and HTAB) and nothing else.

[-- Attachment #2: Delivery error report --]
[-- Type: message/delivery-status, Encoding: 7bit, Size: 0.4K --]

Reporting-MTA: dns; vc6.kom.tuwien.ac.at
Arrival-Date: Wed, 22 Apr 2009 09:22:49 +0200 (CEST)

Original-Recipient: rfc822;a@b.tuwien.ac.at
Final-Recipient: rfc822;a@b.tuwien.ac.at
Action: failed
Status: 5.6.0
Diagnostic-Code: smtp; 554-5.6.0 Reject, id=n3M7MmoM000004 - BAD_HEADER:
 554-5.6.0 Non-encoded 8-bit data (char E4 hex): Date: ...9 09:22:46 +0200
 554 5.6.0 (Westeurop\344ische Somm...
Last-Attempt-Date: Wed, 22 Apr 2009 09:22:49 +0200 (CEST)

[-- Attachment #3: Message headers --]
[-- Type: text/rfc822-headers, Encoding: quoted-printable, Size: 0.7K --]

Return-Path: <x@y.tuwien.ac.at>
Received: from XXX (a.y.tuwien.ac.at [128.130.114.23])
        by mr.tuwien.ac.at (amavis-milter) id n3M7MmoM000004; Wed, 22 Apr 2009 09:22:49 +0200
MIME-Version: 1.0
Message-Id: <49EEC5C6.000003.05568@XXX>
Date: Wed, 22 Apr 2009 09:22:46 +0200 (Westeuropäische Sommerzeit)
Content-Type: Multipart/Alternative;
  charset="ISO-8859-1";
  boundary="------------Boundary-00=_Y5RHG6G0000000000000"
X-Mailer: IncrediMail (5853806)
From: "Mr. X" <x@y.tuwien.ac.at>
References: <49EC9A92.4090408@y.tuwien.ac.at>
X-FID: FLAVOR00-NONE-0000-0000-000000000000
X-Priority: 3
To: "Mr. A" 
Subject: =?ISO-8859-1?B?QmV0cmVmZjog1ldBVyBNYW51c2tyaXB0?=