Why did I receive an undeliverable notification for an email that I have never sent?

You may have experience in receiving an undeliverable email notification from an email server (e.g. Mailer-Daemon) saying that your email sent to someone was rejected because it contains a virus or an unsafe file. However, you have never sent such email!

This kind of email is in fact related to the spreading of some massing-mailing virus/worms (e.g. Netsky, Bagle). The virus-infected email was actually sent by the virus itself from an infected computer (this neither means it is your computer, nor means it is located in the CityU network) automatically! The sender address that appeared in the infected email was randomly chosen by the virus from the address book or mailbox of the infected computer. If your email address was found in the infected computer, it could be picked up by the virus to fake the sender address. As a standard procedure, when a mail server detects an email with virus or unsafe file, it will reject the mail and send an undeliverable notification to the "sender". That is why you received an undeliverable notification for an email that you have never sent.

Those worms/viruses have caused a lot of disturbance, annoyance, confusion and misunderstanding to email users as well as administrators! You can obtain more information of them from the following links: http://www.hkcert.org/ , http://www.sophos.com.

When you receive such an email undeliverable notification, you can:

(a) If you are sure your computer has not been infected by any virus, you may simply discard the notification.

(b) If you want to find out the source machine of the virus-infected email, please:

  1. Read the full headers of the concerned email which usually is enclosed in the notification. The following is an example:
    Return-path: ...
    ...
    Received: ...
    Received: ...
    Received: from apparent_hostname ( real_hostname [ IP_Address ] ) by ... with ... for ....
    Date: ...
    From: ...
    Subject: ...
    To: ...

    Note: (i) Sometimes the "real_hostname" is absent. (ii) If the "real_hostname" presents but differs from the "apparent_hostname", trust the "real_hostname".

  2. You should focus on the last "Received:" header line (the one before the "Date:" header), especially the IP address (usually shown in the format as [a.b.c.d]).
  3. If the IP address starts with 144.214 (e.g. [144.214.1.2]), it means the computer was connected with the CityU main campus network (including dial-up service and VPN). If the concerned IP address belongs to your computer (e.g. your office PC), please take immediate action to clean up the virus.
  4. If the IP address does not start with 144.214, that means the computer was NOT connected to the CityU main campus network, and in most cases it does not belong to CityU. If you want to find out which network/domain owns the concerned IP address, you can use the Whois tools provided by some sites on the Internet, such as http://www.whois.sc/ .

Example: The following is a sample undeliverable notification message. From the last "Received:" line, we know that the original virus-email was sent by a machine named 056-078.dummy.com. The IP address of the machine is [12.34.56.78]. This machine is NOT belongs to CityU. (The spoofed apparent_hostname "cityu.edu.hk" and the spoofed sender email address "50123456@student.cityu.edu.hk" were made-up by the virus.)

This report relates to a message you sent with the following header fields:

Return-path: <50123456@student.cityu.edu.hk>
Received: from conversion-daemon.mailgw1.cityu.edu.hk by mailgw1.cityu.edu.hk (iPlanet Messaging Server 5.2 HotFix 1.21 (built Sep 8 2003)) id <0HTD00H011A1Q3@mailgw1.cityu.edu.hk> (original mail from 50123456@student.cityu.edu.hk); Fri, 20 Feb 2004 09:50:32 +0800 (CST)
Received: from cityu.edu.hk (056-078.dummy.com [12.34.56.78]) by mailgw1.cityu.edu.hk (iPlanet Messaging Server 5.2 HotFix 1.21 (built Sep 8 2003)) with SMTP id <0HTD11JL77CH5U@mailgw1.cityu.edu.hk> for chantaiman@hotmail.com; Fri, 20 Feb 2004 09:50:30 +0800 (CST)
Date: Fri, 20 Feb 2004 09:43:27 +0800
From: 50123456@student.cityu.edu.hk
Subject: something for you
To: chantaiman@hotmail.com
Message-id: <0HTD00JL81CH5U@mailgw1.cityu.edu.hk>
MIME-version: 1.0
Content-type: multipart/mixed;
boundary="Boundary_(ID_XCKVEQphE4B2OgXVrzzunQ)"

Your message cannot be delivered to the following recipients:

Recipient address: 50123456@student.cityu.edu.hk
Reason: Virus W32/Bagle-E is detected!

 

Note: For safety, you should protect all your computers (including your home PC, office PC, and notebook computers) with an updated anti-virus software. If you are not sure your computer is virus free, you may perform a virus-scanning on it.

Return to University In-house Email Service FAQ page

IT.ServiceDesk@cityu.edu.hk