> Those mailbox-names are a bit peculiar, but my first guess would be
SPAM
> and/or virus/trojan traffic where your 'XXXXXX' list was forged in the
> From field and the addresses shown in your DEMR were in the To field.
> However, showing "no such list" as the error condition discredits that
> idea somewhat - usually such DEMR entries (at least when seen on the
site
> I administer) are the result of a remote mailer sending a
non-delivery-
> notice after accepting the spam/malware message - this looks like your
> site was actually trying to deliver a message to the CUNY machine and
got
> a reject in the SMTP conversation.
>
> You might try a search of your site LISTSERV log files, and the logs
on
> the outbound-mail-handler system your LISTSERV delivers through, to
glean
> a bit more detail about what is happening.

I did a search of the last two weeks of email delivery logs for an
occurrence of "[log in to unmask]" (from an example cited) and
got no hits.  On 5-NOV someone externally tried to use that address as a
FROM to a non-existent userid here, and it was simply rejected as a
"5.7.1 Unknown userid" by our email server.  Perhaps another spammer
faked the FROM as some of our valid listnames (as you mentioned above)
and sent his junk to "[log in to unmask]" for delivery.  It
bounces back(?) to us and LISTSERV posts it as a delivery error under a
valid list's delivery report -- even though that entry is not a valid
subscriber address for the list.

Yet another wrinkle in the spam plague.
-Rich
--
Richard A. Helmke                Internet: [log in to unmask]
Assoc Prof, Computer Science              [log in to unmask]
System Manager, Technical Services              Voice: 708-209-3221
Concordia Administrative Information Systems    Fax:   708-209-3177
River Forest, IL 60305-1499

Bugs come in through open Windows.