LSTSRV-L Archives

LISTSERV Site Administrators' Forum

Paul Russell <[log in to unmask]>
Fri, 22 Mar 2002 09:33:01 -0500
The virus-carrier messages may have been sent from one or more computers
infected with the Klez, Exploit-Mime, or similar viruses. These are
mass-mailing viruses which send copies of themselves to addresses which
they find in files on the infected system. They also forge the return
addresses, using - you guessed it - addresses which they find in files on
the infected system. This would explain why one message had a return
address that used to be valid, and the other had a return address on a
system that was not powered on when the message was sent.

Between Sunday morning and Tuesday afternoon, our email anti-virus server
trapped approximately 4000 copies of these two viruses. In addition, our
Help Desk was being inundated with phone calls and email messages from
people whose addresses had been forged, and who were now receiving
delivery error or "virus detected" messages. We thought we had a major
epidemic on our hands, until we analyzed the logs and found that over
3700 of the virus-carrier messages came from one system, about 200 came
from another system, and the rest came from less than 20 other systems,
most at other sites.

We have found that "Language= NoHTML" and "Attachments= No" are also
effective tools for preventing a list from being used as a vector for
the distribution of most email-borne viruses, particularly since they
do not require the list to be configured for full moderation.

Never attribute to malice that which can be explained by stupidity.

--
Paul Russell
Senior System Administrator
University of Notre Dame
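
The log analysis described in the message above, as an added example that is not part of the original post: tallying trapped messages by connecting relay instead of by the forged return address shows how few systems are actually sending. The log format, field names, addresses and sample lines are constructed assumptions, not the format of any particular anti-virus gateway.

```python
import re
from collections import Counter

# Constructed sample: one line per message seen by a hypothetical anti-virus
# gateway. "relay" is the connecting host (hard to forge), "from" is the
# return address claimed by the message (forged by the virus).
SAMPLE_LOG = """\
2002-03-17T08:01:12 trapped relay=192.0.2.10 from=<alice@example.edu> virus=Klez
2002-03-17T08:01:40 trapped relay=192.0.2.10 from=<bob@example.org> virus=Klez
2002-03-17T08:02:05 trapped relay=192.0.2.10 from=<carol@example.edu> virus=Exploit-Mime
2002-03-17T09:15:33 trapped relay=198.51.100.7 from=<Alice@example.edu> virus=Klez
2002-03-18T11:47:02 trapped relay=192.0.2.10 from=<dave@example.net> virus=Klez
2002-03-18T11:47:09 delivered relay=203.0.113.5 from=<erin@example.edu>
this line is malformed and is skipped
"""

LINE_RE = re.compile(
    r"^\S+ trapped relay=(?P<relay>\S+) from=<(?P<sender>[^>]*)> virus=(?P<virus>\S+)$"
)

def tally(log_text):
    """Count trapped messages per connecting relay and per claimed sender."""
    by_relay, by_sender = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # clean deliveries and unparseable lines are ignored
        by_relay[m["relay"]] += 1
        by_sender[m["sender"].lower()] += 1  # addresses compared case-insensitively
    return by_relay, by_sender

def summarize(log_text, top=3):
    """Contrast the apparent spread (senders) with the real one (relays)."""
    by_relay, by_sender = tally(log_text)
    return {
        "total": sum(by_relay.values()),
        "distinct_senders": len(by_sender),
        "distinct_relays": len(by_relay),
        "top_relays": by_relay.most_common(top),
    }

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['total']} trapped, {s['distinct_senders']} claimed senders, "
          f"{s['distinct_relays']} actual sending systems")
    for relay, count in s["top_relays"]:
        print(f"  {relay}: {count}")
```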
