Pete Weiss wrote:

> something generated a "bounce" report perhaps sending to a bogus to: that
> made it appear that it came from the owner-listname.
>
> I have a bunch of bounces from FIRSTNAME@SOME_ISP that aren't subscribed.

The MyDoom virus forges sender addresses using addresses it finds in files
on the infected computer. It could have found 'owner-listname@listhost' in
a list message saved by the owner of the infected system, and used that as
the forged return address on a virus carrier message which was sent to an
invalid address. Result: a delivery error message to owner-listname for an
address which is not subscribed to the list.

The MyDoom virus also randomly generates both sender and recipient addresses
using the following usernames, prepended to harvested domain names:

        adam, alex, alice, andrew, anna, bill, bob, brenda, brent, brian,
        claudia, dan, dave, david, debby, fred, george, helen, jack, james,
        jane, jerry, jim, jimmy, joe, john, jose, julie, kevin, leo, linda,
        maria, mary, matt, michael, mike, peter, ray, robert, sam, sandra,
        serg, smith, stan, steve, ted, tom

--
Paul Russell
Senior Systems Administrator
University of Notre Dame
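
The triage described in the reply above, as an added example that is not part of the original post: it pulls the failed addresses out of a delivery report sent to owner-listname and labels each one as a real subscriber bounce, an unsubscribed address whose username is on the list quoted above, or simply unsubscribed. The sample report, the subscriber set and the label strings are constructed for illustration, and the report is assumed to be in RFC 3464 multipart/report format.

```python
import email

# Usernames the post lists as MyDoom's randomly generated local parts.
MYDOOM_NAMES = frozenset("""
adam alex alice andrew anna bill bob brenda brent brian claudia dan dave david
debby fred george helen jack james jane jerry jim jimmy joe john jose julie
kevin leo linda maria mary matt michael mike peter ray robert sam sandra serg
smith stan steve ted tom""".split())

def failed_recipients(raw_dsn):
    """Return the Final-Recipient addresses from an RFC 3464 delivery report."""
    msg = email.message_from_string(raw_dsn)
    found = []
    for part in msg.walk():  # walk() also visits each delivery-status block
        for value in part.get_all("Final-Recipient", []):
            found.append(value.split(";", 1)[-1].strip().lower())
    return found

def triage(raw_dsn, subscribers):
    """Label each bounced address so only real subscriber bounces are acted on."""
    results = []
    for addr in failed_recipients(raw_dsn):
        if addr in subscribers:
            label = "subscriber"
        elif addr.rpartition("@")[0] in MYDOOM_NAMES:
            label = "not-subscribed, generated-style name"
        else:
            label = "not-subscribed"
        results.append((addr, label))
    return results

# Constructed sample bounce and subscriber list (hypothetical addresses).
SUBSCRIBERS = {"carol@example.org"}
SAMPLE_DSN = """\
To: owner-listname@listhost
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net

Final-Recipient: rfc822; brenda@example.net
Status: 5.1.1

Final-Recipient: rfc822; carol@example.org
Status: 5.2.2

--b1--
"""
```

A username match is only a hint, since real people use these names too; the subscriber check is what decides whether a bounce should count against a list member.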