Over the last few days, one of the viruses going around (probably a Mytob variant) has been trying to send its “Your account is being suspended! Open this file now!” come-ons. It forges the return address as support@example.net, admin@example.net, etc. We block any incoming mail using these addresses before it even gets to our virus scanner.
Now here’s the weird part. We’re also getting bounces sent to another domain we manage, let’s say another-example.com. Both sets are coming from someserver.another-example.com.br!
I think that the virus is finding itself on another-example.com.br and not recognizing the country-specific domain name, misreading it as just another-example.com. It then looks up the mail server, finds our domain, and targets both.
Mytob is supposed to use its own SMTP engine, but the headers show an intranet trail, so maybe they have a proxy that forces all outgoing mail through their server.
Of course, a more mundane explanation might be that someone at another-example.com.br was checking out companies with similar names, and the contact page was sitting in their web cache when the virus arrived. But seriously, which explanation is more interesting?