Re: Virus infected email from internal user
From: Rob Bordwell (atomicdawg_at_pacbell.net)
Date: 11/02/04
- Next message: Rob Bordwell: "Re: Email Flood"
- Previous message: Jeff Middleton [SBS-MVP]: "Re: Upgrading to SBS2003 - realistic to do ourselves?"
- In reply to: Jamesh: "Virus infected email from internal user"
- Next in thread: Michael Jenkin [SBS-MVP]: "Re: Virus infected email from internal user"
- Reply: Michael Jenkin [SBS-MVP]: "Re: Virus infected email from internal user"
- Messages sorted by: [ date ] [ thread ]
Date: Mon, 1 Nov 2004 21:17:40 -0800
With SMTP, email can be made to look like it comes from any user from
any domain. An interesting thing to do is to telnet to your mail server
and try it using SMTP commands. To do this, do the following commands
from a DOS prompt:

    telnet <your_email_servers_ip> 25
    ehlo any.server.com
    mail from:<joe_blow@any.domain.com>
    rcpt to:<your email address>
    data

From here, press enter and type a message. Press <cr>.<cr>
(enter-period-enter) on a new line to end. Finally, type quit.
You've now spammed yourself. I was shocked when I first learned how
easy it was to appear to be someone else. If the email is relayed
through another server, spammers can even hide their IP.
So what can you do? As Marina suggested, get some anti virus software.
I get so many viruses sent to my Exchange server, I couldn't imagine
running without Exchange anti-virus software for a day! As far as
people spoofing your users and domain, you should implement SPF. (See
spf.pobox.com) In a nutshell, SPF uses DNS TXT records to specify which
servers can legitimately send mail for your domain. Unfortunately, most
servers do not verify a mail server using SPF. SPF is a relatively new
thing. Also, for Exchange 2000, you need third-party software to verify
email servers using SPF. At any rate, you should at least create an SPF
record for your domain. This will stop spammers from spoofing your
domain on servers who verify mail using SPF.
In article <336e01c4c071$865f5a90$a301280a@phx.gbl>,
anonymous@discussions.microsoft.com says...
> Occasionally we are receiving emails that appear to come
> from one email user to another. However, I have anti-
> virus on our email server and on clients. It is detected
> when the recipient receives the email, so I know the
> other internal user is not sending the infected email.
> After looking at the virus infected email, going to
> <View> <Options>. It appears that they are coming from
> another server and it lists the IP address. It is
> received by our email server and delivered. The domains
> sending the virus are lily.com, lily.org, lily.net,
> pavilion.org, and bosslady.com.
>
> How can I disallow these emails from being delivered in
> Exchange? Is it possible?
>
> Also we've received emails from a domain name that is the
> same as ours, but with a different IP. What is up with
> that?
>
> Any responses would be much appreciated.
>
> Thank you,
> JamesH