Re: Ongoing Virus problem

From: susan (smcrey_at_mindspring.com)
Date: 08/31/04


Date: Mon, 30 Aug 2004 19:49:25 -0500

I trap it in my filter and then scan the dir that the filter puts it in and
that's when eTrust tells me what infection the attachment has (yes, all have
attachments)...This antivirus software will NOT delete the email
(unfortunately, not an option). Before I put the filter in place, the AV
would catch some and send the mail with a "removedattachment.txt"
attachment -- but sometimes would miss it entirely and deliver the infected
mail...My CEO wanted to see NONE of these things anymore.

That address is a mail-enabled public folder that all website responses
(hosted elsewhere) are delivered to. Critical mailbox. (But not ALL infected
mail is addressed to that particular mailbox.)

I believe I have the AD filter on. Before then, I would get these emails
addressed to bogus domain users (and they were getting delivered to random
users' mailboxes).

This issue is ruining my job.

"Les Connor [SBS MVP]" <les.connor@DEL.cfive.ca> wrote in message
news:%23pN5gJvjEHA.632@TK2MSFTNGP12.phx.gbl...
> Is this email infected? Does your A/V say so, or how do you know it's
> infected? Is there an attachment? Is the A/V product configured to delete
> infected email, or clean it and send it to you anyway? (delete is the way
> to go).
>
> If this address quoin@quoin.org is not in your active directory, then why
> not turn on AD filter in exchange? Not really the solution if the A/V
> product isn't working right, but at least you can refuse a whole bunch of
> crap before relying on A/V.
>
> --
> Les Connor [SBS MVP]
> -------------------------------------
> SBS Rocks !
>
>
>
> "susan" <smcrey@mindspring.com> wrote in message
> news:%23cHWn%23ujEHA.4092@TK2MSFTNGP10.phx.gbl...
> > Yes...I have gone round n round with CA and won't call them again...and
> > not
> > offended by the gender identity confusion (LOL). Virus sigs are updated
> > daily and i have 3rd party utility in place to block these messages.
> >
> > Popped out to the server and copied the headers from an infected mail that
> > came in while i wasn't looking...replaced my domain name with ***
> >
> > x-sender:dvpreaclxxst@onujj.net
> > x-receiver:****@****.org
> > thread-index: AcSO6mqj+4+RhmipTTqOkc5RtgfAvQ==
> > x-pp-ruleid: 1034
> > x-pp-ruleorderid: 1
> > x-pp-smtpvs: 1
> > x-pp-fromip: 128.111.142.137
> > Content-Transfer-Encoding: 7bit
> > x-pp-sclvalue: 1
> > Received: from *****.org ([128.111.142.137]) by mail.****.org with Microsoft
> > SMTPSVC(6.0.3790.0); Mon, 30 Aug 2004 18:38:12 -0500
> > Content-Class: urn:content-classes:message
> > From: dvpreaclxxst@onujj.net
> > Importance: normal
> > Priority: normal
> > X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.181
> > To: quoin@quoin.org
> > Subject: Yep
> > Date: Mon, 30 Aug 2004 16:33:23 -0700
> > MIME-Version: 1.0
> > Content-Type: multipart/mixed;
> > boundary="----=_NextPart_000_0007_000057A0.00007D6D"
> > X-Priority: 3
> > X-MSMail-Priority: Normal
> > Return-Path: dvpreaclxxst@onujj.net
> > Message-ID: *******8aZRhQdOgl4r0000003a@mail.*****.org
> > X-OriginalArrivalTime: 30 Aug 2004 23:38:12.0953 (UTC)
> > FILETIME=[6A43B490:01C48EEA]
> >
> > Does this give anyone a clue? Do i just have to live with this?
> >
> >
> >
> > "Lanwench [MVP - Exchange]"
> > <lanwench@heybuddy.donotsendme.unsolicitedmail.atyahoo.com> wrote in
> > message
> > news:e2Uq$4ujEHA.2340@TK2MSFTNGP11.phx.gbl...
> >> susan wrote:
> >> > Correct.
> >>
> >> Whoops - sorry for the gender identity confusion. Susan. :-)
> >> >
> >> > No way of stopping this?
> >>
> >> Did you see my reply w/r/t how to block attachments & update the sig
> >> files?
> >> Did you check with CA <cough> support?
> >> >
> >> >
> >> > "Lanwench [MVP - Exchange]"
> >> > <lanwench@heybuddy.donotsendme.unsolicitedmail.atyahoo.com> wrote in
> >> > message news:%23b8j5VujEHA.3456@TK2MSFTNGP12.phx.gbl...
> >> >> Kevin Weilbacher [SBS-MVP] wrote:
> >> >>> what do you mean when you say -- "except exchange of course"?
> >> >>
> >> >> I presume he meant except the dangerous Exchange folders one should
> >> >> never scan with file-based software.
> >> >>>
> >> >>> If you are not running an Exchange based mail scanner, then you're
> >> >>> not catching anything until it gets into the user's mailbox and
> >> >>> they pick it up with Outlook. Not quite the optimal situation, in
> >> >>> my view.
> >> >>
> >> >> etrust is an Exchange aware AV product, I believe - and if he's
> >> >> getting some attachments stripped, he has it.
> >> >>>
> >> >>> "susan" <smcrey@mindspring.com> wrote in message
> >> >>> news:egpsmCujEHA.3348@TK2MSFTNGP12.phx.gbl...
> >> >>>> I'm having a problem in that we receive 5-15 virus infected emails
> >> >>>> every day. Yes, I do have antivirus and sometimes it strips the
> >> >>>> attachment and sometimes it doesn't (eTrust antivirus by CA).
> >> >>>> Sometimes the virus identified is Netsky.P and sometimes Netsky.C
> >> >>>> and i've had a few id'd as Netsky.Z -- some say "trojan", some say
> >> >>>> "worm" ! I have virus scanned (and online scanned using Symantec's
> >> >>>> online scanner) every workstation, laptop and the server (except
> >> >>>> exchange of course) and can find NOTHING! I've researched the
> >> >>>> viruses and know what to look for in the registry etc. and find
> >> >>>> nothing indicating infection at any station.
> >> >>>>
> >> >>>> These infected emails sometimes have a "sender" address that is
> >> >>>> familiar, but most often not.
> >> >>>>
> >> >>>> I check the headers and what's puzzling is that they read: sent
> >> >>>> from "mydomain.org" received by "mail.mydomain.org".... does this
> >> >>>> automatically mean that they are happening WITHIN the network???
> >> >>>> The ip address of the supposed "sender" is not a valid internal
> >> >>>> address, but i realize all this stuff could be spoofed...
> >> >>>>
> >> >>>> I'm puzzled and don't know what else to do. I just have to find out
> >> >>>> what I can do about this as babysitting the mail is tiring.
> >> >>>>
> >> >>>> Any ideas, suggestions, advice??
> >>
> >>
> >
> >
>
>
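
Added example (not code from the thread, nor from eTrust or Exchange): a small Python script that reads a Received header the way the replies above read the one susan pasted. The HELO name ("from *****.org") and the From: address are supplied by the sending client and can say anything; the IP in parentheses is what the receiving SMTPSVC saw on the TCP connection, so that is the only field that decides whether the sender is inside the network. The sample headers are constructed from the thread's dump with "mydomain.org" standing in for the masked domain, and the RFC 1918 ranges are an assumption for the site's real LAN.

```python
import ipaddress
import re

# Constructed sample modelled on the header dump in this thread.  The poster's
# masked domain is written as "mydomain.org" (the stand-in she used herself);
# the HELO name, connecting IP and receiving server are as shown in the thread.
SAMPLE_HEADERS = """\
x-sender: dvpreaclxxst@onujj.net
x-receiver: quoin@mydomain.org
x-pp-fromip: 128.111.142.137
Received: from mydomain.org ([128.111.142.137]) by mail.mydomain.org with Microsoft
 SMTPSVC(6.0.3790.0); Mon, 30 Aug 2004 18:38:12 -0500
From: dvpreaclxxst@onujj.net
To: quoin@mydomain.org
Subject: Yep
"""

# Assumption: the LAN uses RFC 1918 private ranges.  Put the real internal
# ranges here before running this over a mailbox's headers.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# "Received: from <HELO name> ([<ip>]) by <our server> ..." as SMTPSVC writes
# it.  The HELO name is whatever the sending client claimed; the IP inside the
# parentheses is what our own server saw on the TCP connection.
RECEIVED_RE = re.compile(
    r"^Received:\s*from\s+(\S+)\s+"                        # claimed HELO name
    r"\([^)]*?([0-9]{1,3}(?:\.[0-9]{1,3}){3})[^)]*\)\s+"   # connecting IP
    r"by\s+(\S+)",                                         # our receiving server
    re.IGNORECASE)


def unfold(raw):
    """Join folded header lines: a line starting with whitespace continues the
    previous header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def parse_received(raw):
    """Return HELO name, connecting IP and receiving host from the first
    (outermost) Received header, or None if there is no parseable one."""
    for line in unfold(raw):
        m = RECEIVED_RE.match(line)
        if m:
            return {"helo": m.group(1), "ip": m.group(2), "by": m.group(3)}
    return None


def from_domain(raw):
    """Domain part of the From: address, or None if absent."""
    for line in unfold(raw):
        if line.lower().startswith("from:"):
            m = re.search(r"@([A-Za-z0-9.-]+)", line)
            return m.group(1).lower().rstrip(".") if m else None
    return None


def _is_ours(name, our_domain):
    """True if name is our domain or a host under it."""
    name = (name or "").lower().rstrip(".")
    our_domain = our_domain.lower()
    return name == our_domain or name.endswith("." + our_domain)


def classify_origin(raw, our_domain):
    """Say whether the message really came from inside the network.

    Only the connecting IP, recorded by the receiving server itself, decides
    that; the HELO name and the From: address are chosen by the sender and are
    checked only to flag spoofing of our own domain.
    """
    rec = parse_received(raw)
    if rec is None:
        return {"verdict": "no Received header", "internal": None,
                "helo_claims_ours": None, "from_claims_ours": None}
    ip = ipaddress.ip_address(rec["ip"])
    internal = any(ip in net for net in INTERNAL_NETS)
    helo_ours = _is_ours(rec["helo"], our_domain)
    from_ours = _is_ours(from_domain(raw), our_domain)
    if internal:
        verdict = "internal host"
    elif helo_ours or from_ours:
        verdict = "external host, our domain spoofed in HELO/From"
    else:
        verdict = "external host"
    return {"verdict": verdict, "internal": internal,
            "helo_claims_ours": helo_ours, "from_claims_ours": from_ours, **rec}


if __name__ == "__main__":
    print(classify_origin(SAMPLE_HEADERS, "mydomain.org"))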


