RE: E-mail Spoofing

  • From: "John Tolmachoff (Lists)" <johnlist@xxxxxxxxxxxxxxxxxxx>
  • To: "'[ExchangeList]'" <exchangelist@xxxxxxxxxxxxx>
  • Date: Sat, 26 Jun 2004 10:46:46 -0700

A couple of things come to mind right off the bat.

 

<Blast shields up>

 

1. You should not be using Exchange server if you do not know the basics,
like how to figure out what mail box outgoing e-mail is going through.

 

2. You should not be using Exchange server (or any e-mail server) these days
unless you have a competent Anti-Virus software that is scanning incoming
and outgoing messages for viruses and vulnerabilities.

 

3. You should not be using Exchange server unless you know how to start
changing passwords in an urgent situation such as the one you are in to STOP
the spread of viruses NOW, and then take a breath and start investigating
what is going on.

 

4. You should not be using any e-mail server unless you know how to read
message headers to even figure out in the first place if the messages are
indeed even flowing through your server.

 

<Blast shields down>

 

First, you have to make sure that these are actually flowing through your
server. Most of the viruses out there right now forge the return address,
meaning it is saying it is coming from
myfriendlybuddyihaveknownsincesecondgrade@xxxxxxxxxxxxxxxxx when it is really from
heyeveryoneiaminfectedwithavirusanddonotknowaboutitbutohwell@bigfatmajorstupidisp.net.

 

2nd, you need to look at the logs and message tracking to see which account
they are going through. Is it a workstation on the LAN or remote?

 

You said you do not have a virus on the server. Goody. Unless you have an
e-mail account set up on the server in Outlook or Outlook Express and opened
e-mail in that account on the server, the virus that is sending out these
infected e-mails is not going to be on the server anyways. You need to look
at computers on the LAN or remote users or whatever it is you have. (This
is not to say you do not need anti-virus on the server to protect the server
itself, you do. But that has no effect on messages flowing through Exchange.
You have to have specific AV software designed for Exchange or working in a
gateway mode for that.)

 

You mentioned anonymous access. There are several places where that is
configured. Now, if you are talking about relay settings, then blast shields
back up. YOU BETTER UNDERSTAND WHAT RELAYING IS AND HOW TO CONTROL/PREVENT
IT, or you have no business running an e-mail server. 

 

OK, my heat shields are up and ready. Fire away.

 

 

John Tolmachoff

Engineer/Consultant/Owner

eServices For You

 

-----Original Message-----
From: Basiru Ndow [mailto:bndow@xxxxxxxxxxxx] 
Sent: Saturday, June 26, 2004 5:26 AM
To: [ExchangeList]
Subject: [exchangelist] E-mail Spoofing


Hi All,

I am using Exchange 2003 and one of my e-mail accounts is being used to send
out msgs with virus attachments to a mailing list that I subscribe to. I
know I am not sending those msgs and also my server does not have any
viruses. I have tried turning off anonymous access but not sure if that will
help. Any help will be appreciated.

 

Thanks
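
The header check described in the reply above (reading the Received headers to see whether a message with a forged return address actually passed through your server), as an added example that is not part of the original thread. The host names, addresses and the sample message are constructed placeholders.

```python
import re
from email import message_from_string

# Constructed sample: the From line names our user, but no hop is our server.
SAMPLE = """\
Received: from mx.list.example (mx.list.example [192.0.2.10])
\tby mail.recipient.example with ESMTP id AAA111; Sat, 26 Jun 2004 12:30:02 +0000
Received: from infected-pc (dsl-77.isp.example [203.0.113.77])
\tby mx.list.example with SMTP id BBB222; Sat, 26 Jun 2004 12:30:00 +0000
From: user@ourcompany.example
To: list@list.example
Subject: Re: document

body
"""

# "from <helo> (<peer as seen by the receiver>) ... by <receiving host>"
HOP = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s+\((?P<peer>[^)]*)\))?.*?\bby\s+(?P<by>\S+)",
    re.S | re.I)

def received_hops(raw):
    """Return the Received hops oldest-first as dicts (helo, peer, by)."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):  # newest hop comes first
        m = HOP.search(value)
        if m:
            hops.append({k: (v or "") for k, v in m.groupdict().items()})
    return hops[::-1]

def passed_through(raw, our_hosts):
    """True if any hop was stamped 'by' one of our servers.

    False is strong evidence the mail never touched our server. True still
    needs confirming in message tracking, since hops older than the first
    server you trust can be forged by the sender.
    """
    ours = {h.lower() for h in our_hosts}
    return any(h["by"].lower().rstrip(";") in ours for h in received_hops(raw))

def origin(raw):
    """Oldest recorded hop: where the message entered the mail system."""
    hops = received_hops(raw)
    return hops[0] if hops else None

if __name__ == "__main__":
    print("via our server:", passed_through(SAMPLE, ["mail.ourcompany.example"]))
    print("first hop:", origin(SAMPLE))
```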
