[THIN] Re: OT: viruses spoofing my e-mail addy

  • From: Michael Boggan <MBoggan@xxxxxxxxxxx>
  • To: "'thin@xxxxxxxxxxxxx'" <thin@xxxxxxxxxxxxx>
  • Date: Wed, 20 Aug 2003 15:46:51 -0500

Hehe, half the ones I am getting are spoofing dell.com addresses.

_________________________________ 
 
Michael Boggan
Network Engineer/Citrix Admin
Virtual Desktop Inc. 
Dallas, Texas 
Ph: (972) 960-6400 
Fax: (972) 960-6445 
email: mboggan@xxxxxxxxxxx 
http://www.virtualdesktopinc.com 
_________________________________ 
 
For Technical Support during business hours please send email to
support@xxxxxxxxxxx or call the above toll free number for afterhours
support.

-----Original Message-----
From: Magnus [mailto:magnus@xxxxxxxx]
Sent: Wednesday, August 20, 2003 2:06 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: OT: viruses spoofing my e-mail addy


Most of the mail that I have seen has been coming from "known" Open Relay
mail servers.  We implemented an RBL and blacklist lookup program (on a
Linux machine) to query the RBL and blacklist/blackhole databases; if it
is in the list, the mail gets refused/deleted.

If it is not on the list, we wrote a custom Perl script to check if it is
an open relay; if so, submit it to RBL and Blackhole to have them added to
the database.

It cut down on about 80% of our SPAM and infected emails.

Magnus

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Henry Sieff
Sent: Wednesday, August 20, 2003 12:56 PM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Re: OT: viruses spoofing my e-mail addy


Oh yeah, welcome to the brave new world.

Since Monday, we are seeing a 100-fold increase in spoofing massmailer
emails. Opening up the headers and examining the path of servers the
email took to its destination is the only way to identify the
originating machine or mail server (SOBIG.F has its own SMTP server, so
mostly it just contacts the destination mail server directly).

The problem is that there isn't a single mail server AV product out
there 'smart' enough to interpret these headers, and most people who run
mail servers don't understand that. So, they happily let the AV software
read the (easily forged) From: header and direct its alerts to whoever
is listed in there.

The amount of fun this can cause is amazing, as mail servers take one
mail message and multiply it by two (the alerts) or three (what happens
when the From: doesn't exist but the domain does?) or more (the various
permutations are limited only by your imagination).

Basically, the only moral thing to do is turn off emailed autoalerts on
mail server AV software until it gets better.

Henry
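The two measures described in the messages above (reading the server path in the headers instead of the From: line, and checking the sending host against an RBL), sketched as an added example that is not code from anyone in this thread. The MX name `mx.example.org`, the zone `dnsbl.example` and the sample message are constructed placeholders.

```python
import ipaddress
import re
import socket
from email import message_from_string

# Constructed sample: forged From:, a fake lower Received:, documentation IPs.
SAMPLE = """\
Received: from pc-203-0-113-45.example.net (unknown [203.0.113.45])
\tby mx.example.org with SMTP; Wed, 20 Aug 2003 12:01:02 -0500
Received: from forged.example.com ([10.9.8.7]) by fake with SMTP
From: someone@example.com
Subject: Re: Details

see attachment
"""

_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def connecting_ip(raw, our_mx="mx.example.org"):
    """Peer IP from the Received: line stamped by our own MX.
    Lines below it were supplied by the sender and can be forged."""
    msg = message_from_string(raw)
    for hdr in msg.get_all("Received", []):
        flat = " ".join(hdr.split())          # unfold continuation lines
        if f"by {our_mx} " in flat:
            m = _IP.search(flat.split(" by ")[0])
            if m:
                return m.group(1)
    return None

def dnsbl_name(ip, zone):
    """DNSBL query name: reversed IPv4 octets prepended to the list zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def is_listed(ip, zone, resolve=socket.gethostbyname):
    try:
        answer = resolve(dnsbl_name(ip, zone))
    except socket.gaierror:
        return False                          # no record: not listed
    return answer.startswith("127.")          # lists answer inside 127.0.0.0/8

def verdict(raw, zone, resolve=socket.gethostbyname):
    """Decide on the connecting host; the From: header is never consulted."""
    ip = connecting_ip(raw)
    if ip is None:
        return ("unknown", None)
    return ("refuse" if is_listed(ip, zone, resolve) else "accept", ip)
```

The `resolve` parameter exists so the lookup can be exercised without network access; in production it defaults to a real DNS query.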

> -----Original Message-----
> From: Ron Oglesby [mailto:roglesby@xxxxxxxxxxxx]
> Sent: Wednesday, August 20, 2003 11:06 AM
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] OT: viruses spoofing my e-mail addy
> 
> 
> Just wondering if anyone else is getting messages from other people's
> gateways saying they got a virus attachment from your mail box addy.
> 
> I have gotten several this am and the exchange server, MetaFrame boxes I
> am using all show as clean. Which leads me to believe that since my
> address is out there so much on the internet that it is being spoofed as
> the reply to:
> 
> Comments?
> 
> Ron Oglesby
> Senior Technical Architect
>  
> RapidApp
> Office 312.372.7188
> Mobile 815.325.7618
> email roglesby@xxxxxxxxxxxx
>  
> ********************************************************
> This Week's Sponsor:  RES PowerFuse, The Management Framework
> for Windows
> Eliminate Multiple Tools, Multiple Support Channels and Multiple Costs
> Manage, Control, and Secure an Entire Windows environment 
> with Ease, including Real-time Reporting and Documenting Components
> Validate a Meaningful ROI on All of your IT Investments with 
> RES PowerFuse.
> http://www.respowerfuse.com/
> **********************************************************
> Useful Thin Client Computing Links are available at:
> http://thethin.net/links.cfm
> 
> For Archives, to Unsubscribe, Subscribe or
> set Digest or Vacation mode use the below link:
> http://thethin.net/citrixlist.cfm
> 