Sawyer Posted February 22, 2005

Norton had been doing really well for us until a few weeks ago. Now everyone is getting obvious virus e-mails that are getting through the e-mail scanner. We still get notifications that the scanner caught one or 2 a week, but every day we get 3-4 e-mails with .pif attachments. Now this morning I got an e-mail from someone else's computer that the file I sent them was infected. I did not send this file, I had never heard of this person, and my cpu was not on at the time of the e-mailing. Our company does have a web site but my name is not on it. What is going on & how do I stop it? Thanks

himom Posted March 10, 2005

Sounds like it's spoofing to me. On occasion, we will receive email that has our address in the email header being returned because of viral attachments. The email did not originate within our organization. Either way, if you check the details in the email header, that can usually give you a clue to whether this is a spoofing incident or worse. If you are using Outlook, select your message in question and go to View/Options; this will bring up the Message Options dialog where you can view the return path and origination details. On a side note, it is best not to use the Outlook "Preview Pane" feature, as that can lead to multiple bad things happening -- use the "AutoPreview" instead. Hope that helps - good luck!

Sawyer Posted June 6, 2005

So here is another mail that I think has been spoofed through us. I see a few things and it looks like the dmotorworks id is what is suspect, but I am not sure how to read this (this is the "option view" of the mail I received today). Mostly I would like to be able to read this for future problems, so if there is a code translation page somewhere please let me know. Thanks,

Return-Path:
Received: from mx28.stngva01.us.mxservers.net (204.202.242.9)
    by mail26c.sbc-webhosting.com (RS ver 1.0.95vs) with SMTP id 0-0547454675
    for ; Mon, 6 Jun 2005 12:17:55 -0400 (EDT)
Received: from mx01.dmotorworks.com [66.45.71.216] (EHLO mx01.dmotorworks.com)
    by mx28.stngva01.us.mxservers.net (mxl_mta-1.3.8-10p4) with ESMTP
    id 23774a24.2968.347.mx28.stngva01.us.mxservers.net;
    Mon, 06 Jun 2005 12:17:54 -0400 (EDT)
MIME-Version: 1.0
From: MAILER DAEMON
Message-Id:
Subject: Banned file: document.pif in mail from you
Content-Type: multipart/report; report-type=delivery-status; charset=utf-8;
    boundary="----------=_1118074674-7898-1"
To:
Date: Mon, 6 Jun 2005 11:17:54 -0500 (CDT)
X-Spam: [F=0.0277487688; heur=0.868(3800); stat=0.010; spamtraq-heur=0.300(2005060603)]
X-MAIL-FROM:
X-SOURCE-IP: [66.45.71.216] From:@mx28.stngva01.us.mxservers.net
X-Loop-Detect:1
X-DistLoop-Detect:1
Status:

AJLynn Posted June 7, 2005

These are the headers of the email you received that was the notice of a failed send, right? They won't tell you where the spoofer was - what this means is that the email address that it couldn't be delivered to was served by mx01.dmotorworks.com. You would need to see the header of the original message to get any leads on the spoofer. (Not that there's anything really useful you can do with that information.) But since most mail servers these days block spoof mail, it's fairly likely that the mail came from within your company, from somebody who has a virus that sends email with spoof addresses from their address book.
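
An added example, not part of any post in this thread: one way to read headers like the ones Sawyer posted. It walks the Received lines from the bottom up (each relay adds its line on top) and checks the Content-Type to see whether the message is a delivery report, in which case the chain is the path of the bounce, not of the original mail. The function names are this example's own, and the sample is a subset of the posted headers with the line folding reconstructed.

```python
import re
from email import message_from_string

# Subset of the headers posted above; address fields are blank in the post
# and are left blank here. Line folding is reconstructed for this example.
RAW = """\
Return-Path:
Received: from mx28.stngva01.us.mxservers.net (204.202.242.9)
 by mail26c.sbc-webhosting.com (RS ver 1.0.95vs) with SMTP id 0-0547454675
 for ; Mon, 6 Jun 2005 12:17:55 -0400 (EDT)
Received: from mx01.dmotorworks.com [66.45.71.216] (EHLO mx01.dmotorworks.com)
 by mx28.stngva01.us.mxservers.net (mxl_mta-1.3.8-10p4) with ESMTP
 id 23774a24.2968.347.mx28.stngva01.us.mxservers.net;
 Mon, 06 Jun 2005 12:17:54 -0400 (EDT)
From: MAILER DAEMON
Subject: Banned file: document.pif in mail from you
Content-Type: multipart/report; report-type=delivery-status; charset=utf-8;
 boundary="----------=_1118074674-7898-1"

"""

HOP = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.S)

def received_hops(raw):
    """Return (from_host, by_host) pairs in travel order, oldest hop first."""
    msg = message_from_string(raw)
    hops = []
    # Each relay prepends its Received line, so the last header is the first hop.
    for value in reversed(msg.get_all("Received", [])):
        m = HOP.search(value)
        if m:
            hops.append((m.group(1), m.group(2)))
    return hops

def is_delivery_report(raw):
    """True when the message is a bounce/DSN rather than an ordinary mail."""
    msg = message_from_string(raw)
    return (msg.get_content_type() == "multipart/report"
            and msg.get_param("report-type") == "delivery-status")

def chain_is_contiguous(hops):
    """Each hop's 'by' host should be the next hop's 'from' host."""
    return all(a[1] == b[0] for a, b in zip(hops, hops[1:]))

if __name__ == "__main__":
    for n, (src, dst) in enumerate(received_hops(RAW), 1):
        print(f"hop {n}: {src} -> {dst}")
    print("delivery report:", is_delivery_report(RAW))
    print("contiguous:", chain_is_contiguous(received_hops(RAW)))
```

Only the Received lines added by relays you trust are reliable; anything below them is supplied by the sending side and can be written to say anything.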