>1. I picked up the following in my syslog. Does anyone know what is
>happening?
>
>LIST 1
>RETR 1
>DELE 1
>...

That is normal.  That's just a POP3 transaction, someone retrieving their 
E-mail.

>2. I am currently investigating why the postmaster account, for one of
>the domains we host, sent an e-mail with a virus attached to itself, the
>same Postmaster account?

My guess would be that the virus used the postmaster@ account, even though 
it wasn't sent from the postmaster account.  Several viruses will alter the 
return address of the E-mail.

>3. I am looking through the syslog and other logs trying to ID what
>exactly happened and where, and it is difficult to figure out.

I'm not familiar with the syslog, just the standard IMail SMTP log 
file.  That should show you the original E-mail arriving, along with the IP 
address that it came from.

Also, looking at the original E-mail in the \IMail\spool\virus directory 
would provide clues as well.

>4. This is what I pick up in the log searching for the Spool file
>name...
>
>02:12 16:13 SMTPD(0C25012A) [216.201.29.172] f:\imail\spool\D92f812a.SMD 97962

The lines before that will show you who it was sent to, received from, and 
the IP address of the sender.

>5. This is what I find when searching for 0C25012A...
>
>02:12 16:11 SMTPD(0C25012A) [216.30.105.167] connect 216.201.29.172 port2055
>02:12 16:11 SMTPD(0C25012A) [216.201.29.172] HELO mail.thedomain.com
>02:12 16:11 SMTPD(0C25012A) [216.201.29.172] MAIL FROM:<[EMAIL PROTECTED]>
>02:12 16:11 SMTPD(0C25012A) [216.201.29.172] RCPT TO: [EMAIL PROTECTED]

So here you have someone from 216.201.29.172 that sent the virus (about 95K 
in length).  If you look at the original E-mail with the virus in it, you 
can probably get an idea if it was sent legitimately (from someone else who 
had opened it), or if it was sent intentionally.
                                     -Scott
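As an added example (not from the thread, Scott, or IMail itself), a small Python script that does what steps 4 and 5 above describe by hand: index IMail SMTP log records by their SMTPD session id, find the session that wrote a given spool file, and pull the connecting IP, HELO, MAIL FROM and RCPT TO out of that session. The log lines are constructed to mirror the quoted format; the IPs and addresses are placeholders, not the ones in the original post.

```python
import re
from collections import defaultdict

# IMail SMTP log record, as quoted in the thread: "MM:DD HH:MM SMTPD(SESSION) [ip] text"
LINE_RE = re.compile(r"^(\d\d:\d\d) (\d\d:\d\d) SMTPD\(([0-9A-F]+)\) \[([\d.]+)\] (.*)$")

# Constructed sample log modelled on the quoted lines; IPs/addresses are placeholders.
SAMPLE_LOG = """\
02:12 16:11 SMTPD(0C25012A) [192.0.2.10] connect 198.51.100.7 port2055
02:12 16:11 SMTPD(0C25012A) [198.51.100.7] HELO mail.example.com
02:12 16:11 SMTPD(0C25012A) [198.51.100.7] MAIL FROM:<postmaster@example.com>
02:12 16:11 SMTPD(0C25012A) [198.51.100.7] RCPT TO: postmaster@example.com
02:12 16:12 SMTPD(0C25012B) [203.0.113.5] HELO other.example.org
02:12 16:13 SMTPD(0C25012A) [198.51.100.7] f:\\imail\\spool\\D92f812a.SMD 97962
""".splitlines()

def group_by_session(lines):
    """Index records by session id so one SMTP transaction can be read as a unit."""
    sessions = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            sessions[m.group(3)].append({"ip": m.group(4), "text": m.group(5)})
    return sessions

def session_for_spool(sessions, spool_name):
    """Step 4 of the thread: find the session that wrote the given spool file."""
    for sid, recs in sessions.items():
        if any(spool_name.lower() in r["text"].lower() for r in recs):
            return sid
    return None

def summarize_session(sessions, sid):
    """Step 5: sender IP, HELO, MAIL FROM, RCPT TO and message size for one session.
    On the quoted connect line the bracketed IP is not the client's, so the client
    address is taken from the text of that line instead."""
    info = {"session": sid, "client_ip": None, "helo": None,
            "mail_from": None, "rcpt_to": [], "spool_file": None, "size": None}
    for r in sessions.get(sid, []):
        text = r["text"]
        if text.startswith("connect "):
            info["client_ip"] = text.split()[1]
        elif text.upper().startswith(("HELO ", "EHLO ")):
            info["helo"] = text.split(None, 1)[1]
        elif text.upper().startswith("MAIL FROM:"):
            info["mail_from"] = text.split(":", 1)[1].strip().strip("<>")
        elif text.upper().startswith("RCPT TO:"):
            info["rcpt_to"].append(text.split(":", 1)[1].strip().strip("<>"))
        elif ".smd" in text.lower():
            path, _, size = text.rpartition(" ")
            info["spool_file"], info["size"] = path, int(size)
    return info
```

Run against a real IMail SMTP log, the summary for the session that produced the quarantined spool file gives the same connect/HELO/MAIL FROM/RCPT TO facts Scott points to, ready to compare against the headers of the message in the virus directory.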

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---

This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .
