> I am forwarding a message that declude has been sending me. I just want
> to see if I interpret this correctly. I have been getting hundreds of these
> virus messages, all from the jleclair05 account. I do have a user here by
> that name AND, to make matters worse, the 10.200.11.65 address is an
> internal DHCP address, but is non routable and would be natted to a
> different address in our firewall.

I hate to say it, but I can say with about 99.9% certainty that the virus 
is on the computer at 10.200.11.65:

> > Headers:
> > Received: from Yik [10.200.11.65] by mcgraw.elmira.edu
> >   (SMTPD32-7.05) id A84FB4901FE; Thu, 05 Sep 2002 08:04:34 -0400
> > From: webmaster <[EMAIL PROTECTED]>

Since there is only one Received: header, that means that the virus's SMTP 
engine connected directly to your mailserver.  As far as I know, Klez 
doesn't attempt to forge IP addresses (which would be *extremely* difficult 
to do on Windows machines, which are the ones that Klez infects, and 
wouldn't do much to help increase the spread of Klez).

If all of the messages are from the jleclair05 account, there's a very good 
chance that account is the one that is infected, so that would be a good 
place to start.  But, I can almost guarantee that the IP 10.200.11.65 does 
exist on your network, and is the source of the virus.
                                    -Scott

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".    The archives can be found
at http://www.mail-archive.com.
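As an added example (not part of Scott's message or the original thread), the reasoning above in code: the topmost Received: line is the one our own MTA stamped, so the bracketed address in it is the TCP peer the server actually saw, and with exactly one hop that peer is the origin. The header samples are constructed from the quoted headers (the From address is a placeholder, since the archive redacts it), and the RFC 1918 test mirrors the "internal, non-routable address" observation.

```python
import re
import ipaddress

# Constructed sample modelled on the headers quoted in the thread; the From
# address is a placeholder because the archive redacts it.
SINGLE_HOP = """\
Received: from Yik [10.200.11.65] by mcgraw.elmira.edu
  (SMTPD32-7.05) id A84FB4901FE; Thu, 05 Sep 2002 08:04:34 -0400
From: webmaster <webmaster@placeholder.invalid>
"""

# Constructed two-hop sample: our MTA received from a relay, which claims it
# received from somewhere else.  Only the relay's address was seen by us.
RELAYED = """\
Received: from relay.example.invalid [192.0.2.10] by mcgraw.elmira.edu
  (SMTPD32-7.05) id B000000000; Thu, 05 Sep 2002 09:00:00 -0400
Received: from somewhere [198.51.100.7] by relay.example.invalid; Thu, 05 Sep 2002 08:59:00 -0400
From: webmaster <webmaster@placeholder.invalid>
"""

_IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
_RFC1918 = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def unfold(raw: str) -> list[str]:
    """Join continuation lines (leading whitespace) onto their header line."""
    lines: list[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def received_hops(raw: str) -> list[str]:
    """Received: values, topmost first (that one was stamped by our own MTA)."""
    return [h.split(":", 1)[1].strip() for h in unfold(raw)
            if h.lower().startswith("received:")]

def analyse_origin(raw: str) -> dict:
    """Report the TCP peer that handed the message to our MTA.

    The bracketed address in the topmost Received: line is what our server
    observed; lower Received: lines were written by other hosts and are
    unverifiable.  With exactly one hop, that peer is the message's origin.
    """
    hops = received_hops(raw)
    match = _IPV4_IN_BRACKETS.search(hops[0]) if hops else None
    peer = match.group(1) if match else None
    rfc1918 = peer is not None and any(
        ipaddress.ip_address(peer) in net for net in _RFC1918)
    return {"hops": len(hops), "peer_ip": peer,
            "direct": len(hops) == 1, "rfc1918": rfc1918}
```

For the single-hop sample this reports one hop from 10.200.11.65 in RFC 1918 space, i.e. the infected host is on the internal network; the NAT address the firewall would use outbound is irrelevant because the connection never left it.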
