Klez has its own SMTP engine; you'd need to look at the message headers to determine the IP address of the person infected.
> -----Original Message-----
> From: Jeremy Pinquist [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, July 18, 2002 9:25 AM
> To: Exchange Discussions
> Subject: Tracking Klez on exchange 2k.
>
> Yes, I'm running antivirus, as well as blocking extensions. (norton for
> exchange 2.5)
> I have a sneaking suspicion that a user, perhaps a remote access machine
> that's connecting to exchange may be infected. I'd like to hunt down the
> offender and chew them out. Does the message tracking center in System
> Manager pull the true sender's email addy, or the klez'ed spoofed one?
> I've got NAV CE running on all the on site workstations, so I'm moderately
> sure it's no one in my building, but I want to make sure. Question: If a
> user who is using Outlook for Corp/Workgroup settings is infected, will
> Klez send itself out via the Outlook-Exchange connection, or will it still
> use SMTP to distribute itself? If it does worm thru Outlook, does it
> still spoof the name? If it does, how can you tell the true originator
> without any headers? Couldn't find anything on Symantec's website about
> this.
>
> Jeremy
>
> _________________________________________________________________
> List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
> Archives: http://www.swynk.com/sitesearch/search.asp
> To unsubscribe: mailto:[EMAIL PROTECTED]
> Exchange List admin: [EMAIL PROTECTED]
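The header check suggested in the reply above, as an added Python example that is not part of the original thread: it ignores the spoofable From line and reads the connecting IP from the Received stamp written by the outermost server you control. The sample message, host names, IPs and the `TRUSTED_HOSTS` set are constructed assumptions.

```python
import ipaddress
from email import message_from_string

# Constructed sample: every host name, address and IP below is invented.
SAMPLE = """\
Received: from mailgw.example.com ([192.0.2.10]) by exch01.example.com
\twith Microsoft SMTPSVC; Thu, 18 Jul 2002 09:12:44 -0500
Received: from Qzxkv (dialup-77.isp.example [198.51.100.77])
\tby mailgw.example.com with SMTP; Thu, 18 Jul 2002 09:12:40 -0500
Received: from fake.invalid ([203.0.113.5]) by relay.invalid with SMTP;
\tThu, 18 Jul 2002 08:00:00 -0500
From: innocent.user@example.org
To: someone@example.com
Subject: constructed sample

body
"""

# Assumption: the mail servers you operate, whose Received stamps you trust.
TRUSTED_HOSTS = {"exch01.example.com", "mailgw.example.com"}

def bracketed_ip(text):
    """Return the first valid [a.b.c.d] literal in text, or None."""
    for chunk in text.split("[")[1:]:
        candidate = chunk.split("]", 1)[0]
        try:
            return str(ipaddress.ip_address(candidate))
        except ValueError:
            continue
    return None

def submitting_ip(raw, trusted=TRUSTED_HOSTS):
    """Return (ip, stamped_by) for the client that handed the message to the
    outermost trusted server, or None if no trusted stamp records an IP."""
    result = None
    # Received headers are prepended, so get_all() yields newest first.
    for hdr in message_from_string(raw).get_all("Received", []):
        parts = " ".join(hdr.split()).split(" by ", 1)  # unfold, then split
        if len(parts) != 2:
            break
        stamped_by = parts[1].split()[0].rstrip(";").lower()
        if stamped_by not in trusted:
            break  # older headers came from outside and may be forged
        ip = bracketed_ip(parts[0])
        if ip:
            result = (ip, stamped_by)
    return result
```

The returned IP can then be matched against DHCP, VPN or dial-up logs for the timestamp in the same Received line.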

