We're getting quite a bit of that from the good ol' KLez worm. According to the ipswtch tech the suspected spammer or virus is merely using the reply to address of one of the internal users.
-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry Sent: Wednesday, October 09, 2002 1:24 PM To: [EMAIL PROTECTED] Subject: Re: [IMail Forum] Need HELP with rules >I have a customer who is on a shared Imail server with ~1000 other customers. > >Recently someone has been impersonating him and sending porno spam. It is >not a trivial impersonation - they are actually able to relay mail via his >Imail server from a computer somewhere in Macedonia. The Imail server is >set to "No mail relay". So I guess the spammer is one of the 1000 other >customers on the same Imail server. Or someone who hacked/sniffed a >legitimate customer's username and password? Rather than guessing, have you looked at the IMail log files to see how the mail was sent out? Have you checked to see if this E-mail was really sent from your server? >I can only see one way to stop this impersonation - to create a rule that >will check the From and the IP address in the header. The good customer >always sends mail from the same static IP address. > >I am trying to create an outbound rule. I have tried it on the customer's >virtual host as well as on the physical host. I can't seem to make the >rule work. If, indeed, the password was guessed/hacked, a rule could patch the problem. However, wouldn't it be easier to tell your user that they need to change their password? Note that sniffing passwords is not a trivial task unless you have access to the same LAN as the user whose password you are acquiring. I'm guessing this isn't what you think it is -- from the information you've provided, it sounds like standard spam (a spammer sending an E-mail with someone else's return address, or the return address the same as the recipient's address). -Scott --- Declude: Anti-virus, Anti-spam and Anti-hijacking solutions for IMail. http://www.declude.com --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/ Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/ To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/ Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
