WHAT???

You've got a copy of the Klez virus that is able to guess passwords, and 
send out mail using SMTP AUTH?  Now that's big news!
                                -Scott

At 03:35 PM 10/9/2002, you wrote:
>We're getting quite a bit of that from the good ol' Klez worm.
>
>According to the Ipswitch tech the suspected spammer or virus is merely
>using the reply to address of one of the internal users.
>
>
>-----Original Message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
>Sent: Wednesday, October 09, 2002 1:24 PM
>To: [EMAIL PROTECTED]
>Subject: Re: [IMail Forum] Need HELP with rules
>
>
> >I have a customer who is on a shared Imail server with ~1000 other customers.
> >
> >Recently someone has been impersonating him and sending porno spam. It is
> >not a trivial impersonation - they are actually able to relay mail via his
> >Imail server from a computer somewhere in Macedonia. The Imail server is
> >set to "No mail relay". So I guess the spammer is one of the 1000 other
> >customers on the same Imail server. Or someone who hacked/sniffed a
> >legitimate customer's username and password?
>
>Rather than guessing, have you looked at the IMail log files to see how the
>mail was sent out?  Have you checked to see if this E-mail was really sent
>from your server?
>
> >I can only see one way to stop this impersonation - to create a rule that
> >will check the From and the IP address in the header. The good customer
> >always sends mail from the same static IP address.
> >
> >I am trying to create an outbound rule. I have tried it on the customer's
> >virtual host as well as on the physical host. I can't seem to make the
> >rule work.
>
>If, indeed, the password was guessed/hacked, a rule could patch the
>problem.  However, wouldn't it be easier to tell your user that they need
>to change their password?
>
>Note that sniffing passwords is not a trivial task unless you have access
>to the same LAN as the user whose password you are acquiring.
>
>I'm guessing this isn't what you think it is -- from the information you've
>provided, it sounds like standard spam (a spammer sending an E-mail with
>someone else's return address, or the return address the same as the
>recipient's address).
>
>                                                     -Scott
>---
>Declude: Anti-virus, Anti-spam and Anti-hijacking solutions for
>IMail.  http://www.declude.com
>
>---
>[This E-mail was scanned for viruses by Declude Virus
>(http://www.declude.com)]
>
>
>To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
>List Archive:
>http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
>Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/