No, it is just taking an entry from the address book or contacts file and
using it as its reply-to address.  We get at least 300+ e-mails per day
saying that one of our users sent this from our web server when in fact
the IP address is not part of our LAN or any of the others that I
permit.  They are using another SMTP server, but because the reply-to is from
[EMAIL PROTECTED] we get a bounce message.

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
Sent: Wednesday, October 09, 2002 4:29 PM
To: [EMAIL PROTECTED]
Subject: Re: [IMail Forum] Need HELP with rules

WHAT???

You've got a copy of the Klez virus that is able to guess passwords, and
send out mail using SMTP AUTH?  Now that's big news!
                                -Scott

At 03:35 PM 10/9/2002, you wrote:
>We're getting quite a bit of that from the good ol' Klez worm.
>
>According to the Ipswitch tech, the suspected spammer or virus is merely
>using the reply-to address of one of the internal users.
>
>
>-----Original Message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
>Sent: Wednesday, October 09, 2002 1:24 PM
>To: [EMAIL PROTECTED]
>Subject: Re: [IMail Forum] Need HELP with rules
>
>
> >I have a customer who is on a shared Imail server with ~1000 other
> >customers.
> >
> >Recently someone has been impersonating him and sending porno spam. It is
> >not a trivial impersonation - they are actually able to relay mail via his
> >Imail server from a computer somewhere in Macedonia. The Imail server is
> >set to "No mail relay". So I guess the spammer is one of the 1000 other
> >customers on the same Imail server. Or someone who hacked/sniffed a
> >legitimate customer's username and password?
>
>Rather than guessing, have you looked at the IMail log files to see how the
>mail was sent out?  Have you checked to see if this E-mail was really sent
>from your server?
>
> >I can only see one way to stop this impersonation - to create a rule that
> >will check the From and the IP address in the header. The good customer
> >always sends mail from the same static IP address.
> >
> >I am trying to create an outbound rule. I have tried it on the customer's
> >virtual host as well as on the physical host. I can't seem to make the
> >rule work.
>
>If, indeed, the password was guessed/hacked, a rule could patch the
>problem.  However, wouldn't it be easier to tell your user that they need
>to change their password?
>
>Note that sniffing passwords is not a trivial task unless you have access
>to the same LAN as the user whose password you are acquiring.
>
>I'm guessing this isn't what you think it is -- from the information you've
>provided, it sounds like standard spam (a spammer sending an E-mail with
>someone else's return address, or the return address the same as the
>recipient's address).
>
>                                                     -Scott
>---
>Declude: Anti-virus, Anti-spam and Anti-hijacking solutions for
>IMail.  http://www.declude.com
>
>---
>[This E-mail was scanned for viruses by Declude Virus
>(http://www.declude.com)]
>
>
>To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
>List Archive:
>http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
>Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
>

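Added example, not part of the original thread: one way to check, from the Received headers of a bounced copy, whether a message carrying a local user's address actually passed through your own server or only borrowed the address. The host name, permitted range and sample messages are constructed assumptions.

```python
import ipaddress
import re
from email import message_from_string

# Assumptions (not from the thread): our server name and permitted client range.
OUR_HOST = "mail.example.com"
PERMITTED = [ipaddress.ip_network("192.0.2.0/24")]

# Matches the common "from name ([ip]) by host" shape; real formats vary.
RECEIVED_RE = re.compile(
    r"from\s+.*?\[(?P<ip>[0-9a-fA-F.:]+)\].*?\bby\s+(?P<by>[\w.-]+)", re.S
)

def classify(raw_message: str) -> str:
    """Classify a message by the hop (if any) that our server recorded."""
    msg = message_from_string(raw_message)
    for header in msg.get_all("Received", []):
        m = RECEIVED_RE.search(header)
        if not m or m.group("by").lower() != OUR_HOST:
            continue  # hop recorded by someone else's server
        try:
            client = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # unparsable address, ignore this hop
        if any(client in net for net in PERMITTED):
            return "sent-via-us-from-permitted-ip"
        return "relayed-via-us-from-outside-ip"
    # No hop through our server: only the From/Reply-To address was borrowed.
    return "forged-address-not-our-server"

# Constructed sample: delivered by another SMTP server, local address forged.
FORGED_SAMPLE = (
    "Received: from dialup-host (unknown [198.51.100.23])\n"
    "\tby mx.other.example with SMTP; Wed, 9 Oct 2002 15:00:00 -0400\n"
    "From: user@example.com\nReply-To: user@example.com\n\nbody\n"
)
# Constructed sample: an outside address handed the mail to our server.
RELAYED_SAMPLE = (
    "Received: from mail.example.com ([192.0.2.10])\n"
    "\tby mx.other.example with SMTP; Wed, 9 Oct 2002 15:00:05 -0400\n"
    "Received: from pc ([198.51.100.23])\n"
    "\tby mail.example.com with ESMTP; Wed, 9 Oct 2002 15:00:00 -0400\n"
    "From: user@example.com\n\nbody\n"
)

if __name__ == "__main__":
    print(classify(FORGED_SAMPLE))
    print(classify(RELAYED_SAMPLE))
```

Received lines added before the message reached a server you trust can be written by the sender, so a "relayed" result should be confirmed against the mail server's own log files.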