I have one in-house user that is getting an email with no From indicated.
Subject is: Corrupt Message Detected
Text is: "A corrupt mail message, ID 1081948864406 from [EMAIL PROTECTED] has been detected."

Could this be the following virus....

[EMAIL PROTECTED] is a MAPI worm that emails itself out using different file names. It also creates the file \Windows\System\Kdll.dll. It uses functions from this file to log keystrokes.

Here are some snapshots of the log. Look at 4/13/04 as the start of it.....

0040414 112333 127.0.0.1 SMTP (01351918) 250 OK
20040414 112333 127.0.0.1 SMTP (01351918) >MAIL FROM:<[EMAIL PROTECTED]>
20040414 112333 127.0.0.1 SMTP (01351918) 250 2.1.0 [EMAIL PROTECTED] OK
20040414 112333 127.0.0.1 SMTP (01351918) >RCPT To:<[EMAIL PROTECTED]>
20040414 112333 127.0.0.1 SMTP (01351918) 250 2.1.5 [EMAIL PROTECTED]
20040414 112334 127.0.0.1 SMTP (01351918) >DATA
20040414 112334 127.0.0.1 SMTP (01351918) 354 Start mail input; end with <CRLF>.<CRLF>
20040414 112334 127.0.0.1 SMTP (01351918) >.
20040414 112334 127.0.0.1 SMTP (01351918) 250 2.6.0 <[EMAIL PROTECTED]> Queued mail for delivery
20040414 112334 127.0.0.1 SMTP (01351918) rdeliver future.ca [EMAIL PROTECTED] (1) <[EMAIL PROTECTED]> 4816
20040414 112334 127.0.0.1 SMTP (01351918) >QUIT
20040413 132525 127.0.0.1 SMTP (01351788) >MAIL FROM:<[EMAIL PROTECTED]>
20040413 132525 127.0.0.1 SMTP (01351788) 250 2.1.0 [EMAIL PROTECTED] OK
20040413 132525 127.0.0.1 SMTP (01351788) >RCPT To:<[EMAIL PROTECTED]>
20040413 132525 127.0.0.1 SMTP (01351788) 250 2.1.5 [EMAIL PROTECTED]
20040413 132525 127.0.0.1 SMTP (01351788) >DATA
20040413 132525 127.0.0.1 SMTP (01351788) 354 Start mail input; end with <CRLF>.<CRLF>
20040413 132525 127.0.0.1 SMTP (01351788) >.
20040413 132525 127.0.0.1 SMTP (01351788) 250 2.6.0 <[EMAIL PROTECTED]> Queued mail for delivery
20040413 132525 127.0.0.1 SMTP (01351788) rdeliver future.ca [EMAIL PROTECTED] (1) <[EMAIL PROTECTED]> 1969
20040413 132525 127.0.0.1 SMTP (01351788) >QUIT
20040413 132526 127.0.0.1 SMTP (01351788) 221 2.0.0 montremsg32.NA.FUTURE.CA Service closing transmission channel
20040413 132526 127.0.0.1 SMTP (01351788) finished D:\IMail\spool\Q228231c40214da92.SMD status=1
20040413 132551 127.0.0.1 SMTPD (8D3802A0) [192.168.11.3] connect 156.21.1.21 port 3031
20040413 134520 127.0.0.1 SMTP (0135179A) >MAIL FROM:<[EMAIL PROTECTED]>
20040413 134520 127.0.0.1 SMTP (0135179A) 250 2.1.0 [EMAIL PROTECTED] OK
20040413 134520 127.0.0.1 SMTP (0135179A) >RCPT To:<[EMAIL PROTECTED]>
20040413 134520 127.0.0.1 SMTP (0135179A) 250 2.1.5 [EMAIL PROTECTED] uture.ca
20040413 134520 127.0.0.1 SMTP (0135179A) >DATA
20040413 134520 127.0.0.1 SMTP (0135179A) 354 Start mail input; end with <CRLF>.<CRLF>
20040413 134520 127.0.0.1 SMTP (0135179A) >.
20040413 134520 127.0.0.1 SMTP (0135179A) 250 2.6.0 <[EMAIL PROTECTED]> Queued mail for delivery
20040413 134520 127.0.0.1 SMTP (0135179A) rdeliver future.ca [EMAIL PROTECTED] (1) <[EMAIL PROTECTED]> 3387
20040413 134520 127.0.0.1 SMTP (0135179A) >QUIT
20040413 134520 127.0.0.1 SMTP (0135179A) 221 2.0.0 montremsg32.NA.FUTURE.CA Service closing transmission channel
20040413 134521 127.0.0.1 SMTP (0135179A) finished D:\IMail\spool\Q272d91df02a0175b.SMD status=1
20040413 134536 127.0.0.1 SMTPD (91F402A0) [192.168.11.3] connect 156.21.1.21 port 3070

Thanks for any help.

Greg Shepherd
Engineering Manager
Catalyst Manufacturing Services, Inc.
2507 Wayne Street
Endicott, New York 13760
Phone: 607-786-6300
Fax: (607) 786-6313 or (607) 748-8557
Email: [EMAIL PROTECTED]

-----Original Message-----
From: Kathy Lees [SMTP:[EMAIL PROTECTED]
Sent: Wednesday, April 14, 2004 1:16 PM
To: [EMAIL PROTECTED]
Subject: RE: [IMail Forum] Processing Rule Question

The link doesn't work.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Dave Riddle
Sent: Tuesday, April 13, 2004 12:38 PM
To: [EMAIL PROTECTED]
Subject: Re: [IMail Forum] Processing Rule Question

Kathy,

I will wait to see if someone has a way to check that AND condition. For now you might want to use in-bound rules like mine that check both the body and the header.

http://www.microworks.net.rules.ima

As I told someone else though, redirect the caught mail to one of your own mailboxes.

At 12:47 PM 4/13/2004, you wrote:

We are being overwhelmed by emails with attachments with viruses. Subject line is many different things, but each mailbox will get 5-10 of each subject each day. How do I set a processing rule with a subject AND it has an attachment?

To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
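
An added example, not part of the original thread and not IMail's own tooling: one way to triage a log like the excerpt in the first message is to group the outbound SMTP lines by the session ID in parentheses and list the envelope sender, recipients and delivery size per session. The sample lines are constructed with placeholder addresses; treating the trailing number on rdeliver lines as a message size and SMTPD lines as inbound connections are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the layout of the excerpt above (placeholder addresses).
SAMPLE_LOG = """\
0040414 112333 127.0.0.1 SMTP (01351918) 250 OK
20040413 132525 127.0.0.1 SMTP (01351788) >MAIL FROM:<sender@example.test>
20040413 132525 127.0.0.1 SMTP (01351788) >RCPT To:<user@example.test>
20040413 132525 127.0.0.1 SMTP (01351788) rdeliver example.test user@example.test (1) <sender@example.test> 1969
20040413 132551 127.0.0.1 SMTPD (8D3802A0) [192.0.2.3] connect 192.0.2.21 port 3031
20040413 134520 127.0.0.1 SMTP (0135179A) >MAIL FROM:<>
20040413 134520 127.0.0.1 SMTP (0135179A) >RCPT To:<user@example.test>
20040413 134520 127.0.0.1 SMTP (0135179A) rdeliver example.test user@example.test (1) <> 3387
"""

# date, time, host, service, session ID in parentheses, then the message text
LINE_RE = re.compile(r"^(\d{8}) (\d{6}) (\S+) (SMTPD?) \(([0-9A-Fa-f]{8})\) (.*)$")
MAIL_RE = re.compile(r"^>MAIL FROM:<([^>]*)>", re.I)
RCPT_RE = re.compile(r"^>RCPT To:<([^>]*)>", re.I)
RDELIVER_RE = re.compile(r"^rdeliver (\S+) .* (\d+)$")  # trailing number assumed to be size

def summarize_sessions(log_text):
    """Group outbound SMTP lines by session ID; skip damaged and SMTPD lines."""
    sessions = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m.group(4) != "SMTP":
            continue  # e.g. a truncated date field, or an SMTPD connect entry
        date, sid, msg = m.group(1), m.group(5), m.group(6)
        s = sessions.setdefault(
            sid, {"date": date, "sender": None, "rcpts": [], "domain": None, "size": None})
        if (mm := MAIL_RE.match(msg)):
            s["sender"] = mm.group(1)  # "" means a null envelope sender
        elif (mm := RCPT_RE.match(msg)):
            s["rcpts"].append(mm.group(1))
        elif (mm := RDELIVER_RE.match(msg)):
            s["domain"], s["size"] = mm.group(1), int(mm.group(2))
    return sessions

def deliveries_per_day(sessions):
    """Count sessions that reached an rdeliver line, per log date."""
    return dict(Counter(s["date"] for s in sessions.values() if s["size"] is not None))

if __name__ == "__main__":
    summary = summarize_sessions(SAMPLE_LOG)
    for sid, s in summary.items():
        print(sid, s)
    print(deliveries_per_day(summary))
```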
