original message!
 
I have an intra-VLAN network which hops subnets and networks. All Cisco, all working normally.
We presently have a virus on one computer and we are trying to zero in on its origin on our LAN.
QMail will tell us the user name ([EMAIL PROTECTED]) but not the original true IP address or computer name.
Level = debug for both ClamAV and Qmail, but the only origin IP we get is that of the gateway.
I have meticulously examined every possible log in /var/logs/./. and all ClamAV logs and all qmail-scanner logs.
nothing
zip
zero
only gateway IP is available!
 
Does anyone know where to look for an email's true origin, or how to initialize a higher level of debug?
 
Brad Sumrall
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
second message
 
Log info and complete header and footer of message
 
 
This is an overview of the information provided by QMail and the emails.

> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> Received: from adsl-66-120-105-146.dsl.sndg02.pacbell.net (HELO
> entekbuckets.com) (66.120.105.146)
>   by entekbuckets.com with SMTP; 14 Jun 2005 13:47:46 -0700
> From: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
> Subject: YOUR ACCOUNT IS SUSPENDED FOR SECURITY REASONS
> Date: Tue, 14 Jun 2005 13:47:46 -0700
> MIME-Version: 1.0
> Content-Type: multipart/mixed;
>         boundary="----=_NextPart_000_0009_099EFC25.1F26CD3D"
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Qmail-Scanner-Message-ID: <[EMAIL PROTECTED]
> <mailto:[EMAIL PROTECTED]>>

> This is a multi-part message in MIME format.

> ------=_NextPart_000_0009_099EFC25.1F26CD3D
> Content-Type: text/plain;
>         charset="Windows-1252"
> Content-Transfer-Encoding: 7bit

> The original message has been included as an attachment.

>
> ------=_NextPart_000_0009_099EFC25.1F26CD3D
> Content-Type: application/octet-stream;
>         name="information.zip"
> Content-Transfer-Encoding: base64
> Content-Disposition: attachment;
>         filename="information.zip"

> begin blah blah blah blah the body of the message is here


> ------=_NextPart_000_0009_099EFC25.1F26CD3D--



> *** Qmail-Scanner Quarantine Envelope Details Begin ***
> X-Qmail-Scanner-Mail-From: "[EMAIL PROTECTED]
> <mailto:[EMAIL PROTECTED]>" via samba.entekbuckets.com
> X-Qmail-Scanner-Rcpt-To: "[EMAIL PROTECTED]
> <mailto:[EMAIL PROTECTED]>"
> X-Qmail-Scanner: 1.25-st-qms (clamdscan: 0.83/921. spamassassin: 3.0.2.
> perlscan: 1.25-st-qms.  virus Found. Processed in 1.378383 secs) process
> 2504
> Quarantine-Description: Worm.Mytob.CL
> *** Qmail-Scanner Envelope Details End ***

> *** Qmail-Scanner Envelope Details Begin ***
> X-Qmail-Scanner-Mail-From: "[EMAIL PROTECTED]
> <mailto:[EMAIL PROTECTED]>" via samba.entekbuckets.com
> X-Qmail-Scanner-Rcpt-To: "[EMAIL PROTECTED]
> <mailto:[EMAIL PROTECTED]>"
> X-Qmail-Scanner: 1.25-st-qms (clamdscan: 0.83/921. spamassassin: 3.0.2.
> perlscan: 1.25-st-qms.   Clear::RC:0(66.120.105.146):. Processed in
> 1.439189 secs)
> *** Qmail-Scanner Envelope Details End ***


> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>                                         error log


> Tue, 14 Jun 2005 16:50:43 PDT:4761:
> return-path='[EMAIL PROTECTED]'
> <mailto:return-path='[EMAIL PROTECTED]'>,
> recips='[EMAIL PROTECTED]'
> <mailto:recips='[EMAIL PROTECTED]'>
> Tue, 14 Jun 2005 16:50:43 PDT:4761: from='[EMAIL PROTECTED]'
> <mailto:from='[EMAIL PROTECTED]'>, subj='WVJXAIWEBPJMOTU', via
> SMTP from 66.120.105.146
> Tue, 14 Jun 2005 16:50:43 PDT:4761: clamdscan: there be a virus!
> (Worm.Mytob.CL)
> Tue, 14 Jun 2005 16:50:43 PDT:4761: clamdscan: finished scan in 0.23359 secs
> Tue, 14 Jun 2005 16:50:43 PDT:4761: ini_sc: finished scan of
> "/var/spool/qmailscan/tmp/samba.entekbuckets.com11187930417754761"...
>
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
                            Reply to this post

OK, I'm not a super-guru, but are you *certain* that someone on the
inside is sending these from their computer from the inside of your LAN?
Forward this to the list, so we can get some other eyeballs on it.
And are these the complete headers?

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
                                Reply to reply
 
 
Yes, this is the complete header and footer for the emails in question.
 
The viruses are coming from one computer that has multiple login screen names on our domain.
They are coming from our LAN "DEFINITELY"; no outside access to email is available.
The screen names sending them are
 
Our previous tech (we already cleaned his "known" workstation, which had the virus on it).
The only problem is this guy would work from 20 different computers on those screen names, which he created everywhere.
We just can't find this last one!
The originating IP address would look like one of these two:
 
192.168.1.
255.255.255.224
or
192.168.2.
255.255.255.224
 
There is no other possible location or network because he was only physically at these network locations.
 
QMail server resides at:
192.168.0.
255.255.255.0
 
Note:
Each network ID is a different VLAN site
site 1    192.168.0.    255.255.255.0
site 2    192.168.1.    255.255.255.224
site 3    192.168.2.    255.255.255.224
 
Brad Sumrall
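The thread's core problem is that the only Received: hop and the qmail-scanner "via SMTP from" line both name the gateway (66.120.105.146), so the mail headers alone cannot point at a host on site 1, 2 or 3. The following script is an added example, not something from the thread or from qmail-scanner: it walks the Received: chain of a raw message from the bottom (earliest hop) up, extracts the connecting IP of each hop, and classifies the earliest one against the three VLAN sites listed in the last reply. The first sample reuses the Received: line quoted in the thread (with placeholder addresses, since the archive redacted them); the second sample is a hypothetical chain with an extra internal relay hop, and its hostnames (ws17, gw, mail under example.invalid) and the address 192.168.1.17 are invented to show what a traceable chain would look like. The set of gateway IPs is taken from the thread's own log lines.

```python
import email
import ipaddress
import re

# Matches the Received: form seen in the thread:
#   from <rdns> (HELO <name>) (<ip>) by <host> with SMTP; <date>
# The HELO part is optional and square brackets around the IP are tolerated.
RECEIVED_RE = re.compile(
    r"from\s+(?P<host>\S+)"
    r"(?:\s+\(HELO\s+(?P<helo>[^)]+)\))?"
    r"(?:\s+\(\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\))?"
    r".*?\bby\s+(?P<by>\S+)",
    re.IGNORECASE,
)

# VLAN sites exactly as listed in the reply (network ID + mask).
SITES = {
    "site 1": ipaddress.ip_network("192.168.0.0/255.255.255.0"),
    "site 2": ipaddress.ip_network("192.168.1.0/255.255.255.224"),
    "site 3": ipaddress.ip_network("192.168.2.0/255.255.255.224"),
}

# Constructed sample 1: Received: line copied from the thread, addresses
# replaced by placeholders. Only the gateway's public IP is recorded.
MASKED = b"""Received: from adsl-66-120-105-146.dsl.sndg02.pacbell.net (HELO
 entekbuckets.com) (66.120.105.146)
  by entekbuckets.com with SMTP; 14 Jun 2005 13:47:46 -0700
From: sender@example.invalid
To: recipient@example.invalid
Subject: YOUR ACCOUNT IS SUSPENDED FOR SECURITY REASONS

body
"""

# Constructed sample 2 (hypothetical): an internal relay stamped its own
# Received: line before the gateway did, so the LAN host is visible.
TRACEABLE = b"""Received: from gw.example.invalid (66.120.105.146)
  by mail.example.invalid with SMTP; 14 Jun 2005 13:47:46 -0700
Received: from ws17.example.invalid (HELO ws17) (192.168.1.17)
  by gw.example.invalid with SMTP; 14 Jun 2005 13:47:40 -0700
From: sender@example.invalid
To: recipient@example.invalid
Subject: test

body
"""


def parse_received(raw_message: bytes) -> list:
    """One dict per Received: header, in header order (newest hop first)."""
    msg = email.message_from_bytes(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(str(value).split())  # unfold continuation lines
        m = RECEIVED_RE.search(flat)
        hop = m.groupdict() if m else {"host": None, "helo": None, "ip": None, "by": None}
        hop["raw"] = flat
        hops.append(hop)
    return hops


def origin_ip(raw_message: bytes):
    """IP recorded by the earliest hop, i.e. the bottom-most Received: header."""
    for hop in reversed(parse_received(raw_message)):
        if hop["ip"]:
            return hop["ip"]
    return None


def locate_origin(raw_message: bytes, gateway_ips):
    """Classify the earliest recorded hop relative to the LAN.

    'masked-by-gateway' means the chain bottoms out at the gateway itself, so
    the headers cannot name the LAN host; the gateway's own SMTP or NAT
    connection log for that timestamp is the next place to look.
    """
    ip = origin_ip(raw_message)
    if ip is None:
        return ("unknown", None)
    if ip in gateway_ips:
        return ("masked-by-gateway", None)
    addr = ipaddress.ip_address(ip)
    for name, net in SITES.items():
        if addr in net:
            return ("internal", name)
    return ("private-unlisted", None) if addr.is_private else ("external", None)


if __name__ == "__main__":
    gateways = {"66.120.105.146"}  # gateway IP as it appears in the thread's logs
    for label, raw in (("masked", MASKED), ("traceable", TRACEABLE)):
        print(label, origin_ip(raw), locate_origin(raw, gateways))
```

Run on the thread's own header the script reports "masked-by-gateway", which is the defensible conclusion: the message chain was already NAT'd or relayed by the time qmail saw it, so the next artefact to correlate is the gateway's connection log (source port and timestamp) rather than more verbose qmail-scanner logging.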
