Home page logo
/

basics logo Security Basics mailing list archives

RE: email address "spoofed"
From: "Josh Mills" <JMills () cnbwaco com>
Date: Mon, 8 Mar 2004 20:06:01 -0600

actually most of this wont really help because most of the viruses do not use your mail server they use there own 
internal smtp engine so there are no logs to trace. If you try to run a scan and it dosent complete or the service will 
not load then that is a pretty good sign something is wrong. The best thing you can do is set your mail server to strip 
all attachments at the gateway and then you can easily tell wether the message was from inside or outside by looking at 
which rule the attachment tripped. I made a seperate rule for inside and outside e-mail and gave them unique names so i 
can easily tell which direction the message was going. another possibility is using a spam filter to block the known 
messages such as admin () yourdomain com, this can become very time consuming and isnt absolutley perfect. This is the 
method i choose to use and i currently have over about 100 custom rules setup just to block messages generated by 
virii. One other method i use is dns blacklist and they work wonders, you have to be carefull when you pick which lists 
to use and be sure to monitor the results they produce but they have really reduced the amount of spam and virii i see 
in a day.

unfortunately there is currently very little you can do to eliminate this problem with out creating a ton of false 
positives and blocking legitimate e-mail. 

-----Original Message-----
From: Torry Crass [mailto:torryc () paradigm-digital com]
Sent: Monday, March 08, 2004 1:13 PM
To: security-basics () securityfocus com
Subject: Re: email address "spoofed"


First off you need to know a few things:

1) Whether the e-mails are being internal to your network by an employee, or
someone's computer which has been infected with the worm or...
2)  If they are being sent by someone off-site unrelated to your network in
general.

If it is the second, the only thing you can do is contact whoever the host
is and ask them if they'd be kind enough to help you (chances are this won't
help but it's worth a shot).  As of right now there is not a way to stop a
random person from sending such messages and it can even be difficult to
track down where they're coming from if they do manage to spoof the headers.

Hopefully it's the first scenario, at this point you need to find out if
it's a virus that's actually sending copies of itself.  The order on this
really doesn't matter, since both are equaly important.  You "should" run a
virus scan on ALL computers on the network, if the scan fails to complete on
any of them you might have a virus which has disabled scanning or is somehow
blocking it; scan it on a 3rd party computer or consult a technician.  If
you don't want to spend the time to do a full network scan, then check the
mail server logs and find out where the message is being sent 'from', as in
the IP of the sender's computer.  Once found make sure it's not the
individual who works on it and make sure to run a thorough virus scan on it.

If this doesn't help you might post back to the list and ask for further
help citing the results you get from the above info.

Torry Crass
torryc () paradigm-digital com
Service Manager || Paradigm Digital Systems


----- Original Message ----- 
From: "Tim Laureska" <hometeam () goeaston net>
To: "security-basics" <security-basics () securityfocus com>
Sent: Friday, March 05, 2004 3:59 AM
Subject: email address "spoofed"



I'm not sure if "spoofing" is the correct term but here is what has
happened:

Someone is sending out email messages (with virus laden attachments)
using our domain name  ... they are addressed as coming from
support () ourdomainname com (ourdomainame would be our actual domain name)
which is an email address that we never set up.

My question is how is this done and is there anything we can do to
prevent this in the future?  The message header looks like this:

Received: from your-xhtr8hvc4p [68.55.1.207] by ourdomainname.com
  (SMTPD32-8.05) id A3C8DF0118; Fri, 05 Mar 2004 04:09:28 -0500
Date: Fri, 05 Mar 2004 04:07:07 -0500
To: info () ourdomainname com
Subject: E-mail account security warning.
From: support () ourdomainname com
Message-ID: <oruybbfoofisdsegtve () ourdomainname com>
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="--------hggfurquvkrsejwodibt"
X-RCPT-TO: <info () ourdomainname com>
Status: U
X-UIDL: 355598192


Tim




--------------------------------------------------------------------------
-
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or
less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the
skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
--------------------------------------------------------------------------
--



---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------


---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault