Security Basics mailing list archives

Re: email address "spoofed"

From: "Torry Crass" <torryc () paradigm-digital com>
Date: Mon, 8 Mar 2004 13:12:36 -0600

First off you need to know a few things:

1) Whether the e-mails are being internal to your network by an employee, or
someone's computer which has been infected with the worm or...
2)  If they are being sent by someone off-site unrelated to your network in
general.

If it is the second, the only thing you can do is contact whoever the host
is and ask them if they'd be kind enough to help you (chances are this won't
help but it's worth a shot).  As of right now there is not a way to stop a
random person from sending such messages and it can even be difficult to
track down where they're coming from if they do manage to spoof the headers.

Hopefully it's the first scenario, at this point you need to find out if
it's a virus that's actually sending copies of itself.  The order on this
really doesn't matter, since both are equaly important.  You "should" run a
virus scan on ALL computers on the network, if the scan fails to complete on
any of them you might have a virus which has disabled scanning or is somehow
blocking it; scan it on a 3rd party computer or consult a technician.  If
you don't want to spend the time to do a full network scan, then check the
mail server logs and find out where the message is being sent 'from', as in
the IP of the sender's computer.  Once found make sure it's not the
individual who works on it and make sure to run a thorough virus scan on it.

If this doesn't help you might post back to the list and ask for further
help citing the results you get from the above info.

Torry Crass
torryc () paradigm-digital com
Service Manager || Paradigm Digital Systems


----- Original Message ----- 
From: "Tim Laureska" <hometeam () goeaston net>
To: "security-basics" <security-basics () securityfocus com>
Sent: Friday, March 05, 2004 3:59 AM
Subject: email address "spoofed"


I'm not sure if "spoofing" is the correct term but here is what has
happened:

Someone is sending out email messages (with virus laden attachments)
using our domain name  ... they are addressed as coming from
support () ourdomainname com (ourdomainame would be our actual domain name)
which is an email address that we never set up.

My question is how is this done and is there anything we can do to
prevent this in the future?  The message header looks like this:

Received: from your-xhtr8hvc4p [68.55.1.207] by ourdomainname.com
  (SMTPD32-8.05) id A3C8DF0118; Fri, 05 Mar 2004 04:09:28 -0500
Date: Fri, 05 Mar 2004 04:07:07 -0500
To: info () ourdomainname com
Subject: E-mail account security warning.
From: support () ourdomainname com
Message-ID: <oruybbfoofisdsegtve () ourdomainname com>
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="--------hggfurquvkrsejwodibt"
X-RCPT-TO: <info () ourdomainname com>
Status: U
X-UIDL: 355598192


Tim




--------------------------------------------------------------------------

Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or

less

to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the

skills

of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
--------------------------------------------------------------------------

--



---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------

Current thread:

email address "spoofed" Tim Laureska (Mar 08)
- RE: email address "spoofed" David Gillett (Mar 08)
  - RE: email address "spoofed" Aditya, ALD [Aditya Lalit Deshmukh] (Mar 10)
    - RE: email address "spoofed" David Gillett (Mar 11)
    - RE: email address "spoofed" Aditya, ALD [Aditya Lalit Deshmukh] (Mar 15)
    - RE: email address "spoofed" David Gillett (Mar 15)
- Re: email address "spoofed" pablo gietz (Mar 08)
- Re: email address "spoofed" Torry Crass (Mar 08)
- RE: email address "spoofed" Panagiotis (Mar 09)
- Re: email address "spoofed" AgfTech Lists (Mar 09)
- Re: email address "spoofed" Luis E. Alvarado Day (Mar 09)
  - Re: email address "spoofed" Adrian Hall (Mar 11)
- <Possible follow-ups>
- RE: email address "spoofed" Chinnery, Paul (Mar 08)
- Re: email address "spoofed" Sean Earp (Mar 08)
- Re: email address "spoofed" Webb Wang CS (Mar 08)
- RE: email address "spoofed" Jeff McLaughlin (Mar 08)
- RE: email address "spoofed" Phil Waller (Mar 08)
- RE: email address "spoofed" Fields, James (Mar 08)

(Thread continues...)