[lizzeydripping]

Hi there!

I don't know if anyone can help me with this, but I really do hope so.

I am IT manager for a very small firm - we have 4 members of staff and run a small network on XP. Obviously, we are quite used to being bombarded with spam and viruses, most of which gets intercepted at the gateway by our AV software.

However, over the last few days we have had a disturbing new development. One of the partners here keeps getting "message undeliverable" messages for addresses he has not sent any emails to. Obviously, we are being spoofed and while this would not normally cause me too much heartache as I just see it as one of those things you have to put up with (unless anyone can advise otherwise!) the subject and contents of the emails are particularly offensive - some sort of [bleep] propaganda from my limited understanding of German - as opposed to just the usual crap about viagra and cialis.

I am very keen to stop this but I do not know how or whether it is possible.

Can anyone please help?

[Advertisements]

E-mail spoofing seems to be quite popular these days with the proliferation of the Sober family of worms, as well as many others. Most of these worms package their own SMTP engines to send their mass mailings from an infected host. You may want to check your e-mail server logs to see if any of this traffic is coming from your servers. Most likely, it's coming from an external source, making tracing virtually impossible.

There's no easy way to stop this (other than changing the affected user's e-mail address, but that's not very desirable), but if you receive complaints from any actual people who receive the spam, you can always look in the headers to find the source IPs. This doesn't really stop you from being spoofed, but at least you can use it to show that it didn't come from your e-mail server.

That's just my 2 cents. Maybe someone else has a solution...

[back2killah]

E-mail spoofing seems to be quite popular these days with the proliferation of the Sober family of worms, as well as many others. Most of these worms package their own SMTP engines to send their mass mailings from an infected host. You may want to check your e-mail server logs to see if any of this traffic is coming from your servers. Most likely, it's coming from an external source, making tracing virtually impossible.

There's no easy way to stop this (other than changing the affected user's e-mail address, but that's not very desirable), but if you receive complaints from any actual people who receive the spam, you can always look in the headers to find the source IPs. This doesn't really stop you from being spoofed, but at least you can use it to show that it didn't come from your e-mail server.

That's just my 2 cents. Maybe someone else has a solution...

[lizzeydripping]

Thanks very much for your help. From my own research, that's pretty much the conclusion I have come to as well. Frustrating though!

Thanks again

Adding a PS - seems you may be right - looks like this has something to do with the sober.q virus - see this article Sober.Q Spreads Hate Messages in German, English

Can't think how it got through our AV (if it has) but seems fairly new so will post to let people know how I get on!

Edited by lizzeydripping, 21 May 2005 - 03:35 AM.

[back2killah]

Keep in mind that it's not necessarily bypassing your AV system. Chances are that the email address could have been picked up almost anywhere and not necessarily from within your corporate network. I'm assuming that the spoofed e-mail is from an account that has been around for a while. You mentioned that it was a partner in the company. It's highly likely that a lot of ppl have his/her address in their contacts and they're the ones who were infected. Also, I'm sure you've seen those spam letters where people are selling "millions of legitimate e-mail addresses" for marketing (shady) purposes, hehe.

Not sure if that made any sense, but I doubt it came from within your company, especially if it's just one person being spoofed so far.