virus mails looking like admin mails?

  • 14-06-2005 1:33pm
    #1
    Registered Users, Registered Users 2 Posts: 2,015 ✭✭✭


    Recently a lot of people here have been getting emails from our domain such as mail@, MAIL-DAEMON@, administrator@ all saying slightly different things such as 'Security measures' etc, and contain viruses (even though we don't have any of these accounts set up). They seem to be targeting firstname@ by running loads of firstnames through it and hoping one gets through.

    I've let everyone know to just delete these mails, as any system admin mails will come from me and not from some anonymous address.

    I've asked our hosting company about these, and they've said they can't do much about them, but I thought they could check to see if they were spoofing their domain name?

    Is there anything we can do, apart from reporting them to their ISP (which in lots of cases seems to be Eircom customers)? They don't seem to be doing anything about them...


Comments

  • Registered Users, Registered Users 2 Posts: 68,190 ✭✭✭✭seamus


    About the best you can do is set up filtering on your mail server to catch any mails with encrypted and/or zipped attachments.
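
The filter seamus describes, as an added example that is not from the original thread or any product mentioned in it: it walks the MIME parts of a message, and for any zip attachment parses the archive's local file headers itself (rather than trusting the central directory) to see whether an entry carries the "encrypted" flag, then returns a quarantine/deliver verdict. The sample messages and archives are constructed inline; the address `firstname@example.com` and the attachment names are assumptions.

```python
"""Quarantine mails carrying zipped or password-protected zip attachments.

Added example. Sample mails and archives are constructed below; nothing here
talks to a real mail system.
"""
import io
import struct
import zipfile
from email import message_from_bytes
from email.message import EmailMessage
from typing import Optional

ZIP_LOCAL_SIG = b"PK\x03\x04"
ZIP_CENTRAL_SIG = b"PK\x01\x02"
FLAG_ENCRYPTED = 0x0001
FLAG_DATA_DESCRIPTOR = 0x0008


def zip_entries(blob: bytes):
    """Yield (name, encrypted) for each entry by walking the local file headers.

    Stops at the central directory or at the first header it cannot follow;
    for a filter, anything unparseable is suspicious rather than harmless.
    """
    pos = 0
    while blob.startswith(ZIP_LOCAL_SIG, pos):
        hdr = blob[pos:pos + 30]
        if len(hdr) < 30:
            break
        (_, _, flags, _, _, _, _, csize, _, fnlen, exlen) = struct.unpack("<4sHHHHHIIIHH", hdr)
        name = blob[pos + 30:pos + 30 + fnlen].decode("utf-8", "replace")
        yield name, bool(flags & FLAG_ENCRYPTED)
        if flags & FLAG_DATA_DESCRIPTOR:
            break  # sizes live after the data; do not guess where the next header is
        pos += 30 + fnlen + exlen + csize


def classify(raw: bytes) -> dict:
    """Verdict for one RFC 822 message: which attachments trip the rule and why."""
    msg = message_from_bytes(raw)
    reasons = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename()
        if not name:
            continue  # body text, not an attachment
        data = part.get_payload(decode=True) or b""
        if data.startswith(ZIP_LOCAL_SIG) or name.lower().endswith(".zip"):
            entries = list(zip_entries(data))
            encrypted = [n for n, enc in entries if enc]
            if encrypted:
                reasons.append(f"encrypted zip {name!r}: {encrypted}")
            else:
                reasons.append(f"zip attachment {name!r}: {[n for n, _ in entries]}")
    return {"action": "quarantine" if reasons else "deliver", "reasons": reasons}


def build_zip(entries: dict, encrypted: bool = False) -> bytes:
    """Constructed sample archive; encrypted=True only flips the header flag bits."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for entry_name, content in entries.items():
            zf.writestr(entry_name, content)
    blob = bytearray(buf.getvalue())
    if encrypted:
        # Set the "encrypted" bit in every local (offset 6) and central (offset 8)
        # header so the blob looks like a password-protected archive.
        for sig, off in ((ZIP_LOCAL_SIG, 6), (ZIP_CENTRAL_SIG, 8)):
            i = blob.find(sig)
            while i != -1:
                blob[i + off] |= FLAG_ENCRYPTED
                i = blob.find(sig, i + 4)
    return bytes(blob)


def build_mail(sender: str, subject: str, attachment: Optional[bytes],
               filename: str = "document.zip") -> bytes:
    """Constructed sample message in the style of the mails described in the thread."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "firstname@example.com"  # assumed recipient
    msg["Subject"] = subject
    msg.set_content("Your account has been suspended. See the attached details.")
    if attachment is not None:
        msg.add_attachment(attachment, maintype="application", subtype="zip", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    worm = build_mail("administrator@example.com", "Security measures",
                      build_zip({"details.exe": b"MZ"}, encrypted=True))
    print(classify(worm))
    print(classify(build_mail("colleague@example.com", "Re: minutes", None)))
```

Blocking on the attachment's own structure rather than on the filename or Content-Type matters because the header flags are what a worm cannot hide from a gateway without also making the archive unusable to the victim.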


  • Closed Accounts Posts: 6,601 ✭✭✭Kali


    They are viruses (Worm.MyTob.* variants), which are rife at the moment (I just posted on the Security board a while ago). Either update your virus definitions or put in place an anti-virus mail gateway (do a Google search). What's your mail setup like? You need to be blocking these.


  • Registered Users, Registered Users 2 Posts: 18,484 ✭✭✭✭Stephen


    A handful of these (minus their payload) got through to some of our users in work, generating a good few support calls. Bastards.
    Usually from something in the form of administrator@<yourdomain>. I find it funny that our system strips out the virus itself but sends on the text portion of the mail to the users anyway. (our mail is filtered for spam and viruses by an external company... and virus scanned again when it reaches our exchange servers)


  • Registered Users, Registered Users 2 Posts: 4,109 ✭✭✭muckwarrior


    colm_c wrote:
    I thought they could check to see if they were spoofing their domain name?
    That's true. It's not very difficult to do either. I'm surprised some spam filters let these through, as this is one of the first criteria messages should be checked for.


  • Moderators, Society & Culture Moderators Posts: 9,689 Mod ✭✭✭✭stevenmu


    Viruses can attach themselves to legitimate mails as well, so it's often best to clean the mail and pass it on. Imagine explaining to your users that they missed an important email from a customer a few weeks ago because it had a virus attached. Unless you've the most considerate users in the world, they only care about how they look to the customer, not about the integrity of their computer systems (until of course they get infected and send a virus to all the customers in their address book :) ).


  • Closed Accounts Posts: 6,601 ✭✭✭Kali


    stevenmu wrote:
    Viruses can attach themselves to legitimate mails as well, so it's often best to clean the mail and pass it on. Imagine explaining to your users that they missed an important email from a customer a few weeks ago because it had a virus attached.

    If it's got a virus the whole message should get quarantined. Cleaning is not a good option. The vast majority of mail viruses will not have any genuine content; I can't recall any major virus in the past three years that attaches itself to outbound mail traffic.


  • Moderators, Society & Culture Moderators Posts: 9,689 Mod ✭✭✭✭stevenmu


    Kali wrote:
    If it's got a virus the whole message should get quarantined. Cleaning is not a good option. The vast majority of mail viruses will not have any genuine content; I can't recall any major virus in the past three years that attaches itself to outbound mail traffic.
    I'd agree with that from a technical standpoint but I've gotten ear bashings before from people who didn't get important mails because their attachments contained viruses. This was back when word macro viruses were in fashion and people would often attach infected documents to their mails. I know it's a lot different these days but there should also be spam filters in effect to reduce the amount of junk. For example virus software could mark a cleaned mail as having been cleaned, the spam software could then have a rule only allowing mails marked as cleaned through if they're from a recognised address.


  • Registered Users, Registered Users 2 Posts: 6,762 ✭✭✭WizZard


    stevenmu wrote:
    For example virus software could mark a cleaned mail as having been cleaned, the spam software could then have a rule only allowing mails marked as cleaned through if they're from a recognised address.
    That's actually quite a good feature! Well done.
    Now, wonder what server AV vendor will offer it first.


  • Closed Accounts Posts: 6,601 ✭✭✭Kali


    I see your point, but the problem also lies with the fact that (enterprise) AV programs these days just aren't geared towards cleaning infected files... just detection (and subsequent removal from mail queues).. examples being Sophos, ClamAV, MessageLabs, Trend Micro IMSS.. etc.
    For example virus software could mark a cleaned mail as having been cleaned, the spam software could then have a rule only allowing mails marked as cleaned through if they're from a recognised address.

    That logic only makes sense if it doesn't subsequently trigger spam rules... otherwise you will get hundreds of blank messages with lovely subjects such as "Re:", "Your Email Account is Suspended", "IMPORTANT NOTIFICATION" etc., confusing your users and generally causing a lot less confidence in your network and mail system.

    Of course if you are the admin then it's up to you to smack your directors around and tell them that the chances of a genuine mail getting caught are extremely unlikely (or else just disable any detection for his/her account and see how long it takes till they change their position) :)


  • Closed Accounts Posts: 6,601 ✭✭✭Kali


    WizZard wrote:
    That's actually quite a good feature! Well done.
    Now, wonder what server AV vendor will offer it first.

    All SMTP gateways incorporating virus-checkers?

    Amavisd-new adds the following to our mails (My setup uses both ClamAV and Sophie):
    X-Virus-Scanned: amavisd-new at domain.com

    Trend Micro's IMSS and MessageLabs can both be configured to edit mail headers if required (it's the default in the latter, as well as an annoying signature).


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 94,272 Mod ✭✭✭✭Capt'n Midnight


    If your AV is set to "clean" emails you may still have the empty husk getting through. Also if you block certain types of attachments before you scan then the AV won't see any virus and so won't block them either.



  • Registered Users, Registered Users 2 Posts: 2,015 ✭✭✭colm_c


    Just an update, I've been keeping records of ip addresses that the virus mails are coming from, and it seems to be the same bunch of IP's from Eircom which have been assigned to some company (the same company and contact person each time) and on the ripe.net lookup there is a name, phone number and email address...

    Is it worth me calling them, they obviously have some of their machine(s) taken over by viruses and are unaware of what's going on...

    I know it's a bit anal, but it's really pissing me off!! I've adjusted the mail server to quarantine any mails that are coming from addresses that don't exist / originate on our network... so I can take a look at their headers when I get some free time...
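
The spoofed-domain check muckwarrior calls for and the quarantine rule colm_c describes, as an added example that is not the poster's own configuration: a message whose header or envelope sender claims our domain is quarantined unless it reached our MX from one of our own relay addresses and names a mailbox we actually host, and the connecting IPs of the quarantined mails are tallied for the abuse report. The domain `example.com`, the MX name `mx.example.com`, the relay range `192.0.2.0/24`, the mailbox list and all sample messages are constructed assumptions.

```python
"""Quarantine mail that claims our domain but did not originate on our network.

Added example. Domain, MX name, relay range, mailbox list and the sample
messages are all constructed for illustration.
"""
import ipaddress
import re
from collections import Counter
from email import message_from_bytes
from email.utils import parseaddr

OUR_DOMAIN = "example.com"                              # assumption
OUR_MX = "mx.example.com"                               # assumption: the host writing our Received line
OUR_NETS = [ipaddress.ip_network("192.0.2.0/24")]       # assumption: hosts allowed to send as us
KNOWN_MAILBOXES = {"colm", "accounts", "postmaster"}    # assumption: local parts we really host

RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def connecting_ip(msg):
    """IP of the host that handed the mail to OUR MX.

    Only the Received line our own server added can be trusted; any lines
    below it were written by the sender and can say whatever it likes.
    """
    for rcvd in msg.get_all("Received", []):
        if f"by {OUR_MX}" in rcvd:
            m = RECEIVED_IP.search(rcvd)
            if m:
                return ipaddress.ip_address(m.group(1))
    return None


def check(raw: bytes) -> dict:
    """Verdict for one message plus the evidence an admin would want in the quarantine."""
    msg = message_from_bytes(raw)
    _, hdr_from = parseaddr(msg.get("From", ""))
    _, env_from = parseaddr(msg.get("Return-Path", ""))
    ip = connecting_ip(msg)
    reasons = []
    for addr in {hdr_from, env_from}:
        if "@" not in addr:
            continue
        local, domain = addr.rsplit("@", 1)
        if domain.lower() != OUR_DOMAIN:
            continue  # outside sender using its own domain: not this rule's business
        if ip is None or not any(ip in net for net in OUR_NETS):
            reasons.append(f"{addr} claims our domain but arrived from {ip}")
        if local.lower() not in KNOWN_MAILBOXES:
            reasons.append(f"{addr} is not a mailbox we host")
    return {"action": "quarantine" if reasons else "deliver",
            "ip": str(ip) if ip else None, "reasons": reasons}


def offending_ips(raws) -> Counter:
    """Count connecting IPs of quarantined mails, the record to send the upstream ISP."""
    tally = Counter()
    for raw in raws:
        verdict = check(raw)
        if verdict["action"] == "quarantine" and verdict["ip"]:
            tally[verdict["ip"]] += 1
    return tally


# Constructed samples. 203.0.113.12 plays an infected machine at an outside ISP.
SAMPLES = [
    b"Return-Path: <administrator@example.com>\r\n"
    b"Received: from pc-12.isp.example.net (pc-12.isp.example.net [203.0.113.12])\r\n"
    b"\tby mx.example.com with SMTP; Tue, 14 Jun 2005 12:01:02 +0100\r\n"
    b"From: administrator@example.com\r\nTo: firstname@example.com\r\n"
    b"Subject: Security measures\r\n\r\nYour account will be suspended.\r\n",

    b"Return-Path: <colm@example.com>\r\n"
    b"Received: from webmail.example.com (webmail.example.com [192.0.2.10])\r\n"
    b"\tby mx.example.com with ESMTP; Tue, 14 Jun 2005 12:05:00 +0100\r\n"
    b"From: colm@example.com\r\nTo: accounts@example.com\r\n"
    b"Subject: Real admin notice\r\n\r\nWe are filtering the fake admin mails.\r\n",

    b"Return-Path: <customer@partner.example.org>\r\n"
    b"Received: from mail.partner.example.org (mail.partner.example.org [198.51.100.7])\r\n"
    b"\tby mx.example.com with ESMTP; Tue, 14 Jun 2005 12:10:00 +0100\r\n"
    b"From: customer@partner.example.org\r\nTo: colm@example.com\r\n"
    b"Subject: Order\r\n\r\nPlease confirm the order.\r\n",

    b"Return-Path: <MAIL-DAEMON@example.com>\r\n"
    b"Received: from pc-12.isp.example.net (pc-12.isp.example.net [203.0.113.12])\r\n"
    b"\tby mx.example.com with SMTP; Tue, 14 Jun 2005 13:30:00 +0100\r\n"
    b"From: MAIL-DAEMON@example.com\r\nTo: firstname@example.com\r\n"
    b"Subject: IMPORTANT NOTIFICATION\r\n\r\nSee attachment.\r\n",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(check(raw))
    print(offending_ips(SAMPLES))
```

The rule is deliberately narrow: it only judges mail that pretends to be ours, so a customer writing from their own domain is never touched, and the tally gives exactly the per-IP record colm_c says he has been keeping by hand.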


  • Closed Accounts Posts: 839 ✭✭✭zap


    colm_c wrote:
    Just an update, I've been keeping records of ip addresses that the virus mails are coming from, and it seems to be the same bunch of IP's from Eircom which have been assigned to some company (the same company and contact person each time) and on the ripe.net lookup there is a name, phone number and email address...

    Is it worth me calling them, they obviously have some of their machine(s) taken over by viruses and are unaware of what's going on...

    I know it's a bit anal, but it's really pissing me off!! I've adjusted the mail server to quarantine any mails that are coming from addresses that don't exist / originate on our network... so I can take a look at their headers when I get some free time...

    I would give 'em a call, they probably don't have a clue.


  • Closed Accounts Posts: 6,601 ✭✭✭Kali


    Yesterday was an even busier day for MyTob.. our mail server virus hits were up to 211 from a daily average of ~40 :)

    [attached image: virus_totals-week.png]


  • Moderators, Society & Culture Moderators Posts: 9,689 Mod ✭✭✭✭stevenmu


    Kali wrote:
    I see your point, but the problem also lies with the fact that (enterprise) AV programs these days just aren't geared towards cleaning infected files... just detection (and subsequent removal from mail queues).. examples being Sophos, ClamAV, MessageLabs, Trend Micro IMSS.. etc.



    That logic only makes sense if it doesn't subsequently trigger spam rules... otherwise you will get hundreds of blank messages with lovely subjects such as "Re:", "Your Email Account is Suspended", "IMPORTANT NOTIFICATION" etc., confusing your users and generally causing a lot less confidence in your network and mail system.

    Of course if you are the admin then it's up to you to smack your directors around and tell them that the chances of a genuine mail getting caught are extremely unlikely (or else just disable any detection for his/her account and see how long it takes till they change their position) :)
    I suppose there's not really any win-win situation, it'd be nice if blocked mails could be bounced back to the sender informing them it was blocked, but even that's not very effective these days, we get plenty of bounce backs to mails that never originated here in the first place, some 3rd party has been sending out infected mails using our addresses as the sender.

