virus mails looking like admin mails?

colm_c

Recently alot of people here have beeng getting emails from our domain such as mail@, MAIL-DAEMON@, administrator@ all saying slightly different things such as 'Security meaures' etc, and contain viruses. (even though we don't have any of these accounts set up). They seem to be targetting firstname@ by running loads of firstnames through it and hoping one gets through.

I've let everyone know to just delete these mails, as any system admin mails will come from me and not from some anonomous(Spelling?) address

I've asked our hosting company about these, and they've said they can't do much about them, but I thought they could check to see if they were spoofing their domain name?

Is there anything we can do, apart from reporting them to their ISP (which in lots of cases seems to be eircom customers) and they don't seem to be doing anything about them...

seamus

About the best you can do is set up filtering on your mail server to catch any mails with encrypted and/or zipped attachments.

Kali

They are viruses (Worm.MyTob.* variants).. which are rife at the moment (I just posted on the Security board a while ago).. either update your virus definitions or put in place an anti-virus mail gateway (do a google search)... whats your mail setup like? you need to be blocking these.

Stephen

A handful of these (minus their payload) got through to some of our users in work, generating a good few support calls. Bastards.
Usually from something in the form of administrator@<yourdomain>. I find it funny that our system strips out the virus itself but sends on the text portion of the mail to the users anyway. (our mail is filtered for spam and viruses by an external company... and virus scanned again when it reaches our exchange servers)

muckwarrior

colm_c wrote:

I thought they could check to see if they were spoofing their domain name?

Thats true. It's not very difficult to do either. I'm suprised some spam filters let these through as this is one of the first criteria messages should be checked for.

stevenmu

Viruses can attach themselves to legitimate mails aswell so it's often best to clean the mail and pass it on, imagine explaining to your users that they missed an important email from a customer a few weeks ago because it had a virus attached. Unless you've the most considerate users in the world they only care about how they look to the customer, not about the integrity of their computer systems (untill of course they get infected and send a virus to all the customers in their address book ).

Kali

stevenmu wrote:

Viruses can attach themselves to legitimate mails aswell so it's often best to clean the mail and pass it on, imagine explaining to your users that they missed an important email from a customer a few weeks ago because it had a virus attached.

If its got a virus the whole message should get quarantined. Cleaning is not a good option. Vast majority of mail viruses will not have any genuine content, I can't recall any major virus in the past three years that attachs itself to outbound mail traffic.

stevenmu

Kali wrote:

If its got a virus the whole message should get quarantined. Cleaning is not a good option. Vast majority of mail viruses will not have any genuine content, I can't recall any major virus in the past three years that attachs itself to outbound mail traffic.

I'd agree with that from a technical standpoint but I've gotten ear bashings before from people who didn't get important mails because their attachments contained viruses. This was back when word macro viruses were in fashion and people would often attach infected documents to their mails. I know it's a lot different these days but there should also be spam filters in effect to reduce the amount of junk. For example virus software could mark a cleaned mail as having been cleaned, the spam software could then have a rule only allowing mails marked as cleaned through if they're from a recognised address.

WizZard

stevenmu wrote:

For example virus software could mark a cleaned mail as having been cleaned, the spam software could then have a rule only allowing mails marked as cleaned through if they're from a recognised address.

That's actually quite a good feature! Well done.
Now, wonder what server AV vendor will offer it first.

Kali

I see your point, but the problem also lies with the fact that (enterprise) AV programs these days just aren't geared towards cleaning infected files... just detection (and subsequent removal from mail queues).. examples being Sophos, ClamAV, MessageLabs, Trend Micro IMSS.. etc.

For example virus software could mark a cleaned mail as having been cleaned, the spam software could then have a rule only allowing mails marked as cleaned through if they're from a recognised address.

That logic only makes sense if it doesn't subsequently trigger spam rules... otherwise you will get hundreds of blank messages with lovely subjects such as "Re:", "Your Email Account is Suspended", "IMPORTANT NOTIFICATION" etc... confusing your users, and generally causing a lot less confidence in your network and mail system.

Of course if you are the admin then its upto you to smack your directors around and tell them that the chances of a genuine mail getting caught is extremely unlikely (or else just disable any detection for his/her account and see how long it takes till they change their position)

Kali

WizZard wrote:

That's actually quite a good feature! Well done.
Now, wonder what server AV vendor will offer it first.

All SMTP gateways incorporating virus-checkers?

Amavisd-new adds the following to our mails (My setup uses both ClamAV and Sophie):
X-Virus-Scanned: amavisd-new at domain.com

Trend Micros IMSS and Messagelabs can both be configured to edit mail headers if required (its the default in the latter, as well as an annoying signature).

Capt'n Midnight

If your AV is set to "clean" emails you may still have the empty husk getting through. Also if you block certain types of attachments before you scan then the AV won't see any virus and so won't block them either.

Mimikyu

This post has been deleted.

colm_c

Just an update, I've been keeping records of ip addresses that the virus mails are coming from, and it seems to be the same bunch of IP's from Eircom which have been assigned to some company (the same company and contact person each time) and on the ripe.net lookup there is a name, phone number and email address...

Is it worth me calling them, they obviously have some of their machine(s) taken over by viruses and are unaware of what's going on...

I know it's a bit anal, but it really pissing me off!! I've adjusted the mail server to quarantine any mails that are coming from addresses that don't exist / originate on our network... so I can take a look at their headers when I get some free time...

zap

colm_c wrote:

Just an update, I've been keeping records of ip addresses that the virus mails are coming from, and it seems to be the same bunch of IP's from Eircom which have been assigned to some company (the same company and contact person each time) and on the ripe.net lookup there is a name, phone number and email address...

Is it worth me calling them, they obviously have some of their machine(s) taken over by viruses and are unaware of what's going on...

I know it's a bit anal, but it really pissing me off!! I've adjusted the mail server to quarantine any mails that are coming from addresses that don't exist / originate on our network... so I can take a look at their headers when I get some free time...

i would give em a call, they probably don't have a clue.

Kali

Yesterday was an even busier day for MyTob.. our mail server virus hits were upto 211 from a daily average of ~40

stevenmu

Kali wrote:

I see your point, but the problem also lies with the fact that (enterprise) AV programs these days just aren't geared towards cleaning infected files... just detection (and subsequent removal from mail queues).. examples being Sophos, ClamAV, MessageLabs, Trend Micro IMSS.. etc.



That logic only makes sense if it doesn't subsequently trigger spam rules... otherwise you will get hundreds of blank messages with lovely subjects such as "Re:", "Your Email Account is Suspended", "IMPORTANT NOTIFICATION" etc... confusing your users, and generally causing a lot less confidence in your network and mail system.

Of course if you are the admin then its upto you to smack your directors around and tell them that the chances of a genuine mail getting caught is extremely unlikely (or else just disable any detection for his/her account and see how long it takes till they change their position)

I suppose there's not really any win-win situation, it'd be nice if blocked mails could be bounced back to the sender informing them it was blocked, but even that's not very effective these days, we get plenty of bounce backs to mails that never originated here in the first place, some 3rd party has been sending out infected mails using our addresses as the sender.