Our company's SBS2K Exchange server is being bombarded at the rate of 1
email every 3 minutes. I receive all the undeliverables.
The emails are addressed on a first name basis, i.e. bob @
gmenterprises.com. They have the company address correct, but we use first
name and last name in our email.
What kind of an assault is this? Each email has a file attached that is
either *.pif or *.scr as an attachment (which Symantec nicely blocks).
Obviously, I know it must be a virus or Trojan of some sort.
Why is this assault continuing? Why so many emails? The headers do not
even show a common return address.

-nn

Re: Email assault? by SuperGumby

SuperGumby
Tue Jan 27 16:33:41 CST 2004

look around for references to MyDoom/Novarg, or search SARC for it.

"NetNathan" <n.a.smith@nospam-att.net> wrote in message
news:e2KHIAS5DHA.2392@TK2MSFTNGP11.phx.gbl...



Re: Email assault? by NetNathan

NetNathan
Tue Jan 27 16:46:23 CST 2004

Is there a location in ISA Server to find out what ports are open? Where is
this location?
Thanks,

-nn

"SuperGumby [SBS MVP]" <not@your.nellie> wrote in message
news:ePL20WS5DHA.1368@TK2MSFTNGP10.phx.gbl...



Re: Email assault? by Henry

Henry
Tue Jan 27 18:02:48 CST 2004

At a command prompt Type:
Netstat -an

--
Henry Craven.
-SBS MVP-
============ Post It Appropriately: =========
SBS 4/4.5 : microsoft.public.backoffice.smallbiz
SBS 2000 : microsoft.public.backoffice.smallbiz2000
SBS 2003 : microsoft.public.windows.server.sbs
News Server : news.microsoft.com
=====================================
"NetNathan" <n.a.smith@nospam-att.net> wrote in message
news:OMQ0edS5DHA.1592@TK2MSFTNGP10.phx.gbl...



Re: Email assault? by NetNathan

NetNathan
Tue Jan 27 18:30:59 CST 2004

Excuse me, if your "Post It Appropriately:" was for me:
this ISA Server is part of SBS2K.
Thanks,
-nn

"Henry Craven [SBS MVP]" <IUnknown@d.com> wrote in message
news:O0p%23DIT5DHA.1948@TK2MSFTNGP12.phx.gbl...



Re: Email assault? by SuperGumby

SuperGumby
Tue Jan 27 18:44:47 CST 2004

"Post It Appropriately:" is not specifically aimed at you, it's Henry's .sig

"NetNathan" <n.a.smith@nospam-att.net> wrote in message
news:uEZq7XT5DHA.2416@TK2MSFTNGP10.phx.gbl...



Re: Email assault? by NetNathan

NetNathan
Wed Jan 28 12:15:19 CST 2004

Today this is still going on. I received 80 undeliverable emails over last
night.
It appears to be related to a MyDoom/Novarg type virus. However it
appears that someone is trying to send the virus to others using my
company's return path.
It seems to me that someone is spoofing my server email address to send
email to others using my company as a sender.
Nothing is shown in sent folders so it does not appear to be sent from
anyone in the company.
In my administrator undeliverable box I am getting email that is telling me
the email sent from someone that does not exist at my company is
undeliverable to the person to whom I have sent this file.
I can see no sign that the original email to the person came from my
company.
Below is some info from the email.
********************************************************************************
Undeliverable message and header info:

Your message did not reach some or all of the intended recipients.
Subject:
Sent: 01/27/04 22:48
The following recipient(s) could not be reached
mike@gmenterprises.com on 01/28/04 09:49
The e-mail account does not exist at the organization this message was sent
to. Check the e-mail address, or contact the recipient directly to find out
the correct address.<server01.gmenterprises.local #5.1.1>

********************************************************************************
Undeliverable header info is below:

Microsoft Mail Internet Headers Version 2.0
From: postmaster@gmenterprises.com
To: jim@nai.com
Date: Wed, 28 Jan 2004 09:48:32 -0800
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
    boundary="9B095B5ADSN=_01C3C699F5C11AB800002159server01.gmenter"
X-DSNContext: 335a7efd - 4457 - 00000001 - 80040546
Message-ID: <Jc6l5n4lf00000439@server01.gmenterprises.local>
Subject: Delivery Status Notification (Failure)

--9B095B5ADSN=_01C3C699F5C11AB800002159server01.gmenter
Content-Type: text/plain; charset=unicode-1-1-utf-7

--9B095B5ADSN=_01C3C699F5C11AB800002159server01.gmenter
Content-Type: message/delivery-status

--9B095B5ADSN=_01C3C699F5C11AB800002159server01.gmenter
Content-Type: message/rfc822

Received: from nai.com ([216.190.167.128]) by server01.gmenterprises.local
    with Microsoft SMTPSVC(5.0.2195.6713); Wed, 28 Jan 2004 09:48:27 -0800
From: jim@nai.com
To: mike@gmenterprises.com
Subject:
Date: Tue, 27 Jan 2004 22:48:27 -0800
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0012_4D5980FC.429CCD7E"
X-Priority: 3
X-MSMail-Priority: Normal
Return-Path: jim@nai.com
Message-ID: <SERVER01fhzL1f6Ykwn000003ea@server01.gmenterprises.local>
X-OriginalArrivalTime: 28 Jan 2004 17:48:28.0796 (UTC) FILETIME=[EFEB33C0:01C3E5C6]

------=_NextPart_000_0012_4D5980FC.429CCD7E
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: 7bit

------=_NextPart_000_0012_4D5980FC.429CCD7E
Content-Type: application/octet-stream; name="document.cmd"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="document.cmd"

------=_NextPart_000_0012_4D5980FC.429CCD7E--

--9B095B5ADSN=_01C3C699F5C11AB800002159server01.gmenter--

********************************************************************************

Can anyone figure out what is happening here?



-nn




"SuperGumby [SBS MVP]" <not@your.nellie> wrote in message
news:ePL20WS5DHA.1368@TK2MSFTNGP10.phx.gbl...



Re: Email assault? by Pat

Pat
Thu Jan 29 07:28:11 CST 2004

Yes, and I'm amazed you haven't had it before.
A lot of viruses have the ability, when infecting a user's machine, to harvest
the e-mails from that machine and then send an e-mail to the addresses using
other addresses it found as the from address.

This prevents the wise recipient of an infected message from contacting the
infected sender and getting them to remove the virus.
The unwitting sender will therefore transmit a lot more virus-infected
e-mails without knowing.

There is no solution. If clients have your e-mail address on their system
(or it exists anywhere on the internet that it can be trawled from) you will
appear to be sending infected messages to people.

Your only real choice is to ensure you are clean and protected and either
respond confidently to anyone who makes the mistake of thinking the e-mails
originated from you and contacts you to let you know,
or just ignore them as most people do.

"NetNathan" <n.a.smith@nospam-att.net> wrote in message
news:ejuVsqc5DHA.1368@TK2MSFTNGP10.phx.gbl...
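A bounce triage helper for the NDR NetNathan posted and the forged-sender mechanism Pat describes; this is an added example, not code from the thread. It assumes a constructed DSN modelled on the posted headers and a caller-supplied set `our_hosts` of the site's own mail server names and IPs; it reads the topmost Received: hop of the embedded original to decide whether the mail really left the site, was merely addressed to a nonexistent local user, or was bounced elsewhere with the site's domain forged.

```python
import email
import re
from email import policy

# Constructed sample modelled on the bounce posted in the thread (bodies left
# empty, boundaries shortened). It is not a real message or attachment.
SAMPLE_DSN = """\
From: postmaster@gmenterprises.com
To: jim@nai.com
Content-Type: multipart/report; report-type=delivery-status; boundary="DSN"

--DSN
Content-Type: message/rfc822

Received: from nai.com ([216.190.167.128]) by server01.gmenterprises.local
 with Microsoft SMTPSVC(5.0.2195.6713); Wed, 28 Jan 2004 09:48:27 -0800
From: jim@nai.com
To: mike@gmenterprises.com
Content-Type: multipart/mixed; boundary="MIX"

--MIX
Content-Type: application/octet-stream; name="document.cmd"
Content-Disposition: attachment; filename="document.cmd"
Content-Transfer-Encoding: base64

--MIX--
--DSN--
"""

# Last hop as Exchange 2000 writes it: "from <HELO name> ([<ip>]) by <host>".
HOP_RE = re.compile(r"from\s+(\S+)\s+\(\[?([\d.]+)\]?\)\s+by\s+(\S+)")
RISKY_EXT = (".pif", ".scr", ".cmd", ".exe", ".bat")

def triage_bounce(raw_dsn, our_hosts):
    """our_hosts: names and IPs of your own mail servers (assumed, caller-supplied)."""
    dsn = email.message_from_string(raw_dsn, policy=policy.default)
    # A DSN wraps the rejected original in a message/rfc822 part.
    orig = next(p for p in dsn.walk() if p.get_content_type() == "message/rfc822").get_payload(0)
    # Topmost Received: is the final hop; its IP is who the bouncing server really
    # talked to. The HELO name and the From: line are chosen by the sender.
    hop = HOP_RE.search(" ".join(str(orig["Received"]).split()))
    helo, ip, by_host = hop.groups() if hop else ("?", "?", "?")
    risky = [p.get_filename() for p in orig.walk() if (p.get_filename() or "").lower().endswith(RISKY_EXT)]
    if ip in our_hosts or helo in our_hosts:
        verdict = "left one of our servers: look for an infected internal host"
    elif by_host in our_hosts:
        verdict = "inbound to a nonexistent local user: our own NDR, sender forged"
    else:
        verdict = "foreign NDR for mail we never sent: our domain forged elsewhere"
    return {"claimed_from": str(orig["From"]), "to": str(orig["To"]), "last_hop_ip": ip,
            "received_by": by_host, "risky_attachments": risky, "verdict": verdict}
```

For the posted bounce the verdict is the second case: the message came in from 216.190.167.128 for a user who does not exist, so the NDR is the site's own, and the From: of jim@nai.com is as forged as the ones carrying the company's domain elsewhere.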