Educause Security Discussion mailing list archives

Re: spoofed addresses?


From: "Craig W. Drake" <c-drake () NEIU EDU>
Date: Fri, 30 Apr 2004 16:43:30 -0500

Jake,
 
This subject "Fax Message Received" is known to be associated with the
W32.Beagle.mm worm.  Yes, it spoofs the sender's address.  I would
recommend setting up some kind of SMTP gateway to scan all of your
incoming/outgoing email for viruses.  Also make sure that your desktops
are all running an up-to-date AntiVirus package. Another thing that we
have done is use our SMTP gateway to drop all executable attachments
(EXE, COM, SCR, PIF, etc.).  The NDRs are a little tougher issue.
Because the original infected message has a spoofed sender address, it
will send NDRs to that spoofed address instead of the actual sender.
We haven't found a good way to stop the NDRs because in order to do so,
we would have to also block "legitimate" NDRs.
 
Craig Drake
Northeastern Illinois University
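As an added illustration of the two gateway measures Craig describes (not code from the list or from any university's gateway): the first function applies the "drop executable attachments" policy by looking only at the final extension of each attachment name, so a worm's double extension such as "Fax_Message.doc.PIF" is still caught; the second recognises a standards-conformant NDR (multipart/report with report-type=delivery-status) so that backscatter can at least be counted and routed for review, since, as the reply notes, rejecting it outright would also reject legitimate bounces. The message bodies, addresses and host names below are constructed sample data; the hostnames example.edu and example.org, the filenames and the ``gateway_verdict`` action labels are all assumptions made for the example.

```python
import os
from email import message_from_string, policy
from email.message import EmailMessage

# Extensions the gateway drops outright (the list quoted in the thread; extend as needed).
BLOCKED_EXTENSIONS = {".exe", ".com", ".scr", ".pif"}


def blocked_attachments(raw_message: str) -> list:
    """Return the attachment filenames that the executable-attachment policy would drop."""
    msg = message_from_string(raw_message, policy=policy.default)
    blocked = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if not filename:
            continue
        # Only the last extension decides: "report.doc.pif" is still a .pif,
        # and the comparison is case-insensitive ("FAX.PIF" is a .pif too).
        ext = os.path.splitext(os.path.basename(filename.strip()))[1].lower()
        if ext in BLOCKED_EXTENSIONS:
            blocked.append(filename)
    return blocked


def is_bounce(raw_message: str) -> bool:
    """True when the message is a delivery status notification (RFC 3464 layout)."""
    msg = message_from_string(raw_message, policy=policy.default)
    return (msg.get_content_type() == "multipart/report"
            and (msg.get_param("report-type") or "").lower() == "delivery-status")


def gateway_verdict(raw_message: str) -> str:
    """Action labels are an assumption for this example: drop executables,
    tag bounces for review (not reject), deliver everything else."""
    if blocked_attachments(raw_message):
        return "drop"
    if is_bounce(raw_message):
        return "tag-bounce"
    return "deliver"


def build_worm_sample() -> str:
    """Constructed stand-in for the worm mail described in the thread."""
    msg = EmailMessage()
    msg["From"] = "employee@example.edu"      # the spoofed sender
    msg["To"] = "student@example.edu"
    msg["Subject"] = "Fax Message Received"
    msg.set_content("More info is in attach")
    # A few dummy bytes in place of a real executable; the name is what the policy checks.
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="Fax_Message.doc.PIF")
    return msg.as_string()


def build_clean_sample() -> str:
    """Constructed ordinary message with a document attachment."""
    msg = EmailMessage()
    msg["From"] = "employee@example.edu"
    msg["To"] = "student@example.edu"
    msg["Subject"] = "Clinic hours"
    msg.set_content("Updated hours attached.")
    msg.add_attachment(b"%PDF-1.4", maintype="application",
                       subtype="pdf", filename="hours.pdf")
    return msg.as_string()


# Constructed backscatter NDR: a remote MTA bouncing the worm mail back to the spoofed From.
SAMPLE_NDR = """\
From: MAILER-DAEMON@mail.example.org
To: employee@example.edu
Subject: Undeliverable: Fax Message Received
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

The message could not be delivered.
--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mail.example.org

Final-Recipient: rfc822; nobody@example.org
Action: failed
Status: 5.1.1
--b1--
"""

if __name__ == "__main__":
    for label, raw in (("worm", build_worm_sample()),
                       ("clean", build_clean_sample()),
                       ("ndr", SAMPLE_NDR)):
        print(label, gateway_verdict(raw), blocked_attachments(raw))
```

The bounce check deliberately does not try to tell backscatter from a legitimate NDR, which is exactly the gap the reply points out; it gives the help desk a count and a queue rather than a reject rule.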
 

________________________________

From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Barros, Jacob
Sent: Friday, April 30, 2004 4:28 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] spoofed addresses?



Please tell me I'm not the only one...  We're getting a LOT of NDRs and
blocked message receipts from different hosts and all sorts of weird
things.  Typically they are messages carrying viruses circulating with
our email addresses in the 'from' field.  See (scrubbed) message threads
below.

I have scanned all suspected machines and never find any viruses or
spyware or anything weird.  I've done scanning on the internal network,
checked for vulnerabilities on all the servers and it doesn't seem like
we're causing the problem.  My only assumption at this point is that
our addresses are being spoofed.

I see messages like these once a week.  Right now I can show my manager
what isn't happening, but is there any way I can verify if the address
is being spoofed?  Can I stop it?  Is there any hope?  I'm attempting
to appease senior managers with black and white evidence so any insight
would be appreciated.


Jake Barros 



-----Original Message-----
From: (grace employee)
Sent: Friday, April 30, 2004 8:08 AM
To: Helpdesk
Subject: FW: Fax Message Received 

Is this virus different? (Rhetorical, no response needed)

I've never before had students respond asking if I sent the message to
them. Several have responded. 

It's really damaging my credibility! 

(grace employee) 
  

-----Original Message-----
From: (grace student)
Sent: Friday, April 30, 2004 1:04 AM
To: (grace employee) - Health Center
Subject: FW: Fax Message Received 

(grace employee),
I was about to open your attachment when I realized it was named the
same thing as the virus that has been circulating campus.  Then I
realized that this really isn't like all the other e-mails you send to
students.  Did you really mean to send this?

(grace student) 

        -----Original Message-----
        From: (grace employee)
        Sent: Wed 4/28/2004 9:28 PM
        To: (grace student)
        Cc:
        Subject: Fax Message Received 

        More info is in attach
        


********** Participation and subscription information for this EDUCAUSE
Discussion Group discussion list can be found at
http://www.educause.edu/cg/.
