Educause Security Discussion mailing list archives
Re: spoofed addresses?
From: "Craig W. Drake" <c-drake () NEIU EDU>
Date: Fri, 30 Apr 2004 16:43:30 -0500
Jake,

This subject "Fax Message Received" is known to be associated with the W32.Beagle.mm worm. Yes, it spoofs the sender's address. I would recommend setting up some kind of SMTP gateway to scan all of your incoming/outgoing email for viruses. Also make sure that your desktops are all running an up-to-date AntiVirus package. Another thing that we have done is use our SMTP gateway to drop all executable attachments (EXE, COM, SCR, PIF, etc...).

The NDR's are a little tougher issue. Because the original infected message has a spoofed sender address, it will send NDR's to that spoofed address instead of the actual sender. We haven't found a good way to stop the NDR's because in order to do so, we would have to also block "legitimate" NDR's.

Craig Drake
Northeastern Illinois University

________________________________
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Barros, Jacob
Sent: Friday, April 30, 2004 4:28 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] spoofed addresses?

Please tell me I'm not the only one... We're getting a LOT of NDR's and blocked message receipts from different hosts and all sorts of weird things. Typically they are messages carrying viruses circulating with our email addresses in the 'from' field. See (scrubbed) message threads below.

I have scanned all suspected machines and never find any viruses or spyware or anything weird. I've done scanning on the internal network, checked for vulnerabilities on all the servers and it doesn't seem like we're causing the problem. My only assumption at this point is that our addresses are being spoofed. I see messages like these once a week.

Right now I can show my manager what isn't happening, but is there any way I can verify if the address is being spoofed? Can I stop it? Is there any hope? I'm attempting to appease senior managers with black and white evidence so any insight would be appreciated.

Jake Barros

-----Original Message-----
From: (grace employee)
Sent: Friday, April 30, 2004 8:08 AM
To: Helpdesk
Subject: FW: Fax Message Received

Is this virus different? (Rhetorical. no response needed) I've never before had students respond asking if I sent the message to them. Several have responded. It's really damaging my credibility!

(grace employee)

-----Original Message-----
From: (grace student)
Sent: Friday, April 30, 2004 1:04 AM
To: (grace employee) - Health Center
Subject: FW: Fax Message Received

(grace employee),

I was about to open your attachment when I realized it was named the same thing as the virus that has been circulating campus. Then I realized that this really isn't like all the other e-mails you send to students. Did you really mean to send this?

(grace student)

-----Original Message-----
From: (grace employee)
Sent: Wed 4/28/2004 9:28 PM
To: (grace student)
Cc:
Subject: Fax Message Received

More info is in attach

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
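
The gateway rule mentioned in the reply above (drop EXE, COM, SCR and PIF attachments), sketched as an added Python example; it is not part of the original messages or of any poster's gateway configuration. The function names, the example.edu addresses and the sample filenames are constructed for illustration.

```python
from email import message_from_string
from email.message import EmailMessage

# Extensions named in the reply; the "etc..." is left to local policy.
BLOCKED_EXTENSIONS = (".exe", ".com", ".scr", ".pif")


def blocked_attachments(msg):
    """Return the filenames of MIME parts that end in a blocked extension."""
    hits = []
    # walk() visits every part, including parts of forwarded (message/rfc822) mail.
    for part in msg.walk():
        # get_filename() checks Content-Disposition filename=, then Content-Type name=.
        name = part.get_filename()
        if not name:
            continue
        # Windows ignores trailing dots and spaces, so "x.scr." still runs as .scr.
        cleaned = name.strip().rstrip(". ").lower()
        if cleaned.endswith(BLOCKED_EXTENSIONS):
            hits.append(name)
    return hits


def gateway_decision(raw_message):
    """Return ("drop", [filenames]) or ("accept", []) for one raw message."""
    hits = blocked_attachments(message_from_string(raw_message))
    return ("drop", hits) if hits else ("accept", [])


def build_sample(filename):
    """Constructed test message with one attachment; all values are made up."""
    m = EmailMessage()
    m["From"] = "employee@example.edu"
    m["To"] = "student@example.edu"
    m["Subject"] = "Fax Message Received"
    m.set_content("More info is in attach")
    m.add_attachment(b"constructed bytes", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_string()


if __name__ == "__main__":
    for sample_name in ("details.txt.PIF", "notes.scr.", "minutes.pdf"):
        print(sample_name, gateway_decision(build_sample(sample_name)))
```

The check keys on the declared filename only, so it complements the virus scanning recommended in the same reply rather than replacing it.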