Registered
Virus Emails from Pelican....
I know that viruses are coming from everywhere right now but this is weird. The email was supposedly in response to a message I sent even though I didn't send any message. It is supposedly from postmaster@pelicanparts.net, it contained the mydoom virus. Below is the traceroute and below that is the actual message header:
Return-path: <>
Received: from ms-mta-01 (ms-mta-01 [10.24.14.215]) by ms-mss-03.columbus.rr.com (iPlanet Messaging Server 5.2 HotFix 1.21 (built Sep 8 2003)) with ESMTP id <0HSM00KR1GP4KL@ms-mss-03.columbus.rr.com> for embs@woh.rr.com; Thu, 05 Feb 2004 12:31:52 -0500 (EST)
Received: from nymx01.mgw.rr.com (nymx01.mgw.rr.com [24.92.226.31]) by ms-mta-01.columbus.rr.com (iPlanet Messaging Server 5.2 HotFix 1.21 (built Sep 8 2003)) with ESMTP id <0HSM00BZWGMNSH@ms-mta-01.columbus.rr.com> for embs@woh.rr.com (ORCPT embs@woh.rr.com); Thu, 05 Feb 2004 12:31:52 -0500 (EST)
Received: from pelicanserver3.pelicanparts.net (maxstudio13.66-236-61-173.daf.concentric.net [66.236.61.173] by nymx01.mgw.rr.com (8.12.10/8.12.8) with ESMTP id i15HTioe009908 for
Date: Thu, 05 Feb 2004 09:24:15 -0800
From: postmaster@pelicanparts.net
Subject: Delivery Status Notification (Failure)
To: embs@woh.rr.com
Message-id: <0PNOD4ld0000002c1@pelicanserver3.pelicanparts.net>
MIME-version: 1.0
Content-type: multipart/report; report-type=delivery-status; boundary="9B095B5ADSN=_01C3EB51B4E4609000002015pelicanserver 3.p"
X-DSNContext: 335a7efd - 4457 - 00000001 - 80040546
X-Virus-Scanned: Symantec AntiVirus Scan Engine
X-Virus-Scan-Result: Repaired 40386 W32.Mydoom.A@mm
Original-recipient: rfc822;embs@woh.rr.com
Registered
Join Date: Mar 2003
Location: Charlottesville Va
Posts: 5,783
These viruses swipe email addresses and substitute them as the "from". The infected computer isn't Pelican, it's someone that had Pelican's address in its mail program.
__________________
Greg Lepore 85 Targa 05 Ducati 749s (wrecked, stupidly) 2000 K1200rs (gone, due to above) 05 ST3s (unfinished business)
Author of "101 Projects"
It's called email spoofing - it didn't come from us:
http://www.cert.org/tech_tips/email_spoofing.html
-Wayne
__________________
Wayne R. Dempsey, Founder, Pelican Parts Inc., and Author of: 101 Projects for Your BMW 3-Series • 101 Projects for Your Porsche 911 • How to Rebuild & Modify Porsche 911 Engines • 101 Projects for Your Porsche Boxster & Cayman • 101 Projects for Your Porsche 996 / 997 • SPEED READ: Porsche 911 Check out our new site: Dempsey Motorsports
Registered
Re: Virus Emails from Pelican....
ack, rr.com has had odd SMTP problems for many moons.
Whoever faked it forgot the dash in pelicanserver-3
Last edited by thabaer; 02-05-2004 at 11:26 AM.
Registered
Yeah, I am not the "brightest bulb" when it comes to the online stuff. I can't believe how easily someone could make an email appear as if it came from someone it didn't. Technology certainly has its disadvantages at times, especially if you don't stay up on all of it.
Registered
Embs--
I am concerned and would like to help you out. Your computer accounts may be corrupted. Send me all your usernames, passwords, and credit card numbers and I will make sure everything is working properly.
__________________
Dan Morissette '85 Guards Red Targa 911 My Owners Gallery Page Non illegitimi carborundum
Registered
Quote:
So thanks for the support.
Registered
Registered
Hey Embs, lighten up. It could happen to anybody. Didn't mean to offend you.
__________________
Dan Morissette '85 Guards Red Targa 911 My Owners Gallery Page Non illegitimi carborundum
Bandwidth AbUser
Join Date: Nov 2001
Location: SoCal
Posts: 29,522
.
__________________
Jim R.
Last edited by Jim Richards; 02-05-2004 at 06:35 PM.
Registered
Join Date: May 2003
Location: DMV
Posts: 1,432
Registered
Join Date: May 2003
Location: DMV
Posts: 1,432
Jim where'd your post go, it had me dying from laughter! Kind of how I feel with the lights when I'm at work.
Stay away from my Member
Join Date: Aug 1999
Location: Agoura, CA
Posts: 5,773
One easy thing to check is the reverse DNS lookup of the originating mail server.
Received: from pelicanserver3.pelicanparts.net (maxstudio13.66-236-61-173.daf.concentric.net [66.236.61.173]
Notice that the IP address 66.236.61.173 does not correspond to the alleged originating SMTP server name pelicanserver3.pelicanparts.net ...which in this particular case doesn't even exist! But usually the spoofed server name will exist but the IP address will not belong to it, and actually will be somebody's open relay or an overseas spam factory.
__________________
Chris C. 1973 914 "R" (914-6) | track toy 2009 911 Turbo 6-speed (997.1TT) | street weapon 2021 Tesla Model 3 Performance | daily driver 2001 F150 Supercrew 4x4 | hauler
Author of "101 Projects"
Actually, if you look at the header information, you will see that the message was originally sent to someone at pelican, with a return address for Embs. So here's what happened:
- The virus sent the email to an account that doesn't exist at Pelican
- The email sent had a return address from Embs
- The mail was received by our server, possibly stripped of the virus, and then bounced back to the return address, which was Embs. Hence the subject "Delivery Status Notification (Failure)".
It might have just bounced the message back directly without even touching the attachment, which is why you think that our server may have been sending it out - it was merely bouncing it back to the sender, which was spoofed as you. Our servers are fully 100% protected both on the server side, the email server side, and individually on the workstation. Without going into too many details, all of the IP address DNS names mentioned above are valid and operational (not entirely visible on all networks though, and hence the confusion). The bottom line is that our network is currently 100% secure and 100% protected against this virus strain. I made sure of that last week.
-Wayne
__________________
Wayne R. Dempsey, Founder, Pelican Parts Inc., and Author of: 101 Projects for Your BMW 3-Series • 101 Projects for Your Porsche 911 • How to Rebuild & Modify Porsche 911 Engines • 101 Projects for Your Porsche Boxster & Cayman • 101 Projects for Your Porsche 996 / 997 • SPEED READ: Porsche 911 Check out our new site: Dempsey Motorsports
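The two checks described in this thread, as an added example that is not part of any post here: Chris C.'s comparison of the claimed SMTP server name against the reverse-DNS name the receiving MTA recorded in each Received: line, and Wayne's observation that the message is a delivery-status bounce (backscatter) rather than mail Pelican originated. The sample header is a constructed, trimmed copy of the one quoted at the top of the thread; no live DNS lookup is performed, the code reads the reverse name the receiving server already wrote into the header.

```python
import re
from email import message_from_string

# Constructed sample: the Received: chain, sender, subject and content type
# trimmed from the header quoted above (newest hop first, as in a real header).
SAMPLE_HEADER = """Return-path: <>
Received: from ms-mta-01 (ms-mta-01 [10.24.14.215]) by ms-mss-03.columbus.rr.com with ESMTP id <0HSM00KR1GP4KL@ms-mss-03.columbus.rr.com> for embs@woh.rr.com; Thu, 05 Feb 2004 12:31:52 -0500 (EST)
Received: from nymx01.mgw.rr.com (nymx01.mgw.rr.com [24.92.226.31]) by ms-mta-01.columbus.rr.com with ESMTP id <0HSM00BZWGMNSH@ms-mta-01.columbus.rr.com> for embs@woh.rr.com; Thu, 05 Feb 2004 12:31:52 -0500 (EST)
Received: from pelicanserver3.pelicanparts.net (maxstudio13.66-236-61-173.daf.concentric.net [66.236.61.173]) by nymx01.mgw.rr.com (8.12.10/8.12.8) with ESMTP id i15HTioe009908
From: postmaster@pelicanparts.net
Subject: Delivery Status Notification (Failure)
Content-type: multipart/report; report-type=delivery-status; boundary="x"
X-Virus-Scan-Result: Repaired 40386 W32.Mydoom.A@mm

"""

# "from <HELO name> (<reverse-DNS name> [<IP>])" as sendmail/iPlanet write it.
RECEIVED_RE = re.compile(r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[\d.]+)\]")


def parse_received_hops(header_text):
    """Return one dict per Received: line (helo, rdns, ip), newest hop first."""
    msg = message_from_string(header_text)
    hops = []
    for value in msg.get_all("Received", []):
        match = RECEIVED_RE.search(" ".join(value.split()))  # unfold the header
        if match:
            hops.append(match.groupdict())
    return hops


def suspicious_hops(hops):
    """Hops whose claimed (HELO) name differs from the name the receiving MTA
    resolved for the connecting IP; the oldest such hop is the likely origin."""
    return [h for h in hops if h["helo"].lower() != h["rdns"].lower()]


def is_delivery_status_notification(header_text):
    """True when the message is an RFC 3464-style bounce, i.e. backscatter from
    a forged return address rather than mail the named sender composed."""
    msg = message_from_string(header_text)
    return (msg.get_content_type() == "multipart/report"
            and msg.get_param("report-type") == "delivery-status")


if __name__ == "__main__":
    for hop in suspicious_hops(parse_received_hops(SAMPLE_HEADER)):
        print("claimed %(helo)s but peer resolved to %(rdns)s [%(ip)s]" % hop)
    print("bounce/DSN:", is_delivery_status_notification(SAMPLE_HEADER))
```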