Klez has its own SMTP engine, so does it use a mail server also?


Simon_wilmer
10-06-2002, 06:11 PM
Hi All,

Someone has emailed me telling me one of my customers has a virus and it keeps spamming them.

Our mail server has an up-to-date version of Sophos AV software on it and appears to be working correctly, filtering the virus when I send through it. Now I know that Klez has its own SMTP engine, but based on the headers I've seen it appears that the spam in question is coming from our server.

So my question is: Is Klez clever enough to "steal" server info from Outlook/Outlook Express and fake the email headers to make it look like our server is the sender, or is there something causing our server to not catch the virus?

So would this mean that even if we blocked the customer from our mail server, the emails would still get sent?

Cheers!
Simon

AllGamer
10-07-2002, 05:34 PM
Yes, and No

Klez does its own SMTP regardless of your server

as long as port 25 is open, Klez will send stuff out with your users' or other random spoofed addresses from your place

as for the headers seeming to come out of your server, it may very well be that your outgoing emails are infected

Do you have that email AV software checking for both incoming and outgoing emails?

or only incoming?

and what type of headers do you see on the ones that are infected and apparently coming from your server?

can you post a header here?

Simon_wilmer
10-07-2002, 06:08 PM
Hi,

Here is an example header. Sorry, but I've asterisked out the domain names and changed the IP addresses slightly; I think you'll be able to get the idea.

Received: from technetium.cix.co.uk (technetium.cix.co.uk [194.153.0.53])
by sulphur.cix.co.uk (8.11.3/CIX/8.11.3) with ESMTP id g95Nnfr02305
for <****@cixcouk.compulink.co.uk>; Sun, 6 Oct 2002 00:49:41 +0100 (BST)
Received: (from root@localhost)
by technetium.cix.co.uk (8.11.3/CIX/8.11.2) id g95Nnet10314
for ****@cixcouk.compulink.co.uk; Sun, 6 Oct 2002 00:49:40 +0100 (BST)
Received: from dealers.****.co.uk (dealers.****.co.uk [195.166.55.75])
by technetium.cix.co.uk (8.11.3/CIX/8.11.2) with ESMTP id g95Nnd510309
for <****@cix.compulink.co.uk>; Sun, 6 Oct 2002 00:49:39 +0100 (BST)
X-Envelope-From: roadside_motors@dealers.****.co.uk
Received: from Iamdwhnpk ([195.166.32.92]) by dealers.****.co.uk (8.9.3/8.7.3) with SMTP id AAA21173 for <****@cix.compulink.co.uk>; Sun, 6 Oct 2002 00:52:46 GMT
Date: Sun, 6 Oct 2002 00:52:46 GMT
Message-Id: <200210060052.AAA21173@dealers.****.co.uk>
From: fussell_wadman <fussell_wadman@dealers.****.co.uk>
To: ****@cix.compulink.co.uk
Subject: Motability Finance Limited
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary=O5ymnnnXH218j
X-Envelope-To: ****@cixcouk.cix.co.uk
X-PMFLAGS: 570950016 0 1 P620D0.CNM

<HTML><HEAD></HEAD><BODY>
<iframe src=cid:X5TNz634Fn89166M4i1 height=0 width=0>
</iframe>
<FONT></FONT></BODY></HTML>

The mail server is set to filter both incoming and outgoing mails. I actually grabbed an infected email from the quarantine folder on the server and sent it to myself, and the server filtered it correctly.

I think Klez is using its own SMTP engine, but I want to make sure! :) As you can see, our server is listed in the headers, so do you think Klez is faking the headers, or is our server being used by Klez to relay?

Cheers,
Si

AllGamer
10-07-2002, 06:19 PM
What you see there is actually your internet connection address, the one the ISP provides you

so in a way "yes" the Klez is "faking" your server

but not really, since it's using its own, and since it's on your side of the wall, when the emails go out it looks as if they're coming from your network

if it were really faking your server, it would have to read something like

servername.cixcouk.compulink.co.uk
or in your case seems like
"technetium.cix.co.uk" is the actual server

and not just from "cixcouk.compulink.co.uk"


either way, if you block outgoing SMTP (port 25) for every computer but your mail server

you should be able to stop the Klez emails from going out

but your best solution is to kill and clear Klez out of those infected machines
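Reading the chain the way the reply above does, as an added example that is not part of the thread: a small Python script that walks the Received headers oldest-first and reports the hop at which the message was handed to the first MTA, plus the signs that the client on that hop was not a real mail server. The sample headers are constructed from the ones posted above, with the asterisked domain replaced by the placeholder dealers.example.co.uk and recipients by user@...

```python
import re
from email import message_from_string

# Constructed sample modelled on the chain posted above: the asterisked domain
# becomes the placeholder dealers.example.co.uk and recipients become user@...
RAW_HEADERS = """\
Received: from technetium.cix.co.uk (technetium.cix.co.uk [194.153.0.53])
 by sulphur.cix.co.uk (8.11.3/CIX/8.11.3) with ESMTP id g95Nnfr02305
 for <user@cixcouk.compulink.co.uk>; Sun, 6 Oct 2002 00:49:41 +0100 (BST)
Received: (from root@localhost)
 by technetium.cix.co.uk (8.11.3/CIX/8.11.2) id g95Nnet10314
 for user@cixcouk.compulink.co.uk; Sun, 6 Oct 2002 00:49:40 +0100 (BST)
Received: from dealers.example.co.uk (dealers.example.co.uk [195.166.55.75])
 by technetium.cix.co.uk (8.11.3/CIX/8.11.2) with ESMTP id g95Nnd510309
 for <user@cix.compulink.co.uk>; Sun, 6 Oct 2002 00:49:39 +0100 (BST)
Received: from Iamdwhnpk ([195.166.32.92]) by dealers.example.co.uk (8.9.3/8.7.3) with SMTP id AAA21173 for <user@cix.compulink.co.uk>; Sun, 6 Oct 2002 00:52:46 GMT
"""

# "from HELO (rdns [ip]) ... by SERVER": the bracketed part is what the receiving
# MTA logged about the client, while HELO is whatever the client claimed to be.
HOP_RE = re.compile(r"^(?:from\s+(?P<helo>\S+)\s*"
                    r"(?:\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[^\]]+)\]\))?)?"
                    r".*?\bby\s+(?P<by>\S+)")

def parse_hops(raw):
    """Received hops oldest-first (each MTA prepends, so header order is reversed)."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        value = " ".join(value.split())              # unfold continuation lines
        hop = HOP_RE.match(value).groupdict()        # local hops leave helo/rdns/ip None
        proto = re.search(r"\bwith\s+(\S+)", value)  # SMTP vs ESMTP, if logged
        hop["proto"] = proto.group(1) if proto else None
        hops.append(hop)
    return hops

def injection_point(hops):
    """Earliest hop with a client IP: the machine that handed the mail to the first MTA."""
    return next(h for h in hops if h["ip"])

def oddities(hop):
    """Triage hints that the client was not a real mail server (indicators, not proof)."""
    notes = []
    if hop["helo"] and "." not in hop["helo"]:
        notes.append("HELO name is not a hostname")
    if not hop["rdns"]:
        notes.append("no reverse DNS recorded for the client IP")
    if hop["proto"] == "SMTP":
        notes.append("plain SMTP, unlike the ESMTP used between the relaying MTAs")
    return notes
```

On the sample, injection_point reports the client at 195.166.32.92 calling itself "Iamdwhnpk" handing the mail to dealers.example.co.uk over plain SMTP with no reverse DNS, which is the hop to compare against the infected customer's connection; every later hop is an MTA relaying what it was given.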

AllGamer
10-07-2002, 06:24 PM
yes, it is very dangerous to post your stuff online

I easily got all this from your setup

...errh... I decided to omit the info here, I don't want people hacking into your server
I'll PM you the info instead

and I can see that the AV software for the e-mail server doesn't seem to be set up where it should be, unless your AV software is on the same machine as the mail server