Re: [Exim] Spammer or new virus?

Author: Douglas Gray Stephens
Date:  
To: Marc MERLIN
CC: exim-users
Subject: Re: [Exim] Spammer or new virus?
Marc,

At 09:19 (GMT-0700) on 28-May-2002, Marc MERLIN wrote:
> Now that I'm actually watching my logs more closely, I noticed that someone
> from two different places (or two different people) keep trying to send mail
> through my system as someemail@??? (my dad's Email), and get
> rejected because I don't relay (my dad doesn't send mail through my machine)
>
> The "interesting" part is that at least some of the RCPT TOs are actually
> Email addresses that my dad could Email (well, some, like the last 3, since
> he is a magician).


The KLEZ virus apparently looks over the infected machine to see what
SMTP hosts have been defined, and tries to relay via them. I think
the rejected email has the hallmarks of that virus.


Douglas.




>
> Right now, my guess is that one or two of his colleagues are using Outlook (I
> made sure he isn't) and they are infected and trying to send mail to their
> address book in his name.
> However, that'd be the first time that I see a virus that looks up the MX
> for the user and tries connecting through it, and masquerades the envelope
> from too (usually it's only the header from)
>
> A spammer would typically probe for an open relay and move on. Here, I keep
> getting attempts almost every day.
>
> Has anyone seen that?


--

================================
Douglas GRAY STEPHENS
Technical Architect (Directories)
Schlumberger Cambridge Research
High Cross,
Madingley Road,
Cambridge.
CB3 0EL
ENGLAND

Phone  +44 1223 325295
Mobile +44 773 0051628
Fax    +44 1223 311830
Email DGrayStephens@???
================================