
How to track SAVFE flagged e-mail


dstcroix

Technical User
Sep 2, 2003
72
CA
Hi, I'm hoping there are some tech-savvy mail/security people on this list.

We have a remote office in London which is using SAVFE version 2.8 and we are getting constant admin messages that London users' inboxes are infected. Of course, the infection is detected and an e-mail is sent to the administrator stating the infection was quarantined.

Immediately after the admin message re: London comes in, the exact same e-mail gets caught in our Toronto active Exchange box (also running SAVFE).

What I want to know is, based upon the information provided from SAVFE in the message to the administrator at both the London and Toronto sites, is it possible to track where the e-mail came from?

Some details are:
London:
1) Sender of infected item (of course, this is most likely spoofed)
2) Recipient of infected attachment
3) subject of the message
4) the name of the attachment (in this case message.scr)

Then immediately following a Toronto e-mail alert re: infection

Toronto:
1) Location of infected item (SMTP - then the numeric description of the message)
2) The sender of the message (SMTP - then the numeric description of the message)
3) Subject of the message (Mail delivery failure)
4) The name of the attachment and the action taken

I am no mail administrator, but because I am part of the Security team it is my responsibility to track down this message.

Does anyone have any experience doing an audit trail of an infected e-mail?

Our setup is thus:

The London mail goes straight to the Exchange gateway.

Is the SMTP alphanumeric description traceable?

Here is an example:

TOREXGW:
Location of the infected item: SMTP (TOREXGW-{FB80438E-AD22-4E5C-92A3-3BF972DC8EC1})/NON_IPM_SUBTREE/MTS-OUT
Sender of the infected item: SMTP (TOREXGW-{FB80438E-AD22-4E5C-92A3-3BF972DC8EC1})
Subject of the message: Mail Delivery (failure jelias@lon.fasken.com)
The attachment "message.scr" was Quarantined for the following reasons:
Virus W32.Netsky.P@mm was found.


This was done due to the following Symantec AVF settings:
Policy: Standard
SubPolicy: Virus SubPolicy
Rule: Basic Virus Rule
------------------------
FMLONDON:
Sender of the infected attachment: muzyka@firma.interia.pl
Recipient of the infected attachment: Elias, John\Inbox
Subject of the message: Mail Delivery (failure jelias@lon.fasken.com)
One or more attachments were quarantined.
Attachment message.scr was Quarantined for the following reasons:
Virus W32.Netsky.P@mm was found.


I know this is a long e-mail but thanks in advance.
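An added example, not from the post or from Symantec, showing one way to turn the two SAVFE alert blocks quoted above into an audit trail: it parses each site's block into fields, flags when the "Sender" is the gateway's own SMTP object rather than an address, and groups alerts by subject, attachment and virus name so the same message can be followed from site to site. The regular expressions are my own assumptions about the alert layout, derived only from the lines quoted in the post.

```python
import re
from typing import Dict, List
# Constructed sample: the two alert blocks quoted in the post, verbatim.
ALERTS = r"""TOREXGW:
Location of the infected item: SMTP (TOREXGW-{FB80438E-AD22-4E5C-92A3-3BF972DC8EC1})/NON_IPM_SUBTREE/MTS-OUT
Sender of the infected item: SMTP (TOREXGW-{FB80438E-AD22-4E5C-92A3-3BF972DC8EC1})
Subject of the message: Mail Delivery (failure jelias@lon.fasken.com)
The attachment "message.scr" was Quarantined for the following reasons:
Virus W32.Netsky.P@mm was found.
------------------------
FMLONDON:
Sender of the infected attachment: muzyka@firma.interia.pl
Recipient of the infected attachment: Elias, John\Inbox
Subject of the message: Mail Delivery (failure jelias@lon.fasken.com)
Attachment message.scr was Quarantined for the following reasons:
Virus W32.Netsky.P@mm was found.
"""
# Assumed field layouts, derived only from the lines quoted in the post.
FIELD_RE = re.compile(r"^(Location|Sender|Recipient) of the infected (?:item|attachment): (.+)$")
ATTACH_RE = re.compile(r'^(?:The attachment "|Attachment )([^" ]+)"? was (\w+)')
GATEWAY_RE = re.compile(r"^SMTP \([A-Z0-9]+-\{[0-9A-F-]{36}\}\)$")  # server-{GUID} object, not an address

def parse_alerts(text: str) -> List[Dict[str, object]]:
    """One dict per site block; blocks are separated by a dashed line."""
    alerts = []
    for block in re.split(r"^-{3,}$", text, flags=re.M):
        lines = [l.strip() for l in block.strip().splitlines() if l.strip()]
        if not lines:
            continue
        rec: Dict[str, object] = {"site": lines[0].rstrip(":")}
        for line in lines[1:]:
            if m := FIELD_RE.match(line):
                rec[m.group(1).lower()] = m.group(2)
            elif line.startswith("Subject of the message: "):
                rec["subject"] = line.split(": ", 1)[1]
            elif m := ATTACH_RE.match(line):
                rec["attachment"], rec["action"] = m.group(1), m.group(2)
            elif line.startswith("Virus ") and line.endswith(" was found."):
                rec["virus"] = line[len("Virus "):-len(" was found.")]
        # Gateway object as "sender": this copy was generated/relayed by Exchange itself
        # (here in MTS-OUT), so the alert carries no external origin to chase.
        rec["sender_is_gateway"] = bool(GATEWAY_RE.match(str(rec.get("sender", ""))))
        alerts.append(rec)
    return alerts

def correlate(alerts):
    """Group alerts by (subject, attachment, virus): one key = one message seen at several sites."""
    trail: Dict[tuple, List[object]] = {}
    for a in alerts:
        trail.setdefault((a["subject"], a["attachment"], a["virus"]), []).append(a["site"])
    return trail
```

The alert fields alone give the local queue or mailbox location and the envelope or display sender; the originating host only appears in the Received: headers of the message itself, which these alerts do not include.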
 