strange internal email

[wellerw]

Hi,

I have come int to work this morning to find that several users have received an internal email from (user@mydomain.com)the user does not exist on my server, but is is my domain name.

also in the server event log , there is an entry that says, authentication failed from ip address 219.153.156.1/webmaster.

Can anyone tell me what has happened here?, when this server was set up it was done with microsofts help and they assured me that is is not an open relay.

thanks
CJ

 

[devastator]

A new virus that came out over Friday and the weekend.

http://securityresponse.symantec.com/avcenter/venc/data/w32.mimail.c@mm.html

 

[guylewis]

What you are seeing is the new virus that devastator is speaking of.

The reason it is delivered to your users is that despite the fact you are not a relay the system still allows 'spoofed' from addresses as long as the mail is going to a valid address on your system. To prevent this you would have to configure authentication on your server to do reverse DNS validation. This adds significant processing overhead to the system and also results in a high failure rate in people trying to deliver mail to you. The high failure rate is due to misconfigure DNS. Everything has to be perfect at the DNS server for this to work properly.

Your best line of defense is good email AV software, updated daily.

 

[wellerw]

Thanks for the replies.

I will go and order some decent virus software I think.

 

[Spirit]

Check out antigen by sybari, it really is a fantastic tool.

I use it and it saves my bacon on a daily basis.

Iain

P.S. Send comission checks to.......