Trace email source w/out headers

[mvvilleza]

Hi people,

My question is the lovelorn virus is spreading mail on my network and i found out that it doesn't have headers. Is it possible to trace the source of the virus or should i use a special software? If yes, is there a free software available? Thanks for any info.

 

[eyec]

this would be a moot point. just to identify where it last came from would not identify the original source.

like most virus, it is spread by unsuspecting users.

keeping it out of your network requires educating your users not to open these emails.

i assume your AV software and firewall is up to date.

stripping attachments at the server would help prevent infecting your network but could become inconvenient.

 

[rtichnor]

check your connections at the firewall. A connection log will tell you what IP address and what port is being used. That is the easiest way to track it down.

 

[Grenage]

I agree with eyec, it really is not worth the effort or trying to find out where the emails came from. It most likely comes from multiple sources and having the IP addresses will do you no good.

 

[rtichnor]

OMG
He has virus-infected e-mail being spread around his network. This particular virus steals passwords and spreads it randomly. It also disables anti-virus programs. He needs to track it down to stop it. If any of this e-mail originating from his network is moving beyond his network, into the internet, his ISP will SHUT HIM DOWN !!!!!

 

[rtichnor]

http://securityresponse.symantec.com/avcenter/venc/data/w32.nolor@mm.html#removalinstructions

 

[rtichnor]

that was a bad link. I don't know why it didn't carry through proerly. Just copy from the http, all the way to the right. Paste it in your browser.

 

[Grenage]

I imagine he just phrased it in a perculiar manner, and is just receiving a lot of infected emails from an external source.

 

[rtichnor]

When he said "... the lovelorn virus is spreading mail on my network ...". I took that literally. It could be misconstrued. However, he said that the e-mails did not have any header information. That is normally an indication that e-mail is spreading internally.

 

[rtichnor]

Also, when we get virus-infected e-mail or spam, I track them down and report them to thier ISP. Nobody should accept garbage like that coming into thier network. I have found that many of our employees' home computers were infected, and this is how they ended up being fixed. Quite a few employees had nasty trojans installed and were wreaking havoc with alot of personal information.
This provided two major benefits...
First, I reduced our intake of all that garbage.
Second, it allowed for a chance to have the infected home computers cleaned, so that they would no longer be zombies.

Have your MTA perform a RDNS lookup on all incoming e-mail. That will flag the vast majority of garbage in everyone's inbox (inside the header).

 

[mvvilleza]

rtichnor,

you were right that the virus comes from an internal source. You see, i'm new in the company and found out not every computer has anti-virus installed, so i suspect that its origin is from a computer with no anti-virus installed. Otherwise, i will know it because i have our anti-virus servers configured to notify me if a virus is detected. So, it only means it comes from a computer w/ no antivirus, that's why i was asking if i can track down the source since there's no headers on the mail.

 

[mvvilleza]

I also suspect that this client computer has mail configured. Otherwise, it wouldn't get any email addresses to send to. Our mail servers also have antivirus and is configured w/ notification also. But it only tells a bogus mail address non-existent in our mail servers. So i checked the headers, unfortunately it's empty.

 

[JoeBloggssss]

Hi,

-----------------
- Best Practice -
-----------------

1. Invest in an gateway anti-virus solution, Check Point can integrate CVP Servers, which supports many best-of-breed anti-virus programs.

2. In relation to home and mobile users having compromised endpoints, using somthing like Zone Labs Integrity, requiring each endpoint connecting to your network to comploy to policy.

3. Invest in an IPS device, where the threat is so new, an IPS can provide proactive security stopping it in certain cases.

4. Several clients, are not using MessageLabs which provide content security in the cloud. This helps.


Christopher McGill
CCSA, CCNA, MCP

 

[rtichnor]

ChrisMcGill2001,
That was great !!!

Could you give us an idea of how much money all of that would cost?

 

[JoeBloggssss]

Alot less than the law suits for client personal information leaks.

 

[rtichnor]

lol

You must be in the law or medical field. I'm in the 'Municipal Government' field where everyhting is 'public record'.

I was just curious about the cost.

 

[JoeBloggssss]

I work for a IT Managed Provider, and many of our clients are government departments. You are right, the cost for all this is high. However, most companies use a firewall like Check Point which supports gateway AV scanning. You could use an open source IDS/IPS so no cost there. Interity is not that expensive, but theres got to be an open source alternative. However, that would then open the questions about code maturity and security audits, etc, etc. People band around words like TCO & ROI, but it is never cheap. But it the daddy if yeah can get you hand on the kit. I am can't wait to ply with ISS RealSecure.

 

[mvvilleza]

Thanks for the info ChrisMcGill2001, nevertheless you didn't answer the question

 

[JoeBloggssss]

mvvilleza do you want a hard cash figure, this would depend on what type of deal you get or partnership status.

 

[mvvilleza]

No, i was referring to my question, not rtichnor's.