terbear0007 Posted June 6, 2004
I have been receiving "returned" emails which attempted to distribute viruses for the last 6-9 months that "show" that the email was originated by one of our domain's email addresses. In the last week or two, I am getting about 20-40 a day. I came across a website that (I think) claims they have found a way for administrators to stop that. I wonder if someone who knows what they are doing would mind checking out this site and letting me know if this would work and how it would have to be done. Here is the site URL: http://spf.pobox.com/ I sure would appreciate it. I, like so many others, really do hate the idea that people think "our site" is sending all these viruses. Thanking all of you in advance.
TCH-Rob Posted June 6, 2004
I did not get too far into the site, but this looks to be a server-side inclusion and not something one can put in their web space to help stop it. I believe one would need a dedicated box at best to run this software.
terbear0007 Posted June 6, 2004 (Author)
Hello Rob, Thanks for the quick response. I wish you had better news for me and others. SO... based on what I have been reading in the forums and what you just told me, there really isn't anything one can do about it at this time, is there? Wonder if you can help me figure out how to tell where an email originated from, by reading the following info...

Importance: Normal
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
Message-ID: <cc47647ad1b63a.2e895.qmail@decorativeartsbyjep.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="==55b562dccf.e3da"
Content-Transfer-Encoding: 7bit

This is a multi-part message in MIME format.

--==55b562dccf.e3da

hey dude!# ive found a shity virus on my pc. yo must check your pc! follow the steps in this article. bye

+-+-+ X- Mail_Scanner: No Virus found +-+-+
DECORATIVEARTSBYJEP- AntiVirus Service +-+-+
http://www.decorativeartsbyjep.com

--==55b562dccf.e3da
Content-type: text/plain; charset=iso-8859-1
Content-Disposition: attachment;filename=McAfee_EmailScanReport.txt
Content-Transfer-Encoding: quoted-printable

****************** McAfee VirusScan ************************
******* Alert generated at: Sun, 06 Jun 2004 04:58:14 -0500 *********
*********************************************************************
McAfee VirusScan has detected a potential threat in this e-mail=20
sent by Jane@decorativeartsbyjep.com.
The following actions were attempted on each suspicious part.=20
We strongly recommend that you report this virus-related activity=20
to Jane@decorativeartsbyjep.com.
The attachment "article.doc.zip" is infected with the W32/Sober.g@MM Vir=
us(es).=20
This attachment has been quarantined.

--==55b562dccf.e3da--

This way I will know what to look for and will try to trace the origin. Either way, thanks again for your help. Terry
Ohhhhh, by the way....
Deverill Posted June 6, 2004
Sometimes the other end will return the entire message including the headers. If this happens you can see that the original email came from tnoheu@****** [209.99.109.92] or whatever. For your own peace of mind you can confirm that it's not TCH's IP address. Other than that there's nothing to glean from your posted message - it just doesn't give the details you need. As for stopping it, it's like stopping me from sending you an email from a bazillion different email accounts I have. A bounceback is just like an original email, so it's not able to be blocked unless you start filtering out all messages that say "not deliverable" or some other string in them.
terbear0007 Posted June 6, 2004 (Author)
Thanks Rob, This, which I already included, is the header for that email. Almost all of them are the same.

Return-path: <Jane@decorativeartsbyjep.com>
Envelope-to: WebDesigns@decorativeartsbyjep.com
Delivery-date: Sun, 06 Jun 2004 04:42:00 -0400
Received: from [24.176.114.26](helo=jane.com)
	by server10.totalchoicehosting.com with smtp (Exim 4.34)
	id 1BWtE5-0005f6-Sc; Sun, 06 Jun 2004 04:42:00 -0400
From: Jane@decorativeartsbyjep.com
To: Free-Mail@decorativeartsbyjep.com
Date: Sun, 06 Jun 2004 08:41:28 GMT
Subject: FwD: damn!
Importance: Normal
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
Message-ID: <cc47647ad1b63a.2e895.qmail@decorativeartsbyjep.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="==55b562dccf.e3da"
Content-Transfer-Encoding: 7bit

I guess it's like you and Jim say... not much I can do right now. And banning most of the headers that these are returned to us for would never let us know about some of the monthly newsletters that are returned as "undeliverable" or whatever. So, again... thanks very much for your help. You too Jim. Terry... but mail spoofing...
TCH-Thomas Posted June 6, 2004 (edited June 6, 2004 by Jikrantz)
This part, "Received: from [24.176.114.26]", is the one you need to find out where it came from, if I'm not wrong.
terbear0007 Posted June 6, 2004 (Author)
Hello Thomas, I "thought" that was what I needed to check, but when I tried to trace it yesterday, it always timed out before it located the server. But today I tried it and it gave me this message...

Host 26.114.176.24.in-addr.arpa not found: 2(SERVFAIL)

I kind of thought it wouldn't do much good to look it up. Oh well. Thanks for everyone's help! As always, TCH forums and Tech support are all "top notch"!! Terry
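Deverill and Thomas both point at the Received: line as the only trustworthy clue in a spoofed message. As an added example (not code from this thread or from TCH), here is a short Python script that parses the headers Terry posted, pulls the connecting IP and HELO name out of the Received: line that the hosting server wrote, and compares them with the From: domain the message claims; the "own server" address 192.0.2.10 is a constructed placeholder.

```python
import re
from email import message_from_string

# Constructed sample, reproducing the headers quoted earlier in this thread.
RAW_MESSAGE = """Return-path: <Jane@decorativeartsbyjep.com>
Envelope-to: WebDesigns@decorativeartsbyjep.com
Received: from [24.176.114.26](helo=jane.com)
\tby server10.totalchoicehosting.com with smtp (Exim 4.34)
\tid 1BWtE5-0005f6-Sc; Sun, 06 Jun 2004 04:42:00 -0400
From: Jane@decorativeartsbyjep.com
To: Free-Mail@decorativeartsbyjep.com
Subject: FwD: damn!
"""

# "from [ip](helo=name) by server": the shape Exim uses for an unauthenticated SMTP hop.
RECEIVED_RE = re.compile(
    r"from\s+\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\s*"
    r"(?:\(helo=(?P<helo>[^)\s]+)\))?\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)

def parse_received(raw):
    """Return one dict per Received: header, top (newest hop) to bottom (oldest hop)."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(value.split()))  # unfold continuation lines
        if m:
            hops.append({"ip": m.group("ip"), "helo": m.group("helo"), "by": m.group("by")})
    return hops

def origin_report(raw, own_domain, own_server_ips):
    """Compare where the mail really entered with the domain it claims to come from.
    Only a Received: line written by a server you control can be trusted; here the
    bottom-most line was added by the hosting server, so its IP is the true origin."""
    hops = parse_received(raw)
    if not hops:
        return None
    first_hop = hops[-1]
    from_domain = message_from_string(raw)["From"].rsplit("@", 1)[-1].lower()
    helo = (first_hop["helo"] or "").lower()
    return {
        "origin_ip": first_hop["ip"],
        "helo": helo,
        "claims_our_domain": from_domain == own_domain.lower(),
        "sent_via_our_server": first_hop["ip"] in own_server_ips,
        "helo_matches_from": helo == from_domain or helo.endswith("." + from_domain),
    }
```

For the posted message the report says the sender claims decorativeartsbyjep.com, yet the connection came from 24.176.114.26 announcing itself as jane.com and not from the hosting server, which is exactly the forged-sender pattern the thread describes.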