need help with e-mail virus

Jonny Two Shoes

I have been asked to try to see if I can locate the sender of an e-mail with a potential virus threat. A page was handed to me with the details of the e-mail printed on it.

The return path shows a nonexistent e-mail address with our company domain. That is probably why he contacted us.

From: "All-Yours.Net" dzpf@(mycompany-censored).com

Our email policy does not even allow such a name as "dzpf"; it is always firstname.surname@(mycompany).com

Any way to go about addressing this??

"Received From:" does have IP addresses. What IP range is 196.36.[censored until I know this range is not internal]?

And 125.132.[censored]. is further down on another received from entry.

I'm not very experienced in this field; any help greatly appreciated.
 
Chances are good that it doesn't matter if you track the sender down or not, it is most likely a zombie pc and the user doesn't even know his PC is spewing spam/viruses..
 
Chances are good that it doesn't matter if you track the sender down or not, it is most likely a zombie pc and the user doesn't even know his PC is spewing spam/viruses..

the fact that it came from our e-mail domain though???
 
Another received from entry is as follows:

Received: from ggfg.gdipe ([191.220.censored]) by dcsdq with Microsoft SMTPSVC(6.0.3790.0); and date thereafter
 
What's the easiest way to find the source of all these IPs?

Bear in mind I cannot ping external IPs or addresses, as our proxy in Chicago has this protocol disabled.

Apologies for multiposting like an idiot
 
the fact that it came from our e-mail domain though???

Spoofing, yes, it's a well-known trick used to fool people into thinking the email is legit.

If I were you I'd notch it up to "impossible to locate" and educate users to be on the lookout for fishy emails. :)
 
Page you are the man!! or woman :/ dunno :) anyway thanks

I couldn't locate any of those IP ranges thus far. Still looking.
 
Are you using SPF or DKIM to protect your domain from spoofing attacks?

It won't help you find the source of the scam, but it helps you prevent it happening again.
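As an added illustration of the two points raised above (reading the "Received:" chain to find the hop worth tracing, and checking the connecting IP against the domain's SPF record), the following example is not from the thread. The message, host names (dcsdq, ggfg.gdipe), addresses and the SPF record for example.com are all constructed; the SPF evaluation handles only ip4 and all mechanisms and does no DNS lookups.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample message (not the one from the thread): RFC 5737/RFC 1918 addresses, placeholder hosts.
RAW_MESSAGE = """\
Return-Path: <dzpf@example.com>
Received: from dcsdq ([10.20.30.40]) by mail.example.com with ESMTP; Mon, 1 Jan 2007 10:00:03 +0200
Received: from ggfg.gdipe ([203.0.113.77]) by dcsdq with Microsoft SMTPSVC(6.0.3790.0); Mon, 1 Jan 2007 09:59:58 +0200
Received: from [192.168.1.23] by ggfg.gdipe; Mon, 1 Jan 2007 09:59:50 +0200
From: "All-Yours.Net" <dzpf@example.com>
"""
OUR_SERVERS = {"mail.example.com", "dcsdq"}          # hosts whose Received: lines we trust
SPF_RECORD = "v=spf1 ip4:198.51.100.0/24 -all"       # constructed SPF record for example.com
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
HOP_RE = re.compile(r"from\s+(.*?)\s+by\s+([^\s;]+)")
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def received_hops(raw):
    """(client_ip, receiving_host) per Received: header, earliest hop first (servers prepend as mail travels)."""
    hops = []
    for hdr in reversed(message_from_string(raw).get_all("Received", [])):
        m = HOP_RE.search(hdr)
        ip = IP_RE.search(m.group(1)) if m else None
        if ip:
            hops.append((ip.group(0), m.group(2)))
    return hops


def is_internal(ip):
    """True for RFC 1918 / loopback / link-local addresses, which cannot be traced from outside."""
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL)


def handoff_ip(hops, our_servers):
    """IP that connected to the first of our own servers; earlier Received: lines came from outside and may be forged."""
    for ip, server in hops:
        if server in our_servers:
            return ip
    return None


def spf_check(ip, record):
    """Minimal SPF evaluation: ip4 mechanisms and the 'all' default only, no DNS lookups."""
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:                  # skip the v=spf1 version tag
        qual = term[0] if term[0] in RESULT else "+"
        mech = term.lstrip("+-~?")
        if mech == "all" or (mech.startswith("ip4:") and addr in ipaddress.ip_network(mech[4:], strict=False)):
            return RESULT[qual]
    return "neutral"
```

On the sample, the only hop worth looking up is 203.0.113.77 (the machine that handed the mail to dcsdq); the 192.168.1.23 below it is private and was recorded by an outside server, and the SPF record for example.com rejects 203.0.113.77 outright.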
 
Domain Dossier, as suggested by andres101, points one of the IPs to Korea Telecom and two others to something that's Tucows sponsored. Thanks for that link though. I added it to my favourites; it will definitely come in handy again sometime.

@ ambo our Intranet is so huge I have absolutely no control of what these guys use. We don't have any direct line into SA local...we have a leased line to Chicago where everything goes out and comes in via a proxy server. Although we host our own e-mail for the users at SAfrica it is all controlled by admins in Chicago. We do the maintaining and send out requests for new users and fix it if need be.
 
@ ambo our Intranet is so huge I have absolutely no control of what these guys use.
That is a pretty poor excuse IMO. If you do not have control over your network then of course it will be abused.

If you are not high enough to be making the required policy decisions then you should pass on the info to the guys who are. But if the company is ignoring the current technology for protecting your network and then coming down on you when it gets compromised then I really have to wonder...
 
ambo you will be surprised how things are run here :p

I have only been with the company since the beginning of this year. A simple thing like installing one laptop for a user can take all day, what with the poor images, forms to complete and sign, and all the software to install. My record for laptop rollout in a full day's work is two :eek: and I don't just sit around either.

Furthermore, I don't have full control of the network because I am the PC support admin, not the network admin. However, our jobs overlap a lot: as I have just mentioned, the entire workforce of the department in the SA/Johannesburg branch is also responsible for Cape Town and Durban's problems and all the reps and onsite people, etc. etc. :(

EDIT: oh, and as far as us being up to date, take this piece of info. I am currently running an audit on everyone's PCs and trying my best to be ready when the big audit happens near the end of this year. The best software we have going to keep track of PC assets still runs the year 2000 compatibility check!! Yes, it is going to take me a while. No overtime pay either :( :mad: bleh!!
 
Sounds like you got your work cut out for you mate :sick:

I must say I pity you - and personally I don't think I'd survive long in that work environment! Good luck.
 
Sounds like you got your work cut out for you mate :sick:

I must say I pity you - and personally I don't think I'd survive long in that work environment! Good luck.

LOL :) thanks though.

Yeah, well, I'm still young, so I have a lot of experience to build up before I can even consider much. Just taking what I can get really. :)
 