Email header question!
tarballed
02-10-2003, 02:04 PM
Hello everyone.
Not sure if this is the right place, but I figured if it was not, someone may be able to point me into the right direction.
Basically, one of the users on our network is continuously receiving emails that have a virus in them. In going through the email headers, I am trying to locate why this is continuing to occur.
What I was wondering is if anyone knows of a web site where I might be able to post the headers to see if I might be able to get some help in tracking down this problem.
Thanks everyone.
Tarballed
Gaston
02-10-2003, 02:12 PM
What might help is to know where the virus is coming from and what mail transport agent you or your company is using.
You can filter these emails out with a little programming.
Could be someone's infected PC which is sending automated email (without that user actually knowing) to every recipient in their address book, and one of them happens to be this client of yours.
Let's say you're using sendmail and you want to use procmail to filter these messages; then you can post your question on their newsgroup.
http://www.procmail.org/
Read the HOWTOs/FAQs, there's some good information.
Please be precise when posting, e.g.:
Mail transfer agent you're using.
What the problem is.
What it is that you want to achieve.
Good luck!
tarballed
02-10-2003, 02:17 PM
Gaston,
Thanks for your reply. I have a feeling that you are correct in that someone is infected with a virus and it is sending out email to everyone in their address book.
If you are curious, here are the headers: (note: I removed our company info)
Date: Sun, 2 Feb 2003 17:31:20 -0800
From: Mail Delivery Subsystem <MAILER-DAEMON@teeny2.aspadmin.com>
To: <XXXXXX@XXXXXXXXX>
Subject: Returned mail: see transcript for details
Auto-Submitted: auto-generated (failure)
The original message was received at Tue, 28 Jan 2003 17:17:39 -0800
from slkcdslgw6PoolC1.slkc.uswest.net [65.100.196.1]
----- The following addresses had permanent fatal errors -----
<23017_10156_200301181000@mdmg.criticschoicemail.com>
----- Transcript of session follows -----
451 4.4.1 timeout writing message to mail.criticschoicemail.com.: Connection timed out with mail.criticschoicemail.com.
<23017_10156_200301181000@mdmg.criticschoicemail.com>... Deferred
Message could not be delivered for 5 days
Message will be deleted from queue
Reporting-MTA: dns; teeny2.aspadmin.com
Arrival-Date: Tue, 28 Jan 2003 17:17:39 -0800
Final-Recipient: RFC822; 23017_10156_200301181000@mdmg.criticschoicemail.com
Action: failed
Status: 4.4.7
Remote-MTA: DNS; mail.criticschoicemail.com
Last-Attempt-Date: Sun, 2 Feb 2003 17:31:20 -0800
Return-Path: <XXXXXXXXX@XXXXXXXXXXXX>
Received: from Notlrdnb (slkcdslgw6PoolC1.slkc.uswest.net [65.100.196.1])
    by teeny2.aspadmin.com (8.11.6/8.11.6) with SMTP id h0T1HdY09688
    for <23017_10156_200301181000@mdmg.criticschoicemail.com>; Tue, 28 Jan 2003 17:17:39 -0800
Date: Tue, 28 Jan 2003 17:17:39 -0800
Message-Id: <200301290117.h0T1HdY09688@teeny2.aspadmin.com>
From: awatts <awatts@teamworkmortgage.com>
To: 23017_10156_200301181000@mdmg.criticschoicemail.com
Subject: Re:welcome to my hometown
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary=PC1mmc3x79Wg4KX4BSc
Content-Type: text/html;
Just a note: We are using our ISP's email server. It seems this particular user is constantly receiving emails with viruses in them over and over.
Thanks for the input. Feel free to give your input.
Tarballed
Gaston
02-10-2003, 02:39 PM
If you want to filter with procmail and if you can, then just install procmail and then create a procmailrc file in the user's home dir, chmod 700.
Let's say this message always has the same header; then you'd write the following in procmailrc:
#nuke the virus emails!
:0H
# condition lines start with '*'; the H flag matches against the header only
* ^Subject: Re:welcome to my hometown
# action: discard the matching message
/dev/null
What this filter means is to just look at the email header, find the exact match for the Subject and then nuke it. Or forward them to wherever you'd like.
But you should also contact the sender and their admin (root@somedomain.com or postmaster@somedomain.com) to get the sender's PC virus-scanned, and ASAP, because it won't end.
In your case you should contact postmaster@slkc.uswest.net and root@slkc.uswest.net, and send them the same headers you just posted here.
Also inform awatts@teamworkmortgage.com.
Or a bit more complicated one, where you have to specify both the sender and the subject:
:0H
# first condition: regex against the From: header line
* ^From:.*email address here
# second condition: pipe the header through egrep; exit status 0 means a match
* ? egrep -i "^Subject:.*Subject of the msg here"
# both conditions must hold before the message is discarded
/dev/null
Please NOTE that everything's case sensitive and you have to watch the spaces etc.; they have to match the real email headers, otherwise your procmail filter won't work.
With procmail you'll get the SAMPLE file, which shows how to activate the logging to see if your filter's doing what it's supposed to do.
Hope this helps.
tarballed
02-10-2003, 02:49 PM
Gaston,
Thank you again. I really appreciate your input. At this time, we do not have our own email server, but we are planning to implement our own server here soon. We are currently using our ISP's email server.
When we do set up our own server, I will use your recommendations to make sure our server is locked down and secure.
Coincidentally, our user is continuing to receive emails with viruses in them that our AV server catches. Here is the latest header from it:
Received: from teeny2.aspadmin.com (teeny2.aspadmin.com [216.98.128.254]) by rly-na03.mx.aol.com (v90_r2.6) with ESMTP id MAILRELAYINNA36-0210125342; Mon, 10 Feb 2003 12:53:42 -0500
Received: from Ylblbf (slkcdslgw6PoolD8.slkc.uswest.net [65.100.197.8])
    by teeny2.aspadmin.com (8.11.6/8.11.6) with SMTP id h1AIBUF22968
    for <ZwBqCBDLgT2Md@netscape.net>; Mon, 10 Feb 2003 10:11:30 -0800
I believe you are right in that I need to contact @slkc.uswest.net with the headers from these emails.
Thanks again Gaston. I do appreciate it.
Tarballed
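As an added example (not code from this thread or from procmail), the two things discussed above done in Python: reading the Received chain of the headers just posted to find the host that handed the mail to the first relay, and emulating the two-condition procmail recipe from the earlier reply. The sample headers are constructed from the posted ones, and `abuse_contacts` is a heuristic of mine that mirrors the postmaster@/root@ suggestion, not a real abuse-contact lookup.

```python
import re
from email import message_from_string

# Constructed sample (not a real mail): the two Received hops from the second
# header set posted in the thread, plus the From/Subject of the first bounce.
SAMPLE_HEADERS = """\
Received: from teeny2.aspadmin.com (teeny2.aspadmin.com [216.98.128.254])
    by rly-na03.mx.aol.com (v90_r2.6) with ESMTP id MAILRELAYINNA36-0210125342;
    Mon, 10 Feb 2003 12:53:42 -0500
Received: from Ylblbf (slkcdslgw6PoolD8.slkc.uswest.net [65.100.197.8])
    by teeny2.aspadmin.com (8.11.6/8.11.6) with SMTP id h1AIBUF22968
    for <ZwBqCBDLgT2Md@netscape.net>; Mon, 10 Feb 2003 10:11:30 -0800
From: awatts <awatts@teamworkmortgage.com>
To: <XXXXXX@XXXXXXXXX>
Subject: Re:welcome to my hometown
MIME-Version: 1.0

"""

# sendmail-style "from HELO (rDNS [IP])" clause inside a Received value
_RECEIVED_FROM = re.compile(r"from\s+(\S+)\s+\(([^\s\[\]()]+)\s+\[([\d.]+)\]\)")


def header_lines(raw):
    """Unfold the headers into one 'Name: value' string per header."""
    msg = message_from_string(raw)
    return [f"{name}: {' '.join(str(value).split())}" for name, value in msg.items()]


def origin_hop(raw):
    """HELO name, reverse DNS and IP of the host that handed the mail to the first relay.
    Every MTA prepends its own Received header, so the bottom-most one was written
    by the server that talked to the sending machine (the infected PC, here)."""
    received = [h for h in header_lines(raw) if h.lower().startswith("received:")]
    m = _RECEIVED_FROM.search(received[-1]) if received else None
    return {"helo": m.group(1), "rdns": m.group(2), "ip": m.group(3)} if m else None


def abuse_contacts(rdns):
    """postmaster@ and root@ of the relay's domain, as suggested in the thread (heuristic:
    drop the leading host label, slkcdslgw6PoolD8.slkc.uswest.net -> slkc.uswest.net)."""
    domain = rdns.split(".", 1)[1] if "." in rdns else rdns
    return [f"postmaster@{domain}", f"root@{domain}"]


def matches_recipe(raw, *patterns):
    """Emulate the two-condition procmail recipe: every pattern must match some
    header line. Case-insensitive, like the egrep -i condition in the recipe."""
    lines = header_lines(raw)
    return all(any(re.search(p, line, re.IGNORECASE) for line in lines) for p in patterns)
```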
Gaston
02-10-2003, 03:01 PM
No worries ;-)
If you can, you also want to look at using qmail or postfix as your MTA.
As MTAs they are much more secure out of the box than sendmail. I've used postfix and it's also really fast and much easier to maintain/configure/run than sendmail.
That doesn't, however, change the fact that viruses might get inside.
Updating your filters, training your user base on how to use email and not open suspicious messages, and checking the virus websites is a good start.
tarballed
02-10-2003, 03:16 PM
Thanks Gaston. I appreciate that. I will look at both qmail and MTA.
Off hand, do you have any links you recommend for MTA? I'd really like to research that more to see some of the advantages, disadvantages as well as what I will need to set it up.
Thanks.
Tarballed
Gaston
02-10-2003, 03:35 PM
Check out the qmail and postfix home pages, there's plenty of info available.
And then just ask these people what their experiences were.
http://www.postfix.org
http://www.qmail.org/
From my own experience, we had an old Sparc 2 running 1 CPU, Solaris 2.5.1, and handling sometimes about 40000 emails an hour without a hiccup. Though, this server was just for relaying mail between the actual mail servers.
What you gotta remember is that email is quite I/O heavy, with loads of read and write processes.
If your company can afford it, try to have at least a dual-CPU machine with a disk array. Disk array or equivalent to share the load on the disks, so that not just one disk is continually bombarded when people are popping/imapping their emails. And at least 2GB of memory if you guys can afford it. And a 100Mb NIC or 2 with automatic failover.
Also you might need to take into consideration the possible user base growth.
But then again I don't know your company's requirements, how many users and how much email.
Everything depends on how important this server is for your company. You can get it very cheap but then you run the risk that you don't have redundancy (no dual power supply, no dual NIC, all the disks behind one controller).
And then the backup strategy....story goes on...;-)