Does this mean someone is trying to relay viruses?

usalabs
Posts: 11
Joined: Wed Mar 09, 2005 11:47 pm

Post by usalabs »

I've been keeping a close eye on my server logs and my email server keeps coming up with this:

A virus with the name 'Win32:Netsky-P [Wrm]' has been detected in this email,
and as a result, the email has been rejected.

Email header information:
Received: from mail.rollernet.us ([208.11.75.2])
by mail.tezandbabs.us (Tezandbabs email server.) with ESMTP id ZJS22615
for <postmaster@tezandbabs.us>; Wed, 13 Jul 2005 23:24:48 -0700
X-RollerNet-Abuse: Roller Network SMTP Services. See http://rollernet.us/abuse.php
Received: from tezandbabs.us (unknown [61.246.55.183])
by mail.rollernet.us (Postfix) with ESMTP id E4C81528646
for <postmaster@tezandbabs.us>; Wed, 13 Jul 2005 00:48:35 -0700 (PDT)
From: 5cb841db@vsnl.net.in
To: postmaster@tezandbabs.us
Subject: Mail Delivery (failure postmaster@tezandbabs.us)
Date: Wed, 13 Jul 2005 13:16:29 +0530
MIME-Version: 1.0
Content-Type: multipart/related;
type="multipart/alternative";
boundary="----=_NextPart_000_001B_01C0CA80.6B015D10"
X-Priority: 3
X-MSMail-Priority: Normal
Message-Id: <20050713074835.E4C81528646@mail.rollernet.us>

The original message was received at Wed, 13 Jul 2005 23:24:49 -0700
The message was sent from: 5cb841db@vsnl.net.in
The message was sent to: postmaster@tezandbabs.us

The virus found was: Win32:Netsky-P [Wrm]


I have many of these, same virus detected, different sender email.

Does this mean someone is trying to relay viruses from my email server? If so, how do I disable relaying? I'm using Merak Email Server with updated, integral antivirus and SpamAssassin. I've left everything as default, as I don't know the optimal settings to use. I have challenge response disabled, as I don't know how to set up challenge response properly.
RollerNetSupport
Site Admin
Posts: 598
Joined: Wed Nov 17, 2004 10:05 pm
Location: Nevada

Post by RollerNetSupport »

What you are seeing is commonly known as a "joe job"; simply put, someone (in this case, a virus-laden message) picks an email address to use as the MAIL FROM address that has nothing to do with them. The goal is to direct the fallout somewhere else, but still have the message pass some basic tests such as if the domain name exists. There's a good description about it here:

http://en.wikipedia.org/wiki/Joe_job

Ultimately, there is nothing you can really do except wait for the flood of bounce messages to subside. You can, however, help your case by publishing an SPF record, if possible. SPF, or Sender Policy Framework, is a record added to the DNS information for your domain that declares the legitimate sources for email using your domain name. You can read more about SPF here:

http://spf.pobox.com/

When an SPF record is present, any mail server that checks SPF will reject the message if it came from an unauthorized source. Roller Network filtering has an SPF option that works the same way. If you're concerned about being blacklisted or having any retaliatory action taken against you, you shouldn't be too concerned. Anyone who looks at the message headers for the spam could easily tell that the return address was forged. Although SPF will help your case if someone tries to challenge you (it's a way to prove that the spam should not have legitimately been accepted, since it didn't come from an authorized source, had the recipient been checking SPF records), many mail servers still do not utilize SPF.

Hopefully this answers your question. If you have any other questions, feel free to contact us. Thanks!
Technical Support support@rollernet.us
Roller Network LLC
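To show what the SPF check described in the reply above actually does, here is an added example (not code from the thread or from Roller Network) that evaluates a small subset of SPF against the addresses in the posted headers. The SPF record and the DNS answers are constructed for the example and are not the real tezandbabs.us zone; it assumes the envelope MAIL FROM domain was tezandbabs.us.

```python
import ipaddress

# Constructed, hypothetical DNS data for this example (not the real zone).
# The record authorises mail.tezandbabs.us's A record and the 208.11.75.0/24
# block (the range mail.rollernet.us sits in per the headers); anything else
# is a hard fail ("-all").
FAKE_DNS = {
    ("tezandbabs.us", "TXT"): ["v=spf1 a:mail.tezandbabs.us ip4:208.11.75.0/24 -all"],
    ("mail.tezandbabs.us", "A"): ["203.0.113.10"],  # TEST-NET address, constructed
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stand-in for a DNS resolver; answers only from the constructed table."""
    return FAKE_DNS.get((name, rtype), [])


def check_spf(client_ip, mail_from_domain, dns=lookup):
    """Evaluate the SPF mechanisms ip4, a, mx and all (a subset of RFC 7208).

    client_ip is the address that connected to the receiving MTA, and
    mail_from_domain is the domain of the envelope sender it claimed.
    Returns one of: pass, fail, softfail, neutral, none.
    """
    ip = ipaddress.ip_address(client_ip)
    records = [r for r in dns(mail_from_domain, "TXT") if r.startswith("v=spf1")]
    if not records:
        return "none"  # domain publishes no SPF record, nothing to enforce
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]  # catch-all, normally "-all" or "~all"
        if mech == "ip4" and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qualifier]
        if mech in ("a", "mx"):
            host = arg or mail_from_domain
            hosts = [host] if mech == "a" else dns(host, "MX")
            addrs = [addr for h in hosts for addr in dns(h, "A")]
            if str(ip) in addrs:
                return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no "all" term was present
```

Run against the second Received line in the post, the unknown host 61.246.55.183 claiming a tezandbabs.us sender fails, while mail.rollernet.us's own address passes; a receiving server checking SPF would have rejected the former before ever generating the bounce.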