Jeff A. Earickson jaearick at COLBY.EDU
Wed May 15 21:46:34 IST 2002

I would study the full mail headers of the email (turn this on in
mailscanner if you don't have them), or search your syslogs for message
id g4FEfKR17219 and see what IP number the message originated from.
Then go looking to see who might own the machine attached to that
IP number.  At my site, I search the syslogs to see who has been
making POP connections from that IP number.  If there are any POP
connections associated with the machine, then I know who the owner
is.  Once I know that then I drag out the boiling oil and thumbscrews.
The user's account gets locked out, their machine blacklisted in my
sendmail settings -- they are dead until the machine is cleaned up.

** Jeff A. Earickson, Ph.D                         PHONE: 207-872-3659
** Senior UNIX Sysadmin, Information Technology    EMAIL: jaearick at colby.edu
** Colby College, 4214 Mayflower Hill,               FAX: 207-872-3076
** Waterville ME, 04901-8842

On Wed, 15 May 2002, Mike Walker wrote:

> Date: Wed, 15 May 2002 20:57:15 +0100
> From: Mike Walker <mike at 4frontmedia.net>
> Subject: Klez-E
> Over the last two days we have seen several virus warnings notifications
> from one of our mailscanner users, we cannot quite determine
> whether they are infected or is it Klez-E up to tricks.
> Before we alarm the user and tell him that our scanner missed this one
> has anybody any thoughts or similar experiences?
> When we check the quarantined message it is implying that our user was
> the sender but......with Klez-E who knows?
> The message we as the provider get from MailScanner is as follows:
> ***************************************************************************
> The following e-mail messages were found to have viruses in them:
> Sender: <>
> Recipient: < Our users e-mail address appears here > (I've removed to
> protect identity)
> Subject: Mail delivery failed: returning message to sender
> MessageID: g4FEfKR17219
> Report: /var/spool/MailScanner/incoming/g4FEfKR17219/msg-1060-281.txt/[From
> emmanuel < Our users e-mail address appears here >][Date Wed, 15 May 2002
> 15:40:50 +0100]/snoopy.exe infected: I-Worm.Klez.e
> --
> MailScanner
> Email Virus Scanner
> ____________________________________________________________
> This message has been scanned for viruses by "VITANIUM" the
> multi-scan E-mail Virus Protection Service from 4FrontMedia.
> To safeguard your business call 01233-850906.

More information about the MailScanner mailing list