Klez-E

Kham Vue kvue at WADSNET.COM
Thu May 16 16:36:53 IST 2002 

Thanks that worked.

--------------------------------------------------------------
Kham Vue
Internet Admin
The City of Wadsworth
WADSNET.COM High Speed Internet Service
kvue at wadsnet.com
 "Believe that life is worth living, and your belief will help create the fact."
      --William James

----- Original Message -----
From: "Julian Field" <jkf at ECS.SOTON.AC.UK>
To: <MAILSCANNER at JISCMAIL.AC.UK>
Sent: Thursday, May 16, 2002 10:32 AM
Subject: Re: Klez-E


> At 12:08 16/05/2002, you wrote:
> >I'm new so excuse me.
> >
> >Where can I find the syslog in REDHAT 5.0?
>
> Look in /etc/syslogd.conf or /etc/syslog.conf.
> That file will tell you what logs go where.
>
> Type "man syslogd" and things will become clearer.
>
>
> >--------------------------------------------------------------
> >Kham Vue
> >Internet Admin
> >The City of Wadsworth
> >WADSNET.COM High Speed Internet Service
> >kvue at wadsnet.com
> >  "Believe that life is worth living, and your belief will help create the
> > fact."
> >       --William James
> >
> >----- Original Message -----
> >From: "Jeff A. Earickson" <jaearick at COLBY.EDU>
> >To: <MAILSCANNER at JISCMAIL.AC.UK>
> >Sent: Wednesday, May 15, 2002 4:46 PM
> >Subject: Re: Klez-E
> >
> >
> > > Hi,
> > > I would study the full mail headers of the email (turn this on in
> > > mailscanner if you don't have them), or search your syslogs for message
> > > id g4FEfKR17219 and see what IP number the message originated from.
> > > Then go looking to see who might own the machine attached to that
> > > IP number.  At my site, I search the syslogs to see who has been
> > > making POP connections from that IP number.  If there are any POP
> > > connections associated with the machine, then I know who the owner
> > > is.  Once I know that then I drag out the boiling oil and thumbscrews.
> > > The user's account gets locked out, their machine blacklisted in my
> > > sendmail settings -- they are dead until the machine is cleaned up.
> > >
> > > ** Jeff A. Earickson, Ph.D                         PHONE: 207-872-3659
> > > ** Senior UNIX Sysadmin, Information Technology    EMAIL:
> > jaearick at colby.edu
> > > ** Colby College, 4214 Mayflower Hill,               FAX: 207-872-3076
> > > ** Waterville ME, 04901-8842
> > >
> > ----------------------------------------------------------------------------
> > >
> > > On Wed, 15 May 2002, Mike Walker wrote:
> > >
> > > > Date: Wed, 15 May 2002 20:57:15 +0100
> > > > From: Mike Walker <mike at 4frontmedia.net>
> > > > To: MAILSCANNER at JISCMAIL.AC.UK
> > > > Subject: Klez-E
> > > >
> > > > Over the last two days we have seen several virus warnings notifications
> > > > from one of our mailscanner users, we cannot quite determine
> > > > whether they are infected or is it Klez-E up to tricks.
> > > > Before we alarm the user and tell him that our scanner missed this one
> > > > has anybody any thoughts or similar experiences?
> > > >
> > > > When we check the quarantined message it is implying that our user was
> > > > the sender but......with Klez-E who knows?
> > > > The message we as the provider get from MailScanner is as follows:
> > > >
> > ***************************************************************************
> > > > The following e-mail messages were found to have viruses in them:
> > > >
> > > > Sender: <>
> > > > Recipient: < Our users e-mail address appears here > (I've removed to
> > > > protect identity)
> > > >
> > > > Subject: Mail delivery failed: returning message to sender
> > > >
> > > > MessageID: g4FEfKR17219
> > > >
> > > > Report:
> > /var/spool/MailScanner/incoming/g4FEfKR17219/msg-1060-281.txt/[From
> > > > emmanuel < Our users e-mail address appears here >][Date Wed, 15 May 2002
> > > > 15:40:50 +0100]/snoopy.exe infected: I-Worm.Klez.e
> > > >
> > > > --
> > > >
> > > > MailScanner
> > > >
> > > > Email Virus Scanner
> > > >
> > > >
> > > > ____________________________________________________________
> > > > This message has been scanned for viruses by "VITANIUM" the
> > > > multi-scan E-mail Virus Protection Service from 4FrontMedia.
> > > > To safeguard your business call 01233-850906.
> > > >
> > > >
> > >
> > >
>
> --
> Julian Field                Teaching Systems Manager
> jkf at ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> Tel. 023 8059 2817          University of Southampton
>                              Southampton SO17 1BJ
>
>

More information about the MailScanner mailing list