Different Send/Receive Virus Notifications?
Alex Neuman van der Hans
alex at nkpanama.com
Tue Mar 27 22:20:54 CEST 2007

Paul Hutchings wrote:
> Our Firewall only allows outbound smtp from our Exchange server so it
> should be the only thing talking to the relay from our network.
> Our Exchange server only allows authenticated SMTP so in theory a
> worm/virus shouldn't be able to get it to accept and relay mail?
> Because of this it would have to be a MAPI virus sent via Outlook which
> would not allow the Sender "From" address to be faked.
> We have very well regarded A/V on the Exchange server so I would hope
> it's never going to happen to begin with :)
>
> Not sure if anyone here uses Exchange/Outlook but that was the thinking
> behind it.
>
IIRC, Exchange would allow messages that are both ("to your domain"
**and** "apparently from your domain") without authentication since it
thinks it's the owner of that domain. That being said, a
"virus"/worm/whatever could fake the from as someone else from your
domain, and send something "to" someone at your domain, leading you on a
wild goose chase. I'm not sure many MAPI viruses are still out in the
wild, but I don't suppose it would be difficult for such viruses to fake
the from, even MAPI-wise (although IANAP).

Example:
Alice's machine sends a message "from bob at yourdomain.com" and "to
charlie at yourdomain.com". You spend some time looking at Bob's PC while
Alice keeps spewing out stuff unknowingly.
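
Added example, not part of the original post: one way to avoid the wild goose chase described above is to attribute internal-to-internal mail by the connecting client IP instead of the claimed sender. The log format, the IP_OWNER inventory and the function names are assumptions made for this sketch, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed, simplified SMTP receive-log lines (not a real Exchange log format).
SAMPLE_LOG = """\
2007-03-27 22:01:10 client=10.0.0.21 from=bob@yourdomain.com to=charlie@yourdomain.com
2007-03-27 22:01:12 client=10.0.0.21 from=dave@yourdomain.com to=charlie@yourdomain.com
2007-03-27 22:02:40 client=10.0.0.22 from=bob@yourdomain.com to=alice@yourdomain.com
2007-03-27 22:03:05 client=10.0.0.21 from=alice@yourdomain.com to=bob@yourdomain.com
2007-03-27 22:04:00 client=10.0.0.21 from=bob@yourdomain.com to=someone@example.org
"""

# Assumed inventory: which mailbox normally sends from which workstation IP.
IP_OWNER = {"10.0.0.21": "alice@yourdomain.com", "10.0.0.22": "bob@yourdomain.com"}

LINE_RE = re.compile(r"client=(?P<ip>\S+) from=(?P<frm>\S+) to=(?P<to>\S+)")


def domain_of(addr):
    """Return the lower-cased domain part of an address."""
    return addr.rsplit("@", 1)[-1].lower()


def find_spoofing_hosts(log_text, ip_owner, local_domain):
    """Return {client_ip: sorted claimed senders} for local-to-local mail whose
    envelope sender is not the mailbox that owns the connecting IP."""
    suspects = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ip, frm, to = m["ip"], m["frm"].lower(), m["to"].lower()
        # Only the case from the post: "to your domain" AND "apparently from your domain".
        if domain_of(frm) != local_domain or domain_of(to) != local_domain:
            continue
        # An IP missing from the inventory is flagged too (owner is None).
        if ip_owner.get(ip) != frm:
            suspects[ip].add(frm)
    return {ip: sorted(senders) for ip, senders in suspects.items()}


if __name__ == "__main__":
    hits = find_spoofing_hosts(SAMPLE_LOG, IP_OWNER, "yourdomain.com")
    for ip, forged in hits.items():
        print(f"{ip} (owner {IP_OWNER.get(ip, 'unknown')}) sent as: {', '.join(forged)}")
```

On the constructed sample this points at Alice's workstation (10.0.0.21) even though the messages claim to come from Bob and Dave.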