General discussion


More BadTrans..Again help is needed

By LordInfidel
We can all remember the I Love You and SirCam outbreaks. No matter how hard you tried, they kept coming.

Normally I start a campaign to alert each person that sends my network the virus. I usually send them a friendly notice and instructions on how to remove it.

I also usually urge all other admins to do the same.

However, this time my good-faith efforts are coming back to haunt me. With this virus, if you send the person an e-mail alerting them, it goes into their inbox. The next time they reboot, the virus spreads again, and it is sent back to me twice since now I have 2 e-mails in their inbox.

So now we have a dilemma. How do we alert the user and avoid receiving the virus?

The answer here is to not alert the user, but to alert their postmaster. By default, all mail systems have a postmaster account. (Normally, that is; if a mail server hosts multiple domain names, you might have to do some research.)

What does that accomplish? Maybe nothing. But it might alert an unsuspecting admin that one of their users has a virus. Or it might force an ISP to shut down that person's mail account.

With that, I will be posting my canned responses to postmasters for all of you to use. Feel free to edit as needed.

I will also post some other misc. advice about combating this virus.


11 total posts (Page 1 of 2)


Postmaster e-mail

by LordInfidel In reply to More BadTrans..Again help ...

Notes: I usually sign mine with PGP. This is not necessary but adds credibility as to the source.

From: Use an administrative address, do not use your personal address. I.e., I use
Vdat Mail Administrator (mailadministrator@vdat.com)

To: postmaster@domainname.com

Subject: User (affected@useraddress.com) is infected with BadTrans

Body:

Multiple viruses have been sent by the following user, affected@useraddress.com.

This user has been infected with the BadTrans virus.

Please take the appropriate steps to assist this user in cleaning their machine so that no further viruses are propagated.

Any further viruses sent to our network by this user will result in us blocking this user from sending e-mail to our network.

We have enclosed the headers of the offending e-mail below.

Thank you for your assistance in this matter.

Your company name Mail Administrator
-----------------------------------
Please do not reply to this address

<!--Begin Headers-->

headers
<!--End Headers-->


How to find Headers of an e-mail

by LordInfidel In reply to More BadTrans..Again help ...

So where are these headers located?

They are generally located in the Properties of the e-mail. These are general instructions but are usually applicable to most e-mail clients.

First, turn off your preview pane if you have not yet done so. (You may want to use an uninfected e-mail first.)

Next highlight the e-mail you wish to get the headers from and right click on it.

You should then be able to view its properties. (Exchange users choose Options.)

If you cannot right-click on it, still highlight it, then go to File/Properties.

What you want to look for is a whole mess of information that kind of looks like this:
(IP's and domain names have been renamed)

Copy and paste the headers into your e-mail to the postmaster.

<!--Begin Headers-->

Received: from mail5.a.remotedomain.net ([x.x.x.x]) by my.domain.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13)
    id V93BBQXL; Wed, 28 Nov 2001 14:55:43 -0500
Received: from aol.com (d6.as1.gryl.mi.a.remotedomain.net [x.x.x.x])
    by mail5.a.remotedomain.net (x.x.x/x.x.x) with SMTP id fASJt4Q42609
    for <user@mydomain.com>; Wed, 28 Nov 2001 14:55:05 -0500 (EST)
Date: Wed, 28 Nov 2001 14:55:05 -0500 (EST)
Message-Id: <200111281955.fASJt4Q42609@mail5.a.remotedomain.net>
From: "user name" <auser@adomain.net>
To: auser@mydomain.com
Subject: Re:
MIME-Version: 1.0
Content-Type: multipart/related;
    type="multipart/alternative";
    boundary="====_ABC1234567890DEF_===="
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1


<!--End Headers-->


Postmaster e-mail

by LordInfidel In reply to More BadTrans..Again help ...

There are several ways to figure out who to send the e-mail to.

An e-mail address consists of 2 parts. A user name and a domain name.

username@domainname.com

First you can go with the no-brainer. Take the sender's e-mail address and replace their username with postmaster.

Now let's say the e-mail comes back to you as undeliverable. Depending on how much this person has bothered you, you will now have to do some research.

You will need to go to your favorite domain name lookup site. I use http://www.whois.org/

What you want to do is to do a lookup on the domain name. So you would type into the search box domainname.com. (I personally copy the e-mails domain name and paste it in)

You will then be brought to another page that lists all of the matches. Find the match and choose Whois Record.

A window will pop up with the information.

Generally you would use the technical contact. If the technical contact looks like a web host company, use the admin contact.
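The three posts above (the canned postmaster e-mail, how to read the headers, and deriving the postmaster address) can be tied together in a short script. This is an added example, not code from the thread: it uses only the Python standard library, and the header block it parses is constructed from the redacted sample posted above, with documentation addresses (192.0.2.0/24, example.net, a made-up sendmail version string) substituted for the x.x.x.x and adomain.net placeholders. It goes one step beyond the post: besides postmaster@<sender domain> it offers the relay that first accepted the message as a second contact, which is where the whois research the post describes would start if the first address bounces (the whois lookup itself is a network step and is not performed here).

```python
"""Pull the sender and the Received chain out of a worm-generated message,
derive the postmaster address(es) to notify, and fill in the canned notice.
Added example, standard library only; sample data is constructed."""
import re
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr, formatdate

# Constructed sample, modelled on the redacted header block in the thread.
SAMPLE_RAW = "\n".join([
    "Received: from mail5.a.remotedomain.net ([192.0.2.10]) by my.domain.com"
    " with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13)",
    "\tid V93BBQXL; Wed, 28 Nov 2001 14:55:43 -0500",
    "Received: from aol.com (d6.as1.gryl.mi.a.remotedomain.net [192.0.2.77])",
    "\tby mail5.a.remotedomain.net (8.11.6/8.11.6) with SMTP id fASJt4Q42609",
    "\tfor <user@mydomain.com>; Wed, 28 Nov 2001 14:55:05 -0500 (EST)",
    "Date: Wed, 28 Nov 2001 14:55:05 -0500 (EST)",
    "Message-Id: <200111281955.fASJt4Q42609@mail5.a.remotedomain.net>",
    'From: "user name" <auser@example.net>',
    "To: auser@mydomain.com",
    "Subject: Re:",
    "MIME-Version: 1.0",
    "X-Unsent: 1",
    "",
    "(body omitted)",
    "",
])

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_RE = re.compile(r"^from\s+(\S+)")
BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)")


def parse_message(raw):
    return message_from_string(raw)


def received_hops(msg):
    """Received lines in delivery order: index 0 is the hop nearest the sender,
    the last entry is your own server. Header folding is undone first.
    Caveat: the name after 'from' is what the connecting client claimed (HELO)
    and can be forged; the bracketed IP was recorded by the receiving server."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = re.sub(r"\s+", " ", value).strip()
        frm, ip, by = FROM_RE.match(text), IP_RE.search(text), BY_RE.search(text)
        hops.append({
            "from": frm.group(1) if frm else None,
            "ip": ip.group(1) if ip else None,
            "by": by.group(1) if by else None,
        })
    return hops


def sender_address(msg):
    return parseaddr(msg.get("From", ""))[1]


def postmaster_candidates(msg):
    """The no-brainer first (postmaster@<sender domain>), then the relay that
    first accepted the message, as a fallback if the first one bounces."""
    out = []
    sender = sender_address(msg)
    if "@" in sender:
        out.append("postmaster@" + sender.split("@", 1)[1].lower())
    hops = received_hops(msg)
    if hops and hops[0]["by"]:
        cand = "postmaster@" + hops[0]["by"].lower()
        if cand not in out:
            out.append(cand)
    return out


def build_notice(raw, company, notice_from):
    """Fill in the canned postmaster e-mail from the thread, enclosing the
    original header block (everything before the first blank line)."""
    msg = parse_message(raw)
    sender = sender_address(msg)
    candidates = postmaster_candidates(msg)
    if not candidates:
        raise ValueError("no usable sender or relay in message")
    headers = raw.split("\n\n", 1)[0]
    notice = EmailMessage()
    notice["From"] = f"{company} Mail Administrator <{notice_from}>"
    notice["To"] = candidates[0]
    notice["Subject"] = f"User ({sender}) is infected with BadTrans"
    notice["Date"] = formatdate(localtime=True)
    notice.set_content("\n".join([
        f"Multiple viruses have been sent by the following user, {sender}.",
        "This user has been infected with the BadTrans virus.",
        "Please take the appropriate steps to assist this user in cleaning their",
        "machine so that no further viruses are propagated.",
        "Any further viruses sent to our network by this user will result in us",
        "blocking this user from sending e-mail to our network.",
        "We have enclosed the headers of the offending e-mail below.",
        "Thank you for your assistance in this matter.",
        "", f"{company} Mail Administrator",
        "-----------------------------------",
        "Please do not reply to this address",
        "", "<!--Begin Headers-->", headers, "<!--End Headers-->", "",
    ]))
    return notice


if __name__ == "__main__":
    print(received_hops(parse_message(SAMPLE_RAW)))
    print(build_notice(SAMPLE_RAW, "Vdat", "mailadministrator@vdat.com"))
```

The notice is built as a message object rather than sent, so it can be signed (the thread suggests PGP) and handed to whatever submission path you use; the hop list also gives you the originating IP, which is the one datum in the headers the infected side cannot fake.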


above title should be Whois Records

by LordInfidel In reply to Postmaster e-mail

The above post was supposed to be titled
Whois records.

Sorry


Or possibly

by admin In reply to More BadTrans..Again help ...

you could send the notices from a separate account such as virusalert@box.mydomain.com and then restrict all incoming mail to that address with an autoresponse so that they get their mail back until they fix the problem.

:>


This is the point I am up to.

by LordInfidel In reply to Or possibly

The problem with that, as I have found out, is that when you restrict delivery to that account, the account it replies back to the sender with is the postmaster account.

Now the infected person has a new e-mail in their inbox. This time from the postmaster address. Which for obvious reasons the postmaster accounts need to remain open/available for mail.

It is a never-ending cycle, which is why I am advocating *not* contacting the infected host, but instead contacting their admin/postmaster. Let them deal with it.


I understand choosing not do the cycle,

by admin In reply to This is the point I am up ...

But if you first send a manual reply, it should not go to the postmaster, but rather should be addressed to the sender. After this one manual send, it should then come back to the account you created and automatically be refused and auto-reply again to the sender if they are sending without knowing it, until they either get a clue or their admin does. Basically, when your network receives the first, or your AV blocks it, just address a pre-made message from your "virusalert" account.

You may be too big to send the first one manually, or, perhaps, I don't see what is wrong with this, or perhaps I'm not explaining very clearly, or just don't understand something. I have had people get mad, but that's usually good when they see that they are creating the problem and then fix it.


Additionally,

by admin In reply to I understand choosing no ...

I read back, and I know that everyone that sends us mail does not have a postmaster, or at least not one handy to them (at their ISP etc.); therefore, sending to the postmaster would perhaps never reach the sender.

The dilemma was:

>> The next time they reboot, the virus spreads again. And is sent back to me twice since now I have 2 e-mails in their inbox.

>> So now we have a dilemma. How do we alert the user and avoid receiving the virus?

Creating a specific account for this makes sure the user is alerted every time they send us a message. The alert would contain instructions to send questions to another account they could reach us at, but if the virus sent a reply, they would just receive another notice that they sent us something and we would avoid receiving the virus on our network.

Actually, I am not even sure if you can set Exchange up to do this, so this may be another point where you would have to have the account on a separate mail server.....

Anyway, just one way to accomplish this.... Yours does sound like it works quite well.

One downside to the way I am proposing that I am quite aware of is that sometimes we have a problem when there are auto-responders on each end and you have to have a way to detect and stop the loop once it gets to a certain point.

:)
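The loop the post above worries about (two auto-responders answering each other, or a notice provoking a bounce that provokes another notice) is avoidable if the responder refuses to answer mail that is itself automatic and rate-limits what it sends per sender. The following is an added example, not code from the thread or from any product mentioned in it: the Auto-Submitted and Precedence conventions it checks and sets come from RFC 3834, X-Auto-Response-Suppress is a Microsoft convention, and the virusalert@mydomain.com account, the 24-hour window, the five-notice cap and both sample messages are assumptions constructed for the example.

```python
"""Loop-safe auto-responder for virus notices: never answer automatic mail,
and send at most one notice per sender per window. Added example."""
from datetime import datetime, timedelta
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr, formatdate

NOTICE_FROM = "virusalert@mydomain.com"   # assumed notifying account
WINDOW = timedelta(hours=24)              # at most one notice per sender per window
MAX_NOTICES = 5                           # after this many, go silent for that sender

# Constructed sample: a worm-generated message as received.
WORM_RAW = "\n".join([
    "Return-Path: <auser@example.net>",
    "Received: from aol.com (d6.as1.gryl.mi.a.remotedomain.net [192.0.2.77])",
    "\tby mail5.a.remotedomain.net with SMTP id fASJt4Q42609",
    "\tfor <user@mydomain.com>; Wed, 28 Nov 2001 14:55:05 -0500 (EST)",
    'From: "user name" <auser@example.net>',
    "To: auser@mydomain.com",
    "Subject: Re:",
    "Message-Id: <200111281955.fASJt4Q42609@mail5.a.remotedomain.net>",
    "X-Unsent: 1",
    "", "(worm body omitted)", "",
])

# Constructed sample: the kind of bounce the thread describes coming back
# from the other side's postmaster. Answering it would start the ping-pong.
BOUNCE_RAW = "\n".join([
    "Return-Path: <>",
    "From: postmaster@example.net",
    "To: virusalert@mydomain.com",
    "Subject: Undeliverable: Your computer sent us a virus (BadTrans)",
    "Auto-Submitted: auto-replied",
    "", "Delivery to the following recipients failed.", "",
])

AUTO_PRECEDENCE = ("bulk", "list", "junk", "auto_reply")


def parse_message(raw):
    return message_from_string(raw)


def is_automatic(msg):
    """True if the message is itself an automatic response, bounce or DSN,
    i.e. something a responder must never answer (RFC 3834 section 2)."""
    auto = (msg.get("Auto-Submitted") or "no").split(";")[0].strip().lower()
    if auto != "no":
        return True
    if (msg.get("Precedence") or "").strip().lower() in AUTO_PRECEDENCE:
        return True
    if msg.get("X-Auto-Response-Suppress"):
        return True
    if "Return-Path" in msg and parseaddr(msg["Return-Path"])[1] == "":
        return True                      # null envelope sender: a bounce
    local = parseaddr(msg.get("From", ""))[1].split("@")[0].lower()
    return local in ("mailer-daemon", "postmaster")


class NoticeThrottle:
    """In-memory per-sender rate limiter (persist this in production)."""

    def __init__(self, window=WINDOW, max_notices=MAX_NOTICES):
        self.window, self.max_notices = window, max_notices
        self.last_sent, self.count = {}, {}

    def allow(self, sender, now):
        sender = sender.lower()
        if self.count.get(sender, 0) >= self.max_notices:
            return False
        last = self.last_sent.get(sender)
        if last is not None and now - last < self.window:
            return False
        self.last_sent[sender] = now
        self.count[sender] = self.count.get(sender, 0) + 1
        return True


def decide(msg, throttle, now):
    """Return the address to notify, or None if no notice should go out."""
    if is_automatic(msg):
        return None
    sender = parseaddr(msg.get("From", ""))[1]
    if not sender:
        return None
    return sender if throttle.allow(sender, now) else None


def build_autoreply(msg, sender):
    """The notice, marked so that a compliant responder on the other end
    will not answer it in turn."""
    reply = EmailMessage()
    reply["From"] = NOTICE_FROM
    reply["To"] = sender
    reply["Subject"] = "Your computer sent us a virus (BadTrans)"
    reply["Date"] = formatdate(localtime=True)
    if msg.get("Message-Id"):
        reply["In-Reply-To"] = msg["Message-Id"]
        reply["References"] = msg["Message-Id"]
    reply["Auto-Submitted"] = "auto-replied"    # RFC 3834
    reply["Precedence"] = "bulk"
    reply["X-Auto-Response-Suppress"] = "All"   # Microsoft convention
    reply.set_content("Mail from your address carried the BadTrans virus and was "
                      "not delivered. Please clean your machine. Do not reply to "
                      "this address; it does not accept mail.\n")
    return reply


if __name__ == "__main__":
    throttle, now = NoticeThrottle(), datetime(2001, 11, 28, 15, 0)
    print(decide(parse_message(WORM_RAW), throttle, now))     # auser@example.net
    print(decide(parse_message(BOUNCE_RAW), throttle, now))   # None
```

The decisive control is the first one: a notice that is itself marked automatic, and a responder that declines to answer anything so marked (or anything from a null envelope sender, mailer-daemon or postmaster), cannot feed a loop with a compliant peer; the throttle is the backstop for the non-compliant ones, and it is also what keeps a machine that re-sends on every reboot from generating a notice per reboot.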


I understand what you are saying....

by LordInfidel In reply to I understand choosing no ...

I usually send as my postmaster account.

I guess I could make an account like youhaveavirus or something stupid like that.

In Exchange you have the option of specifying who can send to a mailbox. If you're not on the accept list, an RFC-compliant message is sent back. Technically it's not an auto-reply, but it is.

But when the bounce-back message is sent, it is sent out as postmaster. So again it's a quandary. They will eventually get the postmaster e-mail address into their inbox and the virus will again be sent to you.

(Obviously I am patched, have my preview pane off, and my AV at the gateway blocks the file extensions anyway.)


Sorry for hammering this...

by admin In reply to I understand what you are ...

Yeah, we stopped using Exchange as our mail server some time ago; I was wondering if your solution was related to Exchange. Obviously it won't work if it's sent out as postmaster.

:)
