General discussion


Netsky is on the attack!

By buschman_007
Ok so a basic layout of my LAN:

30 or so servers (mostly application/DB servers running Win 2K Server)

All my domain, exchange, and file servers are 2K3.

I have Symantec corp Ed and Mail Security 4.5.

I have a SonicWALL firewall.

I have a direct T1 to a sister company in India.

The problem:
I'm getting around 200 virus hits on Symantec mail security between ~11pm and 8am every night. All the hits are W32.Netsky.P@mm.

The sender is always

The recipients vary, but they seem based off older Maryland and India names.

What I have checked:
I have reverified that I'm not an open relay.

I have attempted to utilize ethereal to examine packet flow. But alas I am not experienced enough with this software package to decipher what it is telling me.

Am I getting blasted from the outside? If so why isn't my firewall/Anti-Spam/Anti-Virus blocking it before it gets to my mail server?

If it's internal (what I suspect), how can I figure out which machine is sending these messages? If it's someone in India I'm going to need some sort of proof to show the admin over there that his machine has a problem.

Your advice is appreciated.


5 total posts (Page 1 of 1)

by ReWrite In reply to Netsky is on the attack!

About the only thing I know of to do would be to examine the originator IP address in the message headers and determine if they are all coming from the same place (or maybe a limited group). The from name is probably being spoofed, but the IP addresses cannot be spoofed.

You can then take the IP address and plug it into a whois server to see where it is located, or do a traceroute on the IP address to see where it is located.
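A worked version of what ReWrite describes, as an added example that is not from the thread or from Symantec's tooling: it pulls the connecting host's IP from the Received: header that the local gateway stamped (the only hop the sender could not forge), sorts each hit into local LAN, sister site over the T1, or external, and tallies them so one infected PC stands out. The quarantined messages, the gateway name gw.example.test and the two address ranges are constructed placeholders.

```python
import ipaddress
import re
from collections import Counter
from email import message_from_string

# Constructed samples standing in for what the mail gateway quarantined.
# The From: line is forged (Netsky.P harvests addresses from the infected PC),
# so only the Received: chain is evidence. The topmost Received: header is the
# one our own gateway stamped; anything below it may have been written by the worm.
SAMPLES = [
    "Received: from pc-0427.example.test ([10.20.4.27]) by gw.example.test\n"
    "From: boss@example.test\nSubject: Re: Your document\n\n",
    "Received: from pc-0427.example.test ([10.20.4.27]) by gw.example.test\n"
    "From: hr@example.test\nSubject: Re: Thanks!\n\n",
    "Received: from host.example.test ([172.16.9.5]) by gw.example.test\n"
    "From: boss@example.test\nSubject: Re: Document\n\n",
    "Received: from [203.0.113.77] by gw.example.test\n"
    "From: boss@example.test\nSubject: Re: Hello\n\n",
]

# Placeholder address plans: the local LAN and the sister site over the T1.
LOCAL_LAN = [ipaddress.ip_network("10.20.0.0/16")]
SISTER_SITE = [ipaddress.ip_network("172.16.0.0/16")]
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def connecting_ip(raw):
    """IP of the host that handed the message to our gateway.
    Read from the first (most recent) Received: header only."""
    received = message_from_string(raw).get_all("Received", [])
    if not received:
        return None
    m = BRACKETED_IP.search(received[0])
    return m.group(1) if m else None

def classify(ip):
    """Name the network the connecting host belongs to."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in LOCAL_LAN):
        return "local LAN"
    if any(addr in net for net in SISTER_SITE):
        return "sister site"
    return "external"

def tally(raw_messages):
    """Count quarantined messages per (IP, network) so the noisy host stands out."""
    counts = Counter()
    for raw in raw_messages:
        ip = connecting_ip(raw)
        if ip:
            counts[(ip, classify(ip))] += 1
    return counts

for (ip, where), n in tally(SAMPLES).most_common():
    print(f"{n:4d}  {ip:<15} {where}")
```

Run it over the raw headers exported from the quarantine; a sister-site address with a high count is the evidence to hand the remote admin, while an external address means the gateway is doing its job and the worm is elsewhere.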




by buschman_007 In reply to

How do I find the original IP address? Neither Exchange nor Symantec seem to be forwarding that information on. Or if they are, I'm not sure how to view it.

Thanks for the answer though.


by LiamE In reply to Netsky is on the attack!

It actually sounds like you are being spoofed.

In any case, have you carried out a scan of the workstations on your end of the network yet? Sounds like time for a full scan, PC by PC. I'm not familiar with Symantec Corp Ed - does it come with 'on access' and 'on demand' desktop scanners, and if so are they configured, and again if yes, has there been anything thrown up by them?

Do you have an adware scanner? Many if not most adware/malware programs don't get picked up by virus scans, and unless you don't let your users use the internet at all it's very safe to assume that you have plenty of unwanted programs hanging around causing problems. Downloader bots are particularly effective at causing grief. If you haven't already, get something like Spybot or Ad-Aware on the PCs while you are doing the virus scans.

As to why a virus mail can't be stopped before it gets to the mail server, as I'm sure you know, it's because messages are not sent like letters in the post - they are sent in chunks - like bits of a jigsaw - and it's only when the jigsaw is put together (ie at the mail server) that the picture can be seen and a virus detected. A firewall blocks activity on a port by port basis - and virus email uses the same port as all the rest of the good stuff, so that's not going to help. So of course it's left to the mail scanner, where it's correctly being picked up at the first opportunity.


by buschman_007 In reply to

Looks like I might need to do a machine by machine scan. While Symantec Corp does allow me to force scans on those that are connected, it doesn't on those that are out of contact, having an issue, or not managed by the Corp server.



by buschman_007 In reply to Netsky is on the attack!

This question was closed by the author
