General discussion

User ID Stolen by spammer

By Coors ·
I have a couple of users who are getting mail returned to their mailboxes regarding e-mail they have never sent. These are spam messages that are being sent out under their e-mail accounts without their consent or knowledge. Is there any way to stop this from occurring? We are using Exchange 5.5 and Outlook 97 and 2000.

About 5 months ago we closed our Exchange Server to Open Relays. However, just lately spammers are starting to send out e-mail with our users' return e-mail addresses. I had posted an earlier message and accidentally awarded the points because I am new to the Q&A thing.

This conversation is currently closed to new comments.

7 total posts (Page 1 of 1)  
All Comments

User ID Stolen by spammer

by adeal In reply to User ID Stolen by spammer

Have you checked the header information to verify that the e-mails are actually coming from your server? It's very easy to fake an outbound e-mail address, but the header info is a little harder.
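
The header check suggested in this reply, as an added example that is not part of the original thread: a Python sketch that reads the Received headers of the original message quoted in a bounce and lists the hops that name your own relay. The host name `mail.example.com` and the `192.0.2.0/24` range are assumed placeholder values, and both sample header sets are constructed.

```python
import email
import ipaddress
import re

# Assumed placeholder values: replace with your own relay name and address range.
OUR_HOSTS = {"mail.example.com"}
OUR_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample headers, as they would appear in the returned-message part of a bounce.
TAIL = "From: alice@example.com\nTo: bob@recipient.example\nSubject: constructed sample\n\n"
# Sender address is ours, but the only hop is a machine outside our network.
FORGED = (
    "Received: from unknown-pc (dsl77.isp.example [203.0.113.77])\n"
    "\tby mx.recipient.example with SMTP; Mon, 6 May 2002 10:15:00 -0400\n"
    + TAIL)
# Same message when it really was handed to the recipient by our relay.
GENUINE = (
    "Received: from mail.example.com (mail.example.com [192.0.2.10])\n"
    "\tby mx.recipient.example with SMTP; Mon, 6 May 2002 10:15:00 -0400\n"
    "Received: from alice-pc ([192.0.2.55]) by mail.example.com;\n"
    "\tMon, 6 May 2002 10:14:58 -0400\n"
    + TAIL)

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HOST_RE = re.compile(r"\b(?:from|by)\s+([A-Za-z0-9.-]+)")

def is_ours(ip_text):
    """True if the bracketed address falls inside one of our networks."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:  # malformed address such as 999.1.1.1
        return False
    return any(ip in net for net in OUR_NETS)

def hops_through_us(raw_headers):
    """Return the Received headers that name our relay or an address in our range."""
    msg = email.message_from_string(raw_headers)
    hits = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        hosts = {h.lower().rstrip(".") for h in HOST_RE.findall(flat)}
        if hosts & OUR_HOSTS or any(is_ours(ip) for ip in IP_RE.findall(flat)):
            hits.append(flat)
    return hits

def verdict(raw_headers):
    """No hit: the mail never touched our relay. A hit: confirm in the server logs."""
    return "check server logs" if hops_through_us(raw_headers) else "forged sender"
```

An empty result means the message did not pass through your relay and only the sender address was borrowed. A hit is a lead to confirm against the server's own logs, because Received lines below the recipient's own hop can be forged.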

User ID Stolen by spammer

by Coors In reply to User ID Stolen by spammer

The header info was intact.

User ID Stolen by spammer

by Still_learning In reply to User ID Stolen by spammer

Sounds an awful lot like the W32.Klez.H@mm virus. Go to the following web site and follow the instructions for clearing out the virus:
http://www.symantec.com/avcenter/venc/data/w32.klez.h@mm.html

Good luck. Hope this helps.

User ID Stolen by spammer

by Coors In reply to User ID Stolen by spammer

You were on the right track, but our servers and client computers all came up clean.

User ID Stolen by spammer

by [_Rick_> In reply to User ID Stolen by spammer

Agree with the second answer: it is the KLEZ.H worm that is the culprit. But I doubt that you are affected.

The KLEZ.H worm will impersonate at random an email address it finds in a message or address book on the system which is infected with the worm. Which means a customer, client, contact, partner, etc. of yours could be affected and the worm has built a list of addresses to use as return addresses and hit (send to) from them. This makes the worm very difficult to find and eliminate, because you don't know where it's 'really' coming from.

Best recommendation for your office, if using Outlook 2000 and IE 5.5/6.0: apply all security patches available. Some of the patches are strict - but they will stop an accidental outbreak of this worm. Also there is a May '02 patch for IE; using this patch with the Security Updates with Outlook will prevent the WORM from killing your own enterprise.

Installing these patches will place strict requirements on how attachments, addressing and the use of 3rd party software is used with Outlook. You should also install the Security Admin kit which will allow you to control the security measures of each Outlook client from the server.

Another key - have your FIREWALL port 25 directed to only accept outbound pass-through from your internal SMTP server and to decline all others. The KLEZ worm will use its own SMTP code to send outgoing messages.

Good luck.

User ID Stolen by spammer

by Coors In reply to User ID Stolen by spammer

This is the only thing that seems to make sense, thank you for your answer.

User ID Stolen by spammer

by Coors In reply to User ID Stolen by spammer

This question was closed by the author.
