RE: Life Insurance Spam with strange addressing

[Carl Houseman]

Title: Message

Would you clarify "gone to staff"?   Are you quite certain that EVERY individual on "staff" has received the identical spam?  I mean ask each and very one of them, or check message tracking in Exchange.   The logs should also be able to tell you whether you got 50 copies of the message for 50 recipients, or 1 copy that got to 50 people.  If only one copy came in and 50 people got it, then your DL is available to the outside world.  Do your DLs have Internet addresses?   Carl   -----Original Message----- From: William Smith [mailto:[EMAIL PROTECTED]] Sent: Tuesday, June 18, 2002 1:19 PM To: MS-Exchange Admin Issues Subject: RE: Life Insurance Spam with strange addressing Ok.  I misread one of the lines in the header. The messages are indeed coming from another source (one hosted by Cogent the other won't resolve) hitting our fw then exchange.  I can see the idea of addressing to me from me, but how would this explain that the messages appear to have gone to staff, unless they did it one by one. Also not my staff mailing/distro lists are not accessible from the outside. Thanks for your input, W -----Original Message----- From: Purviance, Chad [mailto:[EMAIL PROTECTED]] Sent: Tuesday, June 18, 2002 12:12 PM To: MS-Exchange Admin Issues Subject: RE: Life Insurance Spam with strange addressing William             Review the actual header of the message (View, Options, Internet Headers) and see where it really originated and if it even used your system. It is a common practice now to send mail to you from you.   CJP   -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Tuesday, June 18, 2002 11:00 AM To: [EMAIL PROTECTED] Subject: Life Insurance Spam with strange addressing     Has anyone seen a recent crop of Life Insurance spam coming in with strange addressing? Last week we received the 2 emails. Normally I wouldn't be concerned with spam like this, but if I look at the addressing it is coming from a valid address (of course it has to be of two executives...) and then delivering to staff.  The first message reads from [EMAIL PROTECTED], to [EMAIL PROTECTED] but was delivered to staff. The second message reads from [EMAIL PROTECTED], to [EMAIL PROTECTED], and again was delivered to staff. The thing that really makes me wonder is that [EMAIL PROTECTED] no longer works here and her email address is hidden from the address book. The headers indicate that the messages are coming from our mail server, but obviously we aren't sending our self spam. Is there a way to spoof this? Possibly a worm? I've found references to the subject lines on Google, but no one mentions the addressing issue, only that it is spam. These are the subjects: $250,000 policy for only $8.50/month! Best Life Insurance, Lowest Cost. Thanks,   William L. Smith Systems Administrator Riptech, Inc. Real-Time Information Protection 2800 Eisenhower Avenue Alexandria, VA 22314 http://www.riptech.com w: (703) 373-5158 c:  (703) 946-0894 f:   (703) 373-6158 e:  [EMAIL PROTECTED] List Charter and FAQ at: http://www.sunbelt-software.com/exchange_list_charter.htm