RE: Tracking Klez on exchange 2k.

2002-07-23 Thread Fioon

Hi! I'm having the same problem. Have you solved it?

-Original Message-
From: Jeremy Pinquist [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 18, 2002 10:25 PM
To: Exchange Discussions
Subject: Tracking Klez on exchange 2k.


Yes, I'm running antivirus, as well as blocking extensions. (Norton for
Exchange 2.5)
I have a sneaking suspicion that a user, perhaps a remote access machine
that's connecting to Exchange, may be infected. I'd like to hunt down the
offender and chew them out. Does the message tracking center in System
Manager pull the true sender's email addy, or the Klez'ed spoofed one?  I've
got NAV CE running on all the on-site workstations, so I'm moderately sure
it's no one in my building, but I want to make sure.  Question:  If a user
who is using Outlook for Corp/Workgroup settings is infected, will Klez send
itself out via the Outlook-Exchange connection, or will it still use SMTP to
distribute itself?  If it does worm thru Outlook, does it still spoof the
name? If it does, how can you tell the true originator without any headers?
Couldn't find anything on Symantec's website about this.

Jeremy

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Archives:   http://www.swynk.com/sitesearch/search.asp
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]



RE: Tracking Klez on exchange 2k.

2002-07-18 Thread Chris Scharff

Klez has its own SMTP engine; you'd need to look at the message headers to
determine the IP address of the person infected.

 -Original Message-
 From: Jeremy Pinquist [mailto:[EMAIL PROTECTED]]
 Sent: Thursday, July 18, 2002 9:25 AM
 To: Exchange Discussions
 Subject: Tracking Klez on exchange 2k.
 
 Yes, I'm running antivirus, as well as blocking extensions. (Norton for
 Exchange 2.5)
 I have a sneaking suspicion that a user, perhaps a remote access machine
 that's connecting to Exchange, may be infected. I'd like to hunt down the
 offender and chew them out. Does the message tracking center in System
 Manager pull the true sender's email addy, or the Klez'ed spoofed one?
 I've got NAV CE running on all the on-site workstations, so I'm moderately
 sure it's no one in my building, but I want to make sure.  Question:  If a
 user who is using Outlook for Corp/Workgroup settings is infected, will
 Klez send itself out via the Outlook-Exchange connection, or will it still
 use SMTP to distribute itself?  If it does worm thru Outlook, does it
 still spoof the name? If it does, how can you tell the true originator
 without any headers? Couldn't find anything on Symantec's website about
 this.
 
 Jeremy
 

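The header check described in the reply above, as an added example that is not part of the original thread: it walks the Received headers from the newest hop down, trusts only lines written by servers you run, and reports the IP that connected to the last of them alongside the spoofed From address. The sample message, host names, IP addresses and the `TRUSTED` set are constructed assumptions.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

# Constructed sample (not from the thread); all hosts and IPs are made-up
# documentation values. The bottom Received line stands in for a forged one.
SAMPLE = """\
Received: from gw.example.com ([192.0.2.10]) by exch01.example.com with Microsoft SMTPSVC(5.0.2195.4905);
\t Thu, 18 Jul 2002 09:12:44 -0500
Received: from Abcdef (dialup-77.isp.example [198.51.100.77]) by gw.example.com (8.11.6/8.11.6) with SMTP id g6IECf123456;
\t Thu, 18 Jul 2002 09:12:41 -0500
Received: from mail.forged.example ([203.0.113.5]) by relay.forged.example; Thu, 18 Jul 2002 08:00:00 -0500
From: "Innocent User" <someone.else@example.org>
To: victim@example.com
Subject: A very funny website

body
"""

# Assumption: names of the mail servers you operate, as they appear after "by".
TRUSTED = {"exch01.example.com", "gw.example.com"}

BY_RE = re.compile(r"\bby\s+([\w.-]+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def trace_origin(raw, trusted=TRUSTED):
    """Return (claimed From address, connecting IP, trusted server that logged it)."""
    msg = email.message_from_string(raw)
    origin_ip = seen_by = None
    # Received headers are prepended, so the first one is the most recent hop.
    for hop in msg.get_all("Received", []):
        by = BY_RE.search(hop)
        if not by or by.group(1).lower() not in trusted:
            break  # written by a host you do not control, so it may be forged
        ip = IP_RE.search(hop)
        if ip:
            ipaddress.ip_address(ip.group(1))  # ValueError on a malformed address
            origin_ip, seen_by = ip.group(1), by.group(1).lower()
    return parseaddr(msg.get("From", ""))[1], origin_ip, seen_by


if __name__ == "__main__":
    print(trace_origin(SAMPLE))
```

The returned IP can then be matched against DHCP or remote-access logs for the timestamp on that Received line to identify the machine.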