An unknown intruder has been able to spam our network and send users to pornography sites. I don't know how the intruder got my company's internal addresses. The e-mail appears to be sent to ourselves as "email@example.com," where "xxx.xxxxx.xxx" is the name of any organization. There is no mailbox in our network called "data." Further, there appears to be nothing outstanding within the headers or components of the messages. We're stumped. Do you have any idea how the intruder is doing this?
This question posed on 19 June 2002
This sounds like one of the fun Klez-like worms that have been making the rounds of the Web in recent months. Nasty buggers that spoof their "From" headers and proliferate their destinations from the Address Books and even entire hard drives of their unfortunate victims. Some simply deliver a mass-mailer payload, while others exhibit the behavior you describe of directing users to pornographic Web sites. The best technical explanations of the inner workings of e-mail viruses ("how the intruder is doing this") can be found at www.sarc.com, or at the vendor site for Symantec, Network Associates, etc.
As is the case with any e-mail-borne virus, your first and best line of defense is a properly-functioning and frequently-updated antivirus program. Further, if you are maintaining your own e-mail server, ensure that your message transit agents (MTAs) are sufficiently configured to NOT allow spam or mail-relaying. This is a good practice to follow even if you weren't facing this difficulty.
Using MS Exchange as an example, the Exchange Internet Mail Service must be manually configured to "reject any e-mail message that does not have a valid recipient on this server." It's a quick configuration to make, but one that must be manually set nonetheless. If your e-mail is outsourced to an external provider, call them up and bug them to ensure that they are doing likewise.
Editor's note: You can sign up to have free security administration tips delivered to your inbox every Tuesday morning.