Plusnet Phishing report

So, I get an email from PlusNet abuse informing me that a computer on my lan has been sending out phishing emails.

Sure enough, our public IP is listed in the FROM: header, complete with a valid hostname of a computer on our LAN. However, I've checked and double-checked that computer and no virus/worm exists.

How was the phishing email originated from the machine in question?
5 REPLIES

Plusnet Phishing report

Worm, Virus, Spyware?

Plusnet Phishing report

How is your network setup?
Do you have a proxy server in place that is open to abuse by others?

Plusnet Phishing report

No proxy here. ADSL router in -> Symantec firewall appliance -> LAN. Win2003 box hosts local DNS.

I'm thinking along the lines that the header has been spoofed, but...to get our IP address AND hostname of a workstation on the lan correct I think is stretching it...

The machine in question scans clean for spyware/viruses, and for PlusNet to have reported this latest incident to me only once suggests it might've been caused by a Java-type application (the only variant that seems to escape virus-scanning inoculation) that has since been deleted/removed by the user.

Does anyone know of any particular worm/virus that is responsible for zombifying machines to send out the SouthTrust Bank phishing mails? I've searched and searched on Google, and not really come up with anything concrete...

Plusnet Phishing report

Couldn't it be that they'd 'captured' the details from some event earlier in time?
Seems too suspect to be a fluke; there has to be a way that they've discovered the details and used them later on, or actually sent them via your machine.
How is your mail handled internally? Is there a mailserver whose logs you can query to check if they actually were from one of your machines?

Plusnet Phishing report

We've got an exchange server here, and looking at the headers that plusnet sent to me concerning this "abuse", there is absolutely nothing there to suggest the mail went anywhere near our server. The connection and relay settings of our server are all locked down to IP address of our peers. In this case, inbound and outbound is via MessageLabs.

If anyone wants to take a look at these headers, perhaps some more light might be shone on the problem:

[ Offending message ]
Return-Path:
Delivery-Date: Fri, 17 Jun 2005 10:41:54 +0100
Received: from C2bthimr09.btconnect.com (actually host 218.73.73.194.in-addr.arpa) by dswu27.btconnect.com with SMTP-IBMR (XT-PP) with ESMTP; Fri, 17 Jun 2005 10:41:53 +0100
Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.183])
by C2bthimr09.btconnect.com (MOS 3.5.8-GR)
with ESMTP id BJD96411;
Fri, 17 Jun 2005 10:35:28 +0100 (BST)
Received: from [VALID IP ADDRESS] (helo=VALID HOSTNAME ON MY LAN)
by mxeu7.kundenserver.de with ESMTP (Nemesis),
id 0MKsxo-1DjCsg1tBu-0008Uo for x; Fri, 17 Jun 2005 11:11:18 +0200
From: "SOUTHTRUST BANK"
To:
Subject: *SPAM?* Customer Notification: Data Confirmation Fri, 17 Jun 2005 10:13:21 +0100
X-Old-Subject: Customer Notification: Data Confirmation Fri, 17 Jun 2005 10:13:21 +0100
Date: Fri, 17 Jun 2005 10:13:21 +0100
Message-ID:
X-MSMail-Priority: Normal
X-Priority: 3
MIME-Version: 1.0
Content-Type: multipart/related;
type="multipart/alternative";
boundary="----hajmeqmbhbaunbymyezgvqcu"
X-Mailer: WEBMail
X-Junkmail: UCE(125)
X-Junkmail-Status: score=125/90, host=C2bthimr09.btconnect.com
X-Antivirus: AVG for E-mail 7.0.323 [267.7.7]
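A way to read the Received: chain quoted above, as an added example (not code from the original post or from Plusnet). The point it makes: MTAs prepend Received: lines, so the bottom one (written by mxeu7.kundenserver.de) is the first hop. The IP in square brackets on that line was recorded by the receiving server from the TCP connection it accepted, which a sender cannot practically forge, whereas the helo= name is whatever the connecting client announced about itself. A LAN workstation's name in HELO next to the site's public IP therefore fits a host behind the NAT talking straight to an outside MX on port 25, bypassing the site's own mail server, which is also why nothing in the chain mentions it. The redacted values are replaced with the documentation placeholders 203.0.113.10 and WORKSTATION01, and the relay name "messagelabs" is taken from the post; all three are assumptions for the example.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed copy of the headers quoted in the thread (added example, not
# the original post). Redacted values replaced with placeholders:
# 203.0.113.10 for the public IP, WORKSTATION01 for the LAN hostname.
SAMPLE_HEADERS = """\
Return-Path:
Delivery-Date: Fri, 17 Jun 2005 10:41:54 +0100
Received: from C2bthimr09.btconnect.com (actually host 218.73.73.194.in-addr.arpa) by dswu27.btconnect.com with SMTP-IBMR (XT-PP) with ESMTP; Fri, 17 Jun 2005 10:41:53 +0100
Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.183])
    by C2bthimr09.btconnect.com (MOS 3.5.8-GR)
    with ESMTP id BJD96411;
    Fri, 17 Jun 2005 10:35:28 +0100 (BST)
Received: from [203.0.113.10] (helo=WORKSTATION01)
    by mxeu7.kundenserver.de with ESMTP (Nemesis),
    id 0MKsxo-1DjCsg1tBu-0008Uo for x; Fri, 17 Jun 2005 11:11:18 +0200
From: "SOUTHTRUST BANK"
Subject: Customer Notification: Data Confirmation
Date: Fri, 17 Jun 2005 10:13:21 +0100
X-Mailer: WEBMail

(body omitted)
"""

FROM_RE = re.compile(r"^from\s+(\S+)(?:\s+\(([^)]*)\))?", re.I)
BY_RE = re.compile(r"\bby\s+(\S+)", re.I)
BRACKET_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
PTR_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\.in-addr\.arpa", re.I)


def connecting_ip(from_token, comment):
    """Peer address the *receiving* MTA logged from the TCP connection.
    Unlike the HELO name, the sender does not get to choose this."""
    m = BRACKET_IP_RE.search(from_token + " " + comment)
    if m:
        return m.group(1)
    m = PTR_RE.search(comment)  # only a PTR name was logged: un-reverse it
    if m:
        return ".".join(reversed(m.group(1).split(".")))
    return None


def parse_received(value):
    flat = " ".join(value.split())  # unfold continuation lines
    fm = FROM_RE.match(flat)
    from_token = fm.group(1) if fm else ""
    comment = (fm.group(2) or "") if fm else ""
    helo = re.search(r"helo=([^\s)]+)", comment, re.I)
    by = BY_RE.search(flat)
    when = parsedate_to_datetime(flat.rsplit(";", 1)[1].strip()) if ";" in flat else None
    return {
        "claimed": helo.group(1) if helo else from_token,  # sender-supplied
        "ip": connecting_ip(from_token, comment),           # receiver-recorded
        "by": by.group(1).rstrip(",") if by else "",
        "when": when,
    }


def received_hops(raw):
    """Hops in transit order: each MTA prepends its Received:, so the last
    header in the message is the first hop, the only one that saw the sender."""
    msg = message_from_string(raw)
    return [parse_received(v) for v in reversed(msg.get_all("Received", []))]


def chain_is_monotonic(hops):
    times = [h["when"] for h in hops if h["when"]]
    return all(a <= b for a, b in zip(times, times[1:]))


def date_skew_seconds(raw, hops):
    """Date: header minus first-hop receipt time; a Date: later than the
    first server's clock means the sending tool's clock is not to be trusted."""
    claimed = parsedate_to_datetime(message_from_string(raw)["Date"])
    return (claimed - hops[0]["when"]).total_seconds()


def analyze(raw, public_ip, lan_hosts, expected_relay):
    """Did the mail leave via our normal relay, or did a host behind our
    NAT submit it straight to an outside MX?"""
    hops = received_hops(raw)
    first = hops[0]
    seen = " ".join(h["by"] + " " + h["claimed"] for h in hops).lower()
    return {
        "first_hop_ip_is_ours": first["ip"] == public_ip,
        "lan_name_leaked_in_helo": first["claimed"] in lan_hosts,
        "submitted_directly_to": first["by"],
        "passed_through_expected_relay": expected_relay.lower() in seen,
        "chain_times_consistent": chain_is_monotonic(hops),
        "date_minus_first_hop_s": date_skew_seconds(raw, hops),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_HEADERS, "203.0.113.10", {"WORKSTATION01"}, "messagelabs")
    for key, val in report.items():
        print(f"{key:32} {val}")
```

Two caveats when using this on real reports. Only the Received: lines written by servers you trust are evidence; a sender can prepend forged Received: lines of its own, but those would sit below the first trusted one, and here the line written by the outside MX is already the bottom of the chain. And the recorded connecting address is the site's NAT address, so identifying which internal host opened the outbound port 25 connection needs the firewall's own connection logs for that timestamp, not the headers.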