I've got an E-mail that went from one of my users to one of my users. user1@domain.com to user1@domain.com or at least that's what the message says. The sending server is outside though. Here is the message header.
MAIL FROM: kquadere@chesaning.k12.mi.us
RCPT TO: kquadere@chesaning.k12.mi.us
Received: from chesaning.k12.mi.us
([198.173.223.122])
by chesaning.k12.mi.us; Thu, 07 Nov 2002 12:05:24 -0500
FROM: <kquadere@chesaning.k12.mi.us>
DATE: Thu, 7 Nov 2002 12:03:21+0000
X-Mailer: EBT Reporter v 2.x
TO: kquadere@chesaning.k12.mi.us
subject:
Mime-Version: 1.0
Content-Type: multipart/related;
type="multipart/alternative";
boundary="====_ABC1234567890DEF_===="
X-Priority: 3
X-MSMail-Priority: Normal
The message contained a readme.exe which was infected and the message was
Hello,
Product Name: Microsoft Windows XP
Product Id: 55274-OEM-0011903-00101
Process List:
NtLmSsp NT LM Security Support Provider
ProtectedStorage Protected Storage
SamSs Security Accounts Manager
SharedAccess Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)
SysmonLog Performance Logs and Alerts
NtLmSsp NT LM Security Support Provider
ProtectedStorage Protected Storage
SamSs Security Accounts Manager
SharedAccess Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)
SysmonLog Performance Logs and Alerts
Thank you.
Any ideas how to tell where this came from? Or how to stop it?
Thanks.
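An added example, not part of the original post: a Python check over the header quoted above that compares the names the sender supplied (HELO name, envelope sender) with the peer IP the receiving server recorded in its Received line. `LOCAL_NETS` is a placeholder range, and treating the `by` host as the local mail domain is an assumption.

```python
import ipaddress
import re
from email import message_from_string

# Envelope and header values copied from the post. MAIL FROM / RCPT TO are
# SMTP envelope commands, not header fields, so they are kept separately.
ENVELOPE_FROM = "kquadere@chesaning.k12.mi.us"
ENVELOPE_TO = "kquadere@chesaning.k12.mi.us"
HEADERS = """\
Received: from chesaning.k12.mi.us
 ([198.173.223.122])
 by chesaning.k12.mi.us; Thu, 07 Nov 2002 12:05:24 -0500
FROM: <kquadere@chesaning.k12.mi.us>
TO: kquadere@chesaning.k12.mi.us

"""

# ASSUMPTION: placeholder range standing in for the site's own mail hosts.
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*\(?\s*\[(?P<ip>[0-9.]+)\]\s*\)?\s*"
    r"by\s+(?P<by>[^\s;]+)", re.IGNORECASE)


def analyze(headers, env_from, env_to, local_nets):
    """Compare what the sender claimed with what the receiving server saw."""
    msg = message_from_string(headers)
    # The topmost Received field is the one stamped by the receiving server;
    # unfold it onto one line before matching.
    top = " ".join(msg.get_all("Received")[0].split())
    m = RECEIVED_RE.search(top)
    if m is None:
        raise ValueError("unrecognized Received format: " + top)
    peer = ipaddress.ip_address(m["ip"])
    external = not any(peer in net for net in local_nets)
    our_domain = m["by"].lower()  # assumption: 'by' host equals the mail domain
    findings = []
    if external and m["helo"].lower() == our_domain:
        findings.append("HELO name is our own domain but peer IP is outside")
    if external and env_from.rsplit("@", 1)[-1].lower() == our_domain:
        findings.append("envelope sender uses our domain from an outside IP")
    if env_from.lower() == env_to.lower():
        findings.append("envelope sender equals recipient")
    return {"peer_ip": str(peer), "external": external, "findings": findings}


if __name__ == "__main__":
    print(analyze(HEADERS, ENVELOPE_FROM, ENVELOPE_TO, LOCAL_NETS))
```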