Thinking my network might be hacked...

IanGlinka

I've been getting a lot of message undeliverables from my Win2k Server's SMTP server postmaster regarding emails that I did not send.

I work in an office with about 50 computers (Win2k), but they are all patched and have updated Norton Corporate Edition virus definitions.

I've noticed many of the email addresses start with "_ink" or end with the "jojomail.com" domain.

I don't understand why this is happening. I think it might have something to do with the 9 or so LAN-LAN VPN tunnels we have set up with our clients. If one of their machines is infected with one of those new mass mailing worms, it could piggyback the VPN tunnel and start sending mails from our SMTP server, right?

Ian
 
Doesn't even need to be that complex, Ian. Most of the recent viruses have their own SMTP engine built in, so they don't need access to Exchange or anything else -- just an internet connection. I think you're in the right neighborhood with this line of reasoning, though.
 
I wouldn't worry about it. If you check the information you receive and look at the message details, you'll see the IP of the originating address (the address that sent the message) more than likely isn't yours.

The newer worms, as jpm121 indicated, have their own SMTP capabilities. They look up addresses in the address book of the infected computer and use those addresses as 'TO' and/or 'FROM' addresses.
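
The header check described in the reply above, as an added example that is not part of the original thread: it pulls the original message's headers out of a bounce and tests whether any relay IP in the Received lines falls inside your own ranges. The sample bounce, its addresses and `OWN_NETWORKS` are constructed placeholders.

```python
import email, ipaddress, re
from email import policy

# Assumption: constructed ranges standing in for your mail server and LAN.
OWN_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/28", "10.0.0.0/8")]

# Constructed sample bounce; its last MIME part holds the original headers.
SAMPLE_BOUNCE = """\
From: postmaster@mail.example.net
To: ian@example.com
Subject: Delivery Status Notification (Failure)
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Delivery to nobody@example.net failed.
--b1
Content-Type: text/rfc822-headers

Received: from pc7 (unknown [198.51.100.23]) by mail.example.net; Mon, 1 Mar 2004 10:00:00 -0500
From: ian@example.com
To: nobody@example.net

--b1--
"""

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # IPv4 literals only

def original_headers(raw_bounce):
    """Return the bounced message (or just its headers) carried inside the DSN."""
    bounce = email.message_from_string(raw_bounce, policy=policy.default)
    for part in bounce.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
        if part.get_content_type() == "text/rfc822-headers":
            return email.message_from_string(part.get_content(), policy=policy.default)
    return None

def relay_ips(msg):
    """IPs from Received headers, newest hop first. Only the top one was written
    by the server that bounced the mail; lower ones can be forged by the sender."""
    found = (BRACKETED_IP.search(str(h)) for h in msg.get_all("Received", []))
    return [ipaddress.ip_address(m.group(1)) for m in found if m]

def passed_through_own_network(raw_bounce):
    """Return (relay IPs, True if any of them is inside OWN_NETWORKS)."""
    msg = original_headers(raw_bounce)
    ips = relay_ips(msg) if msg is not None else []
    return ips, any(ip in net for ip in ips for net in OWN_NETWORKS)
```

A `False` result with a non-empty IP list matches the situation the replies describe: the From address is yours, but the sending host is not.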

 