Solved

How to find Trojan email origin

Posted on 2012-03-28
6
1,479 Views
Last Modified: 2012-04-16
Hi everyone,

We have been getting quite a few virus "Trojan.JS.Obfuscator.aa (v)" emails lately that are caught and quarantined by the email security program called "Vipre".  I would like to find out whether these Trojan emails in fact came from an external IP to internal, or whether there is any bot on our internal network sending these emails out.

Background:
We have a WatchGuard XCS email security appliance that acts as a gateway and filters all incoming emails before they get delivered to the Exchange server.  We have another email security program installed on the Exchange server called "Vipre", which then scans all emails for viruses, spyware, spam and attachments before they get delivered to users' mailboxes.

We received about 10 Trojan "Trojan.JS.Obfuscator.aa (v)" emails a couple of days ago, all of which came through at almost the same time and were caught and quarantined by "Vipre".  8 of these emails were from @ups.com, 1 from @hotmail.com, 1 from @gmail.com.  The subject was either "UPS tracking number xxxx" or "United Postal Service Tracking Nr xxx". The emails were sent to various internal email addresses.

Troubleshooting steps taken:
1. There was no log on the WatchGuard appliance for these Trojan emails to get any information about their origin. As per WatchGuard tech support, these emails didn't come from an external SMTP address.  The log files are available for all other emails.

2. The Exchange message tracking center doesn't show any logs for these emails.  The logs are available for all other incoming and outgoing emails.

3. The Vipre email security program doesn't have any detailed logs to find origin IP or domain information.

4. Since there was no other option, I released one of these quarantined emails from Vipre to my email address. The email header only has the information from when this email was released from Vipre; there was no previous history in the header.  Somehow the previous header history is stripped out.

I am stuck at this point as I couldn't find any evidence as to whether these emails came from external or internal. I am just worried that there is a bot in our internal network sending these emails.

Could you please let me know if there is any other way to find sender information for these emails? What do you suggest that I should do so that if it happens again I will capture more details about the email origin?


Thanks again for your help in advance. Much appreciated!
Question by:BeerTime
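The question comes down to reading the Received: chain of a retained copy of the message: each MTA prepends its own Received: line, so the oldest line (the last one) records the address that first handed the message to a server you control. The following is an added example, not code from the thread or from WatchGuard or Vipre; host names and addresses in the sample messages are constructed, and it also covers the case the asker hit, a copy whose headers were stripped on release from quarantine.

```python
import re
import ipaddress
from email import message_from_string

# Hops from these ranges are treated as internal (RFC 1918, loopback, link-local).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def received_hops(raw):
    """Parse Received headers into (from_host, from_ip, by_host), oldest hop first."""
    msg = message_from_string(raw)
    hops = []
    for hdr in msg.get_all("Received", []):
        text = " ".join(hdr.split())                 # unfold the header
        m_from = re.search(r"\bfrom\s+(\S+)", text)
        m_by = re.search(r"\bby\s+(\S+)", text)
        m_ip = IP_RE.search(text)
        hops.append((m_from.group(1) if m_from else None,
                     m_ip.group(1) if m_ip else None,
                     m_by.group(1) if m_by else None))
    # Each MTA prepends its own Received line, so the last one is the oldest.
    return list(reversed(hops))

def classify_origin(raw):
    """'external', 'internal', or 'unknown' (chain stripped or unparsable). Only the
    Received lines written by your own MTAs are trustworthy; lower ones may be forged."""
    hops = received_hops(raw)
    if not hops or hops[0][1] is None:
        return "unknown"
    return "internal" if is_internal(hops[0][1]) else "external"

# Constructed sample messages (not real mail from the thread).
EXTERNAL_MSG = (
    "Received: from xcs.corp.example (xcs.corp.example [192.168.1.10])\n"
    "\tby exch01.corp.example with ESMTP; Wed, 28 Mar 2012 09:02:11 -0400\n"
    "Received: from mail.example.net (mail.example.net [203.0.113.45])\n"
    "\tby xcs.corp.example with ESMTP; Wed, 28 Mar 2012 09:02:09 -0400\n"
    "\nbody\n")
INTERNAL_MSG = (
    "Received: from WKS-017 ([192.168.5.77])\n"
    "\tby exch01.corp.example with ESMTP; Wed, 28 Mar 2012 09:02:12 -0400\n"
    "\nbody\n")
STRIPPED_MSG = "Subject: released from quarantine\n\nbody\n"
```

For this to work the next time, the quarantine copy has to be exported with its original headers intact (or the gateway's own logs consulted), since a copy re-injected into Exchange carries only the headers added after release.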
6 Comments
 
LVL 81

Expert Comment

by:David Johnson, CD, MVP
ID: 37780668
I see these in my hotmail mail all of the time that gmail will not import as it notifies me that the files are infected. I'd not worry about it.
0
 
LVL 19

Assisted Solution

by:suriyaehnop
suriyaehnop earned 250 total points
ID: 37780743
If you know the sender email address then you can use message tracking to track that email, since the WatchGuard engineer informed you that the email was from external. Once tracking is done, look at the client IP address.
0
 

Author Comment

by:BeerTime
ID: 37781195
Thanks for your input.  The WatchGuard tech said there was no log to prove these emails came from external; in other words, they didn't pass through the WatchGuard appliance.

I checked the Exchange message tracker, searching by the sender and recipient email addresses that I saw in the quarantined messages, but found no results.  It is possible that Vipre may have removed these messages as suspected viruses, which is why I am not finding any results.

Thank you!
0
 
LVL 27

Assisted Solution

by:tliotta
tliotta earned 250 total points
ID: 37783822
...all came through almost at the same time...

I'd also look for (1) anything like a USB drive plugged in anywhere in your network just before that time, (2) anything like a laptop connecting to your network just before that time, (3) any connections over VPN, etc., into your network just before that time, and possibly anything similar to those. With both WatchGuard and Vipre, your network seems relatively conscious of possibilities, but you never know.

Tom
0
 

Accepted Solution

by:BeerTime
BeerTime earned 0 total points
ID: 37784013
Thanks Tom, we couldn't find anyone who brought their own laptop to work on this particular day.  Users have already been told not to use USB devices, but it is hard to find out if anyone did use one; we have users with iPhones and iPads connected to the corporate email.  Do you think a bot could have got installed on these devices?
0
 

Author Closing Comment

by:BeerTime
ID: 37850352
Thanks for everyone's help.  It is still a mystery; we couldn't find the origin of the trojan email.
0
