How to find Trojan email origin
Posted on 2012-03-28
We have been getting quite a few virus "Trojan.JS.Obfuscator.aa (v)" emails lately that are caught and quarantined by the email security program called "Vipre". I would like to find out if these Trojan emails in fact came from an external IP to internal, or if there is a bot on our internal network sending these emails out.
We have a WatchGuard XCS email security appliance that acts as a gateway and filters all incoming emails before they get delivered to the Exchange server. We have another email security program installed on the Exchange server called "Vipre", which then scans all emails for viruses, spyware, spam and attachments before they get delivered to users' mailboxes.
We received about 10 Trojan "Trojan.JS.Obfuscator.aa (v)" emails a couple of days ago; all came through at almost the same time and were caught and quarantined by "Vipre". 8 of these emails were from @ups.com, 1 from @hotmail.com and 1 from @gmail.com. The subject was either "UPS tracking number xxxx" or "United Postal Service Tracking Nr xxx". The emails were sent to various internal email addresses.
Troubleshooting steps taken:
1. There was no log on the WatchGuard appliance for these Trojan emails from which to get any information about their origin. As per WatchGuard tech support, these emails didn't come from an external SMTP address. The log files are available for all other emails.
2. The Exchange message tracking center doesn't show any logs for these emails. The logs are available for all other incoming and outgoing emails.
3. The Vipre email security program doesn't have any detailed logs to find origin IP or domain information.
4. Since there were no other options, I released one of these emails that was quarantined by Vipre to my email address. The email header only has the information from when this email was released from Vipre; there was no previous history in the header. Somehow the previous header history is stripped out.
I am stuck at this point, as I couldn't find any evidence as to whether these emails came from external or internal. I am just worried that there is a bot on our internal network sending these emails.
Could you please let me know if there is any other way to find sender information for these emails? What do you suggest that I should do so that if it happens again I will capture more details about the email origin?
Thanks again for your help in advance. Much appreciated!
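When a quarantined copy does keep its headers, the question of internal versus external origin is answered by walking the `Received:` chain from the earliest hop. The script below is an added example, not code from the original post or from WatchGuard or Vipre; the message, host names and addresses in it are constructed, and it uses Python's private-address ranges as a stand-in for the organization's own internal ranges.

```python
import email
import ipaddress
import re
from email import policy

# Constructed sample message: two Received hops, the earliest of which is an
# internal workstation handing the mail to the gateway (hypothetical names).
SAMPLE_MESSAGE = b"""Received: from xcs-gateway.example.local (10.0.0.5)
 by exchange01.example.local with ESMTP; Wed, 28 Mar 2012 09:01:02 -0400
Received: from WORKSTATION-17 (192.168.5.23)
 by xcs-gateway.example.local with SMTP; Wed, 28 Mar 2012 09:01:00 -0400
From: "UPS" <noreply@ups.com>
To: user@example.local
Subject: UPS tracking number 1234

body
"""

# Matches the first dotted-quad IPv4 address in a Received header, with or
# without the surrounding brackets some MTAs add.
IP_RE = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")


def received_hops(raw):
    """Return the Received headers as strings, earliest hop first."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    # Each MTA prepends its own Received header, so the last one in the
    # message is the earliest hop, i.e. the closest to the real sender.
    return [str(h) for h in reversed(msg.get_all("Received", []))]


def hop_ip(header_value):
    """Extract the connecting IP recorded in one Received header, if any."""
    m = IP_RE.search(header_value)
    return m.group(1) if m else None


def classify_origin(raw):
    """Classify the earliest hop as 'internal', 'external' or 'unknown'.

    'unknown' covers a message whose Received chain was stripped, which is
    the situation described for the copy released from quarantine.
    """
    hops = received_hops(raw)
    ip = hop_ip(hops[0]) if hops else None
    if ip is None:
        return "unknown"
    # Assumption: RFC 1918 space stands in for the organization's ranges.
    return "internal" if ipaddress.ip_address(ip).is_private else "external"
```

A gateway that logs the connecting IP for every accepted message gives the same answer without relying on the quarantine keeping headers intact.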