Full Version: Who's got the virus?
Monga
Let's see if anyone here can tell me what's happening.

We've been receiving emails at my office from some spoofed address at our website.

i.e: noreply@name-of-our-office.com

The funny thing is: I'm in charge of the computer stuff, and there is NO email address on our website called "noreply"

The email goes on to say that it's from our office team (there is no such thing) and it attaches a file. The email was forwarded to me (without the complete headers) by one of our sales reps who had no idea why we had sent such a thing.

How can I find out if someone at our office is infected and who?
NARC
It's possible that you may be able to get an IP Address off the header of the email you received. Or if you have your own mail server you can trace the message through it...
Alan
Similar thing was happening to me a couple of weeks ago. The email worm was sending emails to random email addresses to one of my domains. I have a "catch-all" feature and let me tell you it works. I got approx. 175 emails over 2 days. All of them had spoofed "reply to" addresses and some of them were email addresses I never used at my domain.

It's very likely the email may not be originating from within your organization, but could be originating from an outside source. I'd say this is most likely the case, but I wouldn't rule out the possibility of it originating from within.

I was able to determine where mine were originating from by viewing the email headers. Can you gain access to the sales rep's computer and look at the headers? As Narc suggested, do you have access to your email server?

In any case it's a good idea to make sure all computers in your organization are running antivirus software with updated definitions.
NARC
QUOTE(Alan @ 03-5-2004 - 08:22 AM)
It's very likely the email may not be originating from within your organization, but could be originating from an outside source. I'd say this is most likely the case, but I wouldn't rule out the possibility of it originating from within.

That's a very good possibility too, as some of the new viruses around spoof the sender's address.

For instance if I have the virus, and I have Alan's email in my address book, I would be sending the virus out. But my email will look like Alan sent it. The full email header will generally discern if this is the case though.
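The header check described in the replies above, as an added example that is not part of the original thread: it walks the `Received` lines from the top and stops at the first one not written by a mail server you trust, since anything below that point can be forged by the sender. The sample message, host names, trusted-server set and office network range are all constructed assumptions.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

# Constructed sample: From claims the office domain; the bottom Received
# line is the kind of forged hop a worm can prepend itself.
SAMPLE = """\
Received: from mx.isp.example (mx.isp.example [192.0.2.25])
\tby mail.office.example with ESMTP; Fri, 5 Mar 2004 08:01:12 -0600
Received: from officepc (dsl-host.other.example [203.0.113.77])
\tby mx.isp.example with SMTP; Fri, 5 Mar 2004 08:01:09 -0600
Received: from fake.helo (unknown [10.9.8.7])
\tby nowhere.invalid; Fri, 5 Mar 2004 07:00:00 -0600
From: "Office Team" <noreply@office.example>
To: rep@office.example
Subject: Important notice

See attachment.
"""
TRUSTED = {"mail.office.example", "mx.isp.example"}  # assumed own/ISP servers

RECEIVED_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")
RECEIVED_BY = re.compile(r"\bby\s+([^\s;()]+)", re.I)

def claimed_sender(raw):
    """Address in the From header; set by the sender, so not evidence."""
    return parseaddr(email.message_from_string(raw)["From"])[1]

def trace_origin(raw, trusted_hosts):
    """IP recorded by the deepest hop in the unbroken chain of trusted servers."""
    origin = None
    for value in email.message_from_string(raw).get_all("Received", []):
        flat = " ".join(value.split())          # unfold continuation lines
        by = RECEIVED_BY.search(flat)
        if not by or by.group(1).lower() not in trusted_hosts:
            break                               # below here headers are unverified
        ip = RECEIVED_IP.search(flat)
        origin = str(ipaddress.ip_address(ip.group(1))) if ip else None
    return origin

def originated_inside(raw, trusted_hosts, office_net):
    """True if the traced origin lies in the office network, None if untraceable."""
    origin = trace_origin(raw, trusted_hosts)
    if origin is None:
        return None
    return ipaddress.ip_address(origin) in ipaddress.ip_network(office_net)

if __name__ == "__main__":
    print(claimed_sender(SAMPLE), trace_origin(SAMPLE, TRUSTED),
          originated_inside(SAMPLE, TRUSTED, "198.51.100.0/24"))
```
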
Monga
Alan & Narc, thanks for replying! We have Antivirus with updated definitions in all the computers that are supposed to be used for internet use. (there may be 4 others that are not supposed to have internet access, and I'll have to check what's happening there).

What is a catch-all feature? We don't have our own email server, it is done through SBCglobal.net (and it has our own domain name).

The rep didn't send me the headers, and I accessed his email account to see if I could find that message but I guess he had erased it by then...

Any idea on where I could find more info about this subject? This particular "worm"?
Alan
On my email system I can set a "catch all" address, meaning if someone sends an email to Monga@your-domain-here.com it won't get bounced even though Monga isn't a valid email address on your-domain-here.com. Instead it will forward to my "catch all" address which may be catch@your-domain-here.com. I use this feature a lot. Everything I do that requires an email address gets a customized one. The only thing I needed to do was activate the catch all feature on my email controls and specify a valid address as the catch all account.

A real life example: Let's say I sign up for B$ which requires a valid email address. I'll make one up, such as bargainshare@your-domain-here.com. When an email is sent to that address it won't get bounced. It will forward to catch@your-domain-here.com. The sender thinks bargainshare@your-domain-here.com is a valid address. Nobody is the wiser.

I literally have over a couple hundred email addresses I've made up which all forward to "catch@your-domain-here.com". All I need to do is check one email account and I'm actually checking 200+.

Edit: Monga, can you access a control panel for your domain at your hosting provider? How do you add/remove email accounts? The control panel may have the catch all feature.
Alan
QUOTE
Any idea on where I could find more info about this subject? This particular "worm"?

A few of them have come out over the past few weeks. They are named Netsky, Beagle and MyDoom and there are versions a, b, c, etc. Other viruses have come out also, but those three are the most, ummmm, popular.

Here's a good place for more info on them: http://securityresponse.symantec.com/