We're seeing the same phenomenon here using ISA with NTLM authentication for clients. Certain spams pop up authentication windows, with our domain and a username that does not exist.

Unfortunately I don't have an example stored, but I remember that checking the HTML source reveals a few IMG SRC's and a *lot* of unrecognised HTML <>tags, mostly gibberish.

I can understand how the IMG SRC would pop an auth window if the resource was protected on the remote server, but as to why it uses the format of (OurDomain\unknownUsername), I have no idea. I'm sure it cannot be an auth request from our own ISA server, as all other Net access works fine on said client using IE's NTLM token.

Regards,
Brad Webb
IT Administrator
AJB Publishing
t(direct): +61 02 8399 7659
t(switch): +61 02 8399 3611
f: +61 02 8399 3622
e: bwebbat_private

-----Original Message-----
From: FWAdmin [mailto:FWAdminat_private]
Sent: Tuesday, 27 May 2003 12:03 AM
To: 'Matt LaFelero'; incidentsat_private
Subject: RE: Possible Intrusion Attempt?

A few of our users have received the same thing. We also use MS Proxy 2.0, but they get popups for authentication with some weird user name in the user ID box. The text of the message is as follows:

<B>Subject:</B> are you tired of being single? ut qw pydxve j<BR><BR></FONT></DIV>Loading please wait... <A href="http://www.beowolfhost.com/1/index.html?a=MTEyfDI="><IMG src="http://beowolfhost.com/4/amateur_match_400x300_01.jpg" NOSEND="1"><A>rr vs sv h qacvntnzzf adcyf nxsci qvi hane o lopp qcnazyh bk gzsdh ic uxjuz u qwx h t </A><BR>

The e-mail didn't trigger authentication with me, and all it downloaded was an image. Depending on a user's proxy settings, this message may or may not prompt for authentication.

Did you get a look at what the login screen was for? Ours was a login prompt for our proxy cluster, not the remote web site.
This archive was generated by hypermail 2b30 : Tue May 27 2003 - 08:44:22 PDT