This exact same question has just been raised where the contributor had a Sonicwall firewall. The only difference with my issue is we use ISA 2006.
Our public IP address has been blacklisted and I have detected the workstation from which the spam is coming using ISA 2006 logging and reporting. It is most certainly a trojan or virus of some sort.
We use an off-site mail server so all users either connect with POP/SMTP using MS Outlook or the web mail GUI. All users have the same network configuration and are on the same Win 2003 domain. We use NOD32 for anti-virus.
I have used the following tools to successfully clean various machines that have had suspicious outbound SMTP activity:
- Malwarebytes
- Spybot
However, in the case of the one machine I am unable to stop the SMTP activity using any of the antivirus or malware tools.
How do I address this: Should it be on the workstation or on the ISA server? In either event, how do I prevent this from escalating?
Anxiously awaiting a response!