daveyd123

asked on

External email being routed to wrong recipients

I have had this happen 3 times today.  This is the first day it has happened...

I have had instances of external email addressed to specific internal users being sent to multiple users' mailboxes.  For example, an email was sent from an outside source to our Exchange server to user@ournetwork.com.  That email was then delivered to multiple people's mailboxes in our internal network.  It's like the email was routed to many Distribution Lists instead of the specific user.  Not everyone on our network received it, just all the people in various departments.

Like I said, this has happened 3 times today from different external addresses to different internal email addresses.

Any ideas?
flyguybob

BCC field...
Mailing list...
spam...
daveyd123

ASKER

OK, tons of people just received another email.  The email was addressed to a non-existent mailbox on our network, yet people still got it.  The messages are the same but come from different sources...

One is:

"Registration Confirmation

Account and Password Information are attached!

Visit: http://www.unr.edu"

And another is:

"Your email was blocked

This is an automatically generated E-Mail Delivery Status Notification.

Mail-Header, Mail-Body and Error Description are attached"


We have Exchange's Intelligent Message filtering implemented.

It sounds like someone on your network (client PC) may have a virus, the Sober Worm.  These viruses do exactly what you are talking about.  Welcome to the life of being an e-mail administrator.
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SOBER.S

They can also bypass the IMF sometimes because they appear legitimate.

Are you familiar with the term BCC (Blind Carbon Copy, Backstab Carbon Copy) and what it does?  The virus application uses the BCC field to address a message to potentially hundreds of users, while only making it appear like it was to 1 user.

ASKER CERTIFIED SOLUTION
flyguybob

We do have Virus Scan 8.0i installed on all workstations.  It does say it's blocking Port 25 on the workstations.  If that were the case, how would a user send/receive emails?

On one of the email headers it says....  Received from: bhofngiv.edu 24.53.129.167 (RDNS failed) by our email server.com....from admin@unr.edu   To..a non-existent email address@our domain.com


Would it be best to not let Authenticated users have the ability to relay?

It looks like a virus coming from the outside, specifically, an Adelphia subscriber in PA.
http://ws.arin.net/cgi-bin/whois.pl?queryinput=!%20NET-24-52-0-0-1

What you have is a case of the worms trying to get in.  The attachments that are normally associated with the message are likely being quarantined, but the message is being allowed to pass.  Make sure the definitions for your Exchange server anti-spam application are updated.

Bob

Any reason why the emails are delivered to certain mailboxes and not everyone's?
Also, I turned on SMTP logging and I am getting a lot of the following Events in Event Viewer...


This is an SMTP protocol error log for virtual server ID1, connection#10  The remote host 208.29.147.107 responded to the SMTP command "xexch50" with "504 Need to authenicate first"  The full command sent was "XEXCH50 2108 2"  This will probably cause the connection to fail.

There are several of those events...the connection# and the remote host IP address change in each event.

1) Only the people on the BCC for the virus will receive the message.  Since the virus does not send to everyone at once, but continually harvests messages, the e-mails will trickle in.

2) People trying to use your server as a spam relay.  If you ever have an open relay, it will be exploited by spammers in about 15 minutes and on the IRC boards as an open relay after about 10 minutes.

Again, welcome to life as an e-mail admin.  I was in IT for about 5 years until I had to deal with all of this stuff.  There was a worm called Melissa, named for a stripper that danced for the virus writer.  There was another worm called ILoveYou.  That one was a nightmare.  Fortunately the coder was pretty crappy and instead of overwriting .jpg files (many of which users and marketing did not back up), it just renamed them with a .vbs extension.  It took ~2 hours to script the fix and run it against ~100GB of data on the file server.
Nimda was not as bad as Melissa or ILoveYou...but it was bad enough.
Fortunately, in most cases, I was paid to go into companies and clean up the mess.  In one case it was my mail system that got hit ~3 weeks after a P.O. for Trend's Scanmail for Exchange was declined.  I wanted to block extensions and Trend had an anti-virus and anti-spam solution all in one...the only real one at the time.
Did you read the Trend Micro link?

OK...It does look like we have the Sober Worm.

Next question...What would be the best way to find out the workstation(s) that have the worm?  We have 500+ PCs all running McAfee 8.0i and ePO orchestrator.

It looks like the worm uses its own SMTP to send out emails.  I am using Stinger on our Exchange server.

I am breaking the Experts Exchange rules here by answering so many questions (seriously, there are rules and I have been called on it) and answering a new Security TA question in an Exchange TA group:

Well, from what I have seen in your headers, it appears that someone on Adelphia has the worm, so it could even be a home user of yours, connecting via VPN, who is sending the virus.
The best way to find out what workstations have the worm would be to look at the headers and see if any of the IP addresses are yours.
The worm may use its own SMTP, but it has to connect to your Exchange server in order to send them to your users.
With 500 workstations, you may want to broadcast an e-mail from the helpdesk instructing users to ensure that their anti-virus and definitions at work are up to date.  If they use their home PC for work, that they ensure that their definitions (and patches) are up to date for their respective AV application.  If they don't have anti-virus 1) That's a bad thing and 2) They can go to http://housecall.trendmicro.com/
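To act on the advice above (check the Received headers for IP addresses that are yours), here is an added Python example that is not from the thread: it walks a message's Received chain oldest-first and reports whether the originating host, the one that connected to the Exchange server, falls inside your own address ranges. The internal CIDRs and both sample messages are constructed placeholders, not the asker's real network.

```python
import ipaddress
import re
from email import message_from_string

# Assumed internal LAN and VPN pool ranges (placeholders; substitute your own).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample: the originating hop is an outside host with no reverse DNS.
SAMPLE_EXTERNAL = """Received: from mail.ournetwork.example (10.1.1.5) by mail.ournetwork.example; Tue, 1 Nov 2005 09:15:02 -0500
Received: from bhofngiv.example (203.0.113.45) (RDNS failed) by mail.ournetwork.example; Tue, 1 Nov 2005 09:15:01 -0500
From: admin@unr.example
To: nobody@ournetwork.example
Subject: Registration Confirmation

Account and Password Information are attached!
"""

# Constructed sample: the originating hop is a VPN client on our own range.
SAMPLE_INTERNAL = """Received: from mail.ournetwork.example (10.1.1.5) by mail.ournetwork.example; Tue, 1 Nov 2005 11:02:10 -0500
Received: from homepc (192.168.40.17) by mail.ournetwork.example; Tue, 1 Nov 2005 11:02:09 -0500
From: admin@unr.example
To: nobody@ournetwork.example
Subject: Your email was blocked

Mail-Header, Mail-Body and Error Description are attached
"""


def parse_received_hops(raw_message):
    """Return Received hops oldest-first. Servers prepend Received headers,
    so the last one in the message is the host that first connected to us."""
    msg = message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        match = IPV4_RE.search(value)   # first literal is the 'from' host
        if not match:
            continue
        ip = ipaddress.ip_address(match.group(1))
        hops.append({"ip": str(ip),
                     "rdns_failed": "RDNS failed" in value,
                     "internal": any(ip in net for net in INTERNAL_NETS)})
    return hops


def find_internal_origin(raw_message):
    """IP of the originating hop if it is one of ours (a PC to clean), else None."""
    hops = parse_received_hops(raw_message)
    return hops[0]["ip"] if hops and hops[0]["internal"] else None
```

Run it over a batch of the offending messages and the internal origins that repeat are the workstations or VPN clients to pull for cleaning.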