Solved

Virus on Small Business Server.... "Mass Mailer Virus" 500Pts - Be quick I'm ready to reinstall!

Posted on 2005-05-16
8
Medium Priority
411 Views
Last Modified: 2012-06-21
Hi,

Having a major problem with a virus infection on a Small Business Server.. the major part of the problem is that I cannot work out what the infection is!

We have been disconnected (blocked) from our ISP's SMTP server for sending an excessive amount of email... although we can find no evidence of this... apart from Symantec Mail Security popping up every now and again saying "mail security detected a mass mailer virus" (but that's it, no name or location! very helpful!)

I have just installed Symantec Anti-Virus multi-tier 9.0 and updated and run everything... didn't find anything (apart from some items in the "badmail" folder which were deleted).
I have also run every other online virus scan I can find (Symantec, Trend Micro, Panda, etc, etc, all of which find nothing!)... (also done the same on all the client PCs, only 2!)

The server is not an open relay and we have a Servgate SG100 Firewall protecting the server.

What I have noticed is strange network activity, a small blip every other half second (0.4% network usage), which stops when I terminate dlbtnmon.exe (a small app that comes with a Dell All-in-One printer Scanner)... related?

Anyone got any ideas at all???? PLEASE! I have reached the point of re-installing the server from scratch as I cannot find any evidence of the virus.

The ISP originally said it was Netsky (so I downloaded the Symantec tool and ran that, found nothing on server or clients). Now they say we are exceeding the send limit of 600 mails per hour.

PLEASE PLEASE get back ASAP - Will be wiping the damn thing this evening if I don't hear anything.. 500Pts could go down the drain!

Cheers,
Adam.
Question by:Netitude
8 Comments
 
LVL 1

Author Comment

by:Netitude
ID: 14011274
Has anyone come across problems with dlbtnmon.exe before.. I reckon this file is the virus.. but it's just a hunch and the AV software finds nothing wrong with it...
0
 
LVL 1

Author Comment

by:Netitude
ID: 14011293
PS.. I spoke to Symantec tech support... they say (as of course they would) that Symantec AV would have found a virus if it was infected and think that someone is spoofing our IP, so I changed our IP... still no change!
0
 
LVL 7

Expert Comment

by:sr_millar
ID: 14013243
Hi,

Have you considered your mail server is an open relay?  If it is it would allow a hacker to use it to send out mass email - appearing like a virus but not really one.

Can you confirm your server is not set to allow anyone to relay via it?

Stuart
0
 
LVL 7

Expert Comment

by:sr_millar
ID: 14013247
Hi Netitude,

Sorry just read your post again about the open relay.  I will look into it a bit more....

Stuart
0
 
LVL 5

Expert Comment

by:mleman
ID: 14014354
Could it be a desktop on the network?
0
 
LVL 5

Expert Comment

by:mleman
ID: 14014374
Sorry, I meant to add, some viruses have their own SMTP agent for sending email, bypassing the Exchange and going straight out to the web.
0
 
LVL 1

Author Comment

by:Netitude
ID: 14014934
Well... our ISP complained as we were sending mail to their SMTP server... so it can't be a virus sending on its own SMTP engine... also checked all the desktops for viruses... nothing...

But... I have just had a thought... suppose someone was sending spam / viruses using our domain name (this has happened in the past), some of this could bounce back, ending up in our POP3 server, and so picked up by our Small Business Server (POP3 connector), the SBS server would not recognize the email addresses and forward them on to our ISP... possibly a lot of times in one hour.. triggering our ISP to trigger a block... a bit of a weird one but I think I will take a look tomorrow...

0
 
LVL 7

Accepted Solution

by:
sr_millar earned 1500 total points
ID: 14016498
Hi,

Yes, that could be a possibility. Could you change your configuration to an SMTP setup where your mail comes directly to your server and you also send it out, instead of using your ISP's mail server to do it?

That would mean any undeliverables come back to you rather than via your ISP.

Stuart
0
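
The bounce hypothesis discussed above can be tested against the server's outbound SMTP log by counting messages per hour and separating null-sender bounces (NDRs) from mail with real senders. This is an added example, not part of the original thread; the log line format, addresses and the 0.8 bounce-share cut-off are assumptions, and the 600 per hour figure is the limit the ISP quoted.

```python
import re
from collections import Counter

ISP_LIMIT_PER_HOUR = 600   # send limit the ISP quoted in the thread
NDR_SHARE_THRESHOLD = 0.8  # assumed cut-off for calling an hour a bounce flood

# Constructed log format (adapt the regex to your real SMTP log):
#   2005-05-16 14:03:27 OUT from=<sender> to=<recipient>
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}):\d{2}:\d{2} OUT from=<([^>]*)> to=<([^>]+)>$")

def summarize(lines):
    """Count outbound messages and null-sender bounces per clock hour."""
    total, ndr = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # inbound or unparseable lines are skipped
        hour, sender, _rcpt = m.groups()
        total[hour] += 1
        if sender == "":  # bounces/NDRs carry the empty envelope sender <>
            ndr[hour] += 1
    return {h: {"total": total[h], "ndr": ndr[h]} for h in sorted(total)}

def verdict(stats):
    """Label one hour's counts against the ISP limit."""
    if stats["total"] <= ISP_LIMIT_PER_HOUR:
        return "within limit"
    if stats["ndr"] / stats["total"] >= NDR_SHARE_THRESHOLD:
        return "over limit: mostly bounces (backscatter via the server)"
    return "over limit: mostly real senders (check hosts and relay settings)"

def sample_log():
    """Constructed data: 650 bounces + 20 normal mails at 14:xx, 5 at 15:xx."""
    lines = [f"2005-05-16 14:{i % 60:02d}:{i % 60:02d} OUT from=<> "
             f"to=<user{i}@recipient.example>" for i in range(650)]
    lines += [f"2005-05-16 14:{i:02d}:00 OUT from=<staff@company.example> "
              f"to=<client{i}@partner.example>" for i in range(20)]
    lines += [f"2005-05-16 15:0{i}:00 OUT from=<staff@company.example> "
              f"to=<client{i}@partner.example>" for i in range(5)]
    lines.append("2005-05-16 15:10:00 IN from=<a@b.example> to=<staff@company.example>")
    return lines

if __name__ == "__main__":
    for hour, stats in summarize(sample_log()).items():
        print(hour, stats, verdict(stats))
```

An hour that is over the limit with mostly empty-sender messages points at bounces generated by the server itself rather than a mass mailer on a client.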


Question has a verified solution.
