Phantom virus on Exchange server?

There was a horror movie some years ago in which a babysitter was being threatened over the phone. When the police traced the call, it was coming from upstairs. Creepy.

Several people in our organization are receiving emails from various internal email addresses, some disabled, some non-existent. We do not have a Sales email account, yet we are receiving some from there. We have an info account, but it is disabled. We are also receiving some from an administrator account that has been renamed.

The virus is the classic W32.mytob.ML@mm

FYI
http://securityresponse.symantec.com/avcenter/venc/data/w32.mytob.ml@mm.html

The problem is I have run a full scan on the Exchange server with 5/28/06 rev 4 defs. The earlier defs have been doing an awesome job picking up that same virus sent from the outside to one of the inside computers, so I am sure it should pick it up on the Exchange server. I deleted everything out of quarantine as well as checked the threat history and made sure everything was clear. I did not, however, see any services that may have been running per the web site above.

I ran a trace on the email, which was a waste of time because it only told me the date and time the message was "submitted to advanced queuing."
I also looked at the message header, and it is coming from the server.

How can I find out where these messages originate, i.e., a virus on the Exchange server, a virus on someone else's PC in the network, externally, etc.?
r-k commented:
"How can I find out where these messages originate, i.e., a virus on the Exchange server, a virus on someone else's PC in the network, externally, etc.?"

The mail header should tell you that:

http://itim.tamu.edu/htmlfs/mailheaders.shtml
http://www.stopspam.org/email/headers.html
tjmichael (Author) commented:
Yes, I checked the header, so I know where they come from. What I do not know is where the virus is creating the emails, when the server is clean and all of the PCs are picking up the virus and deleting the messages when they arrive, and they are clean?
r-k commented:
Is it possible to post a sample header? You can modify any specific IP address or name by replacing them with xxx or yyy, etc.

tjmichael (Author) commented:
Yes, I finally got a copy of the header instead of looking over the shoulder of the user.

Lo and behold, the first octet is the same as ours, but the other three are similar in some numbers and digit length, though not the same. A little oversight.

I went onto DNSstuff.com and ran a query on the IP address, and it comes from a Verizon DSL subscriber in Tampa, FL.
Sounds like someone does not have antivirus on their home PC.

Is there any way, in either a WatchGuard firewall or the Exchange 2003 server, to look for and block anomalies like spoofed domain names?
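The header-reading advice from r-k above, and the near-miss in this comment (an outside address whose first octet happened to match the company's), can both be turned into a repeatable check. The following is an added example, not code from the original thread: it parses a constructed Received chain, walks the hops from newest to oldest, and reports the first hop handed in by a host outside an assumed trusted netblock, using exact CIDR membership rather than an octet-by-octet glance. The netblock 203.0.113.0/24, the domain example.com and every address in the sample are assumptions made up for the example.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: the organization's public block and mail domain.
TRUSTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]
INTERNAL_DOMAINS = {"example.com"}

# Constructed sample header: the message claims to be from the disabled "info"
# account, but the oldest Received line shows it was handed to the Exchange
# server by a host outside the trusted block. Hosts, IPs and dates are made up.
SAMPLE = """\
Received: from mail.example.com ([203.0.113.5]) by mail.example.com
 with Microsoft SMTPSVC(6.0.3790.1830); Mon, 29 May 2006 08:12:04 -0400
Received: from example.com ([198.51.100.23]) by mail.example.com
 with Microsoft SMTPSVC(6.0.3790.1830); Mon, 29 May 2006 08:12:03 -0400
From: info@example.com
To: someone@example.com
Subject: Hello

test
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_ips(raw):
    """Bracketed 'from' IP of each Received header, newest hop first."""
    hdrs = message_from_string(raw).get_all("Received", [])
    return [m.group(1) for m in map(IP_RE.search, hdrs) if m]


def is_trusted(ip):
    # Exact netblock membership, not a first-octet eyeball comparison.
    return any(ipaddress.ip_address(ip) in net for net in TRUSTED_NETS)


def injection_point(raw):
    """Walk hops newest to oldest; the first hop handed in by a host outside
    the trusted block is where the message really entered the mail system."""
    for ip in received_ips(raw):
        if not is_trusted(ip):
            return ip
    return None


def is_spoofed_internal(raw):
    """True when the From domain is ours but the message came from outside."""
    _, addr = parseaddr(message_from_string(raw).get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    return domain in INTERNAL_DOMAINS and injection_point(raw) is not None
```

Run it over a real header after swapping in your own netblock; a non-None injection point with an internal From domain is the pattern to block at the gateway.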
tjmichael (Author) commented:
Should I make that another question?
r-k commented:
This article gives a good overview of how to control spam with Exchange 2003:

http://www.microsoft.com/technet/technetmag/issues/2006/01/NewWeapons/default.aspx
tjmichael (Author) commented:
Thanks for the info. I will try these and see how it goes.
r-k commented:
Thanks and good luck.