Virus Clean-up issues


A few weeks ago, one of my clients' Win2K3 SBS server (running Exchange 2003) got infected with a virus (they had ignored my pleas for installing A/V software, so it never got done. Lo and behold, they finally got a virus infection...go figure!). Of course, your truly was left to clean up the mess, but that's why they hired me in the first place. It took a long time, and I don't know the name of the virus, since it ran on the server undetected, even AFTER installing A/V software with updated vdefs, and running multiple scans. However, I eventually located the offending EXE (it was a re-generating mutex), and was eventually able to kill it using a tool called "KillBox." This trojan had turned the server into  a spamming Zombie [server] and was sending out thousands of spam messages at once. My client is not totally convinced that the server is totally clean, in part because every night around 10-11PM the Exchange information store (store.exe) process runs a higher RAM utilitzation, which triggers an e-mail event to us (the administrators) - this time of day was usually when the trojan would kick-up its spam-sending activity before we "cleaned" it. below is the Alert message that is send nightly:

"Alert on <servername> at 10/28/2006 11:10:10 PM
The store.exe process is allocating more memory than usual.
Check to see if you are having problems with e-mail. If so, stop and then restart the Microsoft Exchange Information Store service.
You can disable this alert or change its threshold by using the Change Alert Notifications task in the Server Management Monitoring and Reporting taskpad."

Ok, after all that "background" information, here's my ACTUAL question:

Do you know of a utility (Microsoft OR third-party) that can create a report of the number of outbound messages on an hourly schedule, and possibly show me the outbound message numbers over the past 24 hours, to where we can see a trend in elevation of the outbound mail queue. I would like to see if there are message spikes at certain times of the day.

Any help would be greatly appreciated.

Who is Participating?
SembeeConnect With a Mentor Commented:
There is definitely something in the SBS reports because it crops up on here every so often with people asking how "administrator" could send 2500 in 24 hours. SBS queries though are best put in the SBS topic area, where I expect Jeff will be able to confirm.

The only other way you would get something is to use logging on the SMTP virtual server, then something to process those logs. They are standard IIS formatted logs so are easily processed by any number of applications.

If that was one of my servers that had been compromised I wouldn't have repaired it. It would have had its data lifted and then been wiped. You cannot be sure what else has got on there.

I doubt whether this is bot related at all. Bots, trojans whatever you want to call them just don't use any applications on the host for sending their stuff. That makes them easy to spot.
Furthermore in my experience, if the Exchange server is being used to send email then it leaves a mess behind in the form of lots of undeliverable messages. Spammers lists are not known for being very clean.

As for the message you are getting, you do know that Exchange is designed to use as much RAM as it requires. You are also aware that Exchange runs nightly maintenance on its database. One of the time windows you can use for that starts at 11pm. You may want to check the maintenance window setting in ESM to see when this server is set to run.

SBS can do that on its own. There are reporting functions built in.

Otherwise you could enable Message Tracking and then run some processes against the logs it processes.

However I would start with the built in reporting and see what that says.

ethernet69Author Commented:

I don't want to do message tracking, but rather I want to check the 'state' of the SMTP queue - I checked SBS reporting, but found nothing obvious in the Performance/Usage reports section that would show what I want to know :-(

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.