Exchange 2003 SPAM and Virus Problem

We are running Exchange 2003 SP2 (on a Win2k3 Server) with Trend Micro Scanmail 7.0 for spam/virus filtering. Trend Micro OfficeScan 7.3 is also running on this server now. The mail clients are a mix of Outlook 2k and 2k3.

I've only been in my position for about 7 months and I've inherited this network configuration. This server is hit by a lot of spam and viruses now. Here is a little back history on the problem. About 2 months after I started here I came in one morning to find our Internet gateway being flooded with traffic. No one could access the Internet. I unplugged the Exchange Server and everything went back to normal. At that time only Scanmail was installed on the Exchange Server for filtering and virus protection (no OfficeScan). I installed OfficeScan and its real time scan identified a worm (I don't remember which one now) in \Program Files\Exchsrvr\Mailroot\vsi 1\Queue\. OfficeScan reported, “OfficeScan detected a security risk but is unable to clean or quarantine the file”. Even though OfficeScan reported it could not fix the problem, the problem stopped! The spamming stopped. So with the help of a Microsoft MCSE we wiped and reloaded the server. (Loaded Exchange with SP2, an Exchange Hotfix, ScanMail 7, and OfficeScan 7.3.) Everything was running great. Some users were getting about 100 spam messages a day and that went to 0 after the reinstall. Well about a month or 2 later OfficeScan started reporting worm after worm in the \Program Files\Exchsrvr\Mailroot\vsi 1\Queue\ folder (for example, Worm Bagle.JG in infected file NTFS_4bae9c0201c7754900026438.EML (rqrzppmouic.exe)). OfficeScan detects on average 4 to 5 worms a day (Worm Bagle.JG, Possible_Strat-2, Worm Mydoom, Worm Netsky, and Mytob.AE) and now some spam is getting through Scanmail. In a 24 hour period (4/4-4/5) Scanmail Realtime Monitor reported 219,962 messages scanned and only 2,788 were spam messages. We only have about 70 users and they do not receive that much email! Now I’m afraid Exchange has been compromised and possibly relaying spam!

I need some help PLEASE!
pharmon96Asked:

mcrosslandCommented:
The very first thing that I would do is move your spam protection to an external provider.  This lets them handle the load of virus and spam scanning which reduces the load of your exchange server first.
I currently use www.postini.com and am very pleased with delivery time.  Usually within seconds.
As far as your Exchange system already being compromised, I also layer a virus scanning solution on my Exchange servers that uses multiple scan engines.  You can get a free trial which will clean your exchange store at http://www.microsoft.com/antigen/downloads/privacy-exchange-sm.mspx
I have been using Antigen for Exchange for YEARS and it works wonderfully to keep the information store clean of viruses both inbound and outbound.  Such a nice product that Microsoft purchased it.
0
mcrosslandCommented:
Forgot to mention that when you set up an external spam filter service, best practice is to ONLY accept port 25 email from their IP range.  This takes care of a lot of CRAP.
0
SembeeCommented:
The first thing you need to do is fix Trend.
OfficeScan should not be scanning anything in \exchsrvr\mailroot. Put exclusions in to stop it from scanning there. That is what Scanmail is for.

Have you got recipient filtering enabled? If not, turn it and tar pit on.
http://www.amset.info/exchange/filterunknown.asp

Are you using IMF? That can cut down on some of the spam the users receive.
http://www.amset.info/exchange/imf.asp

The other thing you might want to consider is greylisting. This is still very effective for me in dealing with spam, one or two get through. As long as your email is not time critical (ie you cannot tolerate a delay of a minute or so) then greylisting can be quite effective.

My preferred tool for greylisting is Vamsoft ORF which is cheap and has a 30 day trial so you can see how effective it is.
You could also look at this one: http://www.grynx.com/projects/greylist/ which does just greylisting and is free, but I haven't got round to trying it.

Finally, you may have a compromised administrator account. If you don't have any users sending email through your users with Outlook Express etc, then disable or restrict authenticated relaying.
http://www.amset.info/exchange/smtp-relaysecure.asp

Simon.
0

pharmon96Author Commented:
Thank you for all the info..

mcrossland, I will look into your suggestions. We are thinking about purchasing a Barracuda Filter to go in front of Exchange. What do you think of that idea?

Sembee, I understand Trend shouldn't be scanning \exchsrvr\mailroot but I've been afraid to exclude it because of what happened originally when OfficeScan was not installed on the server. ScanMail did not stop the problem and the server started spamming.
0
mcrosslandCommented:
One of the main reasons that I personally prefer an external spam filter is for bandwidth reasons.  The spam never comes through our internet connection.  I think Barracuda is an internal server, correct?
0
pharmon96Author Commented:
Yes, Barracuda is an internal server.
0
mcrosslandCommented:
Never tried it so I'm not the right person to answer that part of the question.  :)
0
SembeeCommented:
I wouldn't necessarily say that an external provider is the solution here. They are not the solution to everything. I have a client who cannot use an external provider because they block too much legitimate email.
If you have already made the investment in the software then you should use that.

Excluding the folders is not a do nothing option. You must do it for Exchange to operate correctly. Otherwise what happens is that the AV software tries to scan the files as Exchange is processing them.

If scanmail didn't catch something then it is not fit for purpose and should be replaced. I always recommend having something different for Exchange AV than what is on the desktops to provide multiple layers of protection.

A barracuda or external service will not help if Trend continues to be incorrectly configured. It is something that they should do automatically - but for some reason do not.

Simon.
0
r-kCommented:
I too would suggest disabling scanning of Exchange files asap. Here is a link you may find helpful:

http://support.microsoft.com/kb/823166
0
pharmon96Author Commented:
Does Exchange with SP2 have a greylist or blacklist filter built in? If so can someone provide a link on how to set it up.

Sembee, do you have a recommendation for Exchange AV?
Thanks again everyone!
0
SembeeCommented:
There is no greylisting support in Exchange 2003 from Microsoft.
I don't recommend blacklists either.

For Exchange level AV, the market leader was Sybari Antigen, now Microsoft Forefront. The other one I have put in to a few sites with success is GFI Mail Security.
You could also look at Grisoft AVG which I believe can be bought standalone. So many of the AV vendors want you to buy a suite.

Simon.
0
r-kCommented:
Another option is an anti-spam add-on for Exchange. We have been using Ninja (formerly iHateSpam) for about three years. It has some rough edges, but I like the new version quite a bit now. It does have an AV plug-in, but I don't even use it. By simply using Ninja to block executable attachments (i.e. those that end in .exe, .bat, .pif etc.) I have not had an infected file get through in months. The new version also does a great job with spam and phishing type messages, catching maybe about 95%. The main downside is the extra load it puts on the server. If you want more specifics please post back.
0
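An added example of the attachment-name policy r-k describes (blocking by executable extension); this is illustration code, not part of the Ninja product or of the thread. The block list and the sample filenames are constructed; only the extensions named in the post and the worm filename from the question come from the page.

```python
# Constructed block list: the extensions r-k's post names, plus a few other
# Windows-executable types of the same class (an assumption, not the vendor's list).
BLOCKED_EXTENSIONS = {"exe", "bat", "pif", "com", "cmd", "scr", "vbs", "js"}

def effective_extension(filename):
    """Return the extension Windows would act on, lower-cased, or '' if none.

    Surrounding quotes, trailing spaces and trailing dots are stripped first,
    because Explorer ignores them when choosing a handler, and only the last
    extension counts, so 'report.pdf.exe' is treated as an .exe."""
    name = filename.strip().strip('"').rstrip(" .").lower()
    base = name.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]   # drop any path part
    return base.rsplit(".", 1)[1] if "." in base else ""

def is_blocked_attachment(filename, blocked=BLOCKED_EXTENSIONS):
    return effective_extension(filename) in blocked

def blocked_attachments(filenames, blocked=BLOCKED_EXTENSIONS):
    """Filter a message's attachment names down to those to strip or reject."""
    return [f for f in filenames if is_blocked_attachment(f, blocked)]

if __name__ == "__main__":
    # Constructed names: the worm file quoted in the question plus edge cases
    # (double extension, trailing space/dot tricks, quoting, no extension).
    sample = ["rqrzppmouic.exe", "Invoice.PDF", "report.pdf.exe",
              "photo.jpg .scr", "notes.txt.", '"Setup.EXE"', "README", "archive.tar.gz"]
    print(blocked_attachments(sample))
```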
pharmon96Author Commented:
Have any of you used ScanMail for spam/virus filtering? How does it rank against other products?
0
pharmon96Author Commented:
I noticed in the real time ScanMail Filter log it shows messages found at SMTP. Does this mean Exchange is accepting email from SMTP? I pasted two examples below. Please let me know.

4/6/2007 12:08:33 PM - Message from "ha-melody.com@vadivorceattorney.com" found at "SMTP" [total 1 recipient(s)]
4/6/2007 12:06:25 PM - Message from "noreply@gearedon.com" found at "SMTP" [total 1 recipient(s)]
0
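An added example, not from the thread or from Trend Micro: a small parser for Realtime Monitor lines in the format pasted above, with the checks a defender would run first on a box suspected of relaying (message counts per source and sender domain, SMTP entries that claim a local sender or fan out to many recipients, and whether a day's scan total is out of proportion to the user base). The two real lines are the ones quoted above; the extra log lines, the local domain "corp.example", the fan-out limit and the 100-messages-per-user threshold are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the format of the ScanMail Realtime Monitor lines
# quoted in the question; the last two entries are made up for illustration.
SAMPLE_LOG = """\
4/6/2007 12:08:33 PM - Message from "ha-melody.com@vadivorceattorney.com" found at "SMTP" [total 1 recipient(s)]
4/6/2007 12:06:25 PM - Message from "noreply@gearedon.com" found at "SMTP" [total 1 recipient(s)]
4/6/2007 12:06:27 PM - Message from "noreply@gearedon.com" found at "SMTP" [total 3 recipient(s)]
4/6/2007 12:06:29 PM - Message from "ceo@corp.example" found at "SMTP" [total 40 recipient(s)]
"""

LINE_RE = re.compile(
    r'^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) - '
    r'Message from "(?P<sender>[^"]*)" found at "(?P<source>[^"]*)" '
    r'\[total (?P<rcpts>\d+) recipient\(s\)\]$'
)

def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sender = m["sender"].lower()
    return {"ts": datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p"),
            "sender": sender, "source": m["source"], "rcpts": int(m["rcpts"]),
            "domain": sender.rsplit("@", 1)[-1] if "@" in sender else ""}

def summarize(log_text, local_domains, fanout_limit=20):
    """Count messages per source and sender domain, and pick out SMTP entries
    that claim a local sender (forged or relayed mail) or fan out widely."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    suspicious = [e for e in events if e["source"] == "SMTP"
                  and (e["domain"] in local_domains or e["rcpts"] >= fanout_limit)]
    return {"by_source": Counter(e["source"] for e in events),
            "sender_domains": Counter(e["domain"] for e in events),
            "suspicious": suspicious}

def daily_rate_is_excessive(messages_scanned, user_count, per_user_daily=100):
    """Flag a day's scan count that is out of proportion to the user base.
    The 100-per-user threshold is an assumed rule of thumb, not a vendor value."""
    return messages_scanned / user_count > per_user_daily

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG, {"corp.example"})
    print(report["by_source"], [e["sender"] for e in report["suspicious"]],
          daily_rate_is_excessive(219962, 70))   # the question's 24-hour figure
```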