Exchange 2003 SPAM and Virus Problem
Posted on 2007-04-05
We are running Exchange 2003 SP2 (on a Win2k3 Server) with Trend Micro Scanmail 7.0 for spam/virus filtering. Trend Micro OfficeScan 7.3 is also running on this server now. The mail clients are a mix of Outlook 2k and 2k3.
I've only been in my position for about 7 months and I've inherited this network configuration. This server is hit by a lot of spam and viruses now. Here is a little back history on the problem.

About 2 months after I started here I came in one morning to find our Internet gateway being flooded with traffic. No one could access the Internet. I unplugged the Exchange Server and everything went back to normal. At that time only Scanmail was installed on the Exchange Server for filtering and virus protection (no OfficeScan). I installed OfficeScan and its real-time scan identified a worm (I don't remember which one now) in \Program Files\Exchsrvr\Mailroot\vsi 1\Queue\. OfficeScan reported, "OfficeScan detected a security risk but is unable to clean or quarantine the file". Even though OfficeScan reported it could not fix the problem, the problem stopped! The spamming stopped.

So with the help of a Microsoft MCSE we wiped and reloaded the server. (Loaded Exchange with SP2, an Exchange hotfix, ScanMail 7, and OfficeScan 7.3.) Everything was running great. Some users were getting about 100 spam messages a day and that went to 0 after the reinstall.

Well, about a month or 2 later OfficeScan started reporting worm after worm in the \Program Files\Exchsrvr\Mailroot\vsi 1\Queue\ folder (for example, Worm Bagle.JG in infected file NTFS_4bae9c0201c7754900026438.EML (rqrzppmouic.exe)). OfficeScan detects on average 4 to 5 worms a day (Worm Bagle.JG, Possible_Strat-2, Worm Mydoom, Worm Netsky, and Mytob.AE) and now some spam is getting through Scanmail. In a 24-hour period (4/4-4/5) Scanmail Realtime Monitor reported 219,962 messages scanned and only 2,788 were spam messages. We only have about 70 users and they do not receive that much email! Now I'm afraid Exchange has been compromised and possibly relaying spam!
I need some help PLEASE!
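One way to test the "70 users cannot generate 220,000 messages" suspicion is to count outbound messages per sender from the server's message tracking log and flag any account far above what a real user sends in a day. This is an added example, not from the original post or from Trend Micro or Microsoft; the log is constructed, and its column order is an assumption rather than the real Exchange 2003 tracking-log layout.

```python
from collections import Counter

# Constructed, simplified message tracking log (tab-separated). The column
# order date/time/sender/recipient/event is an assumption for this example,
# not the real Exchange 2003 tracking-log layout, so map fields accordingly.
HEADER = "date\ttime\tsender\trecipient\tevent"
_normal = [
    f"2007-04-04\t09:{i:02d}:00\tuser{i % 7}@corp.example"
    f"\tpartner{i}@other.example\tSMTP_SEND" for i in range(35)
]
# Constructed burst: one account handing 400 messages to outside addresses
# overnight, the pattern a compromised mailbox or open relay produces.
_burst = [
    f"2007-04-04\t02:{i % 60:02d}:{i % 60:02d}\tsvc@corp.example"
    f"\tvictim{i}@elsewhere.example\tSMTP_SEND" for i in range(400)
]
SAMPLE_LOG = "\n".join([HEADER] + _normal + _burst) + "\n"


def parse_log(text):
    """Turn the tab-separated text into a list of dicts keyed by the header."""
    lines = [line for line in text.splitlines() if line.strip()]
    fields = lines[0].split("\t")
    return [dict(zip(fields, line.split("\t"))) for line in lines[1:]]


def outbound_per_sender(records, event="SMTP_SEND"):
    """Count messages handed to SMTP, grouped by sender address."""
    return Counter(r["sender"] for r in records if r["event"] == event)


def flag_senders(counts, per_sender_max):
    """Senders above the daily ceiling a legitimate user is expected to hit."""
    return sorted((s, n) for s, n in counts.items() if n > per_sender_max)


def messages_per_user(total_scanned, user_count):
    """Crude sanity ratio: 219,962 scanned / 70 users in the post is ~3142."""
    return total_scanned / user_count


if __name__ == "__main__":
    counts = outbound_per_sender(parse_log(SAMPLE_LOG))
    print(flag_senders(counts, per_sender_max=200))
    print(round(messages_per_user(219962, 70)))
```

A legitimate sender hitting a few hundred outbound messages a day is rare in a 70-user shop, so any address that `flag_senders` reports is the first place to look; a huge total with no single heavy sender instead points at relaying from outside rather than a compromised mailbox.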