Solved

Exchange 2003 SPAM and Virus Problem

Posted on 2007-04-05
14
773 Views
Last Modified: 2008-02-26
We are running Exchange 2003 SP2 (on a Win2k3 Server) with Trend Micro Scanmail 7.0 for spam/virus filtering. Trend Micro OfficeScan 7.3 is also running on this server now. The mail clients are a mix of Outlook 2k and 2k3.

I've only been in my position for about 7 months and I've inherited this network configuration. This server is hit by a lot of spam and viruses now. Here is a little back history on the problem. About 2 months after I started here I came in one morning to find our Internet gateway being flooded with traffic. No one could access the Internet. I unplugged the Exchange Server and everything went back to normal. At that time only Scanmail was installed on the Exchange Server for filtering and virus protection (no OfficeScan). I installed OfficeScan and its real time scan identified a worm (I don't remember which one now) in \Program Files\Exchsrvr\Mailroot\vsi 1\Queue\. OfficeScan reported, “OfficeScan detected a security risk but is unable to clean or quarantine the file”. Even though OfficeScan reported it could not fix the problem, the problem stopped! The spamming stopped. So with the help of a Microsoft MCSE we wiped and reloaded the server. (Loaded Exchange with SP2, an Exchange Hotfix, ScanMail 7, and OfficeScan 7.3.) Everything was running great. Some users were getting about 100 spam messages a day and that went to 0 after the reinstall. Well, about a month or 2 later OfficeScan started reporting worm after worm in the \Program Files\Exchsrvr\Mailroot\vsi 1\Queue\ folder (for example, Worm Bagle.JG in infected file NTFS_4bae9c0201c7754900026438.EML (rqrzppmouic.exe)). OfficeScan detects on average 4 to 5 worms a day (Worm Bagle.JG, Possible_Strat-2, Worm Mydoom, Worm Netsky, and Mytob.AE) and now some spam is getting through Scanmail. In a 24 hour period (4/4-4/5) Scanmail Realtime Monitor reported 219,962 messages scanned and only 2,788 were spam messages. We only have about 70 users and they do not receive that much email! Now I’m afraid Exchange has been compromised and possibly replying spam!

I need some help PLEASE!
0
Comment
Question by:pharmon96
14 Comments
 
LVL 10

Expert Comment

by:mcrossland
ID: 18858535
The very first thing that I would do is move your spam protection to an external provider.  This lets them handle the load of virus and spam scanning which reduces the load of your exchange server first.
I currently use www.postini.com and am very pleased with delivery time.  Usually within seconds.
As far as your Exchange system already being compromised, I also layer a virus scanning solution on my Exchange servers that uses multiple scan engines.  You can get a free trial which will clean your exchange store at http://www.microsoft.com/antigen/downloads/privacy-exchange-sm.mspx
I have been using Antigen for Exchange for YEARS and it works wonderfully to keep the information store clean of viruses both inbound and outbound.  Such a nice product that Microsoft purchased it.
0
 
LVL 10

Expert Comment

by:mcrossland
ID: 18858554
Forgot to mention that when you set up an external spam filter service, best practice is to ONLY accept port 25 email from their IP range.  This takes care of a lot of CRAP.
0
 
LVL 104

Accepted Solution

by:
Sembee earned 400 total points
ID: 18858569
The first thing you need to do is fix Trend.
OfficeScan should not be scanning anything in \exchsrvr\mailroot. Put exclusions in to stop it from scanning there. That is what Scanmail is for.

Have you got recipient filtering enabled? If not, turn it and tar pit on.
http://www.amset.info/exchange/filterunknown.asp

Are you using IMF? That can cut down on some of the spam the users receive.
http://www.amset.info/exchange/imf.asp

The other thing you might want to consider is greylisting. This is still very effective for me in dealing with spam, one or two get through. As long as your email is not time critical (ie you cannot tolerate a delay of a minute or so) then greylisting can be quite effective.

My preferred tool for greylisting is Vamsoft ORF which is cheap and has a 30 day trial so you can see how effective it is.
You could also look at this one: http://www.grynx.com/projects/greylist/ which does just greylisting and is free, but I haven't got round to trying it.

Finally, you may have a compromised administrator account. If you don't have any users sending email through your users with Outlook Express etc, then disable or restrict authenticated relaying.
http://www.amset.info/exchange/smtp-relaysecure.asp

Simon.
0
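Sembee's greylisting suggestion above rests on one mechanism: a sending host's first delivery attempt for an unseen (client IP, envelope sender, envelope recipient) triplet is refused with a temporary SMTP error, a real mail server queues and retries, and a single-shot spam bot does not. The following Python model is an added example and is not code from this thread, from Vamsoft ORF or from the grynx greylist project; the retry delay and the two expiry windows are assumed values chosen for illustration.

```python
"""Greylisting model: an added example, not code from this thread, from
Vamsoft ORF or from the grynx greylist project.

Greylisting temporarily rejects (SMTP 4xx) the first delivery attempt for
an unseen triplet of (client IP, envelope sender, envelope recipient). A
real MTA queues the message and retries later, after which the triplet is
confirmed and accepted; most spam bots fire once and never retry.
All timing constants below are assumptions chosen for illustration.
"""
from dataclasses import dataclass, field

MIN_RETRY_DELAY = 60            # assumed: a retry sooner than this is still deferred
PENDING_TTL = 4 * 3600          # assumed: forget an unconfirmed triplet after 4 hours
CONFIRMED_TTL = 36 * 24 * 3600  # assumed: a confirmed triplet stays whitelisted 36 days

TEMP_FAIL = "451 4.7.1 Greylisted, please try again later"
ACCEPT = "250 OK"


@dataclass
class Greylist:
    pending: dict = field(default_factory=dict)    # triplet -> first-seen time
    confirmed: dict = field(default_factory=dict)  # triplet -> last-accepted time

    def check(self, client_ip: str, mail_from: str, rcpt_to: str, now: float) -> str:
        """Return the SMTP response to give at RCPT TO time; `now` is in seconds."""
        key = (client_ip, mail_from.lower(), rcpt_to.lower())

        last_ok = self.confirmed.get(key)
        if last_ok is not None and now - last_ok < CONFIRMED_TTL:
            self.confirmed[key] = now          # refresh the whitelist entry
            return ACCEPT

        first = self.pending.get(key)
        if first is None or now - first > PENDING_TTL:
            self.pending[key] = now            # unseen (or stale): defer the first attempt
            return TEMP_FAIL
        if now - first < MIN_RETRY_DELAY:
            return TEMP_FAIL                   # retried too quickly: still defer

        del self.pending[key]                  # proper retry: confirm the triplet
        self.confirmed[key] = now
        return ACCEPT


def simulate() -> list:
    """Run constructed traffic through one greylist and return (label, response) pairs."""
    g = Greylist()
    events = [  # (time, label, client IP, MAIL FROM, RCPT TO); all values are constructed
        (0,    "mta first attempt",  "203.0.113.5",  "alice@example.net", "bob@example.com"),
        (10,   "bot single shot",    "198.51.100.7", "x9@example.org",    "bob@example.com"),
        (12,   "bot quick retry",    "198.51.100.7", "x9@example.org",    "bob@example.com"),
        (300,  "mta retry",          "203.0.113.5",  "alice@example.net", "bob@example.com"),
        (5000, "mta second message", "203.0.113.5",  "alice@example.net", "bob@example.com"),
    ]
    return [(label, g.check(ip, frm, to, t)) for t, label, ip, frm, to in events]


if __name__ == "__main__":
    for label, response in simulate():
        print(f"{label:20} -> {response}")
```

The simulation shows both sides of the trade-off Sembee mentions: the legitimate sender's first message is delayed by one retry interval, after which the confirmed triplet is accepted immediately, while the bot that fires once (or retries within seconds) never gets a 250.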
 

Author Comment

by:pharmon96
ID: 18859005
Thank you for all the info..

mcrossland: I will look into your suggestions. We are thinking about purchasing a Barracuda Filter to go in front of Exchange. What do you think of that idea?

Sembee, I understand Trend shouldn't be scanning \exchsrvr\mailroot but I've been afraid to exclude it because of what happened originally when OfficeScan was not installed on the server.. ScanMail did not stop the problem and the server started spamming.
0
 
LVL 10

Expert Comment

by:mcrossland
ID: 18859148
One of the main reasons that I personally prefer an external spam filter is for bandwidth reasons.  The spam never comes through our internet connection.  I think Barracuda is an internal server, correct?
0
 

Author Comment

by:pharmon96
ID: 18859176
Yes Barracuda is an internal server..
0
 
LVL 10

Expert Comment

by:mcrossland
ID: 18859213
Never tried it so I'm not the right person to answer that part of the question.  :)
0
 
LVL 104

Expert Comment

by:Sembee
ID: 18859274
I wouldn't necessarily say that an external provider is the solution here. They are not the solution to everything. I have a client who cannot use an external provider because they block too much legitimate email.
If you have already made the investment in the software then you should use that.

Excluding the folders is not a do nothing option. You must do it for Exchange to operate correctly. Otherwise what happens is that the AV software tries to scan the files as Exchange is processing them.

If scanmail didn't catch something then it is not fit for purpose and should be replaced. I always recommend having something different for Exchange AV than what is on the desktops to provide multiple layers of protection.

A barracuda or external service will not help if Trend continues to be incorrectly configured. It is something that they should do automatically - but for some reason do not.

Simon.
0
 
LVL 32

Assisted Solution

by:r-k
r-k earned 100 total points
ID: 18859344
I too would suggest disabling scanning of Exchange files asap. Here is a link you may find helpful:

 http://support.microsoft.com/kb/823166
0
 

Author Comment

by:pharmon96
ID: 18859355
Does Exchange with SP2 have a greylist or blacklist filter built in? If so can someone provide a link on how to set it up.

Sembee, do you have a recommendation for Exchange AV?
Thanks again everyone!
0
 
LVL 104

Expert Comment

by:Sembee
ID: 18859378
There is no greylisting support in Exchange 2003 from Microsoft.
I don't recommend blacklists either.

For Exchange level AV, the market leader was Sybari Antigen, now Microsoft Forefront. The other one I have put into a few sites with success is GFI Mail Security.
You could also look at Grisoft AVG which I believe can be bought standalone. So many of the AV vendors want you to buy a suite.

Simon.
0
 
LVL 32

Expert Comment

by:r-k
ID: 18859573
Another option is an anti-spam add-on for Exchange. We have been using Ninja (formerly iHateSpam) for about three years. It has some rough edges, but I like the new version quite a bit now. It does have an AV plug-in, but I don't even use it. By simply using Ninja to block executable attachments (i.e. those that end in .exe, .bat, .pif etc.) I have not had an infected file get through in months. The new version also does a great job with spam and phishing type messages, catching maybe about 95%. The main downside is the extra load it puts on the server. If you want more specifics please post back.
0
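r-k's point that simply refusing executable attachment types stops mass-mailing worms regardless of whether the AV engine recognises the sample yet can be shown with a small policy check. The Python below is an added example, not code from this thread or from the Ninja/iHateSpam product; the extension list (r-k names .exe, .bat and .pif; the rest are assumed additions) and the filename normalisation rules are assumptions to adapt to local policy.

```python
"""Executable-attachment policy check: an added example, not code from this
thread or from the Ninja/iHateSpam product r-k mentions.

The idea is to refuse attachments by file type at the mail server so that a
worm's .exe payload is dropped whether or not the AV signature exists yet.
The extension list and the normalisation rules are assumptions.
"""
import posixpath

# Assumed policy list; r-k names .exe, .bat and .pif, the rest are common additions.
BLOCKED_EXTENSIONS = {"exe", "bat", "pif", "com", "cmd", "scr", "vbs", "js"}


def normalise_filename(name: str) -> str:
    """Strip any path components and the trailing dots/spaces Windows ignores."""
    name = name.replace("\\", "/")
    name = posixpath.basename(name)
    return name.rstrip(". ").lower()


def final_extension(name: str) -> str:
    """Extension after the last dot, so 'invoice.pdf.exe' yields 'exe'."""
    base = normalise_filename(name)
    if "." not in base:
        return ""
    return base.rsplit(".", 1)[1]


def is_blocked_attachment(name: str) -> bool:
    """True when the attachment's effective extension is on the block list."""
    return final_extension(name) in BLOCKED_EXTENSIONS


def filter_attachments(names) -> dict:
    """Split one message's attachment names into kept and blocked lists."""
    result = {"kept": [], "blocked": []}
    for n in names:
        result["blocked" if is_blocked_attachment(n) else "kept"].append(n)
    return result


if __name__ == "__main__":
    # Constructed sample; the first name is the one quoted in the question.
    print(filter_attachments(["rqrzppmouic.exe", "Invoice.PDF.EXE", "notes.txt", "report.exe . "]))
```

Note what the check deliberately does not do: it looks only at the outer filename, so an executable inside a .zip or other archive is not inspected, and the decision is made on the last extension after normalising the tricks a filename can carry (mixed case, a double extension, a path prefix, trailing dots or spaces).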
 

Author Comment

by:pharmon96
ID: 18859619
Have any of you used ScanMail for spam/virus filtering? How does it rank against other products?
0
 

Author Comment

by:pharmon96
ID: 18864910
I noticed in the real time ScanMail Filter log it shows messages found at SMTP. Does this mean Exchange is accepting email from SMTP? I pasted two examples below.. Please let me know..

4/6/2007 12:08:33 PM - Message from "ha-melody.com@vadivorceattorney.com" found at "SMTP" [total 1 recipient(s)]
4/6/2007 12:06:25 PM - Message from "noreply@gearedon.com" found at "SMTP" [total 1 recipient(s)]
0
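A log of this shape is easier to reason about once it is tallied by scan location and sender domain rather than read line by line, which also helps put the 219,962-messages-per-day figure from the question into context. The Python below is an added example, not code from this thread or from Trend Micro ScanMail: its regular expression is built only from the two lines quoted above, it treats any other ScanMail line type as unparsed rather than guessing its format, and the three extra sample lines are constructed.

```python
"""ScanMail realtime-log triage: an added example, not code from this thread
or from Trend Micro ScanMail.

It parses the 'Message from ... found at ...' lines quoted above and
summarises them by scan location, sender domain and recipient count, which
makes it visible where a flood is entering and which sender domains dominate.
The regex is derived from the two quoted lines only; other ScanMail line
types are counted as unparsed rather than guessed at.
"""
import re
from collections import Counter
from datetime import datetime

LINE_RE = re.compile(
    r'^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) - '
    r'Message from "(?P<sender>[^"]*)" found at "(?P<where>[^"]*)" '
    r'\[total (?P<rcpts>\d+) recipient\(s\)\]$'
)


def parse_line(line: str):
    """Return a dict for a message line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sender = m.group("sender")
    return {
        "time": datetime.strptime(m.group("ts"), "%m/%d/%Y %I:%M:%S %p"),
        "sender": sender,
        # rpartition keeps the text after the last '@'; an empty sender is a bounce/null sender
        "domain": sender.rpartition("@")[2] or "<null sender>",
        "where": m.group("where"),
        "rcpts": int(m.group("rcpts")),
    }


def summarise(lines) -> dict:
    """Tally message lines by scan location and sender domain; count the rest as unparsed."""
    by_where, by_domain = Counter(), Counter()
    parsed = unparsed = rcpts = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        parsed += 1
        rcpts += rec["rcpts"]
        by_where[rec["where"]] += 1
        by_domain[rec["domain"]] += 1
    return {
        "parsed": parsed, "unparsed": unparsed, "recipients": rcpts,
        "by_location": dict(by_where), "by_domain": dict(by_domain),
    }


# Constructed sample: the two lines quoted in the question plus three made-up ones.
SAMPLE_LOG = [
    '4/6/2007 12:08:33 PM - Message from "ha-melody.com@vadivorceattorney.com" found at "SMTP" [total 1 recipient(s)]',
    '4/6/2007 12:06:25 PM - Message from "noreply@gearedon.com" found at "SMTP" [total 1 recipient(s)]',
    '4/6/2007 12:05:10 PM - Message from "promo@gearedon.com" found at "SMTP" [total 3 recipient(s)]',
    '4/6/2007 12:04:58 PM - Message from "" found at "SMTP" [total 1 recipient(s)]',
    '4/6/2007 12:04:00 PM - Scan engine updated',
]

if __name__ == "__main__":
    for key, value in summarise(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run over a full day of the realtime log, the by_location and by_domain tallies show at which ScanMail scan point the bulk of the volume is being seen and whether a handful of sender domains account for it, which is the kind of evidence to have in hand before deciding between the filtering options discussed above.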
