Solved

Exchange 2003 SPAM and Virus Problem

Posted on 2007-04-05
14
770 Views
Last Modified: 2008-02-26
We are running Exchange 2003 SP2 (on a Win2k3 Server) with Trend Micro Scanmail 7.0 for spam/virus filtering. Trend Micro OfficeScan 7.3 is also running on this server now. The mail clients are a mix of Outlook 2k and 2k3.

I've only been in my position for about 7 months and I've inherited this network configuration. This server is hit by a lot of spam and viruses now. Here is a little back history on the problem. About 2 months after I started here I came in one morning to find our Internet gateway being flooded with traffic. No one could access the Internet. I unplugged the Exchange Server and everything went back to normal. At that time only ScanMail was installed on the Exchange Server for filtering and virus protection (no OfficeScan). I installed OfficeScan and its real-time scan identified a worm (I don't remember which one now) in \Program Files\Exchsrvr\Mailroot\vsi 1\Queue\. OfficeScan reported, "OfficeScan detected a security risk but is unable to clean or quarantine the file". Even though OfficeScan reported it could not fix the problem, the problem stopped! The spamming stopped. So with the help of a Microsoft MCSE we wiped and reloaded the server. (Loaded Exchange with SP2, an Exchange hotfix, ScanMail 7, and OfficeScan 7.3.) Everything was running great. Some users were getting about 100 spam messages a day and that went to 0 after the reinstall. Well, about a month or 2 later OfficeScan started reporting worm after worm in the \Program Files\Exchsrvr\Mailroot\vsi 1\Queue\ folder (for example, Worm Bagle.JG in infected file NTFS_4bae9c0201c7754900026438.EML (rqrzppmouic.exe)). OfficeScan detects on average 4 to 5 worms a day (Worm Bagle.JG, Possible_Strat-2, Worm Mydoom, Worm Netsky, and Mytob.AE) and now some spam is getting through ScanMail. In a 24-hour period (4/4-4/5) the ScanMail Realtime Monitor reported 219,962 messages scanned and only 2,788 were spam messages. We only have about 70 users and they do not receive that much email! Now I'm afraid Exchange has been compromised and possibly relaying spam!

I need some help PLEASE!
0
Question by:pharmon96
14 Comments
 
LVL 10

Expert Comment

by:mcrossland
ID: 18858535
The very first thing that I would do is move your spam protection to an external provider. This lets them handle the load of virus and spam scanning, which reduces the load on your Exchange server.
I currently use www.postini.com and am very pleased with delivery time. Usually within seconds.
As far as your Exchange system already being compromised, I also layer a virus scanning solution on my Exchange servers that uses multiple scan engines. You can get a free trial which will clean your Exchange store at http://www.microsoft.com/antigen/downloads/privacy-exchange-sm.mspx
I have been using Antigen for Exchange for YEARS and it works wonderfully to keep the information store clean of viruses both inbound and outbound. Such a nice product that Microsoft purchased it.
0
 
LVL 10

Expert Comment

by:mcrossland
ID: 18858554
Forgot to mention that when you set up an external spam filter service, best practice is to ONLY accept port 25 email from their IP range. This takes care of a lot of CRAP.
0
 
LVL 104

Accepted Solution

by:
Sembee earned 400 total points
ID: 18858569
The first thing you need to do is fix Trend.
OfficeScan should not be scanning anything in \exchsrvr\mailroot. Put exclusions in to stop it from scanning there. That is what Scanmail is for.

Have you got recipient filtering enabled? If not, turn it and tar pit on.
http://www.amset.info/exchange/filterunknown.asp

Are you using IMF? That can cut down on some of the spam the users receive.
http://www.amset.info/exchange/imf.asp

The other thing you might want to consider is greylisting. This is still very effective for me in dealing with spam; one or two get through. As long as your email is not time critical (i.e. you can tolerate a delay of a minute or so) then greylisting can be quite effective.

My preferred tool for greylisting is Vamsoft ORF which is cheap and has a 30 day trial so you can see how effective it is.
You could also look at this one: http://www.grynx.com/projects/greylist/ which does just greylisting and is free, but I haven't got round to trying it.

Finally, you may have a compromised administrator account. If you don't have any users sending email through your users with Outlook Express etc, then disable or restrict authenticated relaying.
http://www.amset.info/exchange/smtp-relaysecure.asp

Simon.
0
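The greylisting Simon recommends above works by temporarily rejecting mail from a sender/recipient/IP combination the server has never seen and accepting it only once the sending MTA retries after a delay. The following is an added illustration, not code from the thread or from any product mentioned in it; the IP addresses, mailboxes, and the 60-second delay are constructed assumptions.

```python
# Added example, not code from the thread: a minimal greylisting decision
# engine. A new (client IP, sender, recipient) triplet is deferred with a
# 4xx reply; a real MTA retries after a few minutes and is then accepted,
# while a fire-and-forget spam bot never gets delivered.
from dataclasses import dataclass, field

TEMPFAIL = "451 4.7.1 Greylisted, please try again later"
ACCEPT = "250 OK"


@dataclass
class Greylister:
    delay: int = 60               # seconds a new triplet must wait (the "minute or so")
    retry_window: int = 4 * 3600  # unconfirmed triplets are forgotten after this
    seen: dict = field(default_factory=dict)    # triplet -> time first seen
    passed: dict = field(default_factory=dict)  # triplet -> time last accepted

    def decide(self, client_ip, sender, recipient, now):
        triplet = (client_ip, sender.lower(), recipient.lower())
        if triplet in self.passed:          # known-good triplet: no delay
            self.passed[triplet] = now
            return ACCEPT
        first = self.seen.get(triplet)
        if first is None or now - first > self.retry_window:
            self.seen[triplet] = now        # first contact (or stale): defer
            return TEMPFAIL
        if now - first < self.delay:
            return TEMPFAIL                 # retried too quickly: keep deferring
        del self.seen[triplet]              # waited long enough: promote
        self.passed[triplet] = now
        return ACCEPT


def simulate():
    """Constructed traffic: a legitimate MTA that retries, and a bot that does not."""
    g = Greylister()
    mta = ("192.0.2.10", "partner@example.net", "user@example.com")   # constructed
    bot = ("198.51.100.7", "promo@spam.invalid", "user@example.com")  # constructed
    return {
        "mta_first": g.decide(*mta, now=0),
        "mta_retry_early": g.decide(*mta, now=20),
        "mta_retry": g.decide(*mta, now=300),        # typical 5-minute retry
        "mta_next_message": g.decide(*mta, now=3600),
        "bot_only_attempt": g.decide(*bot, now=5),
        "delivered_from_bot": bot in g.passed,
    }


if __name__ == "__main__":
    for name, result in simulate().items():
        print(f"{name}: {result}")
```

Time-critical mail is what pays for this: every first contact from a new sender waits at least one retry interval, which is why Simon's caveat about tolerating a short delay matters.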
 

Author Comment

by:pharmon96
ID: 18859005
Thank you for all the info..

mcrossland, I will look into your suggestions. We are thinking about purchasing a Barracuda Filter to go in front of Exchange. What do you think of that idea?

Sembee, I understand Trend shouldn't be scanning \exchsrvr\mailroot, but I've been afraid to exclude it because of what happened originally when OfficeScan was not installed on the server. ScanMail did not stop the problem and the server started spamming.
0
 
LVL 10

Expert Comment

by:mcrossland
ID: 18859148
One of the main reasons that I personally prefer an external spam filter is for bandwidth reasons. The spam never comes through our internet connection. I think Barracuda is an internal server, correct?
0
 

Author Comment

by:pharmon96
ID: 18859176
Yes, Barracuda is an internal server.
0
 
LVL 10

Expert Comment

by:mcrossland
ID: 18859213
Never tried it, so I'm not the right person to answer that part of the question. :)
0
 
LVL 104

Expert Comment

by:Sembee
ID: 18859274
I wouldn't necessarily say that an external provider is the solution here. They are not the solution to everything. I have a client who cannot use an external provider because they block too much legitimate email.
If you have already made the investment in the software then you should use that.

Excluding the folders is not a do-nothing option. You must do it for Exchange to operate correctly. Otherwise what happens is that the AV software tries to scan the files as Exchange is processing them.

If ScanMail didn't catch something then it is not fit for purpose and should be replaced. I always recommend having something different for Exchange AV than what is on the desktops to provide multiple layers of protection.

A Barracuda or external service will not help if Trend continues to be incorrectly configured. It is something that they should do automatically, but for some reason do not.

Simon.
0
 
LVL 32

Assisted Solution

by:r-k
r-k earned 100 total points
ID: 18859344
I too would suggest disabling scanning of Exchange files asap. Here is a link you may find helpful:

 http://support.microsoft.com/kb/823166
0
 

Author Comment

by:pharmon96
ID: 18859355
Does Exchange with SP2 have a greylist or blacklist filter built in? If so can someone provide a link on how to set it up.

Sembee, do you have a recommendation for Exchange AV?
Thanks again everyone!
0
 
LVL 104

Expert Comment

by:Sembee
ID: 18859378
There is no greylisting support in Exchange 2003 from Microsoft.
I don't recommend blacklists either.

For Exchange level AV, the market leader was Sybari Antigen, now Microsoft Forefront. The other one I have put in to a few sites with success is GFI Mail Security.
You could also look at Grisoft AVG which I believe can be bought standalone. So many of the AV vendors want you to buy a suite.

Simon.
0
 
LVL 32

Expert Comment

by:r-k
ID: 18859573
Another option is an anti-spam add-on for Exchange. We have been using Ninja (formerly iHateSpam) for about three years. It has some rough edges, but I like the new version quite a bit now. It does have an AV plug-in, but I don't even use it. By simply using Ninja to block executable attachments (i.e. those that end in .exe, .bat, .pif etc.) I have not had an infected file get through in months. The new version also does a great job with spam and phishing type messages, catching maybe about 95%. The main downside is the extra load it puts on the server. If you want more specifics please post back.
0
 

Author Comment

by:pharmon96
ID: 18859619
Have any of you used ScanMail for spam/virus filtering? How does it rank against other products?
0
 

Author Comment

by:pharmon96
ID: 18864910
I noticed in the real-time ScanMail Filter log it shows messages found at SMTP. Does this mean Exchange is accepting email from SMTP? I pasted two examples below. Please let me know.

4/6/2007 12:08:33 PM - Message from "ha-melody.com@vadivorceattorney.com" found at "SMTP" [total 1 recipient(s)]
4/6/2007 12:06:25 PM - Message from "noreply@gearedon.com" found at "SMTP" [total 1 recipient(s)]
0
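One way to get more out of those ScanMail Realtime Monitor lines than eyeballing them is to parse them and tally by location and sender domain, and to sanity-check the daily scanned count against the size of the user base. The following is an added example, not code from the thread or from Trend Micro; the two quoted lines are from the post above, the other sample lines and the non-SMTP location name are constructed, and the per-user daily baseline is an assumption rather than a figure from the thread.

```python
# Added example (not from the thread): parser and tally for ScanMail Realtime
# Monitor lines, plus a crude volume check against the mailbox count.
# The per-user daily baseline below is an assumption, not a Trend figure.
import re
from collections import Counter
from datetime import datetime

LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+ [AP]M) - Message from "(?P<sender>[^"]*)" '
    r'found at "(?P<where>[^"]*)" \[total (?P<rcpts>\d+) recipient\(s\)\]$'
)


def parse_line(line):
    """Return a dict for one monitor line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "time": datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p"),
        "sender": m["sender"],
        "domain": m["sender"].rpartition("@")[2].lower(),
        "where": m["where"],
        "recipients": int(m["rcpts"]),
    }


def summarize(lines):
    """Count messages per 'found at' location and per sender domain."""
    by_where, by_domain = Counter(), Counter()
    for rec in filter(None, map(parse_line, lines)):  # unparsable lines are skipped
        by_where[rec["where"]] += 1
        by_domain[rec["domain"]] += 1
    return by_where, by_domain


def volume_is_anomalous(scanned, users, per_user_per_day=200):
    """True when the scanned count exceeds an assumed generous per-user ceiling."""
    return scanned > users * per_user_per_day


# First two lines quoted from the thread; the rest are constructed samples
# (the "Store" location name is made up for the sample, not a ScanMail value).
SAMPLE = [
    '4/6/2007 12:08:33 PM - Message from "ha-melody.com@vadivorceattorney.com" found at "SMTP" [total 1 recipient(s)]',
    '4/6/2007 12:06:25 PM - Message from "noreply@gearedon.com" found at "SMTP" [total 1 recipient(s)]',
    '4/6/2007 12:09:01 PM - Message from "noreply@gearedon.com" found at "SMTP" [total 3 recipient(s)]',
    '4/6/2007 12:09:40 PM - Message from "alice@example.com" found at "Store" [total 1 recipient(s)]',
    'garbage line that should be ignored',
]
```

With the thread's own numbers, `volume_is_anomalous(219_962, 70)` returns True, which is the point the poster was making about 70 users not receiving that much mail.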
