Solved

Exchange 2003 SPAM and Virus Problem

Posted on 2007-04-05
Last Modified: 2008-02-26
We are running Exchange 2003 SP2 (on a Win2k3 Server) with Trend Micro Scanmail 7.0 for spam/virus filtering. Trend Micro OfficeScan 7.3 is also running on this server now. The mail clients are a mix of Outlook 2k and 2k3.

I've only been in my position for about 7 months and I've inherited this network configuration. This server is hit by a lot of spam and viruses now. Here is a little back history on the problem. About 2 months after I started here I came in one morning to find our Internet gateway being flooded with traffic. No one could access the Internet. I unplugged the Exchange Server and everything went back to normal. At that time only Scanmail was installed on the Exchange Server for filtering and virus protection (no OfficeScan). I installed OfficeScan and its real time scan identified a worm (I don't remember which one now) in \Program Files\Exchsrvr\Mailroot\vsi 1\Queue\. OfficeScan reported, “OfficeScan detected a security risk but is unable to clean or quarantine the file”. Even though OfficeScan reported it could not fix the problem, the problem stopped! The spamming stopped. So with the help of a Microsoft MCSE we wiped and reloaded the server. (Loaded Exchange with SP2, an Exchange Hotfix, ScanMail 7, and OfficeScan 7.3.) Everything was running great. Some users were getting about 100 spam messages a day and that went to 0 after the reinstall. Well, about a month or 2 later OfficeScan started reporting worm after worm in the \Program Files\Exchsrvr\Mailroot\vsi 1\Queue\ folder (for example, Worm Bagle.JG in infected file NTFS_4bae9c0201c7754900026438.EML (rqrzppmouic.exe)). OfficeScan detects on average 4 to 5 worms a day (Worm Bagle.JG, Possible_Strat-2, Worm Mydoom, Worm Netsky, and Mytob.AE) and now some spam is getting through Scanmail. In a 24 hour period (4/4-4/5) Scanmail Realtime Monitor reported 219,962 messages scanned and only 2,788 were spam messages. We only have about 70 users and they do not receive that much email! Now I’m afraid Exchange has been compromised and possibly relaying spam!

I need some help PLEASE!
Question by:pharmon96

14 Comments

LVL 10

Expert Comment

by:mcrossland
The very first thing that I would do is move your spam protection to an external provider.  This lets them handle the load of virus and spam scanning which reduces the load of your exchange server first.
I currently use www.postini.com and am very pleased with delivery time.  Usually within seconds.
As far as your Exchange system already being compromised, I also layer a virus scanning solution on my Exchange servers that uses multiple scan engines.  You can get a free trial which will clean your exchange store at http://www.microsoft.com/antigen/downloads/privacy-exchange-sm.mspx
I have been using Antigen for Exchange for YEARS and it works wonderfully to keep the information store clean of viruses both inbound and outbound.  Such a nice product that Microsoft purchased it.
 
LVL 10

Expert Comment

by:mcrossland
Forgot to mention that when you set up an external spam filter service, best practice is to ONLY accept port 25 email from their IP range. This takes care of a lot of CRAP.
 
LVL 104

Accepted Solution

by:Sembee (earned 400 total points)
The first thing you need to do is fix Trend.
OfficeScan should not be scanning anything in \exchsrvr\mailroot. Put exclusions in to stop it from scanning there. That is what Scanmail is for.

Have you got recipient filtering enabled? If not, turn it and tar pit on.
http://www.amset.info/exchange/filterunknown.asp

Are you using IMF? That can cut down on some of the spam the users receive.
http://www.amset.info/exchange/imf.asp

The other thing you might want to consider is greylisting. This is still very effective for me in dealing with spam, one or two get through. As long as your email is not time critical (ie you cannot tolerate a delay of a minute or so) then greylisting can be quite effective.

My preferred tool for greylisting is Vamsoft ORF which is cheap and has a 30 day trial so you can see how effective it is.
You could also look at this one: http://www.grynx.com/projects/greylist/ which does just greylisting and is free, but I haven't got round to trying it.

Finally, you may have a compromised administrator account. If you don't have any users sending email through your users with Outlook Express etc, then disable or restrict authenticated relaying.
http://www.amset.info/exchange/smtp-relaysecure.asp

Simon.
 

Author Comment

by:pharmon96
Thank you for all the info..

mcrossland, I will look into your suggestions. We are thinking about purchasing a Barracuda Filter to go in front of Exchange. What do you think of that idea?

Sembee, I understand Trend shouldn't be scanning \exchsrvr\mailroot but I've been afraid to exclude it because of what happened originally when OfficeScan was not installed on the server. ScanMail did not stop the problem and the server started spamming.
 
LVL 10

Expert Comment

by:mcrossland
One of the main reasons that I personally prefer an external spam filter is for bandwidth reasons.  The spam never comes through our internet connection.  I think Barracuda is an internal server, correct?
 

Author Comment

by:pharmon96
Yes Barracuda is an internal server..
 
LVL 10

Expert Comment

by:mcrossland
Never tried it so I'm not the right person to answer that part of the question.  :)
 
LVL 104

Expert Comment

by:Sembee
I wouldn't necessarily say that an external provider is the solution here. They are not the solution to everything. I have a client who cannot use an external provider because they block too much legitimate email.
If you have already made the investment in the software then you should use that.

Excluding the folders is not a do-nothing option. You must do it for Exchange to operate correctly. Otherwise what happens is that the AV software tries to scan the files as Exchange is processing them.

If scanmail didn't catch something then it is not fit for purpose and should be replaced. I always recommend having something different for Exchange AV than what is on the desktops to provide multiple layers of protection.

A barracuda or external service will not help if Trend continues to be incorrectly configured. It is something that they should do automatically - but for some reason do not.

Simon.
 
LVL 32

Assisted Solution

by:r-k (earned 100 total points)
I too would suggest disabling scanning of Exchange files asap. Here is a link you may find helpful:

 http://support.microsoft.com/kb/823166
 

Author Comment

by:pharmon96
Does Exchange with SP2 have a greylist or blacklist filter built in? If so can someone provide a link on how to set it up.

Sembee, do you have a recommendation for Exchange AV?
Thanks again everyone!
 
LVL 104

Expert Comment

by:Sembee
There is no greylisting support in Exchange 2003 from Microsoft.
I don't recommend blacklists either.

For Exchange level AV, the market leader was Sybari Antigen, now Microsoft Forefront. The other one I have put in to a few sites with success is GFI Mail Security.
You could also look at Grisoft AVG which I believe can be bought standalone. So many of the AV vendors want you to buy a suite.

Simon.
 
LVL 32

Expert Comment

by:r-k
Another option is an anti-spam add-on for Exchange. We have been using Ninja (formerly iHateSpam) for about three years. It has some rough edges, but I like the new version quite a bit now. It does have an AV plug-in, but I don't even use it. By simply using Ninja to block executable attachments (i.e. those that end in .exe, .bat, .pif etc.) I have not had an infected file get through in months. The new version also does a great job with spam and phishing type messages, catching maybe about 95%. The main downside is the extra load it puts on the server. If you want more specifics please post back.
 

Author Comment

by:pharmon96
Have any of you used ScanMail for spam/virus filtering? How does it rank against other products?
 

Author Comment

by:pharmon96
I noticed in the real time ScanMail Filter log it shows messages found at SMTP. Does this mean Exchange is accepting email from SMTP? I pasted two examples below. Please let me know.

4/6/2007 12:08:33 PM - Message from "ha-melody.com@vadivorceattorney.com" found at "SMTP" [total 1 recipient(s)]
4/6/2007 12:06:25 PM - Message from "noreply@gearedon.com" found at "SMTP" [total 1 recipient(s)]
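A small log-triage script, added here as an example and not code from the thread or from Trend Micro: it parses lines in the Realtime Monitor format pasted above (the two quoted lines plus constructed ones), counts where messages were found and by sender domain, and flags own-domain senders arriving at SMTP, messages fanned out to many recipients, and total volume out of proportion to the user count. The domain example.local, the user jsmith, and the thresholds are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the ScanMail Realtime Monitor format quoted in the post.
# The first two lines are the ones pasted above; the other two are made up here.
SAMPLE_LOG = """\
4/6/2007 12:08:33 PM - Message from "ha-melody.com@vadivorceattorney.com" found at "SMTP" [total 1 recipient(s)]
4/6/2007 12:06:25 PM - Message from "noreply@gearedon.com" found at "SMTP" [total 1 recipient(s)]
4/6/2007 12:06:40 PM - Message from "jsmith@example.local" found at "SMTP" [total 350 recipient(s)]
4/6/2007 12:07:02 PM - Message from "jsmith@example.local" found at "MAPI" [total 2 recipient(s)]
"""

LINE_RE = re.compile(
    r'^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) - '
    r'Message from "(?P<sender>[^"]*)" found at "(?P<where>[^"]+)" '
    r'\[total (?P<rcpts>\d+) recipient\(s\)\]$')

def parse_lines(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"ts": datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p"),
                           "sender": m["sender"].lower(), "where": m["where"],
                           "rcpts": int(m["rcpts"])})
    return events

def triage(events, own_domain, user_count, per_user_per_day=100, max_rcpts=50):
    """Summarise where messages enter and flag patterns that suggest outbound abuse.
    Assumes `events` covers one day of log (thresholds are assumed values)."""
    by_source = Counter(e["where"] for e in events)
    by_domain = Counter(e["sender"].rsplit("@", 1)[-1] for e in events)
    flags = []
    for e in events:
        # An own-domain sender arriving over SMTP is either a spoofed envelope or a
        # client submitting through (authenticated) relay, which is worth restricting.
        if e["where"] == "SMTP" and e["sender"].endswith("@" + own_domain):
            flags.append(("own-domain-sender-at-smtp", e["sender"]))
        if e["rcpts"] > max_rcpts:  # one message fanned out to many recipients
            flags.append(("bulk-recipient-count", e["sender"]))
    # Sanity check: total volume against what the user population could plausibly account for
    if events and len(events) / user_count > per_user_per_day:
        flags.append(("volume-exceeds-expectation", f"{len(events) / user_count:.1f}/user/day"))
    return {"by_source": dict(by_source), "by_domain": dict(by_domain), "flags": flags}
```

Running `triage(parse_lines(full_log), "yourdomain", 70)` over a real day's log gives the breakdown by entry point that the question asks about, and the 219,962-message figure from the post would trip the volume flag at any sane per-user threshold.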
