DNS Inquiries between Exchange and DNS for - what is causing the inquiry?

Posted on 2007-07-25
Last Modified: 2013-12-04
An interesting quandary. I noticed a large number of failed DNS lookups from my MS W2K Exchange server to my MS W2K DNS server looking for  

My admin notes that there was a bogus piece of SPAM that generated a nice little piece of malware claiming to be from

The domain is on SAV 10 and scans are run against all servers and clients. AV did find three copies of DOWNLOADER Trojan in a user's MBX, but it was deleted at the time of detection. Subsequent scans using both SAV tools and MS Malicious SW Removal have turned up a clean machine. Inspection of the registry shows the same - a clean box. Network scans still show a fair number of inquiries.

Any ideas on how to determine what program is making the inquiry? I know where the problem is, but am still trying to answer what is causing the issue.
Question by:Penford-DCO
    LVL 8

    Expert Comment

    Tough to do after the fact unless you had message tracking turned on. If it is still happening, you can turn that on, or you can use Ethereal or some other sniffer and filter for SMTP traffic. Unless you are logging either mail activity or your network activity (doubtful, as they both take up a LOT of space and are only useful in limited situations), it's tough to track past email actions.
    LVL 32

    Accepted Solution

    Are the DNS queries for still ongoing? Normally the Exch server should cache the results for so many hours.

    Probably best to check for malware a bit more:

    (1) Run "netstat -an" on the Exch server to see what ports are open. Follow up with TCPView ( if you notice anything unexplained.

    (2) Check running processes and startups with HijackThis and/or Autoruns.
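The "netstat -an" step above tells you which ports are open but not which process owns them; the PID-to-process mapping is what actually answers "what program is making the inquiry?". The following PowerShell script is an added example, not code from the thread or from any of the tools named in it. It runs netstat with the -o switch (present on Windows XP/2003 and later; Windows 2000's netstat lacks it, which is why the answer points to TCPView there), picks out every endpoint talking to a given remote port (53 for DNS), and joins each one to its owning process via WMI so you see the image path and command line. The function name Get-NetstatOwner and the -RemotePort parameter are this example's own.

```powershell
# Added example (not from the original thread): attribute netstat endpoints to
# the process that owns them, so an unexplained DNS client (TCP/UDP 53) can be
# traced to an executable. Assumes a Windows host whose netstat supports -o
# (XP/2003 and later; not available on Windows 2000) and WMI access.

function Get-NetstatOwner {
    param(
        # Remote port of interest; 53 = DNS. Use 25 to see SMTP peers instead.
        [int]$RemotePort = 53
    )

    # Build a PID -> process lookup once. Win32_Process exposes the image path
    # and command line, which is what you need to decide whether a process is legitimate.
    $procs = @{}
    Get-WmiObject -Class Win32_Process | ForEach-Object {
        $procs[[int]$_.ProcessId] = $_
    }

    # "netstat -ano" lines look like (state column is absent for UDP):
    #   TCP    10.0.0.5:1043   10.0.0.2:53    ESTABLISHED   1412
    #   UDP    10.0.0.5:1044   *:*                          1412
    $pattern = '^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)(?:\s+(\S+))?\s+(\d+)\s*$'

    netstat -ano | ForEach-Object {
        if ($_ -match $pattern) {
            $proto  = $Matches[1]
            $lAddr  = $Matches[2]; $lPort = $Matches[3]
            $rAddr  = $Matches[4]; $rPort = $Matches[5]
            $state  = $Matches[6]
            $procId = [int]$Matches[7]   # $pid is a reserved automatic variable, so use $procId

            # Compare as strings: the remote port may be "*" for an unconnected UDP socket.
            if ($rPort -eq [string]$RemotePort) {
                $p = $procs[$procId]
                [pscustomobject]@{
                    Proto   = $proto
                    Local   = "${lAddr}:$lPort"
                    Remote  = "${rAddr}:$rPort"
                    State   = $state
                    PID     = $procId
                    Process = if ($p) { $p.Name }           else { '<exited>' }
                    Image   = if ($p) { $p.ExecutablePath } else { $null }
                    Command = if ($p) { $p.CommandLine }    else { $null }
                }
            }
        }
    }
}

# Usage: show every endpoint currently connected to a DNS server and who owns it.
Get-NetstatOwner -RemotePort 53 | Format-Table -AutoSize
```

A DNS lookup is a short-lived UDP exchange, so a single snapshot may miss it; run the function in a loop (for example every second while the failures are being logged on the DNS server) and keep the distinct PID/Image pairs it reports. An image path under a user profile or temp directory is the thing to follow up on with Autoruns, as the answer suggests; a path belonging to the mail server or its anti-spam product points back at configuration rather than malware.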

    Author Comment

    Thank you all - the utilities are extremely useful.

    I have reviewed the server and nothing is out of sorts.  

    Given the above, I checked the anti-spam SW. It is running SAV for MS Exchange. In the DNS lookup failures, I noted that some of them were wildcard lookups. Something one would see in the SAV blacklist. When I removed the entries, the DNS lookups disappeared.  

    Box is happy.
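The clue that closed this question was the shape of the failing names: a wildcard label is something a pattern-style blacklist entry produces and a real mail client never asks for. The script below is an added example, not code from the thread, showing how to pull that signal out of a Windows DNS server debug log: it decodes the log's label-length name notation ("(3)www(7)example(3)com(0)"), keeps only the failure responses the server sent back, flags names containing a "*" label, and counts repeats per client and name. The sample lines are constructed in the general layout of a Windows 2003 DNS debug log; other server versions shift the columns, so the patterns only anchor on the parts that matter. The function names ConvertFrom-DnsLabelName and Get-FailedDnsLookup and the -LogPath parameter are this example's own.

```powershell
# Added example (not from the original thread): summarise failed lookups in a
# Windows DNS server debug log and flag names containing a "*" label.
# Assumes the 2003-style debug log layout shown in the constructed sample;
# pass -LogPath to read a real log instead.
param([string]$LogPath)

function ConvertFrom-DnsLabelName {
    param([string]$Raw)   # e.g. "(3)www(7)example(3)com(0)"
    # Drop the terminating (0), turn each length prefix into a dot, strip the leading dot.
    return (($Raw -replace '\(0\)$', '') -replace '\(\d+\)', '.').TrimStart('.')
}

function Get-FailedDnsLookup {
    param([string[]]$Lines)

    foreach ($line in $Lines) {
        # Direction (Snd/Rcv) and the client the server is talking to.
        if (-not ($line -match '\b(Snd|Rcv)\s+(\S+)\s')) { continue }
        $direction = $Matches[1]; $client = $Matches[2]

        # Response code inside the [...] flags block; queries carry NOERROR there.
        if (-not ($line -match '\[[^\]]*\b(NOERROR|NXDOMAIN|SERVFAIL|REFUSED)\]')) { continue }
        $rcode = $Matches[1]

        # Record type followed by the name in label-length notation at end of line.
        if (-not ($line -match '\s(\S+)\s+((?:\(\d+\)[^()\s]*)+\(0\))\s*$')) { continue }
        $qtype = $Matches[1]
        $name  = ConvertFrom-DnsLabelName $Matches[2]

        # Only failure responses sent back to the client are interesting.
        if ($direction -eq 'Snd' -and $rcode -ne 'NOERROR') {
            [pscustomobject]@{
                Client   = $client
                Name     = $name
                Type     = $qtype
                RCode    = $rcode
                Wildcard = ($name.Split('.') -contains '*')
            }
        }
    }
}

# Constructed sample in the shape of a W2K3 DNS debug log (not a real capture).
# 10.0.0.5 stands in for the Exchange server; the spamhost.net name is invented.
$sample = @(
 '20070725 09:15:02 0F8 PACKET  UDP Rcv 10.0.0.5  0002   Q [0001   D   NOERROR] MX     (7)example(3)com(0)',
 '20070725 09:15:02 0F8 PACKET  UDP Snd 10.0.0.5  0002 R Q [8385 A DR  NOERROR] MX     (7)example(3)com(0)',
 '20070725 09:15:03 0F8 PACKET  UDP Rcv 10.0.0.5  0003   Q [0001   D   NOERROR] A      (1)*(8)spamhost(3)net(0)',
 '20070725 09:15:03 0F8 PACKET  UDP Snd 10.0.0.5  0003 R Q [8385 A DR NXDOMAIN] A      (1)*(8)spamhost(3)net(0)',
 '20070725 09:15:09 0F8 PACKET  UDP Rcv 10.0.0.5  0004   Q [0001   D   NOERROR] A      (1)*(8)spamhost(3)net(0)',
 '20070725 09:15:09 0F8 PACKET  UDP Snd 10.0.0.5  0004 R Q [8385 A DR NXDOMAIN] A      (1)*(8)spamhost(3)net(0)'
)

$lines = if ($LogPath) { Get-Content $LogPath } else { $sample }

# One row per distinct failing (client, name); wildcard names sort to the top
# of the follow-up list because nothing legitimate should be asking for them.
Get-FailedDnsLookup $lines |
    Group-Object Client, Name, Type, RCode, Wildcard |
    ForEach-Object {
        $first = $_.Group[0]
        [pscustomobject]@{
            Count    = $_.Count
            Client   = $first.Client
            Name     = $first.Name
            Type     = $first.Type
            RCode    = $first.RCode
            Wildcard = $first.Wildcard
        }
    } |
    Sort-Object Wildcard, Count -Descending | Format-Table -AutoSize
```

On the constructed sample this reports one row: two NXDOMAIN answers to 10.0.0.5 for "*.spamhost.net", flagged Wildcard. Against a real log, a Client column that is the Exchange server and a Wildcard column of True is exactly the pattern the author found, and the next step is to search the anti-spam product's blacklist for the same name rather than the process list.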
    LVL 32

    Expert Comment

    Thanks for the update. Makes sense in retrospect.
