DNS Inquiries between Exchange and DNS for bbb.org - what is causing the inquiry?

Posted on 2007-07-25
Last Modified: 2013-12-04
An interesting quandary. I noticed a large number of failed DNS lookups from my MS W2K Exchange server to my MS W2K DNS server looking for consumer-complaints@bbb.org.

My admin notes that there was a bogus piece of SPAM that generated a nice little piece of malware claiming to be from bbb.org.

The domain is on SAV 10 and scans are run against all servers and clients. AV did find three copies of DOWNLOADER Trojan in a user's MBX, but it was deleted at the time of detection. Subsequent scans using both SAV tools and MS Malicious SW removal have turned up a clean machine. Inspection of the registry shows the same - a clean box. Network scans still show a fair number of inquiries.

Any ideas on how to determine what program is making the inquiry? I know where the problem is, but still trying to answer what is causing the issue?
Question by:Penford-DCO
LVL 8

Expert Comment

by:banks1850
ID: 19565819
Tough to do after the fact unless you had message tracking turned on. If it is still happening, you can turn that on, or you can use Ethereal or some other sniffer and filter for bbb.org in SMTP traffic. Unless you are logging either mail activity or your network activity (doubtful as they both take up a LOT of space and are only useful in limited situations) it's tough to track past email actions.
 
LVL 32

Accepted Solution

by: r-k (earned 1500 total points)
ID: 19566377
Are the DNS queries for bbb.org still ongoing? Normally the Exch server should cache the results for so many hours.

Probably best to check for malware a bit more:

(1) Run "netstat -an" on the Exch server to see what ports are open. Follow up with TCPView (http://www.microsoft.com/technet/sysinternals/Networking/TcpView.mspx) if you notice anything unexplained.

(2) Check running processes and startups with HijackThis and/or Autoruns.
(http://www.hijackthis.de/)
(http://www.microsoft.com/technet/sysinternals/utilities/Autoruns.mspx)
 

Author Comment

by:Penford-DCO
ID: 19568227
Thank you all - the utilities are extremely useful.

I have reviewed the server and nothing is out of sorts.

Given the above, I checked the Anti-Spam SW. It is running SAV for MS Exchange. In the DNS lookup failures, I noted that some of them were wildcard lookups. Something one would see in the SAV Blacklist. When I removed the entries, DNS lookups disappeared.

Box is happy.
 
LVL 32

Expert Comment

by:r-k
ID: 19568989
Thanks for the update. Makes sense in retrospect.
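
One way to triage failed lookups like the ones in this thread, as an added example that is not part of the original posts: group failures by client and flag queried names that are not valid host names (an e-mail address such as consumer-complaints@bbb.org, or a wildcard pattern), which points at an application passing list entries to the resolver. The log layout, IP addresses and function names are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: "<time> <client-ip> <queried-name> <rcode>".
# This simplified layout is an assumption, not the Windows DNS debug log format.
SAMPLE_LOG = """\
10:01:02 192.0.2.10 consumer-complaints@bbb.org NXDOMAIN
10:01:03 192.0.2.10 *.bbb.org NXDOMAIN
10:01:05 192.0.2.10 mail.example.com NOERROR
10:01:09 192.0.2.25 www.example.net NXDOMAIN
10:02:02 192.0.2.10 consumer-complaints@bbb.org NXDOMAIN
10:02:03 192.0.2.10 *@bbb.org NXDOMAIN
"""

# One RFC 1123 host label: letters, digits, hyphen; no leading/trailing hyphen.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def classify(qname):
    """Say what kind of string was handed to the resolver."""
    if "*" in qname:
        return "wildcard-pattern"    # a list/filter pattern, not a host name
    if "@" in qname:
        return "mailbox-shaped"      # an e-mail address, not a host name
    labels = qname.rstrip(".").split(".")
    return "hostname" if all(LABEL.match(l) for l in labels) else "malformed"

def failed_lookups(log_text):
    """Return {client_ip: Counter of (kind, qname)} for failed queries only."""
    out = defaultdict(Counter)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                 # skip lines that do not fit the layout
        _time, client, qname, rcode = parts
        if rcode != "NOERROR":
            out[client][(classify(qname), qname.lower())] += 1
    return out

def suspects(log_text):
    """Per client, count failed lookups for names that are not valid host names."""
    return {c: sum(n for (kind, _), n in hits.items() if kind != "hostname")
            for c, hits in failed_lookups(log_text).items()
            if any(kind != "hostname" for kind, _ in hits)}

if __name__ == "__main__":
    for client, hits in failed_lookups(SAMPLE_LOG).items():
        for (kind, qname), n in hits.most_common():
            print(f"{client}  {n:>3}  {kind:<17} {qname}")
```

A client that shows up in `suspects` is worth checking for configured address or domain lists (filters, blacklists) before assuming resident malware.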