
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 245
  • Last Modified:

Huge amounts of Spyware being sent from server

OK. I have a company that has been sending huge amounts of spam each day. We have made sure that it is not an open relay.
I have installed AVG for Networks and scanned each machine.
I have also run Ad-Aware, Spybot and Windows Defender scans on each machine and removed anything that was a threat. All machines have System Restore turned off.
Each machine, including the server, is now apparently free of threats; however, when I check the queues in System Manager that I have frozen, there are dozens of spam messages waiting to go out as "'RANDOMNAME'@YAHOO.COM".
Is there any way that I can try to find out which machine is sending this out, apart from turning them off individually and seeing which one is the culprit? Or is there a way I can just set my SMTP connector to only allow specific users to send e-mail through the server, and all other e-mail addresses will be denied?
There are 11 machines on the network, all running XP Professional SP2, and 1 server running SBS 2003 with the latest updates.
Any ideas or help would be hugely appreciated, as this is very urgent now.

Thanks
0
Asked: webpolsol
  • 3
  • 3
1 Solution
 
NetAdminGuyCommented:
Get Ethereal (or better yet Windump, if you prefer command line over GUI) and install it along with WinPcap on the mail server.  This will allow you to see where the offensive traffic is coming from, and you can address that unit without disrupting the rest of the network.  Given the level of scans and such you have done so far, I suspect you've either missed a unit in a closet etc., or when you find the unit it should be wiped.
0
 
webpolsolAuthor Commented:
Thanks, I'll get hold of Ethereal and see what happens from there.
I'll let you know how I get on.
0
 
Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:
I doubt very much that this is actual SPAM.  Most often emails get stuck in the queue due to SPAM "backscattering".  (See: Backscatter of email spam at http://en.wikipedia.org/wiki/Backscattering.)

This doesn't mean that your server is open for spammers to relay through, but you should check that as well.

Instructions for checking and cleaning up the queues are here:  
http://www.amset.info/exchange/spam-cleanup.asp

Jeff
TechSoEasy
0
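The two pieces of advice above, capturing port 25 traffic on the mail server to see which LAN host is actually submitting the messages (NetAdminGuy) and checking whether the queued items are backscatter bounces rather than spam from a workstation (Jeff), both come down to tabulating SMTP sessions by source address and reverse path. The following Python script is an added example, not part of this thread and not code from Ethereal, Windump or EXInsight; it works over constructed session summaries of the kind you would write down from a capture. The three-column input layout, the server address 192.168.1.2 and the domain company.example are assumptions for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of per-session summaries, as a packet capture on the
# mail server (Ethereal/Windump with a "tcp port 25" filter) would let you
# tabulate. The layout is an assumption for this example, not an Exchange
# log format: client IP, MAIL FROM address, RCPT TO address.
SAMPLE_SESSIONS = """\
# client_ip  mail_from                 rcpt_to
192.168.1.2  <>                        <x7q2pb@yahoo.com>
192.168.1.2  <>                        <k93mzl@yahoo.com>
192.168.1.37 <a0p4rr@yahoo.com>        <victim1@example.net>
192.168.1.37 <qq81vn@yahoo.com>        <victim2@example.net>
192.168.1.37 <zt55ma@yahoo.com>        <victim3@example.net>
192.168.1.37 <h2n0ke@yahoo.com>        <victim4@example.net>
192.168.1.42 <pete@company.example>    <customer@example.org>
192.168.1.42 <pete@company.example>    <supplier@example.org>
"""

SERVER_IP = "192.168.1.2"          # assumption: the SBS box's LAN address
LOCAL_DOMAIN = "company.example"   # assumption: the company's own mail domain

LINE_RE = re.compile(r"^(\S+)\s+<([^>]*)>\s+<([^>]*)>$")


def parse_sessions(text):
    """Turn the summary text into a list of (client_ip, mail_from, rcpt_to)."""
    sessions = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable session line: {line!r}")
        sessions.append(m.groups())
    return sessions


def classify(sessions, server_ip=SERVER_IP, local_domain=LOCAL_DOMAIN):
    """Separate bounces from real submissions and tally senders per host.

    A session with an empty reverse path (MAIL FROM:<>) is a bounce; when the
    server itself originates these towards random outside addresses, that is
    backscatter, not a LAN machine sending spam. Everything else is a real
    submission, and we record which sender addresses each LAN host used.
    """
    backscatter = 0
    submissions = Counter()
    senders = defaultdict(set)
    for client_ip, mail_from, rcpt_to in sessions:
        if mail_from == "":
            backscatter += 1
            continue
        submissions[client_ip] += 1
        senders[client_ip].add(mail_from.lower())
    # Hosts whose sender addresses are all outside the company's own domain:
    # a workstation that never sends as the company is worth a close look.
    foreign = {
        ip: sorted(addrs)
        for ip, addrs in senders.items()
        if ip != server_ip
        and not any(a.endswith("@" + local_domain) for a in addrs)
    }
    return {
        "backscatter": backscatter,
        "submissions": dict(submissions),
        "foreign_senders": foreign,
    }


def suspect_hosts(sessions, min_distinct=3, **kw):
    """LAN hosts that used at least min_distinct different non-company senders."""
    report = classify(sessions, **kw)
    return sorted(
        ip for ip, addrs in report["foreign_senders"].items()
        if len(addrs) >= min_distinct
    )


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_SESSIONS)
    report = classify(sessions)
    print(f"bounce (backscatter) sessions: {report['backscatter']}")
    for ip, n in sorted(report["submissions"].items()):
        distinct = len(report["foreign_senders"].get(ip, []))
        print(f"{ip}: {n} submissions, {distinct} distinct foreign sender addresses")
    print("suspect hosts:", suspect_hosts(sessions))
```

Run against the constructed sample, the two null-sender sessions from the server are counted as backscatter, 192.168.1.42 is ignored because it sends as a company address, and 192.168.1.37 is reported as the suspect because it submitted under four different throwaway yahoo.com senders; that is the machine to pull off the network and inspect, rather than powering off workstations one at a time.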
 
webpolsolAuthor Commented:
The company has had multiple phone calls from Demon Internet, who are their ISP, saying that they are continuously sending out spam mail. They have been cut off about twice and have now been allowed to send as long as mail is filtered by the administrator.
I tried downloading and installing Ethereal from the official site, but the server will not let me install it, saying that it contains a virus or is corrupt.
Would Spybot/Windows Defender or AVG be blocking this installation, or would it be a threatening piece of software?
If there is a safe place to download the software, where should I get it from?
0
 
Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:
Well, then the second link I provided would help you check to make sure the server's not relaying.

But instead of Ethereal, use EXInsight which will give you a direct view of what's happening with Exchange itself.

http://bitrunes.com

Jeff
TechSoEasy
0
 
Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:
You can install EXInsight on any LAN PC.  Don't put it on the server itself.

Jeff
TechSoEasy
0
 
webpolsolAuthor Commented:
Hi, sorry I haven't been back in touch for a while; I've been monitoring the server.
I finally found out what the problem was. One of the employees had installed warez about a year ago and therefore allowed it through the AV and the firewall. So as the trouble has only just started and it wasn't a new program, none of the detectors seemed to pick it up.
I only found out by manually searching each employee's Program Files and manually cleaning them. So I've been monitoring for the last 2 weeks now and no spyware has gone out.
I have been using EXInsight to monitor network usage and everything seems firmly locked down now.

Thanks for your help

Pete
0