Solved

Email messages sent that look like spam

Posted on 2007-11-15
Last Modified: 2010-05-18
Checked message tracking and noticed emails with abnormal (spam-type) subjects being sent from domain users' accounts. Some messages went to external email addresses, and in some others the sender and the recipient were the same domain user. I checked the users' Sent Items from their Outlook profiles and those sent items were not there. I ran a CA antivirus complete scan, nothing found, same with Symantec AV and Panda online. Also scanned desktops. Nothing found. These emails have been sent at random times, from several different users' mailboxes and with different subjects. Can't figure out where they are originating.
Question by:tmharris09
6 Comments

Expert Comment

by:SysExpert
ID: 20296360
Someone is probably spoofing your user addresses.

That is what spammers do.

These probably came from the outside, not the inside.

Else, you have some malware doing this on your LAN.


I hope this helps!

Expert Comment

by:dipak_in_2k
ID: 20296651
These all come from outside; check the IMF security zone and also check whether your SMTP might have an open relay.

Author Comment

by:tmharris09
ID: 20298839
How can the messages be sent from the outside if, when I view items being sent from that user, the spams show up? The message tracking tool does not know the difference if it's a spoofed address? Another thing I should note is that this IP was blacklisted for spam. I do believe there is something on the inside, but how do I find it? The server is not an open relay.

Accepted Solution

by:
SysExpert earned 500 total points
ID: 20300083
You may need to do network packet analysis, or use something like HijackThis logging on each machine to look for malware.

malware - Leetutor list
Have you tried running virus scans and spyware scans? This could be a problem with viruses/trojans/spyware or other malware. Some free online virus scanners:

http://housecall.antivirus.com  

http://www.pcpitstop.com/antivirus/default.asp

http://www.pandasoftware.com/activescan/com/activescan_principal.htm

Also try these free programs to rid your system of spyware, trojans, and other malware:

http://download.com.com/3000-2144-10194058.html?tag=lst-0-1
Spybot - Search & Destroy

http://download.com.com/3000-2094-10045910.html?legacy=cnet
LavaSoft Ad-aware  

I use BOTH of the above programs on my 3 Windows systems; what one program misses, the other catches.  Also make sure to download the most up-to-date data before you run the programs.

Another very good freeware program for ridding yourself of spyware is this:

http://www.superantispyware.com/
SuperAntiSpyware

You might also try this free program (HijackThis) -- install it in its own folder, don't download to your Desktop:

http://www.spychecker.com/download/download_hijackthis.html

HijackThis is a tool that is for advanced users, because it lists all the installed browser add-ons and startup items, allowing you to inspect them and then optionally remove any ones you select.  You must be careful in choosing what to remove, although the program can create a backup of your original settings.  But put a check mark to fix any home page or search page setting that HijackThis detects which you have not entered yourself.  The program has an option to download online updates of the hijack data.

You should first post the log at this site:  

http://www.hijackthis.de/index.php?langselect=english

and it will be automatically analyzed for you (after you click on the button labeled "Analyze" near the bottom of the page), telling you which entries (called "Nasty") should be fixed.  You will also be told if you have any items that are "Possibly Nasty", or "Unnecessary", or "Unknown". If you don't know what to do about these, you might find something on the module name by doing a Google search of the internet.

If you have any questions about what it is asking you to fix that you would like the E-E experts to comment on, then do this:  right above the Analyze button you will see this message: "The following analyses has been stored temporarily", and there will be a link where the analysis file will be saved (for a period of three days). Click on it and then copy the link of that page from the address bar of your browser and paste it here, and experts can check it for you.  (Please DON'T post the entire log itself in your question.)

In case you would like to learn more yourself how to use HijackThis, here are a couple of urls:

http://www.tomcoyote.org/hjt/
HijackThis Quick Start


http://www.spywareinfo.com/~merijn/htlogtutorial.html
HijackThis log tutorial

I hope this helps!

Author Comment

by:tmharris09
ID: 20302321
Blocked outbound port 25 on the firewall except for the server, checked the logs, and found the IP address of a machine hitting port 25. CA AV did not pick it up, but Symantec AV found it. Trojan.Pandex was the culprit.
0
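The approach in the last comment (block outbound port 25 for everything except the mail server, then read the firewall log for hosts that still try) can be scripted. This is an added example, not part of the original thread; the log format, IP addresses and the function name `smtp_offenders` are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in a made-up key=value format; adapt the regex to your firewall.
SAMPLE_LOG = """\
2007-11-16T02:14:07 action=deny proto=tcp src=192.168.1.37 sport=1041 dst=203.0.113.25 dport=25
2007-11-16T02:14:07 action=deny proto=tcp src=192.168.1.37 sport=1042 dst=198.51.100.9 dport=25
2007-11-16T02:14:08 action=allow proto=tcp src=192.168.1.10 sport=4410 dst=198.51.100.9 dport=25
2007-11-16T02:14:09 action=allow proto=tcp src=192.168.1.52 sport=2201 dst=203.0.113.80 dport=80
2007-11-16T02:14:10 action=deny proto=tcp src=192.168.1.37 sport=1043 dst=203.0.113.77 dport=25
2007-11-16T02:14:11 action=allow proto=tcp src=192.168.1.52 sport=2207 dst=192.168.1.10 dport=25
2007-11-16T02:14:12 action=deny proto=udp src=192.168.1.60 sport=5353 dst=203.0.113.5 dport=25
corrupted line without fields
2007-11-16T02:15:40 action=deny proto=tcp src=192.168.1.44 sport=3310 dst=203.0.113.25 dport=25
"""

FIELD = re.compile(r"(\w+)=(\S+)")

def smtp_offenders(lines, mail_servers, internal_net):
    """Return [(src, attempts, distinct_destinations)] for hosts other than the
    authorised mail servers that tried TCP/25 to an address outside internal_net."""
    net = ipaddress.ip_network(internal_net)
    attempts = defaultdict(int)
    dests = defaultdict(set)
    for line in lines:
        f = dict(FIELD.findall(line))
        if f.get("proto") != "tcp" or f.get("dport") != "25":
            continue
        try:
            src = ipaddress.ip_address(f["src"])
            dst = ipaddress.ip_address(f["dst"])
        except (KeyError, ValueError):
            continue  # malformed or truncated entry
        if str(src) in mail_servers or src not in net or dst in net:
            continue  # the server's own mail flow, or clients talking to it
        attempts[str(src)] += 1
        dests[str(src)].add(str(dst))
    # Busiest source first; ties broken by address for stable output.
    return sorted(((s, n, len(dests[s])) for s, n in attempts.items()),
                  key=lambda r: (-r[1], r[0]))

if __name__ == "__main__":
    hits = smtp_offenders(SAMPLE_LOG.splitlines(), {"192.168.1.10"}, "192.168.1.0/24")
    for src, n, d in hits:
        print(f"{src}: {n} outbound SMTP attempts to {d} distinct hosts")
```

A workstation that contacts many distinct external hosts on port 25 is the one to pull off the network and scan first.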
