• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 266

virus problem

We are using Windows XP for our client PCs and Windows 2003 R2 for the servers. Amongst others we have a file server and an Exchange 2003 Server. Here are the two problems I'm facing lately:

1.   The file server freezes (and as a result all the clients that are using files that are located on that server freeze as well) every few days e.g. every week

I have scanned the server for viruses (using 2 different products) and all viruses have been cleaned (no viruses at the moment). I have also run extensive hardware diagnostic programs and all hardware appears to work fine.

2.  Emails are being sent to users from themselves (sender and recipient the same) with spam content that have been blocked by our anti-spam software. Please note that open SMTP relaying has been blocked on the exchange server. The exchange server appears clean from viruses too.

Any suggestion with regards to any of the above is welcome. My question is this:
Could it be a virus causing both my problems? And if there is a virus causing it and it is located on the client PCs (obviously not being detected by the AV software):
a) How do I find it?
b) How do I clean it? Especially if it is in a number of computers.
1 Solution
The second problem is standard spoofing. It will not be caused by anything local to your network. If you look at the headers of the messages you will see the email has come from outside your network. Very basic spammer's technique, almost impossible to stop without the use of antispam software.

I would doubt whether a server freeze would be caused by a virus. That is most likely to be a hardware problem. Failing disks, overheating, something like that.

olchsAuthor Commented:
We use Sophos Pure Message for Please find below details of a sample message that was blocked. Our domain is ourladys.hackney.sch.uk. Can you please advise? Not sure what to do next.

Envelope sender:

Envelope recipients:

Reason for Quarantine:
Item was quarantined due to a content threat

X-PMWin-Version: 2.6.1, Antispam-Engine: 2.5.2, Antivirus-Engine: 2.51.0
thread-index: AcgwGGt1ESJXC2vETIqCcJq2k9noHw==
Received: from potvora ([]) by olc06.OLCHS.local with Microsoft SMTPSVC(6.0.3790.3959); Mon, 26 Nov 2007 10:38:01 +0000
Received: (qmail 50823 by uid 298); Mon, 26 Nov 2007 11:34:58 +0100
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4133
Content-class: urn:content-classes:message
Importance: normal
Priority: normal
Message-ID: <20071126123458.50825.qmail@potvora>
To: <lstrotskaia@ourladys.hackney.sch.uk>
Subject: November 71% OFF
From: "Burton@Viagra.com" <lstrotskaia@ourladys.hackney.sch.uk>
Return-Path: <lstrong_vb@icqmail.com>
X-OriginalArrivalTime: 26 Nov 2007 10:38:01.0853 (UTC) FILETIME=[6B5AF2D0:01C83018]
Date: 26 Nov 2007 10:38:01 +0000

begin 666 November 71% OFF.htm

<content removed by sembee>

This is the key line

Received: from potvora ([]) by olc06.OLCHS.local with Microsoft SMTPSVC(6.0.3790.3959

The message came in from outside. That IP address is in the Czech Republic.
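The check described above (read the Received chain, find where the message crossed into your own servers, and compare that with what the From line claims) can be automated. The following is an added example, not code from the original thread or from Sophos PureMessage. The message is a constructed sample modelled on the quarantined headers quoted above; the connecting IP (203.0.113.10, a documentation address) and the list of internal hostname suffixes are assumptions, since the post does not include them.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, modelled on the quarantined message quoted in the thread.
# The connecting IP is a TEST-NET-3 documentation address; the real one was
# not included in the post.
SAMPLE = """\
Received: from potvora ([203.0.113.10]) by olc06.OLCHS.local with Microsoft SMTPSVC(6.0.3790.3959); Mon, 26 Nov 2007 10:38:01 +0000
Received: (qmail 50823 by uid 298); Mon, 26 Nov 2007 11:34:58 +0100
Message-ID: <20071126123458.50825.qmail@potvora>
To: <lstrotskaia@ourladys.hackney.sch.uk>
Subject: November 71% OFF
From: "Burton@Viagra.com" <lstrotskaia@ourladys.hackney.sch.uk>
Return-Path: <lstrong_vb@icqmail.com>
Date: 26 Nov 2007 10:38:01 +0000

(body omitted)
"""

# Hostname suffixes assumed to belong to our own mail infrastructure.
INTERNAL_SUFFIXES = ("olchs.local", "ourladys.hackney.sch.uk")

# Matches "from <helo> ([ip]) by <server>" as written by the IIS/Exchange SMTP service.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\(\[?(?P<ip>\d+\.\d+\.\d+\.\d+)\]?\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def is_internal(host):
    return host.lower().rstrip(";").endswith(INTERNAL_SUFFIXES)


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def parse_received(value):
    m = RECEIVED_RE.search(value)
    return m.groupdict() if m else None


def entry_hop(msg):
    """Return the Received hop where one of our servers accepted the message
    from a host outside our network. Received headers are prepended by each
    relay, so the first match from the top is the most recent hand-off."""
    for value in msg.get_all("Received", []):
        hop = parse_received(value)
        if hop and is_internal(hop["by"]) and not is_internal(hop["helo"]):
            return hop
    return None


def spoof_indicators(msg):
    """Collect the signs a reviewer would note when reading the headers by hand."""
    sender = parseaddr(msg.get("From", ""))[1]
    recipient = parseaddr(msg.get("To", ""))[1]
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    hop = entry_hop(msg)
    findings = []
    if hop and domain_of(sender) in INTERNAL_SUFFIXES:
        findings.append(
            f"From claims our domain but the message entered from {hop['helo']} ({hop['ip']})"
        )
    if sender and sender == recipient:
        findings.append("sender address equals recipient address")
    if return_path and domain_of(return_path) != domain_of(sender):
        findings.append(
            f"Return-Path domain {domain_of(return_path)} differs from From domain {domain_of(sender)}"
        )
    return findings


def analyse(raw):
    msg = message_from_string(raw)
    return {"entry_hop": entry_hop(msg), "indicators": spoof_indicators(msg)}


if __name__ == "__main__":
    result = analyse(SAMPLE)
    print("entered network via:", result["entry_hop"])
    for finding in result["indicators"]:
        print("-", finding)
```

The hop returned by `entry_hop` is the line the answer above calls "the key line": the first Received header written by your own server names the host that actually connected, and nothing the sender puts in From or To can alter it.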


olchsAuthor Commented:
Thank you. Can I do anything to stop this from happening?
olchsAuthor Commented:
How do they do it? I have blocked open SMTP relaying.
Has nothing to do with relaying.

SMTP is insecure. I could send you an email from bill.gates@microsoft.com, tony.blair@downingstreet.co.uk or whatever and it would appear to come from that address. It is only when you look at headers that you can see the message didn't come from a server it should have done.

There have been initiatives to stop this kind of spoofing, such as SPF but their effectiveness is limited because the use is so low.

Practically nothing you can do to stop it without risking a block of legitimate email.
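To make concrete how the SPF initiative mentioned above works, here is an added example (not code from the thread or from any product named in it). It is a deliberately small evaluator covering only the ip4, a, mx, include and all mechanisms of SPF; macros, redirect and exp are left out. The DNS records are a constructed in-memory table: the school's domain is given a hypothetical record, and the Return-Path domain from the sample message is assumed, purely for illustration, to publish none.

```python
import ipaddress

# Constructed DNS data. None of these records exist as written; the entry for
# the school's domain is hypothetical, and icqmail.com is assumed here to have
# no SPF record only so that the "none" result can be shown.
DNS = {
    "ourladys.hackney.sch.uk": {
        "TXT": ["v=spf1 ip4:198.51.100.0/24 mx -all"],
        "MX": ["mail.ourladys.hackney.sch.uk"],
    },
    "mail.ourladys.hackney.sch.uk": {"A": ["192.0.2.25"]},
    "hosted-filter.test": {"TXT": ["v=spf1 ip4:192.0.2.128/25 ~all"]},
    "partner-school.test": {"TXT": ["v=spf1 include:hosted-filter.test -all"]},
    "icqmail.com": {},
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    return DNS.get(name.lower(), {}).get(rtype, [])


def spf_record(domain):
    for txt in lookup(domain, "TXT"):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def check_spf(ip, domain, depth=0):
    """Evaluate the envelope-sender domain's SPF record against the connecting IP.
    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'."""
    if depth > 10:  # guard against include loops
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"  # domain publishes nothing: the receiver learns nothing
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term and term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        if not term:
            continue
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        matched = False
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = any(ipaddress.ip_address(a) == addr for a in lookup(arg or domain, "A"))
        elif mech == "mx":
            hosts = lookup(arg or domain, "MX")
            matched = any(ipaddress.ip_address(a) == addr for h in hosts for a in lookup(h, "A"))
        elif mech == "include":
            matched = check_spf(ip, arg, depth + 1) == "pass"
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"  # no mechanism matched and no explicit "all"


if __name__ == "__main__":
    # A message claiming the school as envelope sender, arriving from an outside host
    print(check_spf("203.0.113.10", "ourladys.hackney.sch.uk"))  # fail
    # The same from the school's own outbound range
    print(check_spf("198.51.100.25", "ourladys.hackney.sch.uk"))  # pass
    # A domain with no record at all gives the receiver nothing to act on
    print(check_spf("203.0.113.10", "icqmail.com"))  # none
```

Two points the code makes visible: the record is checked for the envelope sender (the Return-Path domain), so a receiver only gains anything when that domain has chosen to publish one, and a "none" result is exactly the case the answer above describes, a domain that has not adopted SPF.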

olchsAuthor Commented:
Thank you for that information and I really appreciate your help. There is, however, one last thing that I still haven't understood:

What happens is this: our users receive messages from the content filtering software saying that an email that they have sent has been blocked due to its content. That email appears to be one that they have sent to themselves, which they obviously haven't.

If I'm not mistaken you are suggesting that somebody in the Czech Republic is sending spam to our users using their own email address as the sender's address. If that is the case, how does he know what their email address is in the first place?

If that is not what you are suggesting, could you please explain what is happening?

Again, thank you very much for your help and your patience.

It's a machine in the Czech Republic sending the message. The user of the machine probably doesn't know anything about it, as their machine will have been compromised and is a member of a botnet.

Spammers pick up email addresses in many ways - users posting to newsgroups, websites, forums etc. Straight guesses, too, so most combinations of firstname.lastname or initialsurname etc.
