Solved

virus problem

Posted on 2007-11-27
Last Modified: 2013-11-22
We are using Windows XP for our client PCs and Windows 2003 R2 for the servers. Amongst others we have a file server and an Exchange 2003 Server. Here are the two problems I'm facing lately:

1. The file server freezes (and as a result all the clients that are using files located on that server freeze as well) every few days, e.g. every week.

I have scanned the server for viruses (using 2 different products) and all viruses have been cleaned (no viruses at the moment). I have also run extensive hardware diagnostic programs and all hardware appears to work fine.

2. Emails are being sent to users from themselves (sender and recipient the same) with spam content, which have been blocked by our anti-spam software. Please note that open SMTP relaying has been blocked on the Exchange server. The Exchange server appears clean from viruses too.

Any suggestion with regards to any of the above is welcome. My question is this:
Could it be a virus causing both my problems? And if there is a virus causing it and it is located on the client PCs (obviously not being detected by the AV software):
a) How do I find it?
b) How do I clean it? Especially if it is on a number of computers.
Question by:olchs
8 Comments
 
LVL 104

Expert Comment

by:Sembee
ID: 20356970
The second problem is standard spoofing. It will not be caused by anything local to your network. If you look at the headers of the messages you will see the email has come from outside your network. Very basic spammers' technique, almost impossible to stop without the use of antispam software.

I would doubt whether a server freeze would be caused by a virus. That is most likely to be a hardware problem. Failing disks, overheating, something like that.

Simon.
 

Author Comment

by:olchs
ID: 20357321
Sembee,
We use Sophos Pure Message for Please find below details of a sample message that was blocked. Our domain is ourladys.hackney.sch.uk. Can you please advise? Not sure what to do next.

SOURCE:
Envelope sender:
lstrong_vb@icqmail.com

Envelope recipients:
lstrotskaia@ourladys.hackney.sch.uk

From:
lstrotskaia@ourladys.hackney.sch.uk

To:
lstrotskaia@ourladys.hackney.sch.uk

Cc:

Type:
Message

Reason for Quarantine:
Item was quarantined due to a content threat


DETAILS:
X-PMWin-Version: 2.6.1, Antispam-Engine: 2.5.2, Antivirus-Engine: 2.51.0
X-PMWin-Spam: Gauge=XXXXXXXXII, Probability=82%, Report='__HAS_MSGID, __SANE_MSGID, __RUS_MIME_NO_TEXT, EMPTY_BODY, __MIME_TEXT_ONLY, RELAY_IN_CBL'
thread-index: AcgwGGt1ESJXC2vETIqCcJq2k9noHw==
Received: from potvora ([88.83.225.253]) by olc06.OLCHS.local with Microsoft SMTPSVC(6.0.3790.3959); Mon, 26 Nov 2007 10:38:01 +0000
Received: (qmail 50823 by uid 298); Mon, 26 Nov 2007 11:34:58 +0100
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4133
Content-class: urn:content-classes:message
Importance: normal
Priority: normal
Message-ID: <20071126123458.50825.qmail@potvora>
To: <lstrotskaia@ourladys.hackney.sch.uk>
Subject: November 71% OFF
From: "Burton@Viagra.com" <lstrotskaia@ourladys.hackney.sch.uk>
Return-Path: <lstrong_vb@icqmail.com>
X-OriginalArrivalTime: 26 Nov 2007 10:38:01.0853 (UTC) FILETIME=[6B5AF2D0:01C83018]
Date: 26 Nov 2007 10:38:01 +0000


begin 666 November 71% OFF.htm

<content removed by sembee>

`
end
 
LVL 104

Expert Comment

by:Sembee
ID: 20357503
This is the key line:

Received: from potvora ([88.83.225.253]) by olc06.OLCHS.local with Microsoft SMTPSVC(6.0.3790.3959

The message came in from outside. That IP address is in the Czech Republic.

Simon.
 

Author Comment

by:olchs
ID: 20357515
Thank you. Can I do anything to stop this from happening?
 

Author Comment

by:olchs
ID: 20357532
How do they do it? I have blocked open SMTP relaying.
 
LVL 104

Expert Comment

by:Sembee
ID: 20357557
Has nothing to do with relaying.

SMTP is insecure. I could send you an email from bill.gates@microsoft.com, tony.blair@downingstreet.co.uk or whatever and it would appear to come from that address. It is only when you look at headers that you can see the message didn't come from a server it should have done.

There have been initiatives to stop this kind of spoofing, such as SPF, but their effectiveness is limited because their use is so low.

Practically nothing you can do to stop it without risking a block of legitimate email.

Simon.
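The header check Simon describes in his two comments above (find the hop where the message entered the network, then compare that with what the From header claims), as an added example that is not code from this thread, from Sophos or from Microsoft. The Exchange host suffix and the internal address ranges are assumptions; the sample headers are constructed from the ones quoted earlier in the thread.

```python
import re
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the headers quoted earlier in this thread, body omitted.
SAMPLE_HEADERS = (
    "Received: from potvora ([88.83.225.253]) by olc06.OLCHS.local with "
    "Microsoft SMTPSVC(6.0.3790.3959); Mon, 26 Nov 2007 10:38:01 +0000\n"
    "Received: (qmail 50823 by uid 298); Mon, 26 Nov 2007 11:34:58 +0100\n"
    "To: <lstrotskaia@ourladys.hackney.sch.uk>\n"
    "From: \"Burton@Viagra.com\" <lstrotskaia@ourladys.hackney.sch.uk>\n"
    "Return-Path: <lstrong_vb@icqmail.com>\n"
    "Subject: November 71% OFF\n\n"
)

OUR_DOMAIN = "ourladys.hackney.sch.uk"
OUR_HOST_SUFFIX = ".olchs.local"  # the "by" host of the site's own Exchange server
# Assumed internal ranges; the thread never states the school's addressing.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# "from <host> ([<ip>]) by <our host>" as written by Microsoft SMTPSVC
RECEIVED_RE = re.compile(r"from\s+\S+\s+\(\[?([0-9.]+)\]?\)\s+by\s+(\S+)", re.I)


def ingress_ip(msg):
    """IP that handed the message to one of our servers. Received headers are
    prepended, so the first one whose 'by' host is ours is the boundary hop."""
    for received in msg.get_all("Received", []):
        m = RECEIVED_RE.search(received)
        if m and m.group(2).lower().endswith(OUR_HOST_SUFFIX):
            return ipaddress.ip_address(m.group(1))
    return None


def analyse(raw_headers):
    msg = message_from_string(raw_headers)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    envelope = parseaddr(msg.get("Return-Path", ""))[1].lower()
    ip = ingress_ip(msg)
    findings = []
    # Header From claims our domain, yet the boundary hop is not one of our hosts.
    if ip is not None and not any(ip in net for net in INTERNAL_NETS) and from_addr.endswith("@" + OUR_DOMAIN):
        findings.append(f"From claims {OUR_DOMAIN} but message entered from external host {ip}")
    # Envelope sender (Return-Path) and header From disagree on domain.
    if envelope and from_addr and envelope.split("@")[-1] != from_addr.split("@")[-1]:
        findings.append(f"envelope sender {envelope} does not match header From {from_addr}")
    return {"ingress_ip": str(ip) if ip is not None else None, "from": from_addr,
            "envelope_sender": envelope, "spoofed": bool(findings), "findings": findings}
```

On the quoted message this reports the external boundary host 88.83.225.253 and the icqmail.com envelope sender behind a From that claims the school's own domain; a message submitted from an internal address with matching envelope and header domains produces no findings.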
 

Author Comment

by:olchs
ID: 20357699
Thank you for that information and I really appreciate your help. There is however one last thing that I still haven't understood:

What happens is this: our users receive messages from the content filtering software saying that an email that they have sent has been blocked due to its content. That email appears to be one that they have sent to themselves, which they obviously haven't.

If I'm not mistaken you are suggesting that somebody in the Czech Republic is sending spam to our users using their own email address as the sender's address. If that is the case, how does he know what their email address is in the first place?

If that is not what you are suggesting, could you please explain what is happening?

Again, thank you very much for your help and your patience.

Christos
 
LVL 104

Accepted Solution

by:Sembee (earned 2000 total points)
ID: 20357804
It's a machine in the Czech Republic sending the message. The user of the machine probably doesn't know anything about it, as their machine will have been compromised and is a member of a botnet.

Spammers pick up email addresses in many ways - users posting to newsgroups, websites, forums etc. Or a straight guess, so most combinations of firstname.lastname or initialsurname etc.

Simon.
