Solved

virus problem

Posted on 2007-11-27
256 Views
Last Modified: 2013-11-22
We are using Windows XP for our client PCs and Windows 2003 R2 for the servers. Amongst others we have a file server and an Exchange 2003 Server. Here are the two problems I'm facing lately:

1.   The file server freezes (and as a result all the clients that are using files that are located on that server freeze as well) every few days e.g. every week

I have scanned the server for viruses (using 2 different products) and all viruses have been cleaned (no viruses at the moment). I have also run extensive hardware diagnostic programs and all hardware appears to work fine.

2.  Emails are being sent to users from themselves (sender and recipient the same) with spam content that have been blocked by our anti-spam software. Please note that open SMTP relaying has been blocked on the Exchange server. The Exchange server appears clean from viruses too.

Any suggestion with regards to any of the above is welcome. My question is this:
Could it be a virus causing both my problems? And if there is a virus causing it and it is located on the client PCs (obviously not being detected by the AV software):
a) How do I find it?
b) How do I clean it? Especially if it is in a number of computers
Question by:olchs
8 Comments
 
LVL 104

Expert Comment

by:Sembee
ID: 20356970
The second problem is standard spoofing. It will not be caused by anything local to your network. If you look at the headers of the messages you will see the email has come from outside your network. Very basic spammers' technique, almost impossible to stop without the use of antispam software.

I would doubt whether a server freeze would be caused by a virus. That is most likely to be a hardware problem. Failing disks, overheating, something like that.

Simon.
0
 

Author Comment

by:olchs
ID: 20357321
Sembee,
We use Sophos Pure Message for Please find below details of a sample message that was blocked. Our domain is ourladys.hackney.sch.uk. Can you please advise? Not sure what to do next.

SOURCE:
Envelope sender:
lstrong_vb@icqmail.com

Envelope recipients:
lstrotskaia@ourladys.hackney.sch.uk

From:
lstrotskaia@ourladys.hackney.sch.uk

To:
lstrotskaia@ourladys.hackney.sch.uk

Cc:

Type:
Message

Reason for Quarantine:
Item was quarantined due to a content threat


DETAILS:
X-PMWin-Version: 2.6.1, Antispam-Engine: 2.5.2, Antivirus-Engine: 2.51.0
X-PMWin-Spam: Gauge=XXXXXXXXII, Probability=82%, Report='__HAS_MSGID, __SANE_MSGID, __RUS_MIME_NO_TEXT, EMPTY_BODY, __MIME_TEXT_ONLY, RELAY_IN_CBL'
thread-index: AcgwGGt1ESJXC2vETIqCcJq2k9noHw==
Received: from potvora ([88.83.225.253]) by olc06.OLCHS.local with Microsoft SMTPSVC(6.0.3790.3959); Mon, 26 Nov 2007 10:38:01 +0000
Received: (qmail 50823 by uid 298); Mon, 26 Nov 2007 11:34:58 +0100
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4133
Content-class: urn:content-classes:message
Importance: normal
Priority: normal
Message-ID: <20071126123458.50825.qmail@potvora>
To: <lstrotskaia@ourladys.hackney.sch.uk>
Subject: November 71% OFF
From: "Burton@Viagra.com" <lstrotskaia@ourladys.hackney.sch.uk>
Return-Path: <lstrong_vb@icqmail.com>
X-OriginalArrivalTime: 26 Nov 2007 10:38:01.0853 (UTC) FILETIME=[6B5AF2D0:01C83018]
Date: 26 Nov 2007 10:38:01 +0000


begin 666 November 71% OFF.htm

<content removed by sembee>

`
end
0
 
LVL 104

Expert Comment

by:Sembee
ID: 20357503
This is the key line

Received: from potvora ([88.83.225.253]) by olc06.OLCHS.local with Microsoft SMTPSVC(6.0.3790.3959

The message came in from outside. That IP address is in the Czech Republic.

Simon.
0
 

Author Comment

by:olchs
ID: 20357515
Thank you. Can I do anything to stop this from happening?
0
 

Author Comment

by:olchs
ID: 20357532
How do they do it? I have blocked open SMTP relaying.
0
 
LVL 104

Expert Comment

by:Sembee
ID: 20357557
Has nothing to do with relaying.

SMTP is insecure. I could send you an email from bill.gates@microsoft.com, tony.blair@downingstreet.co.uk or whatever and it would appear to come from that address. It is only when you look at headers that you can see the message didn't come from a server it should have done.

There have been initiatives to stop this kind of spoofing, such as SPF, but their effectiveness is limited because the use is so low.

Practically nothing you can do to stop it without risking a block of legitimate email.

Simon.
0
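The header check Simon describes, as an added example that is not part of this thread: it reads the Received: headers of the quoted message, finds the host that handed it to the Exchange server, and flags a message whose From: claims the school's domain but was delivered by an outside address. The sample message is reconstructed from the headers posted above (body omitted), and the internal address ranges are an assumption.

```python
import email
import email.utils
import ipaddress
import re

# Constructed sample: the headers quoted in the thread, body omitted.
RAW_MESSAGE = """\
Received: from potvora ([88.83.225.253]) by olc06.OLCHS.local with Microsoft SMTPSVC(6.0.3790.3959); Mon, 26 Nov 2007 10:38:01 +0000
Received: (qmail 50823 by uid 298); Mon, 26 Nov 2007 11:34:58 +0100
Message-ID: <20071126123458.50825.qmail@potvora>
To: <lstrotskaia@ourladys.hackney.sch.uk>
Subject: November 71% OFF
From: "Burton@Viagra.com" <lstrotskaia@ourladys.hackney.sch.uk>
Return-Path: <lstrong_vb@icqmail.com>

"""

INTERNAL_DOMAIN = "ourladys.hackney.sch.uk"
# Assumption: address ranges from which our own clients and servers submit mail.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
# Matches "from <helo-name> ([<ip>])" as SMTPSVC wrote it in the sample.
RECEIVED_FROM = re.compile(r"from\s+(\S+)\s+\(\[?([0-9.]+)\]?\)")

def first_hop(msg):
    """Host that handed the message to our server. Each relay prepends its own
    Received: line, so the topmost one is our own server's record of the sender."""
    for value in msg.get_all("Received", []):
        m = RECEIVED_FROM.search(value)
        if m:
            return m.group(1), ipaddress.ip_address(m.group(2))
    return None, None

def header_domain(msg, name):
    addr = email.utils.parseaddr(msg.get(name, ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def is_spoofed_internal_sender(raw):
    """Return (spoofed, reason). Spoofed means the From: claims our domain but the
    message was delivered to us by a host outside our own networks."""
    msg = email.message_from_string(raw)
    if header_domain(msg, "From") != INTERNAL_DOMAIN:
        return False, "From: domain is external; nothing to check here"
    helo, ip = first_hop(msg)
    if ip is None:
        return True, "internal From: but no parsable Received: hop"
    if any(ip in net for net in INTERNAL_NETWORKS):
        return False, f"internal From: delivered by internal host {ip}"
    envelope = header_domain(msg, "Return-Path")
    return True, (f"internal From: delivered by outside host {helo} [{ip}]; "
                  f"envelope sender domain {envelope}")
```

Run on the quoted message it reports the external hop potvora [88.83.225.253] together with the mismatching envelope sender domain icqmail.com, which is the same conclusion Simon draws from the headers by eye.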
 

Author Comment

by:olchs
ID: 20357699
Thank you for that information and I really appreciate your help. There is however one last thing that I still haven't understood:

What happens is this: our users receive messages from the content filtering software saying that an email that they have sent has been blocked due to its content. That email appears to be one that they have sent to themselves, which they obviously haven't.

If I'm not mistaken you are suggesting that somebody in the Czech Republic is sending spam to our users using their own email address as the sender's address. If that is the case how does he know what their email address is in the first place?

If that is not what you are suggesting could you please explain what is happening?

Again, thank you very much for your help and your patience.

Christos
0
 
LVL 104

Accepted Solution

by:
Sembee earned 500 total points
ID: 20357804
It's a machine in the Czech Republic sending the message. The user of the machine probably doesn't know anything about it as their machine will have been compromised and is a member of a botnet.

Spammers pick up email addresses in many ways: users posting to newsgroups, websites, forums etc. Straight guesses, so most combinations of firstname.lastname or initialsurname etc.

Simon.
0
