virus problem

We are using Windows XP for our client PCs and Windows 2003 R2 for the servers. Amongst others we have a file server and an Exchange 2003 Server. Here are the two problems I'm facing lately:

1. The file server freezes (and as a result all the clients that are using files located on that server freeze as well) every few days, e.g. every week.

I have scanned the server for viruses (using 2 different products) and all viruses have been cleaned (no viruses at the moment). I have also run extensive hardware diagnostic programs and all hardware appears to work fine.

2. Emails are being sent to users from themselves (sender and recipient the same) with spam content; these have been blocked by our anti-spam software. Please note that open SMTP relaying has been blocked on the Exchange server. The Exchange server appears clean from viruses too.

Any suggestion with regards to any of the above is welcome. My question is this:
Could it be a virus causing both my problems? And if there is a virus causing it and it is located on the clients' PCs (obviously not being detected by the AV software):
a) How do I find it?
b) How do I clean it? Especially if it is in a number of computers
olchs asked:
Sembee commented:
The second problem is standard spoofing. It will not be caused by anything local to your network. If you look at the headers of the messages you will see the email has come from outside your network. Very basic spammers' technique, almost impossible to stop without the use of antispam software.

I would doubt whether a server freeze would be caused by a virus. That is most likely to be a hardware problem. Failing disks, overheating, something like that.

Simon.
 
olchs (Author) commented:
Sembee,
We use Sophos Pure Message for Please find below details of a sample message that was blocked. Our domain is ourladys.hackney.sch.uk. Can you please advise? Not sure what to do next.

SOURCE:
Envelope sender:
lstrong_vb@icqmail.com

Envelope recipients:
lstrotskaia@ourladys.hackney.sch.uk

From:
lstrotskaia@ourladys.hackney.sch.uk

To:
lstrotskaia@ourladys.hackney.sch.uk

Cc:

Type:
Message

Reason for Quarantine:
Item was quarantined due to a content threat


DETAILS:
X-PMWin-Version: 2.6.1, Antispam-Engine: 2.5.2, Antivirus-Engine: 2.51.0
X-PMWin-Spam: Gauge=XXXXXXXXII, Probability=82%, Report='__HAS_MSGID, __SANE_MSGID, __RUS_MIME_NO_TEXT, EMPTY_BODY, __MIME_TEXT_ONLY, RELAY_IN_CBL'
thread-index: AcgwGGt1ESJXC2vETIqCcJq2k9noHw==
Received: from potvora ([88.83.225.253]) by olc06.OLCHS.local with Microsoft SMTPSVC(6.0.3790.3959); Mon, 26 Nov 2007 10:38:01 +0000
Received: (qmail 50823 by uid 298); Mon, 26 Nov 2007 11:34:58 +0100
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4133
Content-class: urn:content-classes:message
Importance: normal
Priority: normal
Message-ID: <20071126123458.50825.qmail@potvora>
To: <lstrotskaia@ourladys.hackney.sch.uk>
Subject: November 71% OFF
From: "Burton@Viagra.com" <lstrotskaia@ourladys.hackney.sch.uk>
Return-Path: <lstrong_vb@icqmail.com>
X-OriginalArrivalTime: 26 Nov 2007 10:38:01.0853 (UTC) FILETIME=[6B5AF2D0:01C83018]
Date: 26 Nov 2007 10:38:01 +0000


begin 666 November 71% OFF.htm

<content removed by sembee>

`
end
 
Sembee commented:
This is the key line

Received: from potvora ([88.83.225.253]) by olc06.OLCHS.local with Microsoft SMTPSVC(6.0.3790.3959

The message came in from outside. That IP address is in the Czech Republic.

Simon.
 
olchs (Author) commented:
Thank you. Can i do anything to stop this from happening?
 
olchs (Author) commented:
How do they do it? I have blocked open SMTP relaying.
 
Sembee commented:
It has nothing to do with relaying.

SMTP is insecure. I could send you an email from bill.gates@microsoft.com, tony.blair@downingstreet.co.uk or whatever and it would appear to come from that address. It is only when you look at headers that you can see the message didn't come from a server it should have done.

There have been initiatives to stop this kind of spoofing, such as SPF, but their effectiveness is limited because take-up is so low.

Practically nothing you can do to stop it without risking a block of legitimate email.

Simon.
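The two points Sembee makes, that the topmost Received header shows where the message really entered the network and that SPF is the mechanism for saying which hosts may send for a domain, can be checked mechanically. The script below is an added example, not code from the thread or from Sophos PureMessage. It feeds the header block posted above (embedded here as a constructed sample) to Python's standard email parser, pulls the connecting IP from the first Received line (the one written by olc06.OLCHS.local; the inner qmail line was supplied by the sender and cannot be trusted), compares the header From domain with the envelope sender, and then evaluates an assumed SPF record for ourladys.hackney.sch.uk against that IP. The SPF record is hypothetical: the thread does not show the real one, and the evaluator supports only the ip4, ip6 and all mechanisms so that it runs offline without DNS.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the relevant headers of the quarantined message quoted in the thread.
RAW_HEADERS = """Received: from potvora ([88.83.225.253]) by olc06.OLCHS.local with Microsoft SMTPSVC(6.0.3790.3959); Mon, 26 Nov 2007 10:38:01 +0000
Received: (qmail 50823 by uid 298); Mon, 26 Nov 2007 11:34:58 +0100
Message-ID: <20071126123458.50825.qmail@potvora>
To: <lstrotskaia@ourladys.hackney.sch.uk>
Subject: November 71% OFF
From: "Burton@Viagra.com" <lstrotskaia@ourladys.hackney.sch.uk>
Return-Path: <lstrong_vb@icqmail.com>
Date: 26 Nov 2007 10:38:01 +0000
"""

OUR_DOMAIN = "ourladys.hackney.sch.uk"
# Hypothetical SPF record for OUR_DOMAIN (assumption: the real record is not shown in the thread).
ASSUMED_SPF = "v=spf1 ip4:203.0.113.10 -all"

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def connecting_ip(msg):
    """Return the IP in the topmost Received header, i.e. the host that connected
    to our server. Only this header was written by our own MTA; deeper ones are
    sender-supplied and may be forged."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    match = re.search(r"\[([0-9a-fA-F:.]+)\]", received[0])
    return match.group(1) if match else None


def evaluate_spf(record, ip):
    """Minimal SPF evaluator (RFC 7208 subset): ip4, ip6 and all only.
    Returns pass/fail/softfail/neutral, or none for a non-SPF record."""
    addr = ipaddress.ip_address(ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # ip_network rejects mixed versions via __contains__, so an IPv4
            # address never matches an ip6 mechanism and vice versa.
            matched = addr in ipaddress.ip_network(arg, strict=False)
        else:
            raise ValueError(f"mechanism {name!r} needs DNS; not supported offline")
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # no mechanism matched and no explicit 'all'


def analyse(raw_headers, our_domain, spf_record):
    """Summarise where the message came from and whether it claims to be ours."""
    msg = message_from_string(raw_headers)
    ip = connecting_ip(msg)
    _, header_from = parseaddr(msg.get("From", ""))
    _, envelope_from = parseaddr(msg.get("Return-Path", ""))
    header_domain = header_from.rpartition("@")[2].lower()
    envelope_domain = envelope_from.rpartition("@")[2].lower()
    spf = evaluate_spf(spf_record, ip) if ip else "none"
    return {
        "connecting_ip": ip,
        "header_from": header_from,
        "envelope_from": envelope_from,
        "from_domain_is_ours": header_domain == our_domain,
        "envelope_matches_from": header_domain == envelope_domain,
        "spf_result": spf,
        # Claims to be from us, but did not come from a host our record authorises.
        "spoofed_own_domain": header_domain == our_domain and spf != "pass",
    }


if __name__ == "__main__":
    for key, value in analyse(RAW_HEADERS, OUR_DOMAIN, ASSUMED_SPF).items():
        print(f"{key}: {value}")
```

One caveat the thread glosses over: a receiving MTA evaluates SPF against the envelope sender (here icqmail.com), not against the From header the user sees, so a published SPF record for ourladys.hackney.sch.uk would not by itself stop this message. The check above evaluates our own record against the connecting IP to answer a narrower question: did a message whose From header claims our domain arrive from one of our own mail servers? If the answer is no, it came from outside, exactly as the Received header shows.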
 
olchs (Author) commented:
Thank you for that information and I really appreciate your help. There is however one last thing that I still haven't understood:

What happens is this: our users receive messages from the content filtering software saying that an email that they have sent has been blocked due to its content. That email appears to be one that they have sent to themselves, which they obviously haven't.

If I'm not mistaken you are suggesting that somebody in the Czech Republic is sending spam to our users using their own email address as the sender's address. If that is the case, how does he know what their email address is in the first place?

If that is not what you are suggesting, could you please explain what is happening?

Again, thank you very much for your help and your patience.

Christos
 
Sembee commented:
It's a machine in the Czech Republic sending the message. The user of the machine probably doesn't know anything about it, as their machine will have been compromised and is a member of a botnet.

Spammers pick up email addresses in many ways: users posting to newsgroups, websites, forums etc. Straight guessing, so most combinations of firstname.lastname or initialsurname etc.

Simon.