Solved

virus problem

Posted on 2007-11-27
8
251 Views
Last Modified: 2013-11-22
We are using Windows XP for our client PCs and Windows 2003 R2 for the servers. Amongst others we have a file server and an Exchange 2003 Server. Here are the two problems I'm facing lately:

1. The file server freezes (and as a result all the clients that are using files that are located on that server freeze as well) every few days, e.g. every week.

I have scanned the server for viruses (using 2 different products) and all viruses have been cleaned (no viruses at the moment). I have also run extensive hardware diagnostic programs and all hardware appears to work fine.

2. Emails are being sent to users from themselves (sender and recipient the same) with spam content that has been blocked by our anti-spam software. Please note that open SMTP relaying has been blocked on the Exchange server. The Exchange server appears clean from viruses too.

Any suggestion with regards to any of the above is welcome. My question is this:
Could it be a virus causing both my problems? And if there is a virus causing it and it is located on the client PCs (obviously not being detected by the AV software):
a) How do I find it?
b) How do I clean it? Especially if it is in a number of computers.
Question by:olchs
8 Comments
LVL 104

Expert Comment

by:Sembee
ID: 20356970
The second problem is standard spoofing. It will not be caused by anything local to your network. If you look at the headers of the messages you will see the email has come from outside your network. Very basic spammer technique, almost impossible to stop without the use of antispam software.

I would doubt whether a server freeze would be caused by a virus. That is most likely to be a hardware problem. Failing disks, overheating, something like that.

Simon.

Author Comment

by:olchs
ID: 20357321
Sembee,
We use Sophos Pure Message for Please find below details of a sample message that was blocked. Our domain is ourladys.hackney.sch.uk. Can you please advise? Not sure what to do next.

SOURCE:
Envelope sender:
lstrong_vb@icqmail.com

Envelope recipients:
lstrotskaia@ourladys.hackney.sch.uk

From:
lstrotskaia@ourladys.hackney.sch.uk

To:
lstrotskaia@ourladys.hackney.sch.uk

Cc:

Type:
Message

Reason for Quarantine:
Item was quarantined due to a content threat


DETAILS:
X-PMWin-Version: 2.6.1, Antispam-Engine: 2.5.2, Antivirus-Engine: 2.51.0
X-PMWin-Spam: Gauge=XXXXXXXXII, Probability=82%, Report='__HAS_MSGID, __SANE_MSGID, __RUS_MIME_NO_TEXT, EMPTY_BODY, __MIME_TEXT_ONLY, RELAY_IN_CBL'
thread-index: AcgwGGt1ESJXC2vETIqCcJq2k9noHw==
Received: from potvora ([88.83.225.253]) by olc06.OLCHS.local with Microsoft SMTPSVC(6.0.3790.3959); Mon, 26 Nov 2007 10:38:01 +0000
Received: (qmail 50823 by uid 298); Mon, 26 Nov 2007 11:34:58 +0100
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4133
Content-class: urn:content-classes:message
Importance: normal
Priority: normal
Message-ID: <20071126123458.50825.qmail@potvora>
To: <lstrotskaia@ourladys.hackney.sch.uk>
Subject: November 71% OFF
From: "Burton@Viagra.com" <lstrotskaia@ourladys.hackney.sch.uk>
Return-Path: <lstrong_vb@icqmail.com>
X-OriginalArrivalTime: 26 Nov 2007 10:38:01.0853 (UTC) FILETIME=[6B5AF2D0:01C83018]
Date: 26 Nov 2007 10:38:01 +0000


begin 666 November 71% OFF.htm

<content removed by sembee>

`
end
LVL 104

Expert Comment

by:Sembee
ID: 20357503
This is the key line:

Received: from potvora ([88.83.225.253]) by olc06.OLCHS.local with Microsoft SMTPSVC(6.0.3790.3959

The message came in from outside. That IP address is in the Czech Republic.

Simon.

Author Comment

by:olchs
ID: 20357515
Thank you. Can I do anything to stop this from happening?

Author Comment

by:olchs
ID: 20357532
How do they do it? I have blocked open SMTP relaying.
LVL 104

Expert Comment

by:Sembee
ID: 20357557
Has nothing to do with relaying.

SMTP is insecure. I could send you an email from bill.gates@microsoft.com, tony.blair@downingstreet.co.uk or whatever and it would appear to come from that address. It is only when you look at headers that you can see the message didn't come from a server it should have done.

There have been initiatives to stop this kind of spoofing, such as SPF, but their effectiveness is limited because the uptake is so low.

Practically nothing you can do to stop it without risking a block of legitimate email.

Simon.
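The header check Sembee describes in the two comments above (find the Received line written by our own server, see whether the connecting host is outside the network, and compare that with the From: address) can be automated. This is an added example, not code from the thread or from Sophos PureMessage; it uses the headers quoted in the thread and assumes the school LAN sits in the private ranges listed, with olc06.OLCHS.local as the boundary mail server.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Headers copied from the quarantined message quoted in this thread (body omitted).
RAW = """\
Received: from potvora ([88.83.225.253]) by olc06.OLCHS.local with Microsoft SMTPSVC(6.0.3790.3959); Mon, 26 Nov 2007 10:38:01 +0000
Received: (qmail 50823 by uid 298); Mon, 26 Nov 2007 11:34:58 +0100
Message-ID: <20071126123458.50825.qmail@potvora>
To: <lstrotskaia@ourladys.hackney.sch.uk>
Subject: November 71% OFF
From: "Burton@Viagra.com" <lstrotskaia@ourladys.hackney.sch.uk>
Return-Path: <lstrong_vb@icqmail.com>

"""

OUR_DOMAIN = "ourladys.hackney.sch.uk"
OUR_MAIL_HOST = "olc06.OLCHS.local"  # Exchange server named in the Received line
# Assumption: the school LAN uses these private ranges; anything else is external.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

def entry_ip(msg):
    """IP of the host that handed the message to our own server. Each hop
    prepends a Received line, so the first one 'by' our host is the boundary."""
    for rcvd in msg.get_all("Received", []):
        m = re.search(r"from\s+\S+\s+\(\[(\d{1,3}(?:\.\d{1,3}){3})\]\)\s+by\s+(\S+)", rcvd)
        if m and m.group(2).lower() == OUR_MAIL_HOST.lower():
            return m.group(1)
    return None

def classify(raw):
    msg = message_from_string(raw)
    ip = entry_ip(msg)
    external = ip is not None and not any(ipaddress.ip_address(ip) in n for n in INTERNAL_NETS)
    from_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    envelope = parseaddr(msg.get("Return-Path", ""))[1].lower()
    return {
        "entry_ip": ip,
        "external": external,
        "from_domain": from_domain,
        "envelope_sender": envelope,
        # An internal From: address injected by an external host is a spoof.
        "spoofed_internal_from": external and from_domain == OUR_DOMAIN,
        # Envelope sender and From: header disagree: another sign of forgery.
        "envelope_mismatch": envelope.rsplit("@", 1)[-1] != from_domain,
    }
```

Run over the sample, the verdict is an external host (88.83.225.253) injecting a message whose From: claims our own domain while the envelope sender is an icqmail.com address, which is exactly the spoofing pattern described.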

Author Comment

by:olchs
ID: 20357699
Thank you for that information and I really appreciate your help. There is however one last thing that I still haven't understood:

What happens is this: Our users receive messages from the content filtering software saying that an email that they have sent has been blocked due to its content. That email appears to be one that they have sent to themselves, which they obviously haven't.

If I'm not mistaken you are suggesting that somebody in the Czech Republic is sending spam to our users using their own email address as the sender's address. If that is the case, how does he know what their email address is in the first place?

If that is not what you are suggesting, could you please explain what is happening?

Again, thank you very much for your help and your patience.

Christos
LVL 104

Accepted Solution

by:
Sembee earned 500 total points
ID: 20357804
It's a machine in the Czech Republic sending the message. The user of the machine probably doesn't know anything about it, as their machine will have been compromised and is a member of a botnet.

Spammers pick up email addresses in many ways - users posting to newsgroups, websites, forums etc. Straight guess, so most combinations of firstname.lastname or initialsurname etc.

Simon.