Solved

BadMail and Queue, how to stop virus/attack?

Posted on 2007-11-27
8
1,267 Views
Last Modified: 2013-11-22
Hello,
Our email is hosted on a Win2K server/Win2k Exchange Server.  About 5 days ago the store.exe and inetpub.exe began to use up so much memory that no one was allowed to receive email.  Our server's hard drive space then filled up.  I cleaned up some old data and rebooted the server but then it happened again.

I now see that in the Badmail folder there are so many emails that I can't open it.  Also, in the Queue new spam(?) emails keep appearing from the Navy Credit Union with no receipient (I imagine it gets moved to Badmail).  Is there a virus on this server (doesn't come back with one after being searched by Symantec)?  Is there someone inside the organization that has to have a virus that is causing this?  Can it be someone from the outside?  Our firewall currently allows all SMTP traffic (just got a new firewall a couple of months ago, I've been slow to add our old SMTP rules due to how strange it is with NAT).  Do I just need to update the firewall to accept from only our spam filtering company?

I'm guessing that will help.  Additional question to help me...is Queue showing emails that are coming into the domain or that are leaving?  It seems like coming into, but I just need some clarification.  Thanks.
0
Comment
Question by:youthworks
  • 5
  • 3
8 Comments
 

Author Comment

by:youthworks
ID: 20374517
Update:
We are okay right now, but the issue is still there.
The Queue will receive an email(s) that seems to have an SMTP engine of some sorts.  Once that email is in there, other emails are created, maybe an average of 10/sec.  But I can delete a lot of them, and if I stop the SMTP service I can delete them all.  It's good for awhile but then it starts up again.

The memory issue isn't happening as bad, it's really not a big deal.  The big deal is now stopping these emails.

Thanks!
0
 

Author Comment

by:youthworks
ID: 20374526
also, how do I delete/rename and delete what's in the Badmail folder?
0
 
LVL 104

Expert Comment

by:Sembee
ID: 20436627
You can delete the entire badmail folder using SHIFT-DEL. Exchange will recreate it when required.
Unfortunately Exchange 2000 doesn't have much spam protection built in, and I don't think the Symantec product will block the basic - email messages to unknown recipients. To do that you will need to use a third party product that can LDAP lookups. The one I usually suggest is Vamsoft ORF http://www.vamsoft.com/

Microsoft have a tool for dealing with Badmail as well, which you can download from here: http://www.microsoft.com/downloads/details.aspx?FamilyId=782AAF0F-6239-40AD-ADDA-97863D852FF7&displaylang=en

Simon.
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 

Author Comment

by:youthworks
ID: 20450144
okay, so I figured out we were getting a "spam attack," from someone in our domain or not I'm not sure.

I changed our open relay settings from allow all authenticated users to just specific internal IPs and the spamming quit going to the Queue and started going straight to Badmail, which is now just receiving a ton of spam.  Is there a way to stop this from happening or to put a size limit on the Badmail folder?  Please remember we are using Win2k server with Exchang2K.

Thanks!
0
 
LVL 104

Expert Comment

by:Sembee
ID: 20450190
You have to use the link I have posted above to remove the messages from badmail. Remember badmail is just a copy of the NDRs, and goes down as one of those "nice ideas" Microsoft had with Exchange 2000 (Alongside the M drive). You will need to use a third party tool of some description to protect Exchange 2000, it has no protection of its own.

Simon.
0
 

Author Comment

by:youthworks
ID: 20450316
great, thanks.

Any idea how to find what is spamming us?  any tools you can recommend?
0
 
LVL 104

Accepted Solution

by:
Sembee earned 500 total points
ID: 20450990
Spammers are very good at hiding themselves, so you will not find any tools as such to find it, only applications to block the email messages they are trying to send to your users or through your server. Blocking messages going through your server is quite easy to do, blocking messages being sent to your users is more difficult.

The tool I use as a primary defence I have already given to you above - Vamsoft ORF. That can do recipient filtering and greylisting which I find will deal with most spam.

Simon.
0
 

Author Closing Comment

by:youthworks
ID: 31411301
thanks for your help
0

Featured Post

Networking for the Cloud Era

Join Microsoft and Riverbed for a discussion and demonstration of enhancements to SteelConnect:
-One-click orchestration and cloud connectivity in Azure environments
-Tight integration of SD-WAN and WAN optimization capabilities
-Scalability and resiliency equal to a data center

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Lotus Notes – formerly IBM Notes – is an email client application, while IBM Domino (earlier Lotus Domino) is an email server. The client possesses a set of features that are even more advanced as compared to that of Outlook. Likewise, IBM Domino is…
If you thought ransomware was bad, think again! Doxware has the potential to be even more damaging.
In this video we show how to create a mailbox database in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Servers >> Data…
This video discusses moving either the default database or any database to a new volume.

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question