Solved

BadMail and Queue, how to stop virus/attack?

Posted on 2007-11-27
8
1,260 Views
Last Modified: 2013-11-22
Hello,
Our email is hosted on a Win2K server/Win2k Exchange Server.  About 5 days ago the store.exe and inetpub.exe began to use up so much memory that no one was allowed to receive email.  Our server's hard drive space then filled up.  I cleaned up some old data and rebooted the server but then it happened again.

I now see that in the Badmail folder there are so many emails that I can't open it.  Also, in the Queue new spam(?) emails keep appearing from the Navy Credit Union with no receipient (I imagine it gets moved to Badmail).  Is there a virus on this server (doesn't come back with one after being searched by Symantec)?  Is there someone inside the organization that has to have a virus that is causing this?  Can it be someone from the outside?  Our firewall currently allows all SMTP traffic (just got a new firewall a couple of months ago, I've been slow to add our old SMTP rules due to how strange it is with NAT).  Do I just need to update the firewall to accept from only our spam filtering company?

I'm guessing that will help.  Additional question to help me...is Queue showing emails that are coming into the domain or that are leaving?  It seems like coming into, but I just need some clarification.  Thanks.
0
Comment
Question by:youthworks
  • 5
  • 3
8 Comments
 

Author Comment

by:youthworks
Comment Utility
Update:
We are okay right now, but the issue is still there.
The Queue will receive an email(s) that seems to have an SMTP engine of some sorts.  Once that email is in there, other emails are created, maybe an average of 10/sec.  But I can delete a lot of them, and if I stop the SMTP service I can delete them all.  It's good for awhile but then it starts up again.

The memory issue isn't happening as bad, it's really not a big deal.  The big deal is now stopping these emails.

Thanks!
0
 

Author Comment

by:youthworks
Comment Utility
also, how do I delete/rename and delete what's in the Badmail folder?
0
 
LVL 104

Expert Comment

by:Sembee
Comment Utility
You can delete the entire badmail folder using SHIFT-DEL. Exchange will recreate it when required.
Unfortunately Exchange 2000 doesn't have much spam protection built in, and I don't think the Symantec product will block the basic - email messages to unknown recipients. To do that you will need to use a third party product that can LDAP lookups. The one I usually suggest is Vamsoft ORF http://www.vamsoft.com/

Microsoft have a tool for dealing with Badmail as well, which you can download from here: http://www.microsoft.com/downloads/details.aspx?FamilyId=782AAF0F-6239-40AD-ADDA-97863D852FF7&displaylang=en

Simon.
0
 

Author Comment

by:youthworks
Comment Utility
okay, so I figured out we were getting a "spam attack," from someone in our domain or not I'm not sure.

I changed our open relay settings from allow all authenticated users to just specific internal IPs and the spamming quit going to the Queue and started going straight to Badmail, which is now just receiving a ton of spam.  Is there a way to stop this from happening or to put a size limit on the Badmail folder?  Please remember we are using Win2k server with Exchang2K.

Thanks!
0
Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

 
LVL 104

Expert Comment

by:Sembee
Comment Utility
You have to use the link I have posted above to remove the messages from badmail. Remember badmail is just a copy of the NDRs, and goes down as one of those "nice ideas" Microsoft had with Exchange 2000 (Alongside the M drive). You will need to use a third party tool of some description to protect Exchange 2000, it has no protection of its own.

Simon.
0
 

Author Comment

by:youthworks
Comment Utility
great, thanks.

Any idea how to find what is spamming us?  any tools you can recommend?
0
 
LVL 104

Accepted Solution

by:
Sembee earned 500 total points
Comment Utility
Spammers are very good at hiding themselves, so you will not find any tools as such to find it, only applications to block the email messages they are trying to send to your users or through your server. Blocking messages going through your server is quite easy to do, blocking messages being sent to your users is more difficult.

The tool I use as a primary defence I have already given to you above - Vamsoft ORF. That can do recipient filtering and greylisting which I find will deal with most spam.

Simon.
0
 

Author Closing Comment

by:youthworks
Comment Utility
thanks for your help
0

Featured Post

Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

Join & Write a Comment

Exchange server is not supported in any cloud-hosted platform (other than Azure with Azure Premium Storage).
Following basic email etiquette rules will help you write a professional email and achieve a good, lasting impression with your contacts.
In this video we show how to create a Distribution Group in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >>…
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now