Solved

BadMail and Queue, how to stop virus/attack?

Posted on 2007-11-27
8
1,263 Views
Last Modified: 2013-11-22
Hello,
Our email is hosted on a Win2K server/Win2k Exchange Server.  About 5 days ago the store.exe and inetpub.exe began to use up so much memory that no one was allowed to receive email.  Our server's hard drive space then filled up.  I cleaned up some old data and rebooted the server but then it happened again.

I now see that in the Badmail folder there are so many emails that I can't open it.  Also, in the Queue new spam(?) emails keep appearing from the Navy Credit Union with no receipient (I imagine it gets moved to Badmail).  Is there a virus on this server (doesn't come back with one after being searched by Symantec)?  Is there someone inside the organization that has to have a virus that is causing this?  Can it be someone from the outside?  Our firewall currently allows all SMTP traffic (just got a new firewall a couple of months ago, I've been slow to add our old SMTP rules due to how strange it is with NAT).  Do I just need to update the firewall to accept from only our spam filtering company?

I'm guessing that will help.  Additional question to help me...is Queue showing emails that are coming into the domain or that are leaving?  It seems like coming into, but I just need some clarification.  Thanks.
0
Comment
Question by:youthworks
  • 5
  • 3
8 Comments
 

Author Comment

by:youthworks
ID: 20374517
Update:
We are okay right now, but the issue is still there.
The Queue will receive an email(s) that seems to have an SMTP engine of some sorts.  Once that email is in there, other emails are created, maybe an average of 10/sec.  But I can delete a lot of them, and if I stop the SMTP service I can delete them all.  It's good for awhile but then it starts up again.

The memory issue isn't happening as bad, it's really not a big deal.  The big deal is now stopping these emails.

Thanks!
0
 

Author Comment

by:youthworks
ID: 20374526
also, how do I delete/rename and delete what's in the Badmail folder?
0
 
LVL 104

Expert Comment

by:Sembee
ID: 20436627
You can delete the entire badmail folder using SHIFT-DEL. Exchange will recreate it when required.
Unfortunately Exchange 2000 doesn't have much spam protection built in, and I don't think the Symantec product will block the basic - email messages to unknown recipients. To do that you will need to use a third party product that can LDAP lookups. The one I usually suggest is Vamsoft ORF http://www.vamsoft.com/

Microsoft have a tool for dealing with Badmail as well, which you can download from here: http://www.microsoft.com/downloads/details.aspx?FamilyId=782AAF0F-6239-40AD-ADDA-97863D852FF7&displaylang=en

Simon.
0
 

Author Comment

by:youthworks
ID: 20450144
okay, so I figured out we were getting a "spam attack," from someone in our domain or not I'm not sure.

I changed our open relay settings from allow all authenticated users to just specific internal IPs and the spamming quit going to the Queue and started going straight to Badmail, which is now just receiving a ton of spam.  Is there a way to stop this from happening or to put a size limit on the Badmail folder?  Please remember we are using Win2k server with Exchang2K.

Thanks!
0
Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

 
LVL 104

Expert Comment

by:Sembee
ID: 20450190
You have to use the link I have posted above to remove the messages from badmail. Remember badmail is just a copy of the NDRs, and goes down as one of those "nice ideas" Microsoft had with Exchange 2000 (Alongside the M drive). You will need to use a third party tool of some description to protect Exchange 2000, it has no protection of its own.

Simon.
0
 

Author Comment

by:youthworks
ID: 20450316
great, thanks.

Any idea how to find what is spamming us?  any tools you can recommend?
0
 
LVL 104

Accepted Solution

by:
Sembee earned 500 total points
ID: 20450990
Spammers are very good at hiding themselves, so you will not find any tools as such to find it, only applications to block the email messages they are trying to send to your users or through your server. Blocking messages going through your server is quite easy to do, blocking messages being sent to your users is more difficult.

The tool I use as a primary defence I have already given to you above - Vamsoft ORF. That can do recipient filtering and greylisting which I find will deal with most spam.

Simon.
0
 

Author Closing Comment

by:youthworks
ID: 31411301
thanks for your help
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Following basic email etiquette rules will help you write a professional email and achieve a good, lasting impression with your contacts.
This article lists the top 5 free OST to PST Converter Tools. These tools save a lot of time for users when they want to convert OST to PST after their exchange server is no longer available or some other critical issue with exchange server or impor…
The video tutorial explains the basics of the Exchange server Database Availability groups. The components of this video include: 1. Automatic Failover 2. Failover Clustering 3. Active Manager
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now