
Virus that sends spam

Infedo asked (Medium Priority, 646 Views, Last Modified: 2013-12-09):
Hi

I have a customer that has an antivirus on every PC, but since last week some sort of virus that the antivirus does not even see keeps sending thousands of spam messages. It fills the queue of the Exchange 2003 server with emails from postmaster NDRs.
I have already cleaned the Exchange queue twice, but one or two days later it starts to happen again.
I was wondering if it is a virus that runs on a schedule and how I can identify the source.

Author commented:
This was the first thing I did when the problem started, but it did not fix the problem.
Expert (Expert of the Quarter 2009, Expert of the Year 2009) commented:

Author commented:
I have already cleaned the queue three times. It stays empty for a few hours or a day, then it starts again.
One thing I forgot to do is to restart the SMTP service after I set Exchange to not accept mail from people that are not listed in AD. I only restarted the Default SMTP Virtual Server on Exchange.
I will keep an eye on it for the next few hours and see what happens. I have a user that keeps complaining that he sees 80% network activity and he thinks he has a virus. I will investigate more.
Expert (Expert of the Quarter 2009, Expert of the Year 2009) commented:
If you haven't restarted the SMTP Server service then the change hasn't taken effect.

Simon.

Author commented:
Thank you. Let's see if it works this time.
Is there a way to prevent this type of attack at the firewall level?
What strategy do they use to initiate the attack, and how can they relay email if the Exchange server is not an open relay?
Expert (Expert of the Quarter 2009, Expert of the Year 2009) commented:
Recipient filtering will deal with the problem. Nothing your firewall can do about it.
The server doesn't have to be an open relay to relay email messages. It can also be via authenticated relay.
However if you are seeing postmaster@ messages then the server isn't relaying at all. The server is actually doing what it was designed to do - which is send back emails that were misaddressed to the sender. The problem is the "sender" is spoofed and is the real target of the messages. By default Exchange accepts the messages and then attempts to NDR them, causing what is known as backscatter. Recipient filtering changes that behaviour so that the messages are rejected at the point of delivery.

Simon.
Expert (Expert of the Quarter 2009, Expert of the Year 2009) commented:
That isn't NDR spam. That looks like the server is being abused directly.
You are either an open relay or an authenticated relay is being used.

Have you checked for an open relay?
Have you tightened up authenticated relaying?

Simon.
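The two cases Simon distinguishes in the last two replies, backscatter (mail to non-existent local users accepted and then bounced from postmaster@ to a spoofed sender, which recipient filtering stops in-session) versus direct relay abuse (an open relay, or "allow all computers that authenticate" combined with a stolen mailbox password), modelled as an added example. This is not Exchange code and not anything from the thread: the domain example.com, the user list, the addresses, the reply texts and the names Receiver, rcpt, spam_to_bogus_users, relay_probe and classify_queue are all constructed here for illustration.

```python
"""Constructed model of how an SMTP receiver (Exchange 2003 style) answers
RCPT TO, and what ends up in its outbound queue in each abuse case.
Added example; not Exchange code or the thread author's configuration.
"""
from dataclasses import dataclass, field

LOCAL_DOMAIN = "example.com"     # assumption: the customer's accepted domain
DIRECTORY = {"alice", "bob"}     # constructed stand-in for the AD recipient list


@dataclass
class Receiver:
    """One SMTP virtual server with the three settings the thread argues about."""
    recipient_filtering: bool = False      # reject unknown local users at RCPT TO
    relay_for_authenticated: bool = True   # "Allow all computers that authenticate"
    open_relay: bool = False               # relay for anyone, no authentication
    queue: list = field(default_factory=list)  # (kind, mail_from, rcpt_to) to be sent

    def rcpt(self, mail_from: str, rcpt_to: str, authenticated: bool = False) -> str:
        """Return the SMTP reply to RCPT TO and record what the server will queue."""
        user, _, domain = rcpt_to.rpartition("@")
        if domain.lower() == LOCAL_DOMAIN:
            if user.lower() in DIRECTORY:
                self.queue.append(("deliver", mail_from, rcpt_to))
                return "250 2.1.5 Recipient OK"
            if self.recipient_filtering:
                # Rejected inside the SMTP session: nothing accepted, nothing to NDR.
                return "550 5.1.1 User unknown"
            # Accepted blind. The categorizer later fails the lookup and sends an NDR
            # from postmaster@ to whatever MAIL FROM claimed: that is backscatter.
            self.queue.append(("ndr", f"postmaster@{LOCAL_DOMAIN}", mail_from))
            return "250 2.1.5 Recipient OK"
        # Non-local recipient: this is a relay request.
        if self.open_relay or (authenticated and self.relay_for_authenticated):
            self.queue.append(("relay", mail_from, rcpt_to))
            return "250 2.1.5 Recipient OK"
        return "550 5.7.1 Unable to relay"


def spam_to_bogus_users(rx: Receiver, count: int = 3) -> list:
    """A spammer blasts non-existent local users, spoofing the victims as senders."""
    return [rx.rcpt(f"victim{i}@other.example", f"nosuchuser{i}@{LOCAL_DOMAIN}")
            for i in range(count)]


def relay_probe(rx: Receiver, authenticated: bool = False) -> bool:
    """Classic relay test: external sender to external recipient. True means relayed."""
    reply = rx.rcpt("probe@attacker.example", "target@elsewhere.example", authenticated)
    return reply.startswith("250")


def classify_queue(queue: list) -> str:
    """Read the queue the way the thread does: only postmaster@ senders going out
    means backscatter; anything else outbound means the server is relaying."""
    kinds = {kind for kind, _, _ in queue}
    if not kinds or kinds == {"deliver"}:
        return "normal"
    if kinds <= {"deliver", "ndr"}:
        return "backscatter"
    return "relay abuse"


if __name__ == "__main__":
    for label, rx in [("default", Receiver()),
                      ("recipient filtering", Receiver(recipient_filtering=True))]:
        print(label, spam_to_bogus_users(rx), classify_queue(rx.queue))
    print("open relay?", relay_probe(Receiver()), relay_probe(Receiver(open_relay=True)))
    print("authenticated relay?", relay_probe(Receiver(), authenticated=True),
          relay_probe(Receiver(relay_for_authenticated=False), authenticated=True))
```

Run it and compare the two queues: with recipient filtering the bogus RCPT TOs get a 550 during the session and the queue stays empty; without it every one is accepted and becomes a postmaster@ NDR addressed to the spoofed sender, which is the queue the question describes. The relay_probe calls show why "not an open relay" is not enough on its own: with Basic authentication enabled and "allow all computers that authenticate" ticked, a single guessed or stolen mailbox password lets a spammer relay, and those queued messages carry the spammer's sender address rather than postmaster@.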

Author commented:
I had NDRs before. Every email was from postmaster.
Now I get what is on the list.
I'm sure it is not an open relay.
Default SMTP Virtual Server, Access tab, Authentication has Anonymous, Basic and Windows authentication checked. I tried to disable Anonymous, but then emails are not getting in.
Under the Relay tab I have only the list below checked, with the IP of the Exchange server, and also "Allow all computers that authenticate...".
What did I miss?
I still have the feeling that the traffic comes from one infected PC on the network.

Author commented:
I installed RUBotted from Trend Micro and it finds a bot on the Exchange server, but HouseCall and my AVG Network Edition antivirus do not find anything.
Expert (Expert of the Quarter 2009, Expert of the Year 2009) commented:
It isn't a virus on your machine. Scanning for a virus is a waste of time.
If you do not have any POP3 clients then turn off allow all computers that authenticate. It is not required for Exchange to operate correctly.

Simon.

Author commented:
OK, I will, but take a look at the pic. How do you explain that only this machine gets this message?

[attachment: bot.JPG]
Expert (Expert of the Quarter 2009, Expert of the Year 2009) commented:
What machine found that?

The fact that you found a BOT may well be a coincidence. BOTs do not use other servers to send their email through. I outlined why that was here: http://blog.sembee.co.uk/archive/2008/03/13/73.aspx

Simon.

Author commented:
The bot was found on the Exchange server.
Expert (Expert of the Quarter 2009, Expert of the Year 2009) commented:
If the BOT was found on the server then I would say that the server itself is directly infected - but that still wouldn't cause the emails to be listed in the queues due to the nature of how BOTs work.

What I would say though is you need to plan to get your data off that machine. As far as I am concerned, once a machine has been compromised you can never be sure that it is completely clean. I would also be concerned about how it became compromised. The most common way for a BOT to get on a system is for someone to be browsing from the machine.

Simon.

Author commented:
I did something else this morning that could help. They have an external anti-spam and anti-virus filtering service provider called Securence. I set up Exchange under Default SMTP Virtual Server, Access, Connection with the IP range of Securence, so now it will accept messages originating only from that IP range. We'll see what happens.

Author commented:
I think I stopped the spam by setting Exchange to receive and send emails only from the spam filtering provider, but now I get the following message from Trend Micro: "Detected DNS query of malicious domain".