Solved

Virus that sends Spam

Posted on 2009-07-06
18
578 Views
Last Modified: 2013-12-09
Hi

I have a customer that has an antivirus on every PC, but since last week some sort of virus that the antivirus does not even see keeps sending 1000s of spam. It fills the queue of the Exchange 2003 with emails from postmaster NDR.
I already cleaned the queue on Exchange twice, but one or two days after, it starts to happen again.
I was wondering if it is a virus that runs on a schedule and how I can identify the source.
0
Question by:Infedo
18 Comments
 
LVL 13

Expert Comment

by:marine7275
0
 

Author Comment

by:Infedo
This was the first thing I did when the problem started, but it did not fix the problem.
0
 
LVL 65

Accepted Solution

by:
Mestha earned 500 total points
Postmaster@ messages are not caused by something internally.
Furthermore, making the change after the messages have started to appear does not clear the queues. You need to clear the queues completely and then restart the SMTP Server service. Due to the way ESM works, it will continue to show new messages appearing in the queues, even if there are no new messages being delivered. This is because ESM is bad at displaying very large queues.

You need to clean the queue.

Simon.
0
 

Author Comment

by:Infedo
I already cleaned the queue 3 times. It stays empty for a few hours or a day, then it starts again.
One thing I forgot to do is to restart the SMTP services after I set Exchange to not accept mail from people that are not listed in AD. I did restart only the Default SMTP server on Exchange.
I will keep an eye on it for the next few hours and see what happens. I have a user that keeps complaining that he sees 80% network activity and he thinks he has a virus. I will investigate more.
0
 
LVL 65

Expert Comment

by:Mestha
If you haven't restarted the SMTP Server service then the change hasn't taken effect.

Simon.
0
 

Author Comment

by:Infedo
Thank you. Let's see if it works this time.
Is there a way to prevent this type of attack at the firewall level?
What strategy do they use to initiate the attack, and how can they relay email if the Exchange is not an open relay?
0
 
LVL 65

Expert Comment

by:Mestha
Recipient filtering will deal with the problem. Nothing your firewall can do about it.
The server doesn't have to be an open relay to relay email messages. It can also be via authenticated relay.
However if you are seeing postmaster@ messages then the server isn't relaying at all. The server is actually doing what it was designed to do - which is send back emails that were misaddressed to the sender. The problem is the "sender" is spoofed and is the real target of the messages. By default Exchange accepts the messages and then attempts to NDR them, causing what is known as backscatter. Recipient filtering changes that behaviour so that the messages are rejected at the point of delivery.

Simon.
0
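The backscatter mechanism Simon describes above (accept the message for an unknown recipient, then NDR it to the spoofed sender) versus recipient filtering (refuse the unknown recipient during the SMTP dialogue) can be seen in a small model of the receiving side. This is an added example, not code from the thread or from Exchange; the directory, the addresses and the sessions are constructed, and the reply strings are illustrative SMTP responses rather than Exchange's exact wording.

```python
# Added example (not from the thread or from Exchange): a small model of an
# inbound SMTP session showing why "accept everything, then NDR" creates
# backscatter and how recipient filtering (refusing unknown recipients at
# RCPT TO) removes it. Directory, addresses and sessions are constructed.
from collections import Counter
from dataclasses import dataclass, field

# Constructed local directory: the only mailboxes that really exist.
VALID_RECIPIENTS = {"alice@example.com", "bob@example.com"}


@dataclass
class Session:
    """One inbound SMTP transaction as the client presented it."""
    client_ip: str
    mail_from: str          # envelope sender; spoofed in a backscatter attack
    rcpt_to: list           # recipients the client asked for


@dataclass
class Outcome:
    responses: list = field(default_factory=list)   # server reply per RCPT TO
    delivered: list = field(default_factory=list)   # (sender, mailbox) queued for real mailboxes
    ndr_queue: list = field(default_factory=list)   # (victim, unknown recipient) NDRs to send


def handle_session(session, recipient_filtering):
    """Process the RCPT TO commands of one session.

    recipient_filtering=False models the accept-then-bounce behaviour described
    in the thread: every recipient gets 250, and unknown ones later produce an
    NDR addressed to mail_from. recipient_filtering=True refuses unknown
    recipients during the dialogue, so nothing is accepted that would need an NDR.
    """
    out = Outcome()
    for rcpt in session.rcpt_to:
        if rcpt in VALID_RECIPIENTS:
            out.responses.append(f"250 2.1.5 {rcpt} OK")
            out.delivered.append((session.mail_from, rcpt))
        elif recipient_filtering:
            # Rejected in-session: the sending client owns the failure, no NDR is generated.
            out.responses.append(f"550 5.1.1 {rcpt} User unknown")
        else:
            # Accepted now; the bounce is generated later to the (spoofed) sender.
            out.responses.append(f"250 2.1.5 {rcpt} OK")
            out.ndr_queue.append((session.mail_from, rcpt))
    return out


def backscatter_per_victim(sessions, recipient_filtering):
    """Return how many NDRs each envelope-sender address would receive."""
    victims = Counter()
    for s in sessions:
        for victim, _ in handle_session(s, recipient_filtering).ndr_queue:
            victims[victim] += 1
    return victims


# Constructed traffic: a dictionary-style run against made-up mailbox names,
# all claiming to come from one address that is the real target of the attack.
SAMPLE_SESSIONS = [
    Session("203.0.113.9", "victim@example.net",
            ["aaron@example.com", "abby@example.com", "alice@example.com"]),
    Session("203.0.113.10", "victim@example.net",
            ["adam@example.com", "bob@example.com", "carl@example.com"]),
    Session("203.0.113.11", "partner@example.org", ["bob@example.com"]),
]

if __name__ == "__main__":
    for mode in (False, True):
        print(f"recipient filtering {'on' if mode else 'off'}:",
              dict(backscatter_per_victim(SAMPLE_SESSIONS, mode)))
```

With filtering off, the four unknown recipients in the sample become four NDRs addressed to victim@example.net, which is exactly the postmaster@ traffic filling the queue; with filtering on, the same sessions deliver the legitimate messages to alice and bob and generate no NDRs at all.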
 
LVL 65

Expert Comment

by:Mestha
That isn't NDR spam. That looks like the server is being abused directly.
You are either an open relay or an authenticated relay is being used.

Have you checked for an open relay?
Have you tightened up authenticated relaying?

Simon.
0
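Simon's two questions (open relay, or an authenticated account being abused) are answered most quickly from the SMTP virtual server's protocol log: count accepted MAIL commands per client IP and per authenticated account, and flag authenticated submissions arriving from outside the networks you expect. The following is an added example, not code from the thread or from Microsoft. The log lines are constructed and use only a subset of the W3C extended fields (the real field names are taken from the `#Fields:` header, so the parser adapts to whichever columns a server logs); the internal network ranges are an assumption.

```python
# Added example (not from the thread or from Microsoft): read an SMTP protocol
# log in W3C extended format and summarise who is submitting mail. The log text
# and the internal network ranges below are constructed for the example.
from collections import Counter
import ipaddress

# Constructed log excerpt. Column names come from the "#Fields:" header, as in
# real W3C logs; "-" is the W3C convention for an empty field (here: no auth).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-query sc-status
2009-07-06 08:00:01 198.51.100.7 - EHLO +bot.example 250
2009-07-06 08:00:01 198.51.100.7 - AUTH LOGIN 235
2009-07-06 08:00:02 198.51.100.7 EXAMPLE\\jsmith MAIL +FROM:<deals@example.net> 250
2009-07-06 08:00:02 198.51.100.7 EXAMPLE\\jsmith RCPT +TO:<a@example.org> 250
2009-07-06 08:00:03 198.51.100.7 EXAMPLE\\jsmith MAIL +FROM:<deals@example.net> 250
2009-07-06 08:00:03 198.51.100.7 EXAMPLE\\jsmith RCPT +TO:<b@example.org> 250
2009-07-06 08:00:04 198.51.100.7 EXAMPLE\\jsmith MAIL +FROM:<deals@example.net> 250
2009-07-06 08:00:05 192.0.2.40 - EHLO +filter.example 250
2009-07-06 08:00:05 192.0.2.40 - MAIL +FROM:<partner@example.org> 250
2009-07-06 08:00:06 10.0.0.23 - MAIL +FROM:<printer@example.com> 250
"""

# Assumed internal ranges: the LAN and the mail-filtering provider's block.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.0.2.0/24")]


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue                      # other directives and blank lines
        if fields is None:
            raise ValueError("data line before #Fields: header")
        values = line.split()
        if len(values) != len(fields):
            continue                      # malformed line: skip rather than misalign
        yield dict(zip(fields, values))


def submission_counts(text):
    """Count accepted MAIL commands (one per submitted message) by client IP and account."""
    by_ip, by_user = Counter(), Counter()
    for rec in parse_w3c(text):
        if rec["cs-method"] != "MAIL" or not rec["sc-status"].startswith("2"):
            continue
        by_ip[rec["c-ip"]] += 1
        if rec["cs-username"] != "-":
            by_user[rec["cs-username"]] += 1
    return by_ip, by_user


def external_authenticated(text, internal_nets=INTERNAL_NETS):
    """Return sorted (ip, account) pairs that submitted mail with credentials
    from outside the internal ranges: the signature of an abused account."""
    seen = set()
    for rec in parse_w3c(text):
        if rec["cs-method"] != "MAIL" or rec["cs-username"] == "-":
            continue
        ip = ipaddress.ip_address(rec["c-ip"])
        if not any(ip in net for net in internal_nets):
            seen.add((rec["c-ip"], rec["cs-username"]))
    return sorted(seen)


if __name__ == "__main__":
    by_ip, by_user = submission_counts(SAMPLE_LOG)
    print("messages per client IP:", by_ip.most_common())
    print("messages per authenticated account:", by_user.most_common())
    print("authenticated from outside:", external_authenticated(SAMPLE_LOG))
```

Run against a real log the same three views answer the thread's questions directly: a large count under an anonymous external IP points at relaying, a large count under one account (especially from an address outside your networks) points at a stolen or weak password being used through the "allow all computers that authenticate" setting, and a large count from one internal IP is the infected PC the asker suspects.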

 

Author Comment

by:Infedo
I had NDRs before. Every email was from postmaster.
Now I get what is on the list.
I'm sure it is not an open relay.
Default SMTP Virtual Server, Access tab, Authentication has Anonymous, Basic and Windows authentication checked. I tried to disable Anonymous, but then emails are not getting in.
Under the Relay tab I have only the list below checked, with the IP of the Exchange server, and also the "Allow all computers that authenticate..." option.
What did I miss?
I still have the feeling that the traffic comes from one infected PC on the network.
0
 

Author Comment

by:Infedo
I installed RUBotted from Trend Micro and it found a bot on the Exchange server, but HouseCall or my AVG Network Edition antivirus does not find anything.
0
 
LVL 65

Expert Comment

by:Mestha
It isn't a virus on your machine. Scanning for a virus is a waste of time.
If you do not have any POP3 clients then turn off allow all computers that authenticate. It is not required for Exchange to operate correctly.

Simon.
0
 

Author Comment

by:Infedo
OK, I will, but take a look at the pic. How do you explain that only this machine gets this message?

bot.JPG
0
 
LVL 65

Expert Comment

by:Mestha
What machine found that?

The fact that you found a BOT may well be a coincidence. BOTs do not use other servers to send their email through. I outlined why that was here: http://blog.sembee.co.uk/archive/2008/03/13/73.aspx

Simon.
0
 

Author Comment

by:Infedo
The bot was found on the Exchange server.
0
 
LVL 65

Expert Comment

by:Mestha
If the BOT was found on the server then I would say that the server itself is directly infected - but that still wouldn't cause the emails to be listed in the queues due to the nature of how BOTs work.

What I would say though is you need to plan to get your data off that machine. As far as I am concerned, once a machine has been compromised you can never be sure that it is completely clean. I would also be concerned about how it became compromised. The most common way for a BOT to get on a system is for someone to be browsing from the machine.

Simon.
0
 

Author Comment

by:Infedo
I did something else this morning that could help. They have an external anti-spam and anti-virus filtering service provider called Securence. I set up Exchange under Default SMTP Server, Access and Connection, with the IP range of Securence, so now it will accept messages originating only from that IP range. We'll see what happens.
0
 

Author Comment

by:Infedo
I think I stopped the spam by setting Exchange to receive and send emails only from the spam filtering provider, but now I get the following message from Trend Micro: "Detected DNS query of malicious domain".
0