Virus that sends Spam

Hi

I have a customer that has an antivirus on every PC, but since last week some sort of virus that the antivirus does not even see keeps sending 1000s of spam. It fills the queue of the Exchange 2003 with emails from postmaster NDR.
I already cleaned the queue on Exchange twice, but one or two days after, it starts to happen again.
I was wondering if it is a virus that runs on a schedule and how I can identify the source.
Infedo Asked:
InfedoAuthor Commented:
This was the first thing I did when the problem started, but it did not fix the problem.
0
MesthaCommented:
Postmaster@ messages are not caused by something internally.
Furthermore, making the change after the messages have started to appear does not clear the queues. You need to clear the queues completely and then restart the SMTP Server service. Due to the way ESM works, it will continue to show new messages appearing in the queues, even if there are no new messages being delivered. This is because ESM is bad at displaying very large queues.

You need to clean the queue.

Simon.
0


InfedoAuthor Commented:
I already cleaned the queue 3 times. It stays empty for a few hours or a day, then it starts again.
One thing I forgot to do is to restart the SMTP services after I set Exchange to not accept mail from people that are not listed in AD. I restarted only the Default SMTP server on Exchange.
I will keep an eye on it for the next few hours and see what happens. I have a user that keeps complaining that he sees 80% network activity and he thinks he has a virus. I will investigate more.
0
MesthaCommented:
If you haven't restarted the SMTP Server service then the change hasn't taken effect.

Simon.
0
InfedoAuthor Commented:
Thank you. Let's see if it works this time.
Is there a way to prevent this type of attack at the firewall level?
What strategy do they use to initiate the attack, and how can they relay email if the Exchange is not an open relay?
0
MesthaCommented:
Recipient filtering will deal with the problem. Nothing your firewall can do about it.
The server doesn't have to be an open relay to relay email messages. It can also be via authenticated relay.
However if you are seeing postmaster@ messages then the server isn't relaying at all. The server is actually doing what it was designed to do - which is send back emails that were misaddressed to the sender. The problem is the "sender" is spoofed and is the real target of the messages. By default Exchange accepts the messages and then attempts to NDR them, causing what is known as backscatter. Recipient filtering changes that behaviour so that the messages are rejected at the point of delivery.

Simon.
0
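To make the backscatter mechanism described above concrete, here is an added Python model (not Exchange code, and not from the thread) of the two recipient policies: the default, which accepts any recipient in the local domain at RCPT TO and later mails an NDR from postmaster@ to the spoofed MAIL FROM address, versus recipient filtering, which rejects unknown recipients during the SMTP session. The envelopes, domain, and recipient list are constructed; the SMTP reply strings are illustrative.

```python
"""Model of how a gateway's recipient policy decides whether backscatter
is generated.  Added illustration, not Exchange code; all data is constructed."""
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class Envelope:
    mail_from: str   # claimed sender; spoofed by the spammer to the real victim
    rcpt_to: str     # recipient address the spammer guessed at our domain
    client_ip: str   # connecting host (constructed documentation-range IPs)


@dataclass
class Outcome:
    rcpt_response: str           # SMTP reply given to RCPT TO
    ndr_sent_to: Optional[str]   # where a postmaster@ bounce went, if anywhere


LOCAL_DOMAIN = "example.com"                                # constructed
VALID_RECIPIENTS = {"alice@example.com", "bob@example.com"}  # constructed


def handle_envelope(env: Envelope, recipient_filtering: bool) -> Outcome:
    """Decide the fate of one inbound envelope under the chosen policy.

    recipient_filtering=False models the default behaviour: accept the message,
    discover the mailbox does not exist, and NDR it to the (spoofed) sender.
    recipient_filtering=True rejects the unknown recipient inside the SMTP
    session, so the message is never accepted and no bounce can be created.
    """
    local = env.rcpt_to.lower()
    if not local.endswith("@" + LOCAL_DOMAIN):
        # not our domain and not authenticated: plain relay refusal
        return Outcome("550 5.7.1 Unable to relay", None)
    if local in VALID_RECIPIENTS:
        return Outcome("250 2.1.5 Recipient OK", None)
    if recipient_filtering:
        # rejected at the point of delivery; the remote MTA owns the problem
        return Outcome("550 5.1.1 User unknown", None)
    # accepted now, bounced later from postmaster@ to the spoofed sender
    return Outcome("250 2.1.5 Recipient OK", env.mail_from)


def ndr_targets(envelopes: List[Envelope], recipient_filtering: bool) -> Set[str]:
    """Set of addresses that would receive backscatter NDRs under the policy."""
    targets = set()
    for env in envelopes:
        out = handle_envelope(env, recipient_filtering)
        if out.ndr_sent_to:
            targets.add(out.ndr_sent_to)
    return targets


def backscatter_count(envelopes: List[Envelope], recipient_filtering: bool) -> int:
    """Number of NDRs the server would generate for the given envelopes."""
    return sum(
        1 for env in envelopes
        if handle_envelope(env, recipient_filtering).ndr_sent_to is not None
    )


# Constructed sample: one legitimate delivery plus a dictionary-style burst
# of guessed local names, all with the same spoofed sender.
SAMPLE_ENVELOPES = [
    Envelope("news@partner.example", "alice@example.com", "203.0.113.10"),
    Envelope("victim@elsewhere.example", "aaron@example.com", "198.51.100.7"),
    Envelope("victim@elsewhere.example", "abby@example.com", "198.51.100.7"),
    Envelope("victim@elsewhere.example", "abe@example.com", "198.51.100.7"),
    Envelope("victim@elsewhere.example", "someone@other.example", "198.51.100.7"),
]

if __name__ == "__main__":
    for filtering in (False, True):
        print("recipient filtering", "on " if filtering else "off",
              "-> NDRs generated:", backscatter_count(SAMPLE_ENVELOPES, filtering),
              "to", sorted(ndr_targets(SAMPLE_ENVELOPES, filtering)))
```

With filtering off, the three guessed names are accepted and produce three NDRs to victim@elsewhere.example, which is the queue full of postmaster@ messages the question describes; with filtering on, the same burst produces none, and the valid delivery to alice@ is unaffected either way.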
MesthaCommented:
That isn't NDR spam. That looks like the server is being abused directly.
You are either an open relay or an authenticated relay is being used.

Have you checked for an open relay?
Have you tightened up authenticated relaying?

Simon.
0
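Checking whether an authenticated account or a single client is injecting outbound mail, as asked above, is easiest from the SMTP protocol log. The following Python is an added example, not code from the thread or from Exchange: it summarises log records by client IP and authenticated user and flags sources that send to many external recipients. The log lines and the simplified W3C-style field layout (date time c-ip cs-username cs-method cs-uri-query sc-status) are constructed for the example and are not a verbatim Exchange 2003 log format.

```python
"""Summarise SMTP protocol-log records by source to find who is relaying.
Added example; the records and the simplified field layout are constructed."""
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

LOCAL_DOMAIN = "example.com"  # constructed

# Constructed, simplified W3C-style records (raw string keeps the backslash
# in the DOMAIN\user form as-is).
SAMPLE_LOG = r"""#Fields: date time c-ip cs-username cs-method cs-uri-query sc-status
2009-06-01 08:00:01 203.0.113.10 - MAIL +FROM:<news@partner.example> 250
2009-06-01 08:00:02 203.0.113.10 - RCPT +TO:<alice@example.com> 250
2009-06-01 08:01:10 192.168.1.57 EXAMPLE\jdoe MAIL +FROM:<jdoe@example.com> 250
2009-06-01 08:01:11 192.168.1.57 EXAMPLE\jdoe RCPT +TO:<bob@example.com> 250
2009-06-01 08:02:00 198.51.100.7 EXAMPLE\jsmith MAIL +FROM:<offer123@random.invalid> 250
2009-06-01 08:02:00 198.51.100.7 EXAMPLE\jsmith RCPT +TO:<victim1@elsewhere.example> 250
2009-06-01 08:02:01 198.51.100.7 EXAMPLE\jsmith MAIL +FROM:<offer124@random.invalid> 250
2009-06-01 08:02:01 198.51.100.7 EXAMPLE\jsmith RCPT +TO:<victim2@elsewhere.example> 250
2009-06-01 08:02:02 198.51.100.7 EXAMPLE\jsmith MAIL +FROM:<offer125@random.invalid> 250
2009-06-01 08:02:02 198.51.100.7 EXAMPLE\jsmith RCPT +TO:<victim3@elsewhere.example> 250
"""

Source = Tuple[str, str]  # (client IP, authenticated user or "-")


def parse_records(text: str) -> List[Dict[str, str]]:
    """Turn log text into dicts; '#' directive lines and blanks are skipped."""
    fields = ["date", "time", "c_ip", "user", "method", "query", "status"]
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line; ignore rather than crash
        records.append(dict(zip(fields, parts)))
    return records


def address_from_query(query: str) -> str:
    """Extract the address inside <...> from '+FROM:<a@b>' or '+TO:<a@b>'."""
    start, end = query.find("<"), query.rfind(">")
    return query[start + 1:end].lower() if 0 <= start < end else ""


def external_recipients_by_source(text: str) -> Dict[Source, int]:
    """Count accepted RCPT TO commands to non-local domains per source."""
    counts: Dict[Source, int] = defaultdict(int)
    for rec in parse_records(text):
        if rec["method"] != "RCPT" or rec["status"] != "250":
            continue
        addr = address_from_query(rec["query"])
        if addr and not addr.endswith("@" + LOCAL_DOMAIN):
            counts[(rec["c_ip"], rec["user"])] += 1
    return dict(counts)


def mail_from_by_source(text: str) -> Counter:
    """Count MAIL FROM commands per source, a quick 'top talkers' view."""
    return Counter((r["c_ip"], r["user"])
                   for r in parse_records(text) if r["method"] == "MAIL")


def flag_relay_sources(text: str, threshold: int = 3) -> List[Source]:
    """Sources relaying to at least `threshold` external recipients.

    Anonymous sources delivering to local mailboxes never appear here;
    only outbound relaying, which legitimately comes from a few known
    clients, is counted.
    """
    counts = external_recipients_by_source(text)
    return sorted(src for src, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for src, n in mail_from_by_source(SAMPLE_LOG).most_common():
        print(f"{src[0]:15} {src[1]:16} MAIL FROM x{n}")
    print("relay sources over threshold:", flag_relay_sources(SAMPLE_LOG))
```

On the constructed log the only flagged source is the authenticated account EXAMPLE\jsmith connecting from 198.51.100.7: many distinct MAIL FROM addresses at a domain that is not ours, every recipient external. That pattern is the authenticated-relay abuse described above, and it points at the credential and host to act on rather than at the queue.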
InfedoAuthor Commented:
I had NDRs before. Every email was from postmaster.
Now I get what is on the list.
I'm sure it is not an open relay.
Default SMTP Virtual Server, Access Tab, Authentication has Anonymous, Basic and Windows authentication checked. I tried to disable Anonymous, but then emails were not getting in.
Under the Relay Tab I have only the list below checked with the IP of the Exchange server, and also "Allow all computers that authenticate..."
What did I miss?
I still have the feeling that the traffic comes from one infected PC on the network.
0
InfedoAuthor Commented:
I installed RUBotted from Trend Micro and it finds a bot on the Exchange server, but HouseCall or my AVG Network Edition antivirus does not find anything.
0
MesthaCommented:
It isn't a virus on your machine. Scanning for a virus is a waste of time.
If you do not have any POP3 clients then turn off allow all computers that authenticate. It is not required for Exchange to operate correctly.

Simon.
0
InfedoAuthor Commented:
Ok, I will, but take a look at the pic. How do you explain that only this machine gets this message?

bot.JPG
0
MesthaCommented:
What machine found that?

The fact that you found a BOT may well be a coincidence. BOTs do not use other servers to send their email through. I outlined why that was here: http://blog.sembee.co.uk/archive/2008/03/13/73.aspx

Simon.
0
InfedoAuthor Commented:
The bot was found on the Exchange server.
0
MesthaCommented:
If the BOT was found on the server then I would say that the server itself is directly infected - but that still wouldn't cause the emails to be listed in the queues due to the nature of how BOTs work.

What I would say though is you need to plan to get your data off that machine. As far as I am concerned, once a machine has been compromised you can never be sure that it is completely clean. I would also be concerned about how it became compromised. The most common way for a BOT to get on a system is for someone to be browsing from the machine.

Simon.
0
InfedoAuthor Commented:
I did something else this morning that could help. They have an external anti-spam and anti-virus filtering service provider called Securence. I set up Exchange under Default SMTP Server, Access and Connection, with the IP range of Securence, so now it will accept messages originating only from that IP range. We'll see what happens.
0
InfedoAuthor Commented:
I think I stopped the spam by setting Exchange to receive and send emails only from the spam filtering provider, but now I get the following message from Trend Micro: "Detected DNS query of malicious domain".
0