Solved

Virus that sends spam

Posted on 2009-07-06
Last Modified: 2013-12-09
Hi

I have a customer that has an antivirus on every PC, but since last week some sort of virus that the antivirus does not even see keeps sending 1000s of spam. It fills the queue of Exchange 2003 with emails from postmaster NDR.
I already cleaned the queue on Exchange twice, but one or two days after it starts to happen again.
I was wondering if it is a virus that runs on a schedule and how I can identify the source.
Question by:Infedo
18 Comments
 
LVL 13

Expert Comment

by:marine7275
ID: 24789399
0
 

Author Comment

by:Infedo
ID: 24789415
This was the first thing I did when the problem started, but it did not fix the problem.
0
 
LVL 65

Accepted Solution

by:Mestha (earned 500 total points)
ID: 24790209
Postmaster@ messages are not caused by something internally.
Furthermore, making the change after the messages have started to appear does not clear the queues. You need to clear the queues completely and then restart the SMTP Server service. Due to the way ESM works, it will continue to show new messages appearing in the queues, even if there are no new messages being delivered. This is because ESM is bad at displaying very large queues.

You need to clean the queue.

Simon.
0
 

Author Comment

by:Infedo
ID: 24790352
I already cleaned the queue 3 times. It stays empty for a few hours or a day, then it starts again.
One thing I forgot to do is to restart the SMTP services after I set Exchange to not accept mail from people that are not listed in AD. I only restarted the Default SMTP server on Exchange.
I will keep an eye on it for the next few hours and see what happens. I have a user that keeps complaining that he sees 80% network activity and he thinks he has a virus. I will investigate more.
0
 
LVL 65

Expert Comment

by:Mestha
ID: 24790458
If you haven't restarted the SMTP Server service then the change hasn't taken effect.

Simon.
0
 

Author Comment

by:Infedo
ID: 24790538
Thank you. Let's see if it works this time.
Is there a way to prevent this type of attack at the firewall level?
What strategy do they use to initiate the attack, and how can they relay email if the Exchange is not an open relay?
0
 
LVL 65

Expert Comment

by:Mestha
ID: 24793330
Recipient filtering will deal with the problem. Nothing your firewall can do about it.
The server doesn't have to be an open relay to relay email messages. It can also be via authenticated relay.
However if you are seeing postmaster@ messages then the server isn't relaying at all. The server is actually doing what it was designed to do - which is send back emails that were misaddressed to the sender. The problem is the "sender" is spoofed and is the real target of the messages. By default Exchange accepts the messages and then attempts to NDR them, causing what is known as backscatter. Recipient filtering changes that behaviour so that the messages are rejected at the point of delivery.

Simon.
0
 
LVL 65

Expert Comment

by:Mestha
ID: 24816903
That isn't NDR spam. That looks like the server is being abused directly.
You are either an open relay or an authenticated relay is being used.

Have you checked for an open relay?
Have you tightened up authenticated relaying?

Simon.
0
 

Author Comment

by:Infedo
ID: 24817310
I had NDRs before. Every email was from postmaster.
Now I get what is on the list.
I'm sure it is not an open relay.
Default SMTP Virtual Server, Access tab, Authentication has Anonymous, Basic and Windows authentication checked. I tried to disable Anonymous, but then emails are not getting in.
Under the Relay tab I have only the list below checked with the IP of the Exchange server, and also the Allow all computers that authenticate....
What did I miss?
I still have the feeling that the traffic comes from one infected PC on the network.
0
 

Author Comment

by:Infedo
ID: 24818681
I installed RUBotted from Trend Micro and it found a bot on the Exchange server, but HouseCall or my AVG Network Edition antivirus does not find anything.
0
 
LVL 65

Expert Comment

by:Mestha
ID: 24818980
It isn't a virus on your machine. Scanning for a virus is a waste of time.
If you do not have any POP3 clients then turn off allow all computers that authenticate. It is not required for Exchange to operate correctly.

Simon.
0
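As an added illustration (not code from this thread, from Simon, or from Exchange itself), the following Python model of a receiving server's RCPT TO decision shows the two points made above: accepting unknown recipients and NDRing them later creates backscatter, recipient filtering rejects them at delivery time, and "allow all computers that authenticate" turns a stolen mailbox password into a relay. The domain, mailbox list and bursts are constructed, and the reply strings are conventional SMTP codes, not quoted Exchange output.

```python
# Added example: a minimal model of the RCPT TO decision on an inbound SMTP
# session. Everything here (domain, directory, bursts, replies) is constructed.

LOCAL_DOMAIN = "example.com"
VALID_RECIPIENTS = {"alice@example.com", "bob@example.com"}  # constructed directory


def rcpt_decision(rcpt_to, authenticated, recipient_filtering, relay_authenticated):
    """Return (smtp_reply, outcome) for one RCPT TO command.

    outcome is "deliver", "ndr" (accepted now, bounced to the envelope sender
    later; backscatter when that sender was spoofed), "relay", or "rejected".
    """
    addr = rcpt_to.lower()
    if addr.endswith("@" + LOCAL_DOMAIN):
        if addr in VALID_RECIPIENTS:
            return "250 2.1.5 Recipient OK", "deliver"
        if recipient_filtering:
            # Unknown local user refused at the point of delivery: no NDR exists.
            return "550 5.1.1 User unknown", "rejected"
        # Accepted, then found undeliverable: an NDR to the envelope sender is queued.
        return "250 2.1.5 Recipient OK", "ndr"
    # Non-local recipient: relaying needs an authenticated session AND the
    # virtual server's "allow all computers that authenticate" setting.
    if authenticated and relay_authenticated:
        return "250 2.1.5 Recipient OK", "relay"
    return "550 5.7.1 Unable to relay", "rejected"


def count_outcomes(rcpts, authenticated, recipient_filtering, relay_authenticated):
    """Tally the outcomes of a batch of RCPT TO commands in one session."""
    tally = {"deliver": 0, "ndr": 0, "relay": 0, "rejected": 0}
    for r in rcpts:
        tally[rcpt_decision(r, authenticated, recipient_filtering, relay_authenticated)[1]] += 1
    return tally


# Constructed dictionary burst with a spoofed sender: guessed names plus one real mailbox.
DICTIONARY_BURST = [f"user{i}@example.com" for i in range(1000)] + ["alice@example.com"]
# Constructed outbound burst to external addresses, as an abused account would send.
RELAY_BURST = [f"target{i}@example.net" for i in range(500)]

if __name__ == "__main__":
    print(count_outcomes(DICTIONARY_BURST, False, False, True))  # 1000 NDRs queued
    print(count_outcomes(DICTIONARY_BURST, False, True, True))   # 1000 rejected, no NDRs
    print(count_outcomes(RELAY_BURST, True, True, True))         # 500 relayed
    print(count_outcomes(RELAY_BURST, True, True, False))        # 500 rejected
```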
 

Author Comment

by:Infedo
ID: 24819726
Ok, I will, but take a look at the pic. How do you explain that only this machine gets this message?

bot.JPG
0
 
LVL 65

Expert Comment

by:Mestha
ID: 24821808
What machine found that?

The fact that you found a BOT may well be a coincidence. BOTs do not use other servers to send their email through. I outlined why that was here: http://blog.sembee.co.uk/archive/2008/03/13/73.aspx

Simon.
0
 

Author Comment

by:Infedo
ID: 24823967
The bot was found on the Exchange server.
0
 
LVL 65

Expert Comment

by:Mestha
ID: 24824162
If the BOT was found on the server then I would say that the server itself is directly infected - but that still wouldn't cause the emails to be listed in the queues due to the nature of how BOTs work.

What I would say though is you need to plan to get your data off that machine. As far as I am concerned, once a machine has been compromised you can never be sure that it is completely clean. I would also be concerned about how it became compromised. The most common way for a BOT to get on a system is for someone to be browsing from the machine.

Simon.
0
 

Author Comment

by:Infedo
ID: 24824278
I did something else this morning that could help. They have an external anti-spam and anti-virus filtering service provider called Securence. I set up Exchange under Default SMTP server Access and Connection with the IP range of Securence, so now it will accept messages originating only from that IP range. We'll see what happens.
0
 

Author Comment

by:Infedo
ID: 24845071
I think I stopped the spam by setting Exchange to receive and send emails only from the spam filtering provider, but now I get the following message from Trend Micro: "Detected DNS query of malicious domain".
0
