Solved

I think I have a mass mailer on my server, how do I find it and disable it

Posted on 2010-08-31
5
382 Views
Last Modified: 2013-12-06
I think I have a mass mailer virus/bot on my system. I know this because I recieve replys to emials I haven't sent.

Typically it will look like this


Your message did not reach some or all of the intended recipients.

      Subject:      Better sex with organ pills
      Sent:      8/27/2010 3:04 PM

The following recipient(s) cannot be reached:

      Greg McLandsborough on 8/27/2010 3:03 PM
            The e-mail address could not be found.  Perhaps the recipient moved to a different e-mail organization, or there was a mistake in the address.  Check the address and try again.
            < franklin.ultrafast.com.au #5.1.0 SMTP; 554 5.1.0 Sender Denied>

I also occasionally recieve Out of office replys from my contacts in my address book, to whom I have not sent an email.

I have a static Ip and use Exchange for my email system, and have 5 PC running of the Server. I have Trend Micro set up as a virus scanner.

Can anyone give me some advice on how to stop these virus/bots etc
0
Comment
Question by:GregMcL
  • 2
  • 2
5 Comments
 
LVL 2

Expert Comment

by:jtokarchuk
ID: 33573095
Get your network off of the internet to start with. You are probably going to end up SMTP blacklisted. (www.spamhaus.org)

Get multiple virus scans running on each machine and your server (combofix, malwarebytes, panda activescan to name a few) to clean them out.

I reccommend dropping in a filtering box such as Untangle to control your internet traffic. They have some pretty good spam and spyware/virus guarding, but you get what you pay for. (is free but only so good until you pay for other options)
0
 
LVL 95

Accepted Solution

by:
Lee W, MVP earned 500 total points
ID: 33573106
You are MOST LIKELY misunderstanding.  ANYONE can send an e-mail message and CLAIM it's from you're e-mail address.   Many malicious programs will simply grab a "random" e-mail address and stick it into the "from" field.  They could get the address from a person's address book of which you are a contact or a random list from somewhere else.  There is virtually nothing you can do about these bounce messages.What you can do is VERIFY that your server is clean - run appropriate anti-malware software to perform a scan, check for unknown services and processes, search for rootkits on the server, and run the mail server check at www.mxtoolbox.com.You can also review the headers of the e-mail messages for any clue that your mail server actually sent the message (probably, the only reference you'll have to your mail server is a message that it received the bounce message).
0
 

Author Comment

by:GregMcL
ID: 33573197
Is it possible to verify the security of my system ?
0
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 33573208
I'll repeat:
What you can do is VERIFY that your server is clean - run appropriate anti-malware software to perform a scan, check for unknown services and processes, search for rootkits on the server, and run the mail server check at www.mxtoolbox.com.

I assume you understand that appropriate anti-malware software means anti-virus and anti-rootkit software that you should have handy and be able to download from various anti-virus sites.  
0
 
LVL 2

Expert Comment

by:jtokarchuk
ID: 33573218
Take your network off the internet (off of business hours, assuming a business network?) and see if the bounced emails continue. As Leew said, use mxtoolbox.com and see if you have any blacklist records, that will be a pretty clear cut answer for you.

If you have a smart switch, monitor port 25 on your server's switch port.
0

Featured Post

Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

Join & Write a Comment

The term "Bad USB" is a buzz word that is usually used when talking about attacks on computer systems that involve USB devices. In this article, I will show what possibilities modern windows systems (win8.x and win10) offer to fight these attacks wi…
Users of Windows 10 Professional can disable automatic reboots using the policy editor. This tool is not included in the Windows home edition. But don't worry! Follow the instructions below to install (a Win7) policy editor on your Windows 10 Home e…
In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…
You have products, that come in variants and want to set different prices for them? Watch this micro tutorial that describes how to configure prices for Magento super attributes. Assigning simple products to configurable: We assigned simple products…

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now