Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

I think I have a mass mailer on my server, how do I find it and disable it

Posted on 2010-08-31
5
Medium Priority
?
402 Views
Last Modified: 2013-12-06
I think I have a mass mailer virus/bot on my system. I know this because I recieve replys to emials I haven't sent.

Typically it will look like this


Your message did not reach some or all of the intended recipients.

      Subject:      Better sex with organ pills
      Sent:      8/27/2010 3:04 PM

The following recipient(s) cannot be reached:

      Greg McLandsborough on 8/27/2010 3:03 PM
            The e-mail address could not be found.  Perhaps the recipient moved to a different e-mail organization, or there was a mistake in the address.  Check the address and try again.
            < franklin.ultrafast.com.au #5.1.0 SMTP; 554 5.1.0 Sender Denied>

I also occasionally recieve Out of office replys from my contacts in my address book, to whom I have not sent an email.

I have a static Ip and use Exchange for my email system, and have 5 PC running of the Server. I have Trend Micro set up as a virus scanner.

Can anyone give me some advice on how to stop these virus/bots etc
0
Comment
Question by:GregMcL
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 2

Expert Comment

by:jtokarchuk
ID: 33573095
Get your network off of the internet to start with. You are probably going to end up SMTP blacklisted. (www.spamhaus.org)

Get multiple virus scans running on each machine and your server (combofix, malwarebytes, panda activescan to name a few) to clean them out.

I reccommend dropping in a filtering box such as Untangle to control your internet traffic. They have some pretty good spam and spyware/virus guarding, but you get what you pay for. (is free but only so good until you pay for other options)
0
 
LVL 96

Accepted Solution

by:
Lee W, MVP earned 2000 total points
ID: 33573106
You are MOST LIKELY misunderstanding.  ANYONE can send an e-mail message and CLAIM it's from you're e-mail address.   Many malicious programs will simply grab a "random" e-mail address and stick it into the "from" field.  They could get the address from a person's address book of which you are a contact or a random list from somewhere else.  There is virtually nothing you can do about these bounce messages.What you can do is VERIFY that your server is clean - run appropriate anti-malware software to perform a scan, check for unknown services and processes, search for rootkits on the server, and run the mail server check at www.mxtoolbox.com.You can also review the headers of the e-mail messages for any clue that your mail server actually sent the message (probably, the only reference you'll have to your mail server is a message that it received the bounce message).
0
 

Author Comment

by:GregMcL
ID: 33573197
Is it possible to verify the security of my system ?
0
 
LVL 96

Expert Comment

by:Lee W, MVP
ID: 33573208
I'll repeat:
What you can do is VERIFY that your server is clean - run appropriate anti-malware software to perform a scan, check for unknown services and processes, search for rootkits on the server, and run the mail server check at www.mxtoolbox.com.

I assume you understand that appropriate anti-malware software means anti-virus and anti-rootkit software that you should have handy and be able to download from various anti-virus sites.  
0
 
LVL 2

Expert Comment

by:jtokarchuk
ID: 33573218
Take your network off the internet (off of business hours, assuming a business network?) and see if the bounced emails continue. As Leew said, use mxtoolbox.com and see if you have any blacklist records, that will be a pretty clear cut answer for you.

If you have a smart switch, monitor port 25 on your server's switch port.
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Recently, I read that Microsoft has analysed statistics for their security intelligence report. It revealed: still, the clear majority of windows users do their daily work as administrator. An administrative account is a burden, security-wise. My ar…
Container Orchestration platforms empower organizations to scale their apps at an exceptional rate. This is the reason numerous innovation-driven companies are moving apps to an appropriated datacenter wide platform that empowers them to scale at a …
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

721 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question