Solved

Exchange 2003 Virus / Blacklisted

Posted on 2011-09-02
361 Views
Last Modified: 2012-05-12
Current System Configuration:

File Server (Domain Controller)
Windows Server 2003
Service Pack 2

Mail Server (Member Server)

Windows Server - Standard Edition 2003
Service Pack 2
Microsoft Exchange Server 2003
Service Pack 2

Problem:

Over the last several weeks we have been getting complaints from users that emails have been getting kicked back from the destination servers with non-delivery report errors.  Many of these kick-back messages indicated that our server was on a "Blacklist" and therefore any mail coming from us was rejected.  We checked and sure enough we were listed on several blacklist sites as sending unsolicited mail.  Upon checking the Exchange Server it was found that the server was producing a large amount of NDRs and the system queue was running with hundreds of messages.

We set up the Recipient Filter and enabled it on the SMTP virtual server.  We wanted to clean out all of the mail that was in the queue.  We created a false SMTP connector (99.99.99.99) and routed all mail from the queue to the connector.  We have been monitoring it now for several hours waiting for the number of messages in the queue to stabilize to "0" but it has not.  Messages keep appearing in the "Messages Pending Submission" folder.  We checked the messages in the folder and a great many of them are from "postmaster@ourdomain.com".  This is leading us to believe that we may have a virus of some type that is generating the messages and putting them in the queue.  I have McAfee server AV 8.8 Enterprise running on the server and we have run several scans but have found nothing.

I am at a loss and would appreciate any help from someone who has had this type of problem in the past.

Thanks.
Question by:mcgowray
7 Comments
 
LVL 17

Expert Comment

by:Kent Dyer
ID: 36476882
You may want to go to something a little more powerful than McAfee (yes, I understand you may have a grant with them)..  I would go to bleepingcomputer.com and get combofix or Malwarebytes.com to get a good tool to remove this with.  You may also be dealing with a rootkit and Kaspersky has a good rootkit remover..

There is a very, very (did I say very) active virus community - right here at EE..

Have a look here..

http://www.experts-exchange.com/Software/Internet_Email/Anti-Virus/McAfee/

http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/

http://www.experts-exchange.com/Software/Internet_Email/Anti-Virus/


HTH,

Kent
LVL 16

Expert Comment

by:Shaik M. Sajid
ID: 36477195
What kind of spam protection do you have...? If McAfee spam protection... then

check this trial version

http://www.mcafee.com/us/products/security-for-email-servers.aspx
LVL 76

Accepted Solution

by:Alan Hardisty
Alan Hardisty earned 2000 total points
ID: 36477417
1st things first.  This isn't a virus!!

If you are sending postmaster messages, then you are receiving NDR spam and you therefore need to enable Recipient Filtering which will resolve the issue quickly.

Were you listed on backscatterer.org by any chance?

http://www.msexchange.org/tutorials/sender-recipient-filtering.html

I wouldn't worry about scanning your server just yet - a virus is most unlikely.

When recipient filtering is enabled, your server won't be responsible for sending NDRs back to the spammer, their system will be responsible and your problem should clear up very quickly.

If not, I have an article you might need to read.
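To make the accepted answer's point concrete, here is an added model (not code from the thread, and not Exchange's own implementation) of what changes at the RCPT TO stage when Recipient Filtering is on. The mailbox list, domains and message counts are constructed for the example; "ourdomain.com" is the asker's placeholder domain.

```python
from dataclasses import dataclass, field

# Constructed directory of real mailboxes on our domain (assumption for the model).
VALID_MAILBOXES = {"alice@ourdomain.com", "bob@ourdomain.com"}


@dataclass
class MailServer:
    """Minimal model of an inbound SMTP server's RCPT TO decision."""
    recipient_filtering: bool
    accepted: list = field(default_factory=list)   # messages taken into the store
    ndr_queue: list = field(default_factory=list)  # NDRs this server will send out

    def rcpt_to(self, recipient: str) -> str:
        """Return the SMTP reply to RCPT TO:<recipient>."""
        if self.recipient_filtering and recipient.lower() not in VALID_MAILBOXES:
            # Rejected during the SMTP session: the sending MTA owns any bounce.
            return "550 5.1.1 User unknown"
        return "250 2.1.5 Recipient OK"

    def deliver(self, mail_from: str, rcpt: str, data: str) -> dict:
        """One MAIL FROM / RCPT TO / DATA exchange; returns a short transcript."""
        reply = self.rcpt_to(rcpt)
        if reply.startswith("250"):
            if rcpt.lower() in VALID_MAILBOXES:
                self.accepted.append((mail_from, rcpt, data))
            else:
                # Accepted, then the categorizer cannot resolve the recipient, so
                # *this* server generates the NDR to the (forged) sender address.
                self.ndr_queue.append({"from": "postmaster@ourdomain.com", "to": mail_from})
        return {"MAIL FROM": mail_from, "RCPT TO": rcpt, "reply": reply}


def spam_run(filtering: bool, forged_senders: list, n_bad_rcpts: int) -> int:
    """Send spam to n non-existent users; return how many NDRs *we* would emit."""
    srv = MailServer(recipient_filtering=filtering)
    for i in range(n_bad_rcpts):
        sender = forged_senders[i % len(forged_senders)]
        srv.deliver(sender, f"user{i}@ourdomain.com", "constructed spam body")
    return len(srv.ndr_queue)


if __name__ == "__main__":
    victims = ["innocent@example.net", "someone@example.org"]  # forged senders
    print("NDRs we send without recipient filtering:", spam_run(False, victims, 500))
    print("NDRs we send with recipient filtering:   ", spam_run(True, victims, 500))
```

With filtering off, every spam to a non-existent user becomes a postmaster NDR in our outbound queue addressed to a forged sender, which is exactly what backscatterer.org lists; with filtering on, the queue stays empty because the rejection happens before the message is accepted.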
Author Comment

by:mcgowray
ID: 36477773
It may not be a virus but then why is the queue filling up when I have shut down the inbound SMTP routing?
 

Author Comment

by:mcgowray
ID: 36477780
Our server is listed with backscatterer.org
 

Expert Comment

by:ryanjones
ID: 36482276
Are you running an open relay? Even just for internal clients: if one of them is infected, they will pump out mass spam.

Schedule an immediate scan through ePO for all machines and set the system resource utilization to low so that you won't have users complaining about speed.
 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 2000 total points
ID: 36482665
Being listed on Backscatterer.org suggests that you are not Recipient Filtering.  If it is not enabled, please enable it ASAP:

http://www.msexchange.org/tutorials/sender-recipient-filtering.html