Exchange 2003 Virus / Blacklisted

Posted on 2011-09-02
Last Modified: 2012-05-12
Current System Configuration:

File Server (Domain Controller)
Windows Server 2003, Service Pack 2

Mail Server (Member Server)
Windows Server 2003 Standard Edition, Service Pack 2
Microsoft Exchange Server 2003, Service Pack 2

Problem:

Over the last several weeks we have been getting complaints from users that emails have been getting kicked back from the destination servers with non-delivery report errors. Many of these kick-back messages indicated that our server was on a "blacklist" and therefore any mail coming from us was rejected. We checked and sure enough we were listed on several blacklist sites as sending unsolicited mail. Upon checking the Exchange server it was found that the server was producing a large amount of NDRs and the system queue was running with hundreds of messages.

We set up the Recipient Filter and enabled it on the SMTP virtual server. We wanted to clean out all of the mail that was in the queue. We created a false SMTP connector (99.99.99.99) and routed all mail from the queue to the connector. We have been monitoring it now for several hours waiting for the number of messages in the queue to stabilize at "0" but it has not. Messages keep appearing in the "Messages Pending Submission" folder. We checked the messages in the folder and a great many of them are from "postmaster@ourdomain.com". This is leading us to believe that we may have a virus of some type that is generating the messages and putting them in the queue. I have McAfee server AV 8.8 Enterprise running on the server and we have run several scans but have found nothing.

I am at a loss and would appreciate any help from someone who has had this type of problem in the past.

Thanks.
Question by:mcgowray
7 Comments
LVL 17

Expert Comment

by:Kent Dyer
You may want to go to something a little more powerful than McAfee (yes, I understand you may have a grant with them). I would go to bleepingcomputer.com and get ComboFix, or Malwarebytes.com to get a good tool to remove this with. You may also be dealing with a rootkit, and Kaspersky has a good rootkit remover.

There is a very, very (did I say very) active virus community - right here at EE..

Have a look here..

http://www.experts-exchange.com/Software/Internet_Email/Anti-Virus/McAfee/

http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/

http://www.experts-exchange.com/Software/Internet_Email/Anti-Virus/
HTH,

Kent
LVL 16

Expert Comment

by:Shaik M. Sajid
What kind of spam protection do you have? If McAfee spam protection, then

check this trial version:

http://www.mcafee.com/us/products/security-for-email-servers.aspx
LVL 76

Accepted Solution

by: Alan Hardisty (earned 500 total points)
First things first. This isn't a virus!!

If you are sending postmaster messages, then you are receiving NDR spam and you therefore need to enable Recipient Filtering which will resolve the issue quickly.

Were you listed on backscatterer.org by any chance?

http://www.msexchange.org/tutorials/sender-recipient-filtering.html

I wouldn't worry about scanning your server just yet - a virus is most unlikely.

When recipient filtering is enabled, your server won't be responsible for sending NDRs back to the spammer; their system will be responsible, and your problem should clear up very quickly.

If not, I have an article you might need to read.

Author Comment

by:mcgowray
It may not be a virus but then why is the queue filling up when I have shutdown the inbound SMTP routing?

Author Comment

by:mcgowray
Our server is listed with backscatter.org

Expert Comment

by:ryanjones
Are you running an open relay? Even just for internal clients: if one of them is infected, they will pump out mass spam.

Schedule an immediate scan through ePO for all machines and set the system resource utilization to low so that you won't have users complaining about speed.
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 500 total points
Being listed on Backscatterer.org suggests that you are not Recipient Filtering. If it is not enabled, please enable it ASAP:

http://www.msexchange.org/tutorials/sender-recipient-filtering.html
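Added example, not code from any poster in this thread: a small Python model of the SMTP exchange behind Alan's two comments, comparing a receiver that accepts mail for any address and bounces it later (the backscatter case) with one that refuses unknown recipients at RCPT TO. The mailbox directory, the spammer's forged sender and the recipient names are constructed.

```python
from dataclasses import dataclass, field

LOCAL_DOMAIN = "ourdomain.com"        # domain named in the question
VALID_MAILBOXES = {"alice", "bob"}     # constructed sample directory


@dataclass
class Receiver:
    """Simplified Exchange-style SMTP receiver, with or without Recipient Filtering."""
    recipient_filtering: bool
    queue: list = field(default_factory=list)       # messages accepted into the queue
    ndrs: list = field(default_factory=list)        # NDRs this server would emit
    transcript: list = field(default_factory=list)  # SMTP dialogue for the reader

    def _say(self, side, text):
        self.transcript.append(f"{side}: {text}")

    def deliver(self, mail_from, rcpt_to):
        """One SMTP transaction from a spammer; returns the final server reply."""
        self._say("C", f"MAIL FROM:<{mail_from}>")
        self._say("S", "250 2.1.0 Sender OK")
        self._say("C", f"RCPT TO:<{rcpt_to}>")
        local, _, domain = rcpt_to.partition("@")
        known = domain == LOCAL_DOMAIN and local in VALID_MAILBOXES
        if self.recipient_filtering and not known:
            # Refused inside the session: the connecting system owns the failure,
            # nothing is queued, so no postmaster NDR is ever created here.
            self._say("S", "550 5.1.1 User unknown")
            return "550 5.1.1 User unknown"
        self._say("S", "250 2.1.5 Recipient OK")
        self._say("C", "DATA ... <spam body> ... QUIT")
        self._say("S", "250 2.6.0 Queued")
        self.queue.append((mail_from, rcpt_to))
        if not known:
            # Accepted first, found undeliverable later: the server bounces it to
            # the forged MAIL FROM, an innocent third party. That is backscatter.
            self.ndrs.append((f"postmaster@{LOCAL_DOMAIN}", mail_from))
        return "250 2.6.0 Queued"


def run_backscatter_campaign(recipient_filtering, count=5):
    """Spam aimed at non-existent local users with a forged sender; returns the receiver."""
    r = Receiver(recipient_filtering)
    for i in range(count):
        r.deliver("victim@example.net", f"nobody{i}@{LOCAL_DOMAIN}")
    return r


if __name__ == "__main__":
    for flag in (False, True):
        r = run_backscatter_campaign(flag)
        print(f"recipient_filtering={flag}: queued={len(r.queue)} ndrs={len(r.ndrs)}")
```

The unfiltered run queues every message and produces one postmaster NDR per message to the forged sender, which is exactly the traffic that earns a Backscatterer.org listing; the filtered run queues nothing and produces no NDRs.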