Solved

Exchange 2003 Virus / Blacklisted

Posted on 2011-09-02
Last Modified: 2012-05-12
Current System Configuration:

File Server (Domain Controller)
Windows Server 2003
Service Pack 2

Mail Server (Member Server)

Windows Server - Standard Edition 2003
Service Pack 2
Microsoft Exchange Server 2003
Service Pack 2

Problem:

Over the last several weeks we have been getting complaints from users that emails have been getting kicked back from the destination servers with non-delivery report errors.  Many of these kick-back messages indicated that our server was on a "Blacklist" and therefore any mail coming from us was rejected.  We checked and sure enough we were listed on several blacklist sites as sending unsolicited mail.  Upon checking the Exchange Server it was found that the server was producing a large amount of NDRs and the system queue was running with hundreds of messages.

We set up the recipient filter and enabled it on the SMTP virtual server.  We wanted to clean out all of the mail that was in the queue.  We created a false SMTP connector (99.99.99.99) and routed all mail from the queue to the connector.  We have been monitoring it now for several hours waiting for the number of messages in the queue to stabilize to "0" but it has not.  Messages keep appearing in the "Messages Pending Submission" folder.  We checked the messages in the folder and a great many of them are from "postmaster@ourdomain.com".  This is leading us to believe that we may have a virus of some type that is generating the messages and putting them in the queue.  I have McAfee server AV 8.8 Enterprise running on the server and we have run several scans but have found nothing.

I am at a loss and would appreciate any help from someone who has had this type of problem in the past.

Thanks.
0
Question by:mcgowray
7 Comments
 
LVL 17

Expert Comment

by:Kent Dyer
ID: 36476882
You may want to go to something a little more powerful than McAfee (yes, I understand you may have a grant with them)..  I would go to bleepingcomputer.com and get combofix or Malwarebytes.com to get a good tool to remove this with.  You may also be dealing with a rootkit and Kaspersky has a good rootkit remover..

There is a very, very (did I say very) active virus community - right here at EE..

Have a look here..

http://www.experts-exchange.com/Software/Internet_Email/Anti-Virus/McAfee/

http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/

http://www.experts-exchange.com/Software/Internet_Email/Anti-Virus/


HTH,

Kent
0
 
LVL 17

Expert Comment

by:Sajid Shaik M
ID: 36477195
What kind of spam protection do you have? If McAfee spam protection, then

check this trial version

http://www.mcafee.com/us/products/security-for-email-servers.aspx
0
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 2000 total points
ID: 36477417
1st things first.  This isn't a virus!!

If you are sending postmaster messages, then you are receiving NDR spam and you therefore need to enable Recipient Filtering which will resolve the issue quickly.

Were you listed on backscatterer.org by any chance?

http://www.msexchange.org/tutorials/sender-recipient-filtering.html

I wouldn't worry about scanning your server just yet - a virus is most unlikely.

When recipient filtering is enabled, your server won't be responsible for sending NDRs back to the spammer; their system will be responsible and your problem should clear up very quickly.

If not, I have an article you might need to read.
0
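The accepted answer's point is that with recipient filtering the server refuses unknown recipients during the SMTP session instead of accepting the mail and sending an NDR later, and that can be checked against your own server. The following is an added example, not part of the original thread: `probe_recipient_filtering` and the constructed `FakeSMTP` stand-in are hypothetical names and the reply strings are sample values; pass a connected `smtplib.SMTP` object to test a real server.

```python
import uuid


class FakeSMTP:
    """Constructed stand-in for smtplib.SMTP so the example runs offline."""

    def __init__(self, rcpt_reply):
        self.rcpt_reply, self.rcpts = rcpt_reply, []

    def ehlo(self, name=""):
        return 250, b"mail.example.com Hello"

    def mail(self, sender):
        return 250, b"2.1.0 Sender OK"

    def rcpt(self, recipient):
        self.rcpts.append(recipient)
        return self.rcpt_reply

    def rset(self):
        return 250, b"2.0.0 Resetting"


def probe_recipient_filtering(smtp, domain, helo="probe.example.net"):
    """RCPT TO a mailbox that cannot exist; return (verdict, code, reply)."""
    bogus = "no-such-user-%s@%s" % (uuid.uuid4().hex[:12], domain)
    smtp.ehlo(helo)
    code, reply = smtp.mail("probe@" + helo)
    if not 200 <= code < 300:
        verdict = "inconclusive"      # the probe's own sender was refused
    else:
        code, reply = smtp.rcpt(bogus)
        if 500 <= code < 600:
            verdict = "filtered"      # refused in-session: the sender's system bounces
        elif 200 <= code < 300:
            verdict = "backscatter-risk"  # accepted: NDR later, or a catch-all mailbox
        else:
            verdict = "inconclusive"  # 4xx: greylisting or throttling
    smtp.rset()                       # abandon the transaction; no message is sent
    if isinstance(reply, bytes):
        reply = reply.decode("ascii", "replace")
    return verdict, code, reply


if __name__ == "__main__":
    # Constructed replies; for a real check pass smtplib.SMTP(host, 25, timeout=15).
    for sample in [(550, b"5.1.1 User unknown"), (250, b"2.1.5 Recipient OK")]:
        print(probe_recipient_filtering(FakeSMTP(sample), "example.com"))
```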

Author Comment

by:mcgowray
ID: 36477773
It may not be a virus but then why is the queue filling up when I have shut down the inbound SMTP routing?
0
 

Author Comment

by:mcgowray
ID: 36477780
Our server is listed with backscatter.org
0
 

Expert Comment

by:ryanjones
ID: 36482276
Are you running an open relay? Even just for internal clients, if one of them is infected they will pump out mass spam.

Schedule an immediate scan through ePO for all machines and set the system resource util to low so that you won't have users complaining about speed.
0
 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 2000 total points
ID: 36482665
Being listed on Backscatterer.org suggests that you are not Recipient Filtering.  If it is not enabled, please enable it ASAP:

http://www.msexchange.org/tutorials/sender-recipient-filtering.html
0
