• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 371
  • Last Modified:

Exchange 2003 Virus / Blacklisted

Current System Configuration:

File Server (Domain Controller)
Windows Server 2003
Service Pack 2

Mail Server (Member Server)

Windows Server - Standard Edition 2003
Service Pack 2
Microsoft Exchange Server 2003
Service Pack 2

Problem:

Over the last several weeks we have been getting complaints from users that emails have been getting kicked back from the destination servers with non delivery report errors.  Many of these kick back messages indicated that our server was on a "Blacklist" and therefore any mail coming from us was rejected.  We checked and sure enough we were listed on several blacklist sites as send unsolicated mail.  Upon checking the Exchange Server it was found that the server was producing a large amount of NDR's and the system queue was running with hundreds of messages.

We setup the recipient Filter and enabled it on the SMTP virtual server.  We wanted to clean out all of the mail that was in the queue.  We created a false SMTP connector (99.99.99.99) and routed all mail from the queue to the connector.  we have been monitoring it now for several hours waiting for the number of messages in the queue to stablize to "0" but it has not.  Messages keep appearing in the "Messages Pending Submission" folder.  We checked the messages in the folder and a great many of them are from "postmaser@ourdomain.com".  This is leading us to believe that we may have a virus of some type that is generating the messages and putting them in the queue.  I have Macafee server AV 8.8 Enterprise running on the server and we have run several scans but have found nothing.

I am at a loss and would appriciate any help from someone who has had this type of problem in the past.

Thanks.
0
mcgowray
Asked:
mcgowray
2 Solutions
 
Kent DyerIT Security Analyst SeniorCommented:
You may want to go to something a little more powerful than McAfeee (yes, I understand you may have a grant with them)..  I would go to bleepingcomputer.com and get combofix or Malwarebytes.com to get a good tool to remove this with.  You may also be dealing with a rootkit and Kaspersky has a good rootkit remover..

There is a very, very (did I say very) active virus community - right here at EE..

Have a look here..

http://www.experts-exchange.com/Software/Internet_Email/Anti-Virus/McAfee/

http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/

http://www.experts-exchange.com/Software/Internet_Email/Anti-Virus/


HTH,

Kent
0
 
Sajid Shaik MSr. System AdminCommented:
what kind of spam protection u have... ? if mcafee spam protection... then

check this trial version

http://www.mcafee.com/us/products/security-for-email-servers.aspx
0
 
Alan HardistyCo-OwnerCommented:
1st things first.  This isn't a virus!!

If you are sending postmaster messages, then you are receiving NDR spam and you therefore need to enable Recipient Filtering which will resolve the issue quickly.

Were you listed on backscatterer.org by any chance?

http://www.msexchange.org/tutorials/sender-recipient-filtering.html

I wouldn't worry about scanning your server just yet - a virus is most unlikely.

When recipient filtering is enabled, your server won't be responsible for sending NDR's back to the spammer, their system will be responsible and your problem should clear up very quickly.

If not, I have an article you might need to read.
0
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

 
mcgowrayAuthor Commented:
It may not be a virus but then why is the queue filling up when I have shutdown the inbound SMTP routing?
0
 
mcgowrayAuthor Commented:
Our server is listed with backscatter.org
0
 
ryanjonesCommented:
Are you running an open relay? even just for internal clients if one of them is infected they will pump out mass spam.

Schedule an immeadiate scan through epo for all machines and set the system resource util to low so that you won't have users complaing about speed.
0
 
Alan HardistyCo-OwnerCommented:
Being listed on Backscatterer.org suggests that you are not Recipient Filtering.  If it is not enabled, please enable it asap :

http://www.msexchange.org/tutorials/sender-recipient-filtering.html
0

Featured Post

Easily manage email signatures in Office 365

Managing email signatures in Office 365 can be a challenging task if you don't have the right tool. CodeTwo Email Signatures for Office 365 will help you implement a unified email signature look, no matter what email client is used by users. Test it for free!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now