Solved

Exchange 2003 Virus / Blacklisted

Posted on 2011-09-02
Last Modified: 2012-05-12
Current System Configuration:

File Server (Domain Controller)
Windows Server 2003
Service Pack 2

Mail Server (Member Server)

Windows Server - Standard Edition 2003
Service Pack 2
Microsoft Exchange Server 2003
Service Pack 2

Problem:

Over the last several weeks we have been getting complaints from users that emails have been getting kicked back from the destination servers with non-delivery report errors.  Many of these kick-back messages indicated that our server was on a "Blacklist" and therefore any mail coming from us was rejected.  We checked and sure enough we were listed on several blacklist sites as sending unsolicited mail.  Upon checking the Exchange Server it was found that the server was producing a large amount of NDRs and the system queue was running with hundreds of messages.

We set up the Recipient Filter and enabled it on the SMTP virtual server.  We wanted to clean out all of the mail that was in the queue.  We created a false SMTP connector (99.99.99.99) and routed all mail from the queue to the connector.  We have been monitoring it now for several hours waiting for the number of messages in the queue to stabilize to "0" but it has not.  Messages keep appearing in the "Messages Pending Submission" folder.  We checked the messages in the folder and a great many of them are from "postmaster@ourdomain.com".  This is leading us to believe that we may have a virus of some type that is generating the messages and putting them in the queue.  I have McAfee server AV 8.8 Enterprise running on the server and we have run several scans but have found nothing.

I am at a loss and would appreciate any help from someone who has had this type of problem in the past.

Thanks.
Question by:mcgowray
7 Comments
 

Expert Comment

by:Kent Dyer
ID: 36476882
You may want to go to something a little more powerful than McAfee (yes, I understand you may have a grant with them).  I would go to bleepingcomputer.com and get combofix or Malwarebytes.com to get a good tool to remove this with.  You may also be dealing with a rootkit and Kaspersky has a good rootkit remover.

There is a very, very (did I say very) active virus community - right here at EE..

Have a look here..

http://www.experts-exchange.com/Software/Internet_Email/Anti-Virus/McAfee/

http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/

http://www.experts-exchange.com/Software/Internet_Email/Anti-Virus/


HTH,

Kent

Expert Comment

by:Shaik M. Sajid
ID: 36477195
What kind of spam protection do you have? If McAfee spam protection, then

check this trial version

http://www.mcafee.com/us/products/security-for-email-servers.aspx

Accepted Solution

by:
Alan Hardisty earned 500 total points
ID: 36477417
1st things first.  This isn't a virus!!

If you are sending postmaster messages, then you are receiving NDR spam and you therefore need to enable Recipient Filtering which will resolve the issue quickly.

Were you listed on backscatterer.org by any chance?

http://www.msexchange.org/tutorials/sender-recipient-filtering.html

I wouldn't worry about scanning your server just yet - a virus is most unlikely.

When recipient filtering is enabled, your server won't be responsible for sending NDRs back to the spammer; their system will be responsible and your problem should clear up very quickly.

If not, I have an article you might need to read.
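
The difference described in the accepted answer above, modelled as an added example (not code from this thread and not Exchange code): a toy SMTP receiver that either accepts every recipient and bounces later, or rejects unknown recipients at RCPT TO. The `Receiver` class and all addresses and domains are constructed for illustration.

```python
# Added illustration: a toy model of an SMTP receiver, not Exchange code.
# All addresses and domains below are constructed sample values.
VALID = {"alice@ourdomain.example", "bob@ourdomain.example"}


class Receiver:
    """Minimal receiver model with recipient filtering switched on or off."""

    def __init__(self, valid_recipients, recipient_filtering):
        self.valid = valid_recipients
        self.filtering = recipient_filtering
        self.outbound_queue = []  # NDRs this server must now deliver itself

    def session(self, mail_from, rcpt_to):
        """Handle one inbound message; return the reply given to RCPT TO."""
        known = rcpt_to.lower() in self.valid
        if self.filtering and not known:
            # Rejected during the SMTP conversation: nothing was accepted,
            # so any bounce is the connecting system's responsibility.
            return "550 5.1.1 User unknown"
        if not known:
            # Accepted first, found undeliverable afterwards: this server
            # generates a postmaster NDR to the (possibly forged) envelope
            # sender. That message is the backscatter.
            self.outbound_queue.append({
                "from": "postmaster@ourdomain.example",
                "to": mail_from,
                "subject": "Undeliverable: " + rcpt_to,
            })
        return "250 2.1.5 Recipient OK"


def run(recipient_filtering, inbound):
    """Feed the inbound messages to a fresh receiver; return replies and NDR queue."""
    server = Receiver(VALID, recipient_filtering)
    replies = [server.session(sender, rcpt) for sender, rcpt in inbound]
    return replies, server.outbound_queue


# Constructed spam run: forged senders, mostly made-up local parts.
INBOUND = [
    ("victim1@forged.example", "sales99@ourdomain.example"),
    ("victim2@forged.example", "Alice@ourdomain.example"),
    ("victim3@forged.example", "xqz@ourdomain.example"),
]

if __name__ == "__main__":
    for setting in (False, True):
        replies, queue = run(setting, INBOUND)
        print("recipient filtering:", setting, "| replies:", replies)
        print("  NDRs queued by this server:", [m["to"] for m in queue])
```

With filtering off, the two unknown-recipient messages each leave a postmaster NDR in the local queue addressed to a forged sender; with filtering on, the queue stays empty and legitimate mail is still accepted.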

Author Comment

by:mcgowray
ID: 36477773
It may not be a virus but then why is the queue filling up when I have shut down the inbound SMTP routing?

Author Comment

by:mcgowray
ID: 36477780
Our server is listed with backscatter.org

Expert Comment

by:ryanjones
ID: 36482276
Are you running an open relay? Even just for internal clients, if one of them is infected they will pump out mass spam.

Schedule an immediate scan through ePO for all machines and set the system resource utilization to low so that you won't have users complaining about speed.


Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 500 total points
ID: 36482665
Being listed on Backscatterer.org suggests that you are not Recipient Filtering.  If it is not enabled, please enable it ASAP:

http://www.msexchange.org/tutorials/sender-recipient-filtering.html