Asked by Axis52401
Virus sending out Spam through Exchange server

I've got an office with a virus sending out spam through our Exchange server. The queue shows thousands of messages. The Trend antivirus we have on the server and PCs seems unable to isolate this problem or even tell me the PC that is the source of the problem. I have run Trend and Malwarebytes scans on every station and the server. I have checked and it's not an 'open relay'. How can I find the source of the problem and remove the virus?
ASKER CERTIFIED SOLUTION (Tony Giangreco)
Hi,

Tricky question.
The virus is probably using "stealth" techniques to avoid detection.
Some ideas:
- install a network scanner and sniff traffic to see which IP is spamming.
- look in the exchange log for ip/hostname of the sender
- try shutting down the computers one by one

//zazagor
ASKER
There is nothing in the Exchange logs because these messages are relaying through the server, not coming from a user's Outlook, so there is nothing in the logs, but in the morning the queue has thousands of messages. And they don't make a network scanner that will just tell me what IP address is sending out port 25 traffic on a network. I've looked.
If you have a firewall, add an entry so only smtp traffic is allowed from Exchange.
How would that help? This spam is SMTP traffic.
Outbound mail is SMTP traffic. If you stop the SMTP service on the server, that would stop the virus and all user traffic from sending outbound email. Normally when a virus sends out this mail, it sends out tons of it and I would expect your IP address or domain to be blacklisted by now. That has happened to a few clients of mine before I installed a firewall with a rule that only allows outbound traffic from the Exchange server.
Did the solution above stop the spam from being sent out?
Yes, but I can't leave it off because then the company can't send out mail. I need a way of finding the virus and removing it.
Did you look in message tracker in ESM and trace one of the messages? It should show you which PC sent it out. Then disconnect that PC from the network and run Malwarebytes on it to see what spyware or viruses it finds and cleans up.
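zazagor's suggestion to sniff for the IP that is spamming and Tony's firewall rule both come down to the same check: which internal host, other than the Exchange server, is opening port 25 connections. As an added example (not code from this thread or from Exchange/Trend), the script below ranks sources from a firewall-style connection log; the key=value line format and the addresses are constructed for the example, and the mail server IP is assumed to be 192.168.1.10.

```python
import re

# Constructed sample in a generic firewall/connection-log style (assumed
# format, not a real Exchange, Trend or vendor log). 192.168.1.10 plays the
# Exchange server; 192.168.1.57 is the host behaving like the asker's infected PC.
SAMPLE_LOG = """\
2011-05-02 01:12:03 src=192.168.1.10 dst=203.0.113.25 dport=25 proto=tcp action=allow
2011-05-02 01:12:04 src=192.168.1.57 dst=198.51.100.7 dport=25 proto=tcp action=allow
2011-05-02 01:12:04 src=192.168.1.57 dst=198.51.100.8 dport=25 proto=tcp action=allow
2011-05-02 01:12:05 src=192.168.1.57 dst=192.168.1.10 dport=25 proto=tcp action=allow
2011-05-02 01:12:06 src=192.168.1.22 dst=192.168.1.10 dport=25 proto=tcp action=allow
2011-05-02 01:12:07 src=192.168.1.22 dst=203.0.113.80 dport=80 proto=tcp action=allow
2011-05-02 01:12:09 src=192.168.1.57 dst=198.51.100.9 dport=25 proto=tcp action=allow
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

def smtp_connections(log_text):
    """Yield (src, dst) for every connection to TCP port 25 in the log."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("dport") == "25":
            yield m.group("src"), m.group("dst")

def rank_smtp_sources(log_text, mail_server_ip):
    """Per source, count SMTP connections to the mail server (submission,
    which a bot relaying through Exchange would do) and to anything else
    (direct-to-MX sending, which only the mail server itself should do)."""
    stats = {}
    for src, dst in smtp_connections(log_text):
        bucket = stats.setdefault(src, {"to_server": 0, "direct": 0})
        bucket["to_server" if dst == mail_server_ip else "direct"] += 1
    return stats

def suspect_hosts(log_text, mail_server_ip):
    """Every host except the mail server that speaks SMTP at all, busiest
    first. Outlook clients talk to Exchange over MAPI, so a workstation
    opening port 25 connections is the PC to pull off the network first."""
    stats = rank_smtp_sources(log_text, mail_server_ip)
    ranked = [(src, s["to_server"] + s["direct"]) for src, s in stats.items()
              if src != mail_server_ip]
    return sorted(ranked, key=lambda t: t[1], reverse=True)

if __name__ == "__main__":
    for host, total in suspect_hosts(SAMPLE_LOG, "192.168.1.10"):
        print(f"{host}: {total} outbound SMTP connections")
```

Point the same parser at a real export (firewall log, netflow, or a pcap summarised to src/dst/port) and the top entry is the candidate to trace in ESM's message tracker before cleaning it.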