  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 267

Virus sending out spam through Exchange server

I've got an office with a virus sending out spam through our Exchange server. The queue shows thousands of messages. The Trend antivirus we have on the server and PCs seems unable to isolate this problem or even tell me the PC that is the source of the problem. I have run Trend and Malwarebytes scans on every station and the server. I have checked and it's not an 'open relay'. How can I find the source of the problem and remove the virus?
Asked by: Axis52401
1 Solution
 
Tony Giangreco commented:
Initially, if you can, stop the SMTP service on the server. This will stop all outgoing Exchange mail. Then open Exchange System Manager, go to message tracker under Tools and perform a search by entering user names to determine which PC or email account is sending the spam. At that point, I would disconnect those PCs from the network and run Malwarebytes or another spyware checker to clean them up.

Don't forget to restart the SMTP service after you find the account(s) causing the problem.
 
zazagor commented:
Hi,

Tricky question.
The virus is probably using "stealth" techniques to avoid detection.
Some ideas:
- install a network scanner and sniff traffic to see which IP is spamming.
- look in the Exchange log for the IP/hostname of the sender
- try shutting down the computers one by one

//zazagor
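One way to carry out the second suggestion above (find the connecting IP in the Exchange log), as an added example that is not part of the original thread. It assumes an Exchange 2003 SMTP virtual server with protocol logging enabled in W3C Extended format (it is off by default; it is switched on under the virtual server's properties in Exchange System Manager, and the files then typically land under %SystemRoot%\System32\LogFiles\SMTPSVC1). The field layout is read from the log's own "#Fields:" header, so a server that logs different columns only needs the header to match; the log lines below are constructed for this example, and the 192.168.x addresses, host names and threshold are placeholders.

```python
from collections import defaultdict

# Constructed sample log (not a real capture). Two workstations each send one
# normal message; 192.168.1.77 announces itself with a foreign EHLO name and
# pumps out MAIL/RCPT pairs with a rotating envelope sender, which is what a
# bot relaying through the local Exchange server looks like in the protocol log.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-03-10 08:00:00
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs-version
2009-03-10 08:00:01 192.168.1.20 PC20 SMTPSVC1 EXCH01 192.168.1.5 25 EHLO - +PC20 250 SMTP
2009-03-10 08:00:01 192.168.1.20 PC20 SMTPSVC1 EXCH01 192.168.1.5 25 MAIL - +FROM:<alice@example.com> 250 SMTP
2009-03-10 08:00:01 192.168.1.20 PC20 SMTPSVC1 EXCH01 192.168.1.5 25 RCPT - +TO:<bob@example.com> 250 SMTP
2009-03-10 08:00:02 192.168.1.20 PC20 SMTPSVC1 EXCH01 192.168.1.5 25 QUIT - - 240 SMTP
2009-03-10 08:00:03 192.168.1.77 mx.example.net SMTPSVC1 EXCH01 192.168.1.5 25 EHLO - +mx.example.net 250 SMTP
2009-03-10 08:00:03 192.168.1.77 mx.example.net SMTPSVC1 EXCH01 192.168.1.5 25 MAIL - +FROM:<promo1@example.net> 250 SMTP
2009-03-10 08:00:03 192.168.1.77 mx.example.net SMTPSVC1 EXCH01 192.168.1.5 25 RCPT - +TO:<victim1@example.org> 250 SMTP
2009-03-10 08:00:03 192.168.1.77 mx.example.net SMTPSVC1 EXCH01 192.168.1.5 25 MAIL - +FROM:<promo2@example.net> 250 SMTP
2009-03-10 08:00:03 192.168.1.77 mx.example.net SMTPSVC1 EXCH01 192.168.1.5 25 RCPT - +TO:<victim2@example.org> 250 SMTP
2009-03-10 08:00:04 192.168.1.77 mx.example.net SMTPSVC1 EXCH01 192.168.1.5 25 MAIL - +FROM:<promo3@example.net> 250 SMTP
2009-03-10 08:00:04 192.168.1.77 mx.example.net SMTPSVC1 EXCH01 192.168.1.5 25 RCPT - +TO:<victim3@example.org> 250 SMTP
2009-03-10 08:00:04 192.168.1.77 mx.example.net SMTPSVC1 EXCH01 192.168.1.5 25 MAIL - +FROM:<promo4@example.net> 250 SMTP
2009-03-10 08:00:04 192.168.1.77 mx.example.net SMTPSVC1 EXCH01 192.168.1.5 25 RCPT - +TO:<victim4@example.org> 250 SMTP
2009-03-10 08:00:05 192.168.1.31 PC31 SMTPSVC1 EXCH01 192.168.1.5 25 EHLO - +PC31 250 SMTP
2009-03-10 08:00:05 192.168.1.31 PC31 SMTPSVC1 EXCH01 192.168.1.5 25 MAIL - +FROM:<carol@example.com> 250 SMTP
2009-03-10 08:00:05 192.168.1.31 PC31 SMTPSVC1 EXCH01 192.168.1.5 25 RCPT - +TO:<dave@example.com> 250 SMTP
2009-03-10 08:00:06 192.168.1.31 PC31 SMTPSVC1 EXCH01 192.168.1.5 25 QUIT - - 240 SMTP
2009-03-10 08:00:07 192.168.1.77 mx.example.net SMTPSVC1 EXCH01 192.168.1.5 25 MAIL - +FROM:<promo5@example.net> 250 SMTP
2009-03-10 08:00:07 192.168.1.77 mx.example.net SMTPSVC1 EXCH01 192.168.1.5 25 RCPT - +TO:<victim5@example.org> 250 SMTP
2009-03-10 08:00:07 192.168.1.77 mx.example.net SMTPSVC1 EXCH01 192.168.1.5 25 MAIL - +FROM:<promo6@example.net> 250 SMTP
2009-03-10 08:00:07 192.168.1.77 mx.example.net SMTPSVC1 EXCH01 192.168.1.5 25 RCPT - +TO:<victim6@example.org> 250 SMTP
2009-03-10 08:00:08 192.168.1.77 mx.example.net SMTPSVC1 EXCH01 192.168.1.5 25 MAIL - +FROM:<promo7@example.net> 250 SMTP
2009-03-10 08:00:08 192.168.1.77 mx.example.net SMTPSVC1 EXCH01 192.168.1.5 25 RCPT - +TO:<victim7@example.org> 250 SMTP
2009-03-10 08:00:09 192.168.1.77 mx.example.net SMTPSVC1
"""


def parse_w3c(text):
    """Yield one dict per data record, keyed by the column names in the most
    recent '#Fields:' directive (W3C Extended log format). Records whose token
    count does not match the header (truncated or mangled lines, such as the
    last sample line) are skipped rather than mis-aligned into the wrong columns."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data record appears before any #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue
        yield dict(zip(fields, values))


def summarize_clients(text):
    """Per connecting IP (c-ip): EHLO/HELO names announced, number of MAIL and
    RCPT commands, and the set of envelope senders used."""
    stats = defaultdict(lambda: {"ehlo": set(), "mail": 0, "rcpt": 0, "senders": set()})
    for rec in parse_w3c(text):
        entry = stats[rec["c-ip"]]
        verb = rec["cs-method"].upper()
        arg = rec["cs-uri-query"].lstrip("+")  # the log prefixes the command argument with '+'
        if verb in ("EHLO", "HELO"):
            entry["ehlo"].add(arg)
        elif verb == "MAIL":
            entry["mail"] += 1
            sender = arg[5:] if arg.upper().startswith("FROM:") else arg
            entry["senders"].add(sender.strip("<>").lower())
        elif verb == "RCPT":
            entry["rcpt"] += 1
        # Other cs-method values (QUIT, DATA, the server's own outbound delivery
        # records) are not counted: we only care who is pushing mail in.
    return dict(stats)


def rank_suspects(text, max_mail=3):
    """Return [(ip, reasons)] for clients that look like a relaying bot, busiest
    first. A client is suspect if it issues more than max_mail MAIL commands in
    the log window or rotates through several envelope senders; a single user's
    mail client does neither. max_mail is an assumed threshold, tune it to the
    office's real volume."""
    suspects = []
    for ip, s in summarize_clients(text).items():
        reasons = []
        if s["mail"] > max_mail:
            reasons.append("%d MAIL commands" % s["mail"])
        if len(s["senders"]) > 1:
            reasons.append("%d different envelope senders" % len(s["senders"]))
        if reasons:
            ehlo = "EHLO as " + ",".join(sorted(s["ehlo"])) if s["ehlo"] else "no EHLO seen"
            reasons.append(ehlo)
            suspects.append((ip, s["mail"], reasons))
    suspects.sort(key=lambda t: -t[1])
    return [(ip, reasons) for ip, _, reasons in suspects]


if __name__ == "__main__":
    for ip, reasons in rank_suspects(SAMPLE_LOG):
        print(ip, "-", "; ".join(reasons))
```

Against the sample this reports only 192.168.1.77 (7 MAIL commands, 7 different envelope senders, EHLO as mx.example.net). The point of keying on c-ip rather than on the sender address is that a bot relaying through the server never authenticates as a mailbox user, so message tracking by user name finds nothing, while the protocol log still records the TCP peer that issued each MAIL command; on the server itself, `netstat -n` filtered for local port 25 gives the same peer addresses for connections that are open right now.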
 
Axis52401 (Security Analyst, Author) commented:
There is nothing in the Exchange logs, because these messages are relaying through the server, not coming from a user's Outlook, so there is nothing in the logs, but in the morning the queue has thousands of messages. And they don't make a network scanner that will just tell me what IP address is sending out port 25 traffic on a network. I've looked.

 
Tony Giangreco commented:
If you have a firewall, add an entry so only SMTP traffic is allowed from Exchange.
 
Axis52401 (Security Analyst, Author) commented:
How would that help? This spam is SMTP traffic.
 
Tony Giangreco commented:
Outbound mail is SMTP traffic. If you stop the SMTP service on the server, that would stop the virus and all user traffic from sending outbound email. Normally when a virus sends out this mail, it sends out tons of it, and I would expect your IP address or domain to be blacklisted by now. That has happened to a few clients of mine before I installed a firewall with a rule that only allows outbound traffic from the Exchange server.
 
Tony Giangreco commented:
Did the solution above stop the spam from being sent out?
 
Axis52401 (Security Analyst, Author) commented:
Yes, but I can't leave it off because then the company can't send out mail. I need a way of finding the virus and removing it.
 
Tony Giangreco commented:
Did you look in message tracker in ESM and trace one of the messages? It should show you which PC sent it out. Then disconnect that PC from the network and run Malwarebytes on it to see what spyware or viruses it finds and cleans up.