Axis52401
asked on
Virus sending out Spam through Exchange server
I've got an office with a virus sending out spam through our Exchange server. The queue shows thousands of messages. The Trend antivirus we have on the server and PCs seems unable to isolate this problem or even tell me the PC that is the source of the problem. I have run Trend and Malwarebytes scans on every station and the server. I have checked and it's not an 'open relay'. How can I find the source of the problem and remove the virus?
ASKER
There is nothing in the Exchange logs because these messages are relaying through the server, not coming from a user's Outlook, so there is nothing in the logs, but in the morning the queue has thousands of messages. And they don't make a network scanner that will just tell me what IP address is sending out port 25 traffic on a network. I've looked.
If you have a firewall, add an entry so only SMTP traffic is allowed from Exchange.
ASKER
How would that help? This spam is SMTP traffic.
Outbound mail is SMTP traffic. If you stop the SMTP service on the server, that would stop the virus and all user traffic from sending outbound email. Normally when a virus sends out this mail, it sends out tons of it, and I would expect your IP address or domain to be blacklisted by now. That has happened to a few clients of mine before I installed a firewall with a rule that only allows outbound SMTP traffic from the Exchange server.
Did the solution above stop the spam from being sent out?
ASKER
Yes, but I can't leave it off because then the company can't send out mail. I need a way of finding the virus and removing it.
Did you look in Message Tracking in ESM and trace one of the messages? It should show you which PC sent it out. Then disconnect that PC from the network and run Malwarebytes on it to see what spyware or viruses it finds and cleans up.
Tricky question.
The virus is probably using "stealth" techniques to avoid detection.
Some ideas:
- install a network scanner and sniff traffic to see which IP is spamming.
- look in the Exchange log for the IP/hostname of the sender
- try shutting down the computers one by one
//zazagor
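The two suggestions above (sniff traffic to see which IP is spamming; look in the log for the sender's IP) and the earlier Message Tracking advice all come down to the same check: count new TCP/25 sessions per internal source address. The script below is an added example, not code from the thread or from any of the posters. It assumes connection records were captured from a switch mirror (SPAN) port or exported by the firewall in a syslog-style "SRC= DST= DPT=" format (the sample lines are constructed, not real traffic), that the Exchange server sits at 192.168.1.10 on a 192.168.1.0/24 office subnet (both assumptions), and that only the Exchange server itself should open SMTP sessions to the Internet. It separates two patterns: a PC pushing mail into Exchange over SMTP (the relaying case described by the asker; a normal Outlook client talks MAPI/RPC, not SMTP) and a PC sending direct-to-MX.

```python
"""Rank LAN hosts by outbound SMTP (TCP/25) sessions to find the spamming PC.

Added example, not from the thread. Assumes connection records in a
syslog-style "SRC= DST= DPT=" format (constructed below) from a SPAN port
or firewall export, and the Exchange/subnet addresses given here.
"""
from collections import defaultdict
import re

EXCHANGE_IP = "192.168.1.10"   # assumption: the Exchange server's LAN address
LAN_PREFIX = "192.168.1."      # assumption: the office subnet
SMTP_PORT = "25"

# Constructed sample records (not real traffic): one line per new TCP session.
# Host .57 is injecting mail into Exchange, which then delivers it outbound;
# host .42 is talking SMTP straight to the Internet; host .23 is just browsing.
SAMPLE_LOG = """\
Mar 3 02:14:01 fw: NEW SRC=192.168.1.57 DST=192.168.1.10 PROTO=TCP SPT=1031 DPT=25
Mar 3 02:14:01 fw: NEW SRC=192.168.1.57 DST=192.168.1.10 PROTO=TCP SPT=1032 DPT=25
Mar 3 02:14:02 fw: NEW SRC=192.168.1.10 DST=203.0.113.25 PROTO=TCP SPT=52011 DPT=25
Mar 3 02:14:02 fw: NEW SRC=192.168.1.23 DST=93.184.216.34 PROTO=TCP SPT=49211 DPT=443
Mar 3 02:14:03 fw: NEW SRC=192.168.1.57 DST=192.168.1.10 PROTO=TCP SPT=1033 DPT=25
Mar 3 02:14:03 fw: NEW SRC=192.168.1.42 DST=198.51.100.7 PROTO=TCP SPT=2201 DPT=25
Mar 3 02:14:04 fw: NEW SRC=192.168.1.10 DST=198.51.100.9 PROTO=TCP SPT=52012 DPT=25
Mar 3 02:14:05 fw: NEW SRC=192.168.1.57 DST=192.168.1.10 PROTO=TCP SPT=1034 DPT=25
"""

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+)"
)


def smtp_sessions(log_text, exchange_ip=EXCHANGE_IP):
    """Per internal source IP: {"relay": n, "direct": n, "dests": set}.

    "relay"  = sessions to the Exchange server (host is handing mail to
               Exchange over SMTP; Outlook never does that, it uses MAPI/RPC).
    "direct" = sessions straight to Internet hosts (direct-to-MX spam bot).
    """
    stats = defaultdict(lambda: {"relay": 0, "direct": 0, "dests": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("dpt") != SMTP_PORT:
            continue                       # not a new TCP/25 session
        src, dst = m.group("src"), m.group("dst")
        if not src.startswith(LAN_PREFIX):
            continue                       # inbound mail from outside is out of scope
        kind = "relay" if dst == exchange_ip else "direct"
        stats[src][kind] += 1
        stats[src]["dests"].add(dst)
    return stats


def suspects(log_text, exchange_ip=EXCHANGE_IP):
    """Internal hosts other than Exchange that opened SMTP sessions, busiest first.

    Each entry is (ip, relay_sessions, direct_sessions).
    """
    stats = smtp_sessions(log_text, exchange_ip)
    rows = [(ip, s["relay"], s["direct"]) for ip, s in stats.items() if ip != exchange_ip]
    return sorted(rows, key=lambda r: (-(r[1] + r[2]), r[0]))


if __name__ == "__main__":
    for ip, relay, direct in suspects(SAMPLE_LOG):
        print(f"{ip}: {relay} SMTP sessions into Exchange, {direct} direct to Internet")
```

Run it against a few hours of captured sessions and the top row is the machine to unplug and scan. The same per-client-IP count works on the Exchange server's own SMTP protocol or message tracking records once the client IP column is available. One caveat: printers and scan-to-email appliances legitimately hand mail to Exchange over SMTP, so expect those addresses in the "relay" column and exclude them before acting.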