Enterprise Software Thread: Exchange Virus? (Technical forum)
  1. #1 arthur231283

    Exchange Virus?

    I have a mailbox on our Exchange 2003 server that sent out a large amount of phishing/spam e-mails last night.

    I have Sophos installed on the server, which covers anti-virus for the OS (Server 2003), and Symantec Mail Security, which scans e-mails and mailboxes, so the server should be covered, but the only thing I can think of that could cause this is a virus.

    Is there anything I should look at or check to see why these e-mails are being sent?

    Thanks

  2. #2 bodminman
    Were the emails sent from a staff member's mailbox who also happens to use his/her school laptop at home?

  3. #3 danbuntu
    Check you're not an open relay.

  4. #4
    This will help you:

    Using the Exchange 2003 Mail Wizard

    There's a section in here on open relay & how to close it.
    Last edited by timzim; 18th March 2011 at 10:45 AM.

  5. #5 arthur231283
    Quoting bodminman:
    Were the emails sent from a staff member's mailbox who also happens to use his/her school laptop at home?
    No, the staff don't have their own laptops and they can only access their mailbox from home via OWA.

  6. #6
    Considering the measures you have in place on your server, have you checked the message headers to confirm that the emails have come from your server (and not a spoofed address from some external mail server)? If so, have you checked the IIS logs for the time the emails were sent to see if someone was logged into that account? The headers may also suggest the method used to connect to your Exchange server to send the emails.

    Cheers

    Will

  7. #7 arthur231283
    Quoting timzim:
    This will help you:

    Using the Exchange 2003 Mail Wizard

    There's a section in here on open relay & how to close it.
    Thanks for this.

    When I get to the step where "Receive Internet e-Mail" and "Send Internet e-mail" are ticked and I press next I get an error message:

    To send Internet e-mail, the selected server cannot be a bridgehead server

    ID no: c103b530
    Exchange System Manager

    I have googled the error message and not found a solution so far.

  8. #8 arthur231283
    Quoting Willott:
    Considering the measures you have in place on your server, have you checked the message headers to confirm that the emails have come from your server (and not a spoofed address from some external mail server)? If so, have you checked the IIS logs for the time the emails were sent to see if someone was logged into that account? The headers may also suggest the method used to connect to your Exchange server to send the emails.

    Cheers

    Will
    I did a search using the Message Tracking Center and it shows the e-mails being sent.

  9. #9
    Look at the headers to confirm whether the message originated at your server or was sent through it as an open relay. If it originated at your server, check the IIS logs: if the user is showing as logged on, it may suggest virus/malware on their home PC, or a compromised user account.

    Cheers

    Will

  10. #10
    Hi

    1. You mentioned the products which have been installed. My understanding from the thread is this covers only AV. You have not mentioned AS.
    2. When external mail enters your Exchange org, do you have any gateways before the message goes to the BH?
    3. Do you screen AS yourself or via a 3rd party, e.g. MessageLabs/Postini?
    4. Who received the spam messages within your org? What time? Who was the sender? Track the message using ESM and determine the source.
    5. Check the message headers and look at the originating IP and SCL level.

    Post an example of the spam and its message headers in the thread.

    Sukh

  11. #11
    Quoting arthur231283:
    Thanks for this.

    When I get to the step where "Receive Internet e-Mail" and "Send Internet e-mail" are ticked and I press next I get an error message:

    To send Internet e-mail, the selected server cannot be a bridgehead server

    ID no: c103b530
    Exchange System Manager

    I have googled the error message and not found a solution so far.
    Sorry, my link was too vague - you shouldn't need to trawl through the entire wizard. Try this instead: Setting Relay Restrictions

  12. #12 arthur231283
    Quoting timzim:
    Sorry, my link was too vague - you shouldn't need to trawl through the entire wizard. Try this instead: Setting Relay Restrictions
    I have checked the server and the relay restrictions are set to the default settings as shown on that web page.

  13. #13
    What firewall do you use?

  14. #14 arthur231283
    Quoting timzim:
    What firewall do you use?
    We are on the LGFL network and they provide an external firewall.

  15. #15 arthur231283
    It did it again last night. The user's mailbox did not have any e-mails in the Sent box but has received 170 "unable to send" emails.

    The contents of the e-mail are:

    "I'm afraid I had problems forwarding your message. Full details follow:

    Subject: 'Mailbox Alert!?'
    Date: 'Thu, 17 Mar 2011 18:28:46 -0000'

    I was unable to deliver to the following recipient:

    cazzoli@ciam.unibo.it
    Reason: I have been attempting to forward the mail for 1.09 days and I have given up.
    I have also attached the mail's original headers."

    Here is the contents of the attachment that has the headers in:

    "Received: from 10.218.164.8 ([10.218.164.8])
    by elc-ecc-mail-01.equinoxit.net with emfmta (version 4.3.0.72.1.rd-3.2.3-libc2.3.2) vanilla id 4680026148
    for carole.bone@sussexdowns.ac.uk; Thu, 17 Mar 2011 18:28:35 +0000
    Content-class: urn:content-classes:message
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    boundary="----_=_NextPart_001_01CBE4D1.26ED8125"
    X-MimeOLE: Produced By Microsoft Exchange V6.5
    Subject: Mailbox Alert!?
    Date: Thu, 17 Mar 2011 18:28:46 -0000
    Message-ID: <6F15FB44613EFE4A939167C8E3F273280C82BF@STC-EX-001.BRIGHTON.internal>
    X-MS-Has-Attach:
    X-MS-TNEF-Correlator:
    Thread-Topic: Mailbox Alert!?
    Thread-Index: Acvk0SWiAzVeWyxPQf+JZ+xMfcWRhw==
    From: "MHS" <MHS@st-columbas.bexley.sch.uk>
    To: <li@li.com>"
