Possible Email Virus - Queued emails to foreign countries
We recently were a victim of what I thought to be a single incident of a compromised system spewing spam. While we did have a system that was blatantly infected, and which we removed off the network completely and wiped out, I am noticing in our Exchange 2003 Queue that there are quite a few (11 right now) emails in the retry state.
What is strange is that the domain names listed are all in foreign countries like Russia, Australia, etc. When I do a Find Message and choose Messages in Retry Mode, the Exchange search reveals nothing.
How am I to determine where these emails are coming from, such as the sender? I am not that good with the more advanced features of Exchange and trying to eliminate this problem has been pretty tough.
Thank you!
June 30th, 2010 10:02pm
They are likely NDRs to messages with forged headers. I don't believe you will find anything useful in them, but you are welcome to look in the queue file locations and find the .eml files and look at the headers.
--
Ed Crowley MVP
"There are seldom good technological solutions to behavioral problems."
July 1st, 2010 2:36am
Hello,
Are these mails NDRs?
I suggest you create a recipient filter to prevent Exchange Server from accepting messages that are sent to recipients who do not exist. I suggest you check the following KB for more information:
In Exchange Server 2003 or in Exchange 2000 Server, the Exchange Server queues are filled with many non-delivery reports from the postmaster account because of a reverse non-delivery report attack
http://support.microsoft.com/kb/909005
You also could check your SMTP log to get more clues about this.
Thanks,
Elvis
July 2nd, 2010 11:40am
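Ed's advice to read the queued .eml headers and Elvis's reverse-NDR diagnosis can both be checked with a short script. This is an added example, not code from either reply or from Microsoft; the sample message, addresses and IP are constructed, and it assumes the queued items are ordinary RFC 2822 files with a standard multipart/report NDR layout.

```python
"""Triage queued .eml files: flag NDRs our own server generated for spam with a
forged sender, and pull out the local recipient that failed plus the Received
trail of the returned original (that, not the forged From, shows the source)."""
import email
from email import policy

# Constructed sample: our postmaster bouncing a spam that forged a foreign sender
# and was addressed to a non-existent local mailbox (the KB 909005 pattern).
SAMPLE_NDR = b"""\
From: postmaster@example.com
To: victim@mail.example.ru
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mail.example.com

Final-Recipient: rfc822; nosuchuser@example.com
Action: failed
Status: 5.1.1
--b1
Content-Type: message/rfc822

Received: from [203.0.113.7] by mail.example.com with SMTP
From: victim@mail.example.ru
To: nosuchuser@example.com

hi
--b1--
"""

def triage_ndr(raw: bytes) -> dict:
    """Classify one queued message and pull out the fields worth reading."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    is_ndr = (msg.get_content_type() == "multipart/report"
              and msg.get_param("report-type") == "delivery-status")
    result = {"is_ndr": is_ndr, "bounce_to": str(msg["To"]),
              "failed_recipients": [], "original_sender": None, "received": []}
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/delivery-status":
            # Payload is a list of header blocks: per-message, then per-recipient.
            for block in part.get_payload():
                final = block.get("Final-Recipient")
                if final:  # "rfc822; user@domain" -> keep only the address
                    result["failed_recipients"].append(final.split(";", 1)[-1].strip())
        elif ctype == "message/rfc822":
            inner = part.get_payload()[0]  # the returned copy of the original
            result["original_sender"] = str(inner["From"])
            result["received"] = [str(h) for h in inner.get_all("Received", [])]
    return result
```

Run `triage_ndr` over each file in the queue directory: a run of `is_ndr` results whose `failed_recipients` are non-existent local addresses and whose `received` entries share a few submitting hosts is the backscatter pattern the KB describes, and the recipient filter Elvis mentions stops Exchange from generating them in the first place.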