Re: virus issues



I'm not sure why the ICW adds those settings under the relay restrictions -
that may be better asked in the SBS newsgroups. I know it isn't the default
for regular Exchange (Standard or Enterprise), so it may be specific to SBS.
As far as the authenticated relay, it is indeed on by default. My
recommendation was that if you do not support any IMAP or POP3 clients it
should be disabled (unchecked).

As far as your second question about Anonymous access, you have to leave it
on. That controls how other mail servers are able to connect to you and
send mail to you. If you disable anonymous, you'll find that you stop
receiving e-mail :-) SMTP conversations (unless specifically set up
otherwise) are all anonymous. When you send an e-mail to another domain,
your server does the same thing (establishes an anonymous session).

--
Ben Winzenz
Exchange MVP
MessageOne


"markus" <mark@xxxxxxxxxx> wrote in message
news:eCuV9ffcFHA.3404@xxxxxxxxxxxxxxxxxxxxxxx
> Ok.. but a question..
> I have access to another server running SBS2003 (not at all concerned with
> my issue) but I looked at the setup on it just to see.
> On sbs2003, it is all set up by a wizard, the ICW, and the settings as the
> MS wizard set them up are:
> only the list below is checked and in that list is:
> 192.168.1.75 /255.255.255.0 (the ip of the server) and
> 127.0.0.1
>
> also the check mark for "allow all computers that successfully
> authenticate..." is checked.
>
> Doesn't this indicate that this is the setup that MS recommends?
>
> another question.. again in the default SMTP settings under access
> control /authentication..
> 'anonymous access' is checked
>
> Why am I allowing anonymous access? Should I be?
>
>
> "AllenM" <allen.miyake@xxxxxxxxx> wrote in message
> news:uJxWlVdcFHA.4028@xxxxxxxxxxxxxxxxxxxxxxx
>> Great. Thanks again Ben. I hope this helps out Marcus also.
>>
>> "Ben Winzenz [Exchange MVP]" <ben_winzenz@NOSPAMdotmessageonedotcom>
>> wrote in message news:O0oozSdcFHA.3808@xxxxxxxxxxxxxxxxxxxxxxx
>>> Right. Unless you have SMTP clients (IMAP/POP3), you don't really need
>>> to allow authenticated relay. Exchange 2003 actually has IMAP and POP3
>>> services disabled by default, so you'd know if you had enabled them.
>>>
>>> --
>>> Ben Winzenz
>>> Exchange MVP
>>> MessageOne
>>>
>>>
>>> "AllenM" <allen.miyake@xxxxxxxxx> wrote in message
>>> news:uOfHBCdcFHA.2840@xxxxxxxxxxxxxxxxxxxxxxx
>>>> This is getting better and better. In my case we are a SBS 2003 and
>>>> Exchange 2003 environment. We host our own SMTP server and use OWA. We
>>>> have remote clients who have three alternatives on how they can access
>>>> email at home. 1. OWA. 2. Outlook as a Citrix Published Application and
>>>> 3. Remote connect to our Citrix server desktop and use Outlook from the
>>>> desktop.
>>>> So I should have "Only the listed below" with no servers listed.
>>>> and should not have the "Allow all computers which successfully
>>>> authenticate to relay, regardless of the list above" checked? I do not
>>>> want to have open relay enabled as I do not think I have a need for it.
>>>> Thanks again Ben.
>>>>
>>>> "Ben Winzenz [Exchange MVP]" <ben_winzenz@NOSPAMdotmessageonedotcom>
>>>> wrote in message news:eQkN95ccFHA.228@xxxxxxxxxxxxxxxxxxxxxxx
>>>>> It serves to limit anonymous relay access to "only the list below".
>>>>> If it is blank, then no computers will be able to anonymously relay.
>>>>> Exchange doesn't relay mail off itself, so it doesn't need to be in
>>>>> there. Since you have to make a choice (only the list below, or all
>>>>> except the list below), the best choice is "only the list below".
>>>>>
>>>>> --
>>>>> Ben Winzenz
>>>>> Exchange MVP
>>>>> MessageOne
>>>>>
>>>>>
>>>>> "AllenM" <allen.miyake@xxxxxxxxx> wrote in message
>>>>> news:OiCLS1ccFHA.720@xxxxxxxxxxxxxxxxxxxxxxx
>>>>>> Hey Ben,
>>>>>> I'm glad I found you and you were able to chime in. I guess at this
>>>>>> point this information is more for my interest and knowledge than
>>>>>> Marcus but he did start the thread. I'm a bit confused at what you
>>>>>> just wrote.
>>>>>>
>>>>>> "Unless you have a specific internal app that needs to relay, this
>>>>>> list should be blank. The internal IP of your Exchange server should
>>>>>> NOT be in that list. It should also be set at the default setting of
>>>>>> "Only the list below".
>>>>>>
>>>>>> You're telling me here my exchange servers internal IP should not be
>>>>>> listed, yet you then tell me that I need to set it to "Only the list
>>>>>> below".
>>>>>> My question is if there is nothing in the list what purpose does this
>>>>>> serve?
>>>>>>
>>>>>>
>>>>>>
>>>>>> "Ben Winzenz [Exchange MVP]" <ben_winzenz@NOSPAMdotmessageonedotcom>
>>>>>> wrote in message news:uPor3qccFHA.3912@xxxxxxxxxxxxxxxxxxxxxxx
>>>>>>> "Select which computers may relay through this VS" sets which
>>>>>>> "other" computers (hostname or IP) can relay (anonymously) e-mail
>>>>>>> through your Exchange server. Unless you have a specific internal
>>>>>>> app that needs to relay, this list should be blank. The internal IP
>>>>>>> of your Exchange server should NOT be in that list. It should also
>>>>>>> be set at the default setting of "Only the list below".
>>>>>>>
>>>>>>> "allow all computers which authenticate" is specifically for clients
>>>>>>> such as IMAP or POP3 users that must send e-mail using your server.
>>>>>>> It further dictates that they MUST authenticate before being allowed
>>>>>>> to relay the messages. This does not deal with anonymous smtp
>>>>>>> sessions (such as mail from other e-mail servers). Outlook clients
>>>>>>> in MAPI mode do not relay messages, so this only needs to be checked
>>>>>>> if you have IMAP or POP3 clients. How clients can authenticate is
>>>>>>> determined by the settings under the authentication section. I
>>>>>>> doubt that a virus would be able to initiate an authenticated SMTP
>>>>>>> session.
>>>>>>>
>>>>>>> As far as where the messages are coming from, you need to look at
>>>>>>> the headers of one of the actual messages. If the headers from that
>>>>>>> message indicate that it is internal, then you likely have an
>>>>>>> infected machine on your network. If they are all destined for
>>>>>>> local addresses (even if they are invalid users), then there is no
>>>>>>> issue with relaying. Relaying would only be an issue if the messages
>>>>>>> are being sent to external addresses.
>>>>>>>
>>>>>>> Hope this helps.
>>>>>>>
>>>>>>> --
>>>>>>> Ben Winzenz
>>>>>>> Exchange MVP
>>>>>>> MessageOne
>>>>>>>
>>>>>>>
>>>>>>> "AllenM" <allen.miyake@xxxxxxxxx> wrote in message
>>>>>>> news:%23NC5MxbcFHA.1384@xxxxxxxxxxxxxxxxxxxxxxx
>>>>>>>> This may be a bit above and beyond as to how well I can explain it
>>>>>>>> so do not write this in stone. Here's my interpretation.
>>>>>>>> "Select which computer may relay through this virtual server" By
>>>>>>>> selecting this we are saying that only email that passes through
>>>>>>>> this email server may send outside.
>>>>>>>> "Allow all computers which successfully authenticate to relay,
>>>>>>>> regardless of the list above". What this is saying is that anyone
>>>>>>>> can go through this SMTP relay without passing through the server
>>>>>>>> above. Which means they can send an email from another mail server.
>>>>>>>> So we only want email from our mail server to pass through our SMTP
>>>>>>>> virtual server. SPAMMERS who use the SMTP virtual server do not
>>>>>>>> send email from our Exchange server. Hope that makes sense and my
>>>>>>>> interpretation is also correct. I do think it is because I was also
>>>>>>>> getting those type of password confirmations like you are and since
>>>>>>>> I closed the open relay it has not happened since. Maybe we can get
>>>>>>>> someone else or an MVP to chime in and clarify this. If you do find
>>>>>>>> it to be incorrect or find a better explanation I'd like to hear
>>>>>>>> about it. Good luck.
>>>>>>>>
>>>>>>>> "markus" <mark@xxxxxxxxxx> wrote in message
>>>>>>>> news:e4YKFKVcFHA.2936@xxxxxxxxxxxxxxxxxxxxxxx
>>>>>>>>> OK, I've unchecked "'Allow all computers which successfully
>>>>>>>>> authenticate to
>>>>>>>>> relay', and put in the IP address of the server only...
>>>>>>>>> but a question..... outside users would not be 'authenticated'
>>>>>>>>> users would they? By authenticated, they mean logged onto the
>>>>>>>>> network?
>>>>>>>>> Why not allow authenticated users to relay if they are all
>>>>>>>>> inhouse anyway....
>>>>>>>>> or............
>>>>>>>>> could it be that a remote user, logging on thru terminal server,
>>>>>>>>> is actually doing the relaying... if he had for instance, mydoom,
>>>>>>>>> which adds an SMTP server, infecting his remote PC... and then
>>>>>>>>> logged onto the network thru TS... could that be then relaying
>>>>>>>>> thru exchange...?
>>>>>>>>> ..sounds logical to me.. what you think?
>>>>>>>>>
>>>>>>>>> "AllenM" <allen.miyake@xxxxxxxxx> wrote in message
>>>>>>>>> news:%235pkqbTcFHA.796@xxxxxxxxxxxxxxxxxxxxxxx
>>>>>>>>>> you need to uncheck "'Allow all computers which successfully
>>>>>>>>>> authenticate to relay,
>>>>>>>>>> regardless of the list above" This is what is allowing outside
>>>>>>>>>> users to use your SMTP relay.
>>>>>>>>>> Otherwise the listed server above does no good. We want "Only the
>>>>>>>>>> listed below" which should be the internal IP of your Exchange
>>>>>>>>>> server. Give it a try and of course monitor it over the next day
>>>>>>>>>> or so.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> "markus" <mark@xxxxxxxxxx> wrote in message
>>>>>>>>>> news:OBShuTTcFHA.3488@xxxxxxxxxxxxxxxxxxxxxxx
>>>>>>>>>>> Could you elaborate a bit please...
>>>>>>>>>>> In the default SMTP virtual server properties / relay ....
>>>>>>>>>>> I have the box: 'Only the list below' (and nothing in the
>>>>>>>>>>> list) checked and
>>>>>>>>>>> checked - 'Allow all computers which successfully authenticate to
>>>>>>>>>>> relay, regardless of the list above'
>>>>>>>>>>>
>>>>>>>>>>> is this not right??
>>>>>>>>>>> There is a terminal server on this network... could that be
>>>>>>>>>>> involved in this relay someway?
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> "AllenM" <allen.miyake@xxxxxxxxx> wrote in message
>>>>>>>>>>> news:%23BqJDpScFHA.132@xxxxxxxxxxxxxxxxxxxxxxx
>>>>>>>>>>>> Looks like someone is using your SMTP virtual server for
>>>>>>>>>>>> relaying. You need to turn that off unless you have a specific
>>>>>>>>>>>> reason to have it on. You should only "allow" the internal IP
>>>>>>>>>>>> address of your mail server to use relay on this server.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> "markus" <mark@xxxxxxxxxx> wrote in message
>>>>>>>>>>>> news:%23ajIQhScFHA.1148@xxxxxxxxxxxxxxxxxxxxxxx
>>>>>>>>>>>>> Ok...
>>>>>>>>>>>>>
>>>>>>>>>>>>> this is what I'm not understanding. There are basically 2
>>>>>>>>>>>>> types of email that concern me.
>>>>>>>>>>>>>
>>>>>>>>>>>>> In the user's box (Outlook 2003) he will have a bunch of email
>>>>>>>>>>>>> to:
>>>>>>>>>>>>>
>>>>>>>>>>>>> from: System Administrator subject:
>>>>>>>>>>>>> undeliverable: You have successfully updated your password.
>>>>>>>>>>>>>
>>>>>>>>>>>>> *******This is the header from one of those
>>>>>>>>>>>>>
>>>>>>>>>>>>> Microsoft Mail Internet Headers Version 2.0
>>>>>>>>>>>>>
>>>>>>>>>>>>> From: postmaster@xxxxxxxxxxxx
>>>>>>>>>>>>>
>>>>>>>>>>>>> To: user@xxxxxxxxxxxx
>>>>>>>>>>>>>
>>>>>>>>>>>>> Date: Tue, 14 Jun 2005 16:52:54 -0400
>>>>>>>>>>>>>
>>>>>>>>>>>>> MIME-Version: 1.0
>>>>>>>>>>>>>
>>>>>>>>>>>>> Content-Type: multipart/report; report-type=delivery-status;
>>>>>>>>>>>>>
>>>>>>>>>>>>> boundary="9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.domain."
>>>>>>>>>>>>>
>>>>>>>>>>>>> X-DSNContext: 335a7efd - 4523 - 00000001 - 80040546
>>>>>>>>>>>>>
>>>>>>>>>>>>> Message-ID: <5paz2uJ9H00000378@xxxxxxxxxxxxxxxxxxxxx>
>>>>>>>>>>>>>
>>>>>>>>>>>>> Subject: Delivery Status Notification (Failure)
>>>>>>>>>>>>>
>>>>>>>>>>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.barbas.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Content-Type: text/plain; charset=unicode-1-1-utf-7
>>>>>>>>>>>>>
>>>>>>>>>>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.barbas.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Content-Type: message/delivery-status
>>>>>>>>>>>>>
>>>>>>>>>>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.barbas.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Content-Type: message/rfc822
>>>>>>>>>>>>>
>>>>>>>>>>>>> Received: from mydomain.com ([x.x.x.x] ((***this is the legit
>>>>>>>>>>>>> IP address of my server))) by EXCHANGE.mydomain.local with
>>>>>>>>>>>>> Microsoft SMTPSVC(6.0.3790.1830);
>>>>>>>>>>>>>
>>>>>>>>>>>>> Tue, 14 Jun 2005 16:52:54 -0400
>>>>>>>>>>>>>
>>>>>>>>>>>>> From: info@xxxxxxxxxxxx ***** THIS USER (INFO) DOES NOT
>>>>>>>>>>>>> EXIST.************************
>>>>>>>>>>>>>
>>>>>>>>>>>>> To: josh@xxxxxxxxxxxx *******THIS USER DOES NOT EXIST
>>>>>>>>>>>>> EITHER*******
>>>>>>>>>>>>>
>>>>>>>>>>>>> ****Ok, the mail was undeliverable because josh does not
>>>>>>>>>>>>> exist... but where is the sender (info@xxxxxxxxxxxx) coming
>>>>>>>>>>>>> from?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Subject: You have successfully updated your password
>>>>>>>>>>>>>
>>>>>>>>>>>>> Date: Tue, 14 Jun 2005 16:52:54 -0400
>>>>>>>>>>>>>
>>>>>>>>>>>>> MIME-Version: 1.0
>>>>>>>>>>>>>
>>>>>>>>>>>>> Content-Type: multipart/mixed;
>>>>>>>>>>>>>
>>>>>>>>>>>>> boundary="----=_NextPart_000_0008_9AC13455.6335A418"
>>>>>>>>>>>>>
>>>>>>>>>>>>> X-Priority: 3
>>>>>>>>>>>>>
>>>>>>>>>>>>> X-MSMail-Priority: Normal
>>>>>>>>>>>>>
>>>>>>>>>>>>> Return-Path: info@xxxxxxxxxxxx
>>>>>>>>>>>>>
>>>>>>>>>>>>> Message-ID:
>>>>>>>>>>>>> <EXCHANGEX00lfepHjon00000675@xxxxxxxxxxxxxxxxxxxxxxx>
>>>>>>>>>>>>>
>>>>>>>>>>>>> X-OriginalArrivalTime: 14 Jun 2005 20:52:54.0732 (UTC)
>>>>>>>>>>>>> FILETIME=[098348C0:01C57123]
>>>>>>>>>>>>>
>>>>>>>>>>>>> ------=_NextPart_000_0008_9AC13455.6335A418
>>>>>>>>>>>>>
>>>>>>>>>>>>> Content-Type: text/html;
>>>>>>>>>>>>>
>>>>>>>>>>>>> charset="ISO-8859-1"
>>>>>>>>>>>>>
>>>>>>>>>>>>> Content-Transfer-Encoding: 7bit
>>>>>>>>>>>>>
>>>>>>>>>>>>> ------=_NextPart_000_0008_9AC13455.6335A418
>>>>>>>>>>>>>
>>>>>>>>>>>>> Content-Type: application/octet-stream;
>>>>>>>>>>>>>
>>>>>>>>>>>>> name="email-password.zip"
>>>>>>>>>>>>>
>>>>>>>>>>>>> Content-Transfer-Encoding: base64
>>>>>>>>>>>>>
>>>>>>>>>>>>> Content-Disposition: attachment;
>>>>>>>>>>>>>
>>>>>>>>>>>>> filename="email-password.zip"
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> ------=_NextPart_000_0008_9AC13455.6335A418--
>>>>>>>>>>>>>
>>>>>>>>>>>>> --9B095B5ADSN=_01C56FD10DADFC2200000A49EXCHANGE.mydomain.--
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> ?????? if he is getting this mail returned to him, does it not
>>>>>>>>>>>>> mean that he is sending it?... but he's not. Does that mean
>>>>>>>>>>>>> that the virus is on his PC?? But I've scanned for it several
>>>>>>>>>>>>> times and not found it at all, ever...
>>>>>>>>>>>>>
>>>>>>>>>>>>> Where are these mails coming from? Is the server sending them
>>>>>>>>>>>>> out somehow? is his PC sending them out somehow? I don't know
>>>>>>>>>>>>> where to begin to figure this out......
>>>>>>>>>>>>>
>>>>>>>>>>>>> ********************************************************************************
>>>>>>>>>>>>>
>>>>>>>>>>>>> The other type of email he will receive is from, for
>>>>>>>>>>>>> instance,
>>>>>>>>>>>>>
>>>>>>>>>>>>> Administrator@xxxxxxxxxxxx Subject: You have successfully
>>>>>>>>>>>>> updated your password
>>>>>>>>>>>>>
>>>>>>>>>>>>> Here is the header info from one of those:
>>>>>>>>>>>>>
>>>>>>>>>>>>> Microsoft Mail Internet Headers Version 2.0
>>>>>>>>>>>>>
>>>>>>>>>>>>> Received: from mydomain.com ([x.x.x.x]) by
>>>>>>>>>>>>> EXCHANGE.mydomain.local with Microsoft SMTPSVC(6.0.3790.1830);
>>>>>>>>>>>>> ****where x.x.x. is the legit IP address of the server
>>>>>>>>>>>>> here...*****************8
>>>>>>>>>>>>>
>>>>>>>>>>>>> Tue, 14 Jun 2005 09:07:59 -0400
>>>>>>>>>>>>>
>>>>>>>>>>>>> From: administrator@xxxxxxxxxxxx
>>>>>>>>>>>>>
>>>>>>>>>>>>> To: real user@xxxxxxxxxxxx
>>>>>>>>>>>>>
>>>>>>>>>>>>> Subject: You have successfully updated your password
>>>>>>>>>>>>>
>>>>>>>>>>>>> Date: Tue, 14 Jun 2005 09:07:59 -0400
>>>>>>>>>>>>>
>>>>>>>>>>>>> MIME-Version: 1.0
>>>>>>>>>>>>>
>>>>>>>>>>>>> Content-Type: multipart/mixed;
>>>>>>>>>>>>>
>>>>>>>>>>>>> boundary="----=_NextPart_000_0001_4FC13ACF.85304567"
>>>>>>>>>>>>>
>>>>>>>>>>>>> X-Priority: 3
>>>>>>>>>>>>>
>>>>>>>>>>>>> X-MSMail-Priority: Normal
>>>>>>>>>>>>>
>>>>>>>>>>>>> Return-Path: administrator@xxxxxxxxxxxx
>>>>>>>>>>>>>
>>>>>>>>>>>>> Message-ID:
>>>>>>>>>>>>> <EXCHANGE5B76WE7P5IE000004cf@xxxxxxxxxxxxxxxxxxxxxxx>
>>>>>>>>>>>>>
>>>>>>>>>>>>> X-OriginalArrivalTime: 14 Jun 2005 13:07:59.0276 (UTC)
>>>>>>>>>>>>> FILETIME=[16867EC0:01C570E2]
>>>>>>>>>>>>>
>>>>>>>>>>>>> ------=_NextPart_000_0001_4FC13ACF.85304567
>>>>>>>>>>>>>
>>>>>>>>>>>>> Content-Type: text/html;
>>>>>>>>>>>>>
>>>>>>>>>>>>> charset="ISO-8859-1"
>>>>>>>>>>>>>
>>>>>>>>>>>>> Content-Transfer-Encoding: 7bit
>>>>>>>>>>>>>
>>>>>>>>>>>>> ------=_NextPart_000_0001_4FC13ACF.85304567
>>>>>>>>>>>>>
>>>>>>>>>>>>> Content-Type: application/octet-stream;
>>>>>>>>>>>>>
>>>>>>>>>>>>> name="new-password.zip"
>>>>>>>>>>>>>
>>>>>>>>>>>>> Content-Transfer-Encoding: base64
>>>>>>>>>>>>>
>>>>>>>>>>>>> Content-Disposition: attachment;
>>>>>>>>>>>>>
>>>>>>>>>>>>> filename="new-password.zip"
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> ------=_NextPart_000_0001_4FC13ACF.85304567--
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> So... block what address?? it says the email is coming from my
>>>>>>>>>>>>> own server...?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Plus, what about the system administrator returned email?
>>>>>>>>>>>>> where is that coming from... I'm so confused......
>>>>>>>>>>>>>
>>>>>>>>>>>>> "AllenM" <allen.miyake@xxxxxxxxx> wrote in message
>>>>>>>>>>>>> news:%233Pcw1PcFHA.3560@xxxxxxxxxxxxxxxxxxxxxxx
>>>>>>>>>>>>>> You can view the originator through the Message Header. Open
>>>>>>>>>>>>>> the email and click on View/Options. You can block the IP and
>>>>>>>>>>>>>> originating domain which may or may not do you any good as
>>>>>>>>>>>>>> spammers are always constantly changing them. However I've
>>>>>>>>>>>>>> had good results blocking the ISP IP which is usually foreign
>>>>>>>>>>>>>> and does not affect legitimate emails. Also you may want to
>>>>>>>>>>>>>> turn off Relay in case they are relaying through your SMTP.
>>>>>>>>>>>>>> Do you use the IMF Companion? You may want to turn on
>>>>>>>>>>>>>> Performance Counters for IMF so you can determine the correct
>>>>>>>>>>>>>> SCL level you need to apply. Also using RBL's is a good thing
>>>>>>>>>>>>>> to do also.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> "markus" <mark@xxxxxxxxxx> wrote in message
>>>>>>>>>>>>>> news:eBG4ztOcFHA.3840@xxxxxxxxxxxxxxxxxxxxxxx
>>>>>>>>>>>>>>> I am running Norton Small Business V7.5 antivirus and the IMF
>>>>>>>>>>>>>>> filter so am sorta limited..
>>>>>>>>>>>>>>> But I'm really not understanding what is going on.. where
>>>>>>>>>>>>>>> are these emails coming from?
>>>>>>>>>>>>>>> Is a system in my network sending them?
>>>>>>>>>>>>>>> many are for users that do not exist in the network
>>>>>>>>>>>>>>> ......these are the 'undeliverable' ones... but many go to
>>>>>>>>>>>>>>> legit users too..
>>>>>>>>>>>>>>> I'm really trying to understand just what is going
>>>>>>>>>>>>>>> on...........who or what is sending these mails. Is it
>>>>>>>>>>>>>>> internal or external?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> thanks
>>>>>>>>>>>>>>> .
>>>>>>>>>>>>>>> "markus" <mark@xxxxxxxxxx> wrote in message
>>>>>>>>>>>>>>> news:%23ds5rhOcFHA.2936@xxxxxxxxxxxxxxxxxxxxxxx
>>>>>>>>>>>>>>>> We are using exchange 2003.
>>>>>>>>>>>>>>>> Apparently we have been hit by a virus. All the users are
>>>>>>>>>>>>>>>> being constantly hit with emails that are from either:
>>>>>>>>>>>>>>>> system administrator undeliverable: bla bla bal
>>>>>>>>>>>>>>>> (password has been updated or account suspended..which is
>>>>>>>>>>>>>>>> the virus package I think)
>>>>>>>>>>>>>>>> or from
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> administrator@xxxxxxxxxxxx : you have successfully
>>>>>>>>>>>>>>>> updated your password (this is the virus package)
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I have antivirus software running on all systems, including
>>>>>>>>>>>>>>>> the server.
>>>>>>>>>>>>>>>> I have run the FXmydoom.exe package from Symantec on all
>>>>>>>>>>>>>>>> the servers and many (not all) of the workstations..
>>>>>>>>>>>>>>>> ..I did a google on 'your password has been updated" that
>>>>>>>>>>>>>>>> led me to MyDoom......
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> but still everyone gets these emails...
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> What can I do? where do I go from here?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> thanks for the help ;)
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>
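
The anonymous-access and relay settings discussed in this thread, as a simplified decision model (an added example, not part of the original posts and not Exchange's own logic). The class, function names, domains and sample addresses are constructed; the first relay-list entry mirrors the ICW setting quoted above, and treating its mask as covering the whole subnet is an assumption of this model.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class VirtualServer:
    """Hypothetical model of one SMTP virtual server's access settings."""
    local_domains: set
    anonymous_access: bool = True   # "Anonymous access" under authentication
    only_list_below: bool = True    # True: "Only the list below"; False: "All except"
    relay_list: list = field(default_factory=list)  # "ip" or "ip/mask" entries
    auth_may_relay: bool = True     # "Allow all computers which successfully authenticate..."


def decide(vs, client_ip, authenticated, rcpt):
    """Return what happens to one RCPT TO in this model."""
    # Anonymous access gates the session itself, not relaying.
    if not authenticated and not vs.anonymous_access:
        return "reject-session"
    # Mail for a domain this server hosts is inbound delivery, never relay.
    if rcpt.rsplit("@", 1)[-1].lower() in vs.local_domains:
        return "deliver-local"
    # Everything below is relay: the recipient is external.
    if authenticated and vs.auth_may_relay:
        return "relay"
    listed = any(ip_address(client_ip) in ip_network(entry, strict=False)
                 for entry in vs.relay_list)
    return "relay" if listed == vs.only_list_below else "deny-relay"


# Constructed sample sessions: (description, client IP, authenticated, recipient)
SESSIONS = [
    ("other mail server delivering to us", "203.0.113.10", False, "user@example.com"),
    ("Internet host, external recipient", "203.0.113.10", False, "victim@example.net"),
    ("LAN workstation, unauthenticated", "192.168.1.23", False, "victim@example.net"),
    ("authenticated POP3/IMAP client", "198.51.100.7", True, "friend@example.net"),
]

# Settings as the wizard left them, per the thread.
ICW = VirtualServer({"example.com"},
                    relay_list=["192.168.1.75/255.255.255.0", "127.0.0.1"])
# Settings recommended in the thread when no IMAP/POP3 clients exist.
RECOMMENDED = VirtualServer({"example.com"}, relay_list=[], auth_may_relay=False)
# What happens if anonymous access is also switched off.
NO_ANON = VirtualServer({"example.com"}, anonymous_access=False,
                        relay_list=[], auth_may_relay=False)


def matrix(vs):
    """Decision for each sample session, in SESSIONS order."""
    return [decide(vs, ip, auth, rcpt) for _, ip, auth, rcpt in SESSIONS]


if __name__ == "__main__":
    for name, vs in (("ICW", ICW), ("RECOMMENDED", RECOMMENDED), ("NO_ANON", NO_ANON)):
        print(name)
        for (desc, *_), result in zip(SESSIONS, matrix(vs)):
            print(f"  {desc:38} -> {result}")
```

In this model the recommended settings still accept inbound mail for local recipients, while the subnet entry lets any unauthenticated host on the LAN relay to external addresses.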

