Re: Help me understand something........
"markus" <mark@xxxxxxxxxx> wrote:

>Say you had a network and an exchange 2003 system /outlook 2003..
>
>Then say that somehow a virus got onto the network, on one or more unknown
>systems.. and say that virus was one that put in place an SMTP server on
>the infected systems
>
>how does this interact with exchange? Does the smtp server on the infected
>system then send emails to the exchange server...

That would depend on the writer of the exploit. It's easy enough to do
a port scan to find SMTP servers, and easy enough to probe those
servers to see if they'll act as SMTP relays. But a lot of the worms
just try sending directly to the target server, just like a real SMTP
server would.

[ snip ]

>In my network, I know I've had the mytob virus.. and not totally sure it's
>totally eradicated.................
>all the users get a barrage of emails that are like from
>admin@xxxxxxxxxxxx, webmaster@xxxxxxxxxxxx, and other official looking
>emails that all contain mytob.....................

And when you look at the "Received:" headers in those messages, where
did they originate?

>When I look at these emails, it looks to me (but I'm not totally sure) that
>they are coming from inside the network.... That's what I see in the headers
>at least.. and using the track message tool...

If the "Received:" header inserted by your Exchange server says the
message came from your network then you know the IP address of the
infected machine. Go take it off the network and clean it up (or
fdisk, reformat, and reinstall it).

>If they are coming from inside the network... how can I figure out from
>what machine?...............

The "Received:" header, if it's sent with SMTP.

>Should that info be in the header and maybe I'm
>just not seeing it? how can I find this out?

Where have you looked? With the message open, use Outlook's "View |
Options" menu,


--
Rich Matheisen
MCSE+I, Exchange MVP
MS Exchange FAQ at http://www.swinc.com/resource/exch_faq.htm
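One way to do the "Received:" check Rich describes, as an added example that is not part of the original thread: parse the Received: chain of a message and, reading from the newest line downward, stop at the first hop that was not written by one of your own mail servers; that is the machine that handed the message to Exchange. The sample message, hostnames and addresses below are constructed placeholders, and the `from host ([ip])` layout is assumed to be what Exchange 2003's SMTP service writes.

```python
import re
from email import message_from_string
from ipaddress import ip_address

# Constructed sample (placeholder hostnames/addresses, not from the thread).
# The top two Received: lines were written by our Exchange servers; the bottom
# one was written by the infected workstation and could say anything.
SAMPLE = """\
Received: from mail.example.invalid ([192.168.1.10]) by mail.example.invalid with Microsoft SMTPSVC(6.0.3790.1830); Tue, 12 Jul 2005 09:14:02 -0400
Received: from ws-0042 ([192.168.1.57]) by mail.example.invalid with Microsoft SMTPSVC(6.0.3790.1830); Tue, 12 Jul 2005 09:14:01 -0400
Received: from smtp.isp.invalid ([203.0.113.9]) by ws-0042 with SMTP; Tue, 12 Jul 2005 09:13:58 -0400
From: admin@example.invalid
To: user@example.invalid
Subject: Important notice

See attachment.
"""

# 'from <host> ([<ip>])' as Exchange 2003 writes it; also accepts 'from host (ip)'.
HOP = re.compile(r"from\s+(\S+)\s+\(\[?(\d{1,3}(?:\.\d{1,3}){3})\]?\)", re.I)

def hops(raw: str):
    """(host, ip) for each Received: line, newest (topmost) first."""
    msg = message_from_string(raw)
    found = []
    for line in msg.get_all("Received", []):
        m = HOP.search(line)
        if m:
            found.append((m.group(1), m.group(2)))
    return found

def submitting_host(raw: str, own_servers: set):
    """First hop, newest-first, whose 'from' address is not one of our own mail
    servers: the machine that handed the message to Exchange. Lines below it
    were written by that machine and may be forged, so they are not trusted."""
    for host, ip in hops(raw):
        if ip not in own_servers:
            return host, ip
    return None

def naive_origin(raw: str):
    """Bottom-most hop, i.e. what a sender-controlled header would claim."""
    found = hops(raw)
    return found[-1] if found else None

def is_internal(ip: str) -> bool:
    """True for RFC 1918 and other non-routable space, i.e. a host on the LAN."""
    return ip_address(ip).is_private
```

Reading bottom-up would blame `smtp.isp.invalid`; walking down from your own servers' lines instead points at `ws-0042` (192.168.1.57), the box to pull off the network.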