[RESOLVED] Might have a trojan, need help asap
  1. #1
    Registered User
    Join Date
    Mar 2006
    Posts
    181

    [RESOLVED] Might have a trojan, need help asap

    I have an SBS Server 2000. I have NAV Corp. 10, which indicates I'm fine, and am behind a SonicWall firewall. Everything seems to be OK, but when I go into Exchange and drill down into SMTP/Default SMTP/Queues I find a couple of dozen obvious SMTP mailer programs going to really bizarre websites. There is a modest history for each one showing what appears to be e-mail they have sent out. I'm running a Beagle scan right now from Symantec. I have tried the free AV scan from Trend, but it doesn't seem to work. I've also checked my registry for the tell-tale add-in that Symantec says should be there. Can anybody help me or point me in the right direction? I really need this job... Chris

  2. #2
    Registered User
    Join Date
    Mar 2006
    Posts
    9
    Post me your computer process snapshot... and my little suggestion is not to use NORTON anymore... and if you wish I may send you a new firewall by email.

  3. #3
    Registered User
    Join Date
    Sep 2001
    Location
    Amsterdam
    Posts
    1,312
    Are you sure that this isn't Exchange trying to send NDRs for emails it has received for non-existent users?

    As you probably know, spammers will send mail to a domain with every name and combination possible. If you have Exchange configured to send NDRs for failed inbound messages, then this could be what you are seeing in the queues.

    If you check the mails in the queue, are they coming from your admin / postmaster account? That is a sure sign they are NDRs.

    emr

  4. #4
    Registered User
    Join Date
    Mar 2006
    Posts
    181

    ndr

    Thanks for the reply
    Not sure about the NDR stuff. This is new to me and I'm truly walking on thin ice. After a long night of researching and scanning I don't think it's a virus, and the "NDR" you noted is coming up in the files. I'm not sure what else to say here except: if you could point me in the right direction to find some information on what you are referring to as "NDR". Chris

  5. #5
    Registered User
    Join Date
    Mar 2006
    Posts
    181

    NDR again

    Quote Originally Posted by emr
    Are you sure that this isn't Exchange trying to send NDRs for emails it has received for non-existent users?

    As you probably know, spammers will send mail to a domain with every name and combination possible. If you have Exchange configured to send NDRs for failed inbound messages, then this could be what you are seeing in the queues.

    If you check the mails in the queue, are they coming from your admin / postmaster account? That is a sure sign they are NDRs.

    emr
    I assume NDR stands for non-deliverable? I'm looking at my Exchange System Manager console right now and have the Queues folder open. Inside are a number of folders, some with green check marks and the rest to bad-looking websites. I froze all those last night, and there are a few new ones with a blue swirl arrow on them. Anyway, your comment on Exchange trying to send NDRs to spammers woke me up. Where can I find the Exchange settings for this, to shut it off? Chris

  6. #6
    Registered User
    Join Date
    Mar 2006
    Posts
    181

    Norton

    Quote Originally Posted by minos
    Post me your computer process snapshot... and my little suggestion is not to use NORTON anymore... and if you wish I may send you a new firewall by email.
    Minos, I agree about Norton, but I have to use it until it runs out. It is a pretty expensive program and the company just paid for another year. I will post an image Thursday of my process Task Manager window. What firewall do you have in mind? Chris

  7. #7
    Registered User
    Join Date
    Sep 2001
    Location
    Amsterdam
    Posts
    1,312
    Here you go. http://support.microsoft.com/?kbid=886208

    Much more eloquently put than I could ever manage!

    You need to enable recipient filtering to reject non-existent users; Exchange doesn't generate an NDR for these types of failures; the sending server does instead.

    I believe there is a way to disable NDR entirely; I'll have a look and see what I come up with.

    Good luck and post back if you still have problems.

    emr
    Last edited by emr; March 8th, 2006 at 04:14 PM.

  8. #8
    Registered User
    Join Date
    Sep 2001
    Location
    Amsterdam
    Posts
    1,312
    Here is how to disable NDR entirely.

    Open Exchange Manager | Global Settings | double-click Internet Message Format then right-click the Default format, select Properties then Advanced tab.

    You have a list in there, one of which is the allowing of NDR.

    You do need to consider carefully whether you want to disable them entirely. This means that a genuine sender who mistypes an email address doesn't receive a response to say so when the mail is bounced by your server.

    For example, if a client sends a mail to [email protected], it will get bounced but they won't receive a failed delivery report. Not always good from a customer care point of view.

    I generally enable recipient filtering, which cuts out a lot of the crap, and live with the fact that a good volume of the NDRs produced will be from spam. It's a trade-off in the end.

    This is a fairly important part of the Exchange Manager if you want to allow out of office and various other features that are useful to the end-user.

    As always with MS it's tucked away nicely out of sight!

    emr

    Edit: I just realised you're running Exchange 2k; the steps detailed in the MS KB and what I mentioned above may be slightly different. I don't have a 2k box to check out at the moment.

    From memory they should be pretty much the same.
    Last edited by emr; March 8th, 2006 at 04:42 PM.
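    As an added example (not from the thread or from Microsoft), here is emr's queue check from post #3 written as a small triage script, plus the follow-on from posts #7 and #8: if the queued mail is nearly all NDRs from the null sender or postmaster, the cause is backscatter and the fix is recipient filtering or the NDR setting; otherwise the domains receiving non-NDR mail are listed so the sending host can be examined. The queue records, sender addresses and domain names are constructed for the example, and the 80% threshold is an assumption.

```python
from collections import Counter

# Constructed sample records, transcribed the way Exchange System Manager shows
# an SMTP queue: one remote domain per queue, plus the sender and subject of each
# queued message. Not real data from the thread.
SAMPLE_QUEUE = [
    {"domain": "spam-sender.test", "sender": "", "subject": "Undeliverable: Cheap meds"},
    {"domain": "spam-sender.test", "sender": "postmaster@corp.example",
     "subject": "Delivery Status Notification (Failure)"},
    {"domain": "partner.example", "sender": "chris@corp.example", "subject": "Re: invoice"},
    {"domain": "odd-site.test", "sender": "chris@corp.example", "subject": "Make money fast"},
    {"domain": "odd-site.test", "sender": "", "subject": "Undeliverable: Your account"},
]

# Subject prefixes Exchange and other MTAs put on delivery failure reports.
NDR_SUBJECT_MARKERS = ("undeliverable", "delivery status notification", "mail delivery failed")


def is_ndr(record):
    """emr's check: a bounce comes from the null sender or postmaster, never from a user."""
    sender = record["sender"].lower()
    from_system = sender == "" or sender.startswith("postmaster@")
    bounce_subject = any(m in record["subject"].lower() for m in NDR_SUBJECT_MARKERS)
    return from_system and bounce_subject


def classify_queue(records):
    """Count NDRs and non-NDR messages per remote domain."""
    ndr, other = Counter(), Counter()
    for r in records:
        (ndr if is_ndr(r) else other)[r["domain"]] += 1
    return ndr, other


def verdict(records, ndr_share=0.8):
    """Backscatter if at least ndr_share of the queued mail is NDRs (assumed
    threshold); otherwise name the domains receiving non-NDR mail so the host
    that sent it can be checked for a mailer."""
    ndr, other = classify_queue(records)
    total = sum(ndr.values()) + sum(other.values())
    if total == 0:
        return "queue empty"
    if sum(ndr.values()) / total >= ndr_share:
        return "NDR backscatter: enable recipient filtering, review NDR setting"
    return "non-NDR mail queued to: " + ", ".join(sorted(other))


if __name__ == "__main__":
    print(verdict(SAMPLE_QUEUE))
```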

  9. #9
    Registered User
    Join Date
    Mar 2006
    Posts
    9
    ZoneAlarm... so far as I know the best firewall... but I like its early version... because it can track who is attacking you now and show the attacker's location... now you should pay for that function....

  10. #10
    Registered User
    Join Date
    Sep 2001
    Location
    Amsterdam
    Posts
    1,312
    Quote Originally Posted by minos
    ZoneAlarm... so far as I know the best firewall... but I like its early version... because it can track who is attacking you now and show the attacker's location... now you should pay for that function....
    ZoneAlarm is fine for a stand-alone PC; however, installing it on a server is inadvisable. Your server should be behind a hardware router which connects to the ISP and be sufficiently locked down through GPO.

    ZA won't do any of that for you.

    emr

  11. #11
    Registered User
    Join Date
    Mar 2006
    Posts
    181

    2k over 2003

    Quote Originally Posted by emr
    Here is how to disable NDR entirely.

    Open Exchange Manager | Global Settings | double-click Internet Message Format then right-click the Default format, select Properties then Advanced tab.

    You have a list in there, one of which is the allowing of NDR.

    You do need to consider carefully whether you want to disable them entirely. This means that a genuine sender who mistypes an email address doesn't receive a response to say so when the mail is bounced by your server.

    For example, if a client sends a mail to [email protected], it will get bounced but they won't receive a failed delivery report. Not always good from a customer care point of view.

    I generally enable recipient filtering, which cuts out a lot of the crap, and live with the fact that a good volume of the NDRs produced will be from spam. It's a trade-off in the end.

    This is a fairly important part of the Exchange Manager if you want to allow out of office and various other features that are useful to the end-user.

    As always with MS it's tucked away nicely out of sight!

    emr

    Edit: I just realised you're running Exchange 2k; the steps detailed in the MS KB and what I mentioned above may be slightly different. I don't have a 2k box to check out at the moment.

    From memory they should be pretty much the same.
    Thank you, you were dead on about the 2k. 2003 is quite a different interface. All is well in the world and I'm still employed AND I've learned something. Many thanks... Chris

  12. #12
    Registered User
    Join Date
    Mar 2006
    Posts
    181

    ZA

    Quote Originally Posted by emr
    ZoneAlarm is fine for a stand-alone PC; however, installing it on a server is inadvisable. Your server should be behind a hardware router which connects to the ISP and be sufficiently locked down through GPO.

    ZA won't do any of that for you.

    emr
    Quite right, very good product but will not work on a server. I have a hardware firewall.

  13. #13
    Registered User
    Join Date
    Sep 2001
    Location
    Amsterdam
    Posts
    1,312
    Quote Originally Posted by musicman7722
    Thank you, you were dead on about the 2k. 2003 is quite a different interface. All is well in the world and I'm still employed AND I've learned something. Many thanks... Chris
    Glad to help out. Exchange is a bit of a favourite of mine. Can be a complete bastard to configure but once you get a bit of knowledge under your belt it can be a very sweet mail system to administer.

    Don't hesitate if you have any other questions.

    emr
