That sounds familiar... I do have a script to clean up the badmail directory everyday, so that's ok. When I check the badmail, they are all going to usernames at this company -- just not "real" usernames". This is a new server -- had migrated the Exchange from an older server.... Have Symantec 9.x and Mail Security 4.6 on the server. Most, but not all, workstations run MS Antispyware. Will do some scanning and checking w/ some of your suggestions. Thanks for your help. Appreciate it :-) Lee -----Original Message----- From: steve alcock [mailto:steve.alcock@xxxxxxxxxxxxxx] Sent: Monday, June 27, 2005 8:50 AM To: [ExchangeList] Subject: [exchangelist] RE: BadMail Directory http://www.MSExchange.org/ Hi lee, Having re read your first mail I think you have the sdbot virus ........ I took the server off the internet Disconnected all clients Cleared all unknown in the smtp Deleted all the bad mail ( this will take ages and I do mean ages ) ( windows would not catalogue so I removed files in command mode ) Ran Mcaffe ( anti virus people )stinger, it found sdbot Checked all clients with stinger Ran spybot an all systems Ran spyhunter on all systems Ran security task manager on all systems ( all the above found various on all systems ) put the server ONLY back on line and connected to the internet and monitored for an hour or so to make sure nothing new was being setup / relayed ( in my case it did and I had to restart the entire server process ) I copied Mcafee from my service, clean, laptop onto a cd and ran a complete scan in command mode, this appeared to find more than the stinger did off memory and once I was happy that sdbot had been trashed I re connected the clients and monitored....... to this day all ok..... This was on a win2000 server with 6 clients on the network. I hope this is of some help, if indeed it is a sdbot virus, if I can help further do not hesitate to mail........ Regards Steve Calderglen Computers Ltd Calder House Spring Lane Colne Lancs BB8 9BD www.calderglen.net phone : +44 (0) 1282 871717 -----Original Message----- From: Lee [mailto:swanson@xxxxxxxxxx] Sent: 27 June 2005 13:15 To: [ExchangeList] Subject: [exchangelist] RE: BadMail Directory http://www.MSExchange.org/ The passwords could be an issue.... Will have everyone change and see what happens. Thanks. -----Original Message----- From: John Tolmachoff (Lists) [mailto:johnlist@xxxxxxxxxxxxxxxxxxx] Sent: Monday, June 27, 2005 2:32 AM To: [ExchangeList] Subject: [exchangelist] RE: BadMail Directory http://www.MSExchange.org/ It sounds like you are relaying, either because of bad configuration or passwords have been compromised. John T eServices For You > -----Original Message----- > From: Lee [mailto:swanson@xxxxxxxxxx] > Sent: Saturday, June 25, 2005 9:48 PM > To: [ExchangeList] > Subject: [exchangelist] BadMail Directory > > http://www.MSExchange.org/ > > > I'm at my wits' end here and not sure what to do.... > > Have an Exchange 2000 install w/ SP3 and security rollup installed. I > believe relay is configured per MS instructions. > > What's happening is the badmail directory is filling up w/ a few > thousand entries everyday. It appears that someone is sending spam to > every name in the dictionary attached to @mycompany.com. When I look > in the ESM, it shows > a couple dozen queues in the SMTP Protocol from domains that are > basically "junk." Tried putting these to be filtered out, but they > keep coming back w/ > other domain names. > > Is there anyway of keeping this stuff out or is it something I need to live > w/ since this users are not getting this mail. > > Thanks. > > Lee Ann > Lake Norden, SD > > > > ------------------------------------------------------ > List Archives: > http://www.webelists.com/cgi/lyris.pl?enter=exchangelist > Exchange Newsletters: http://www.msexchange.org/pages/newsletter.asp > Exchange FAQ: http://www.msexchange.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Other Internet Software Marketing Sites: > World of Windows Networking: http://www.windowsnetworking.com Leading > Network Software Directory: http://www.serverfiles.com > No.1 ISA Server Resource Site: http://www.isaserver.org Windows > Security Resource Site: http://www.windowsecurity.com/ Network > Security Library: http://www.secinf.net/ Windows 2000/NT Fax > Solutions: http://www.ntfaxfaq.com > ------------------------------------------------------ > You are currently subscribed to this MSEXchange.org Discussion List as: > johnlist@xxxxxxxxxxxxxxxxxxx > To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=exchangelist > Report abuse to listadmin@xxxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=exchangelist Exchange Newsletters: http://www.msexchange.org/pages/newsletter.asp Exchange FAQ: http://www.msexchange.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 ISA Server Resource Site: http://www.isaserver.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this MSEXchange.org Discussion List as: swanson@xxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=exchangelist Report abuse to listadmin@xxxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=exchangelist Exchange Newsletters: http://www.msexchange.org/pages/newsletter.asp Exchange FAQ: http://www.msexchange.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 ISA Server Resource Site: http://www.isaserver.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this MSEXchange.org Discussion List as: steve.alcock@xxxxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=exchangelist Report abuse to listadmin@xxxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=exchangelist Exchange Newsletters: http://www.msexchange.org/pages/newsletter.asp Exchange FAQ: http://www.msexchange.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 ISA Server Resource Site: http://www.isaserver.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this MSEXchange.org Discussion List as: swanson@xxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=exchangelist Report abuse to listadmin@xxxxxxxxxxxxxx