RE: BadMail Directory

  • From: "Lee" <swanson@xxxxxxxxxx>
  • To: <exchangelist@xxxxxxxxxxxxx>
  • Date: Mon, 27 Jun 2005 08:54:48 -0500

That sounds familiar... I do have a script to clean up the badmail directory
every day, so that's ok. When I check the badmail, they are all going to
usernames at this company -- just not "real" usernames. This is a new
server -- had migrated the Exchange from an older server.... Have Symantec
9.x and Mail Security 4.6 on the server. Most, but not all, workstations run
MS Antispyware. Will do some scanning and checking w/ some of your
suggestions. Thanks for your help. Appreciate it :-)

Lee

-----Original Message-----
From: steve alcock [mailto:steve.alcock@xxxxxxxxxxxxxx] 
Sent: Monday, June 27, 2005 8:50 AM
To: [ExchangeList]
Subject: [exchangelist] RE: BadMail Directory

http://www.MSExchange.org/

Hi lee,

Having reread your first mail I think you have the sdbot virus ........

I took the server off the internet
Disconnected all clients
Cleared all unknown in the smtp
Deleted all the bad mail ( this will take ages and I do mean ages ) (
windows would not catalogue so I removed files in command mode )
Ran McAfee ( anti virus people ) stinger, it found sdbot
Checked all clients with stinger
Ran spybot on all systems
Ran spyhunter on all systems
Ran security task manager on all systems
( all the above found various on all systems )

put the server ONLY back on line and connected to the internet and monitored
for an hour or so to make sure nothing new was being setup / relayed ( in my
case it did and I had to restart the entire server process )

I copied McAfee from my service, clean, laptop onto a cd and ran a complete
scan in command mode, this appeared to find more than the stinger did off
memory and once I was happy that sdbot had been trashed I reconnected the
clients and monitored....... to this day all ok.....

This was on a win2000 server with 6 clients on the network.

I hope this is of some help, if indeed it is a sdbot virus, if I can help
further do not hesitate to mail........

Regards

Steve

    


Calderglen Computers Ltd
Calder House
Spring Lane
Colne
Lancs
BB8 9BD
www.calderglen.net
phone : +44 (0) 1282 871717
 
 
 
 

-----Original Message-----
From: Lee [mailto:swanson@xxxxxxxxxx]
Sent: 27 June 2005 13:15
To: [ExchangeList]
Subject: [exchangelist] RE: BadMail Directory

 The passwords could be an issue.... Will have everyone change and see what
happens. Thanks.

-----Original Message-----
From: John Tolmachoff (Lists) [mailto:johnlist@xxxxxxxxxxxxxxxxxxx]
Sent: Monday, June 27, 2005 2:32 AM
To: [ExchangeList]
Subject: [exchangelist] RE: BadMail Directory

It sounds like you are relaying, either because of bad configuration or
passwords have been compromised.

John T
eServices For You

> -----Original Message-----
> From: Lee [mailto:swanson@xxxxxxxxxx]
> Sent: Saturday, June 25, 2005 9:48 PM
> To: [ExchangeList]
> Subject: [exchangelist] BadMail Directory
> 
> I'm at my wits' end here and not sure what to do....
> 
> Have an Exchange 2000 install w/ SP3 and security rollup installed. I 
> believe relay is configured per MS instructions.
> 
> What's happening is the badmail directory is filling up w/ a few
> thousand entries every day. It appears that someone is sending spam to
> every name in the dictionary attached to @mycompany.com. When I look
> in the ESM, it shows a couple dozen queues in the SMTP Protocol from
> domains that are basically "junk." Tried putting these to be filtered
> out, but they keep coming back w/ other domain names.
> 
> Is there any way of keeping this stuff out or is it something I need to
> live w/ since these users are not getting this mail.
> 
> Thanks.
> 
> Lee Ann
> Lake Norden, SD
> 
> 
> 
> ------------------------------------------------------
> List Archives: 
> http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
> Exchange Newsletters: http://www.msexchange.org/pages/newsletter.asp
> Exchange FAQ: http://www.msexchange.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> World of Windows Networking: http://www.windowsnetworking.com Leading 
> Network Software Directory: http://www.serverfiles.com
> No.1 ISA Server Resource Site: http://www.isaserver.org Windows 
> Security Resource Site: http://www.windowsecurity.com/ Network 
> Security Library: http://www.secinf.net/ Windows 2000/NT Fax
> Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this MSEXchange.org Discussion List
as:
> johnlist@xxxxxxxxxxxxxxxxxxx
> To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
> Report abuse to listadmin@xxxxxxxxxxxxxx
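
The thread's two explanations (guessed usernames at the local domain versus relaying) can be told apart by tallying who the undeliverable messages were addressed to. The following is an added example, not code from any poster; it assumes each badmail item has been read as RFC 822 text with To:/Cc: headers, which the thread does not confirm, and the domain, user list and sample messages are constructed.

```python
import email
from collections import Counter
from email.utils import getaddresses

def tally_recipients(raw_messages, local_domain, valid_users):
    """Count recipients as external, valid_local or unknown_local."""
    valid = {u.lower() for u in valid_users}
    counts = Counter()
    for raw in raw_messages:
        msg = email.message_from_string(raw)
        headers = msg.get_all("To", []) + msg.get_all("Cc", [])
        for _name, addr in getaddresses(headers):
            if "@" not in addr:
                continue  # empty or unparseable address, skip it
            local, _, domain = addr.lower().rpartition("@")
            if domain != local_domain.lower():
                counts["external"] += 1       # mail for someone else's domain
            elif local in valid:
                counts["valid_local"] += 1    # a real mailbox here
            else:
                counts["unknown_local"] += 1  # guessed name at our domain
    return counts

def verdict(counts, threshold=0.8):
    """Name the dominant pattern, or 'mixed' if none reaches the threshold."""
    total = sum(counts.values())
    if total == 0:
        return "no data"
    if counts["external"] / total >= threshold:
        return "relay suspected"
    if counts["unknown_local"] / total >= threshold:
        return "dictionary attack suspected"
    return "mixed"

def _msg(sender, rcpt):
    # Constructed sample message, not taken from a real badmail directory.
    return f"From: {sender}\nTo: {rcpt}\nSubject: test\n\nbody\n"

SAMPLE = [_msg(f"promo@junk{i}.example", f"{name}@mycompany.example")
          for i, name in enumerate(["aaron", "abby", "abel", "adam", "ada", "lee"])]

if __name__ == "__main__":
    c = tally_recipients(SAMPLE, "mycompany.example", {"lee"})
    print(dict(c), verdict(c))
```

A high share of unknown local recipients matches what Lee describes; a high share of external recipients would instead support the relaying explanation.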

