HELP! Trojan mailer going mad!!

[Allen]

Hi guys,

I know it's a bit cheeky to ask, but one of our servers is throwing a mental and Google really isn't being much help at the moment. We have a server (SBS 2003 & Exchange 2007) that is running a small group of PC's and we have recently been having problems getting blocked on spam blacklists. I believe that there is a trojan mailer on one of our PC's which is causing this problems as one of the exchange queues (yahoo.com.tw) has 97,000+ outgoing emails sitting in the queue from the past few days alone. I have frozen the queue, however there are still other queues with hundreds of outgoing emails in which I know won't be real emails.

The problem lies in identifying the computer on the network that is casuing this. They all run Kaspersky AV and we have scanned all machines and found nothing. We have also run Malware Bytes and MS Malicious Software Removal Tool (something I heard was good at picking up these trojans) but still found nothing.

I have already blocked port 25 on the firewall for everything on the network apart from the exchange server, but this is a real problem now. What's the best way to locate and remove these trojans?

Thanks in advance,

Allen

[Phage]

I assume that that all the AV apps are up to date ?
I'd run a hijackthis report and submit the result to their forums.
I've also heard good things about the Prevx solutions.

[Zak33]

Can you ask each user to run an online Antivirus check tonight after work, and threaten them with death if they forget or don't repiort the result at the end ?

http://housecall.trendmicro.com/uk/

[Flash477]

It may sound like a silly question, but do the servers have AV, and have they been scanned?

[Allen]

I assume that that all the AV apps are up to date ?
I'd run a hijackthis report and submit the result to their forums.
I've also heard good things about the Prevx solutions.

All AV systems are up to date. I may well run hijackthis and check out the reports to see if i can narrow down which pc is doing this. You can post the results on their forums can you? Didn't know that. Will check it out thanks.

Never heard of Prevx tbh, but we have already paid up for a years worth of Kaspersky which is pretty good (although not great in this case I must admit).

[Allen]

Can you ask each user to run an online Antivirus check tonight after work, and threaten them with death if they forget or don't repiort the result at the end ?

http://housecall.trendmicro.com/uk/

I'll give that a go, cheers.

[Allen]

It may sound like a silly question, but do the servers have AV, and have they been scanned?

Yes mate, it's running the same version (6 I believe) as all others, comes as a package. They are all up to date, have all had scans run on them including Kaspersky, Malware Bytes and MSRT.

[Flash477]

Are you sure that the emails are coming from an internal source and that someone is not using your server as a relay? or would anyone be working from home and using that mail server?

[Jay]

are you 100% sure you are not an open relay?

Is it coming from the server or a PC on the network?

What are the headers like, do they show you any info?

I would wait until late on when the server is quiet and try and narrow it down

[Jiff Lemon]

Open exchange system manager, expand the server, then protocols, properties of SMTP. Check the relay tab - What IP ranges are allowed to relay, and have you got the "allowed any authenticated user to relay" button ticked?

[smargh]

Small group of PCs? When everyone has left for the day, look at the network switch to see which LED is blinking the most.

When you see some suspicious blinking, on the PC concerned use a simple sniffer like http://www.nirsoft.net/utils/smsniff.html on the PC to view the background network traffic.

Or, out of hours, run netstat or tcpview.exe (sysinternals) on the Exchange server(s) to identify which PC has thousands of active or old connectins.

Or do the same on the client PC(s). Then use standard malware tools or nuke the PCs.

[Allen]

Are you sure that the emails are coming from an internal source and that someone is not using your server as a relay? or would anyone be working from home and using that mail server?

are you 100% sure you are not an open relay?

Open exchange system manager, expand the server, then protocols, properties of SMTP. Check the relay tab - What IP ranges are allowed to relay, and have you got the "allowed any authenticated user to relay" button ticked?

I checked this and although it was limited to only sending messages from authenticated accounts, I now added the limit to only send from within the internal network.

Along with all the other work I did last night, things appear to be a lot better today. Will keep monitoring it.

Thanks everyone for your help!

[Jay]

glad to see you got it sorted, now the hard work of getting of the blacklist starts! AOL's blacklists are the worst for this IMO.

[Allen]

It's only on 3 blacklists from what I can see, and 2 of those are with UCEPROTECT who I believe are a pain to be removed from (as it costs you money).

However, both L2 and L3 reports from UCEPROTECT advise that the IP is in a "spammy neighbourhood" and that our IP hasn't done anything wrong. So that's a good sign.