Return of the Viruses

By benjamin.egas
Hello All,

I am once again coming to you for help. I have a recurring issue on my network. Here it is ...

During my re-imaging of @ 30 systems, I found in particular that was receiving NDRs for email items he did not send. Obviously this points to malicious activity ... so I went ahead and backed up the data and reloaded. The user's data did not survive and never again saw our network.

... Now I am seeing the EXACT same symptoms on the office manager's system. This is one of 3 systems I have not yet reloaded with a good image.

I would like to ask if anyone can offer up any advice at all. I have checked the system with 2 AV scanners and Ad-aware, all to no avail. I would like to not have to re-image this system as there is a TON of company data on it.

Thank you all in advance for your support.

Benjamin Egas


All Answers

Might not be a virus.

by Kenone In reply to Return of the Viruses

If some spammer has gotten a hold of his/her e-mail address and is using it as a phony return, then that person will receive all the NDRs and rejection notices. I don't know of any way to stop it other than changing his/her e-mail address and not forwarding to it. Sad.

Read more here...

http://www.computerperformance.co.uk/exchange2003/exchange2003_NDR.htm

Please post back if you have any more problems or questions.

Still facing issues

by benjamin.egas In reply to Read more here...

Hello All,

Once again with the same issues. This is driving me mad.

Multiple systems are showing symptoms, yet they do not have viruses or ad/mal/spy-ware. I have scanned them with numerous utilities and scanners; all have come back clean.

We have a server running GFI Anti-spam utilities and an Exchange server with a connector to the GFI box. I am no Exchange guru, but from what I can see I can not find any faults with the setup.

Thoughts, ideas ... help?!

Thank you,

Benjamin Egas

It probably is not your systems doing it.... Welcome to the REAL world!

by ThumbsUp2 In reply to Still facing issues

More than likely, as previously stated, a spammer has gotten ahold of your email addresses and is spoofing your addresses (pretending to be one or more of your people) to send their spam out. When one of these spams gets bounced by the intended recipient, it gets returned back to your people because that is the email address the spammer put into his return email address when the spam was sent.

So, get over it. Just delete them when you receive them. We all get them each and every day. Aside from joining an anti-spam movement, there's nothing you can do except to change the email addresses of everyone in your company. Besides the obvious problems with that approach, it will only slow down the bounced emails until the spammers figure out your new addresses.
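
One way to tell the two explanations in this thread apart (a spoofed return address versus a machine that really is sending), shown as an added example that is not part of the original posts: many NDRs carry the bounced message's headers back, and its `Received` chain shows whether the mail ever passed through your own server. The host names in `OUR_HOSTS` and the sample NDR are constructed placeholders.

```python
import email
from email import policy

# Assumed names/IPs of our own outbound relays (hypothetical values).
OUR_HOSTS = ("mail.example.com", "192.0.2.10")

# Constructed sample NDR: the embedded original never passed through OUR_HOSTS.
SAMPLE_NDR = """\
From: MAILER-DAEMON@mx.recipient.example
To: manager@example.com
Subject: Undeliverable: hello
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: message/delivery-status

Final-Recipient: rfc822; nobody@recipient.example
Status: 5.1.1

--b1
Content-Type: text/rfc822-headers

Received: from unknown-host.invalid ([203.0.113.77])
 by mx.recipient.example; Mon, 1 Jan 2024 00:00:00 +0000
From: manager@example.com
Subject: hello

--b1--
"""

def embedded_original(ndr):
    """Return the bounced message (or just its headers) carried in the NDR."""
    for part in ndr.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            return part.get_payload(0)
        if ctype == "text/rfc822-headers":
            return email.message_from_string(part.get_content(), policy=policy.default)
    return None

def classify_ndr(raw, our_hosts=OUR_HOSTS):
    """'backscatter', 'sent-via-our-server', or 'unknown' if no headers came back."""
    orig = embedded_original(email.message_from_string(raw, policy=policy.default))
    hops = [str(h).lower() for h in orig.get_all("Received", [])] if orig else []
    if not hops:
        return "unknown"
    ours = any(host.lower() in hop for hop in hops for host in our_hosts)
    return "sent-via-our-server" if ours else "backscatter"
```

`Received` lines written by hosts you do not control can be forged, so a "sent-via-our-server" result should be confirmed against your own server's message tracking logs before treating a workstation as infected.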

It's possible that his email address is being spoofed.

by robo_dev In reply to Return of the Viruses

So it's possible that his machine is not infected at all.

Two online scanners that are pretty good:
TrendMicro Housecall or Panda
http://housecall.trendmicro.com/
www.pandasecurity.com

Is the email name a pretty simple one? Maybe a spammer is just spoofing his address?

Sometimes if the user sent email to somebody else who is infected, then their address was harvested from there.

Forum article below>> "One exchange user is getting spammed with NDR messages"
http://forums.techarena.in/showthread.php?t=943091

Confidence Check - Some Tools

by IC-IT In reply to Return of the Viruses

There are a few very good tools that will allow you to determine startup items (and more).
Use Spybot Search and Destroy (Free, beware of imitators) in advanced mode. Also check BHOs and ActiveX (Tools Tab).
Autoruns and/or Process Explorer.

This might be of help towards your e-mail issue...

http://searchexchange.techtarget.com/tip/0,289483,sid43_gci1114103,00.html

Please post back if you have any more problems or questions.
