Unknown users w/virus sending mail to 5.5 server - sender unknown

I am having a problem where I think I have a virus (novarg) loose within my network and some user/computer that has an account on my Exchange 5.5 server is bombarding virus attachments to my Exchange 5.5 server. Even though my Norton AV for Exchange 2.1 is finding and blocking them I still want to know who is sending them. The problem is the "sender" and the "recipient" are listed as UNKNOWN for most. Some emails do have a name in the "sender" and "recipient" but I am afraid the "To" and "From" are being spoofed by the virus. Most of the email header (option) information is empty. I am unsure of the true sender or recipient.

Is this a limitation of Exchange 5.5's logging? Why (could someone explain)? Would I have that "UNKNOWN" sender problem with Exchange 2000 or 2003? Does 2003 do a better job at diagnostics and logging?

I am hoping to sell my company on upgrading to 2003 based on the vast security improvements on 2003. But is this the case?

p.s. I saw the post about the [ IMS Diagnostic Logging tab, turn on SMTP Protocol logging ]  I will use this to trace down my offender(s) for the time being.
0
anonymous (74725)
2/7/2004 9:56:05 AM
exchange.admin

You could stop the IMC and see if the AV stops alerting and if so the mail
isn't from an internal infected MAPI client.

Make sure MAPI/VAPI combination mode is enabled and not just VAPI.

Norton AntiVirus 2.12 for Microsoft Exchange                README.TXT

Limitations due to VAPI technology
----------------------------------
VAPI does not offer a great level of detail when it comes to
determining the source of an attachment with an infection.  The only
information that will be reported is the attachment name.  There
will be no information about the sender, recipient, message subject,
or message location.  These limitations prevent NAVMSE from sending
notifications to the sender and recipients.

-- 
Hope that helps,
Dan Townsend

This posting is provided "AS IS" with no warranties, and confers no rights.
Please do not send email to this address, post a reply to this newsgroup.

Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm



0
dtown (976)
2/7/2004 10:18:42 AM
"KenS" <anonymous@discussions.microsoft.com> wrote:

>I am having a problem where I think I have a virus (novarg) loose within my network and some user/computer that has an account on my Exchange 5.5 server is bombarding virus attachments to my Exchange 5.5 server. Even though my Norton AV for Exchange 2.1 is finding and blocking them I still want to know who is sending them. The problem is the "sender" and the "recipient" are listed as UNKNOWN for most. Some emails do have a name in the "sender" and "recipient" but I am afraid the "To" and "From" are being spoofed by the virus. Most of the email header (option) information is empty. I am unsure of the true sender or recipient.
>
>Is this a limitation of Exchange 5.5's logging? 

No, the SMTP Protocol Logs would show you from which machine the
connection originated. Trying to figure out the origin of an SMTP
message by looking at the easy-to-forge MAIL FROM and "From:" headers
is just plain silly.

>Why (could someone explain)? Would I have that "UNKNOWN" sender problem with Exchange 2000 or 2003? Does 2003 do a better job at diagnostics and logging?

Blame SMTP for the problem. Blame Exchange for being a poor SMTP
gateway choice (no matter what release you use). Exchange 5.5 is using
stuff that was conceived in 1996/7 to fight spamming techniques in
2004. Exchange 2000 made some steps in the right direction (as did
Exchange 2003), but when the answer to everything is "you can create
an event/protocol sink" or "you can buy 3rd-party software to do
that", it's pretty obvious that Exchange (or the plain IIS SMTP
service) was NOT designed to operate while exposed to the Internet.

If you're truly serious about doing something about junk mail, stand
up an old machine and install Linux/FreeBSD/NetBSD and postfix. Even
with that, and little else, you can make a significant dent in the
amount of junk mail flowing into your organization, and do it at
little cost, and there's no programming required. If you want more
protection you can add other filters (SpamAssassin, MIMEDefang, etc.)
at no cost. While software like SpamAssassin is free, keep in mind
that it's free for the spammers to use, too. They can craft a message
and run it through the same filters you do, and they can change it
until it passes those filters. But it's still better than what's
available in an out-of-the-box Exchange installation.

>I am hoping to sell my company on upgrading to 2003 based on the vast security improvements on 2003. But is this the case?

By all means, move to Exchange 2003. Whether you can justify that cost
or not is up to you. Doing so means moving away from NT4's PDC/BDC/SAM
stuff and upgrading to Active Directory. You may find that easy to do,
or not. But the AD is a whole lot better than NT4's SAM databases, and
not having two directories to manage (NT4 and Exchange 5.5) can make a
big difference in your admin costs. If Exchange 5.5 is working for you
now though, you may have a hard time convincing the folks that control
the purse-strings to spend the money. It's not hard to cost-justify
the move, but it means spending money to save money.

>p.s. I saw the post about the [ IMS Diagnostic Logging tab, turn on SMTP Protocol logging ]  I will use this to trace down my offender(s) for the time being.

That's exactly where you want to be doing this sort of investigation.
:)

-- 
Rich Matheisen
MCSE+I, Exchange MVP
MS Exchange FAQ at http://www.swinc.com/resource/exch_faq.htm
0
richnews (7316)
2/7/2004 4:35:25 PM
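
An added example, not part of the original thread: the attribution approach described in the reply above, keyed on the connecting machine recorded in an SMTP protocol log rather than on the forgeable MAIL FROM value. The log layout, field names, addresses and thresholds are constructed for illustration and are not the actual Exchange 5.5 IMS log format, so the regular expressions need adapting to the real log.

```python
import re
from collections import defaultdict

# Constructed sample in a simplified, hypothetical layout (NOT the real
# Exchange 5.5 IMS format): timestamp, session id, peer IP, SMTP command.
SAMPLE_LOG = """\
2004-02-07 09:41:02 s=101 peer=10.0.0.23 MAIL FROM:<alice@example.com>
2004-02-07 09:41:02 s=101 peer=10.0.0.23 RCPT TO:<bob@example.com>
2004-02-07 09:41:05 s=102 peer=10.0.0.57 MAIL FROM:<carol@example.net>
2004-02-07 09:41:06 s=103 peer=10.0.0.57 MAIL FROM:<dave@example.org>
2004-02-07 09:41:09 s=104 peer=10.0.0.23 MAIL FROM:<alice@example.com>
2004-02-07 09:41:10 s=105 peer=10.0.0.57 MAIL FROM:<erin@example.com>
2004-02-07 09:41:11 s=106 peer=192.0.2.10 MAIL FROM:<frank@example.net>
2004-02-07 09:41:12 s=107 peer=10.0.0.57 MAIL FROM:<alice@example.com>
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) s=(?P<sid>\d+) peer=(?P<peer>\S+) (?P<cmd>.+)$")
MAIL_RE = re.compile(r"^MAIL FROM:\s*<(?P<addr>[^>]*)>", re.IGNORECASE)


def summarize(log_text):
    """Count SMTP transactions per connecting IP.

    The peer address comes from the TCP connection, so it is the field to
    attribute on. The MAIL FROM address is kept only as a claimed identity.
    """
    stats = defaultdict(lambda: {"messages": 0, "senders": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        mail = MAIL_RE.match(m["cmd"])
        if mail:
            entry = stats[m["peer"]]
            entry["messages"] += 1
            entry["senders"].add(mail["addr"].lower())
    return stats


def suspects(stats, min_messages=3, min_senders=3):
    """Peers sending many messages under many different envelope senders.

    One workstation claiming several unrelated senders is the pattern a
    mass-mailer with spoofed addresses leaves; thresholds are assumptions.
    """
    hits = [(peer, s["messages"], len(s["senders"]))
            for peer, s in stats.items()
            if s["messages"] >= min_messages and len(s["senders"]) >= min_senders]
    return sorted(hits, key=lambda h: (-h[1], h[0]))


if __name__ == "__main__":
    for peer, msgs, senders in suspects(summarize(SAMPLE_LOG)):
        print(f"{peer}: {msgs} messages, {senders} distinct MAIL FROM values")
```

In the constructed sample, `alice@example.com` appears as a claimed sender from two different machines, which is why the tally is per peer address and not per sender.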