Skip to main content

Excessive messages with virus

More
20 years 5 months ago #4452 by SABS9993
Let me just say this site is terrific for knowledge on networking and security. Now my problem.

I manage a Exchange server for about 150 users. We use Scanmail from Trend Micro scan for viruses and filter unfriendly attachments. Every day in the logs I get about 200-300 entries stating that it has picked up and blocked emails with the BAGLE.GEN-1 or Netsky.P virus. Most of these emails come from obviously spoofed email addresses like postmaster@mydomain.com and unknownuser@mydomain.com. All clients have antivirus software on them and for the most part they are clean. I am wondering why I am getting so many viruses directed at my mail server. These messages seem to be directed at some users more than others. I am almost sure no one in my network has been infected. We have always got these messages but now the volume seems very high. I am just looking for some theories on why this is happening.

Thanks
:?
More
20 years 5 months ago #4453 by jhun
hi

well you're not alone in this one..i manage an exchange email server too. well since viruses today are very smat and well-engineered, they have the capability to "seek out and destroy". this means that since your email server has all the addresses and contacts within your network, once a virus attached as an email manages to find your domain and scans the whole directory of your email server, then it will have the ability to recreate itself enclosed within emails and then send them to your recipients.

this happens since your recipients as well have contact outside your domain/network that they send and receive email with almost everyday and you do not know if the ones they are sending/receiving email to are clean of viruses. some viruses uses legitimate email addresses and some uses spoof.

also, you may know it, but other viruses are very well crafted and that they sometimes make use of your own email server as a means to spread using the email addresses located within your server.

you may not be aware of it but other networks that are receiving email from your domain might have as well been sent with attachments containing viruses too.

the best practice to do is to always an updated AV in your server and clients as well. Also regular updates to MS since you are using Exchange.

there is also another way to prevent viruses coming into your network via emails is by using a mail relay server which is a server that handles email traffic externally. in this way you could filter out legitimate emails from the infected ones.

i believe that there is a tutorial with regards to this one and it is located at www.msexchange.org

there are also lots of tutorials within this site on how to secure your exchange server.

hope that this may have help you in some ways.
More
20 years 5 months ago #4475 by SABS9993
Thanks for the advice Jhun. We currently use a hosting company to filter our emails before sending them to our mail server and we scan them again when they get to our server. This seems to be working out ok. However I am seeing many massages being spoofed from address within my domain to internal users. This has me a little worried. Maybe someone in my network is infected and generating these emails? So far I have not tracked them down.
Time to create page: 0.135 seconds