One user Spamming?

[SeanAIX430]

I usually take a look at my queues to see if things are getting hung up and showing an impending crash. Recently I've noticed that one user account is sending emails out to non-existant strange email addresses. These aren't NDR's, but when I checked that users outlook the messages weren't in the sent items folder. In searching on this forum I saw that it might be the Sober Virus, so I used the symantec removal tool on that machine but it wasn't found. So I'm still at a loss. I have checked before and I don't have an open relay, plus it's just one valid user unknowingly sending the emails. Any ideas? Thanks

 

[Zelandakh]

Is that user allowed to relay?
Is that user infected on their client?

 

[markdmac]

Sober isn't the only SPAM generating virus, so I would try doing an online scan using Trend Micro.

As Zelandakh suggested, verify that the user can not relay and turn that off if they can.

At this point you need to look at testing with a different AV as your Symantec may not be able to detect whatever is on hte box.

I would also recommend that in addition to checking the AV you should also download and install the beta for Microsoft Anti-Spyware to make sure there is nothing else you need to worry about.

I hope you find this post helpful.

Regards,

Mark

 

[SeanAIX430]

I will go ahead and scan her PC for infections, but she is a limited user account as are all my users. Which is great by the way! So I don't know how to check to see if her account is relay enabled. Thanks

Another item: I see that postmaster@mydomain.com is sending NDR's out even though I went through ESM and unchecked the send NDR's?

I have GFI setup too and am wondering why it checks outgoing emails and if I can turn that off?
Thanks

 

[markdmac]

You need to look on the Relay Permissions on the SMTP server. Normally you will have it checked to allow all workstations that authenticate to relay. Uncheck that.

I hope you find this post helpful.

Regards,

Mark