
Possible virus?

Status
Not open for further replies.

Gufs99 (MIS), Jun 19, 2003, US
Here's one for you. Maybe you can help me stop from banging my head against the wall on this one...

First my network stats: NT4 domain with Windows 2000 and a few remaining NT workstations using Outlook 2000 for e-mail. No XP or 9x clients. We are a geographically separated military unit with our own subnet. I have one Exchange 5.5 server that replicates all inbound/outbound mail traffic to our main base which serves as the SMTP gateway. One NT4 BDC. We use McAfee VSE 7.0 on the workstations, McAfee GroupShield 4.5 (I believe) for Exchange on the mail server and EPO to manage it all. We're all patched up to DOD specs as well.

Now, I had one user send an e-mail out to a distribution list one time. The e-mail did not have an attachment, but did have a bit of PGP "code" at the bottom of the message. I don't know enough about PGP to determine if this is my problem. But anyway, now the message seems to be bouncing back and forth between two users in that distribution list and sending out to the group. But the users claim not to be sending the e-mail. As a matter of fact it doesn't even show in their mailboxes. They aren't using a forwarder of any kind either. But my Exchange server and GroupShield are picking it up as being infected with a virus with an attachment (infected.msg). But it doesn't say what virus it is infected with, deletes the message and sticks the attachment in the quarantine. I've scanned and overly scanned everyone on that distribution list's workstations with the latest defs, Stinger worm removal/scanner tool, and checked for the files and registry entries the latest worms have been creating. Nothing at all unusual found. I did a sniff with our Fluke appliance on the originator of the message and a few others in the list for any SMTP (port 25 or 110) traffic and there is none. I'm still getting these hits though from GroupShield, about 5-10 an hour. I don't think that Outlook/Exchange is sending these messages.

Anyone have any other ideas that I might have missed?

Thanks in advance

Jake
 
The problem with virii like SoBig is they spoof the return address. This means that someone outside of your network has one (or more) of your user e-mail address(es). This unknown person is infected. The virus on the infected machine is sending itself to everyone in the infected machine's address book using your address(es) as the return address. The result is the infected mail is getting caught by another machine and returned to you saying it is infected.

If you are fully patched and have your AV up to date, it is unlikely you are infected. Unfortunately, you have to bear the results of someone else's failure. Sometimes you can get lucky and the returned email will have the original header. If so, you can sometimes track where the original sender is via whois. Most likely though, it is probably an ISP's dial-up account making it difficult to find the one responsible (or irresponsible as the case may be :-( ).

James P. Cottingham

When a man sits with a pretty girl for an hour, it seems like a minute. But let him sit on a hot stove for a minute and it's longer than any hour. That's relativity.
Albert Einstein explaining his Theory of Relativity to a group of journalists.
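The check the reply describes (read the original message's headers out of the returned mail instead of trusting its From: line), as an added example that is not part of the original thread: it pulls the attached original out of a bounce with Python's email module, takes the oldest Received hop as the host that actually handed the message into the mail system, and tests whether that host sits inside your own subnet, which is what tells you whether the infection could be yours. The bounce text, hostnames, addresses and the 203.0.113.0/24 network are constructed placeholders; the whois lookup on the resulting IP is left to the reader.

```python
import ipaddress
import re
from email import message_from_string
from email.policy import default

# Constructed bounce (hosts, addresses, IPs are placeholders): the remote site's
# scanner rejected a message "from" our user and attached the original intact.
BOUNCE = """\
From: Mail Delivery System <postmaster@remote.example.org>
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: message/rfc822

Received: from mx.remote.example.org (mx.remote.example.org [192.0.2.10])
\tby mail.remote.example.org; Thu, 19 Jun 2003 10:02:01 -0400
Received: from dialup-77.isp.example.net (dialup-77.isp.example.net [198.51.100.77])
\tby mx.remote.example.org; Thu, 19 Jun 2003 10:01:58 -0400
From: jsmith@unit.example.mil
To: someone@remote.example.org
Subject: Re: Approved

Please see the attached file.
--b1--
"""

RECEIVED_FROM = re.compile(r"^from\s+(\S+).*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.S)

def embedded_original(bounce_text):
    """The message/rfc822 part a bounce attaches, or None if it kept no headers."""
    for part in message_from_string(bounce_text, policy=default).walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None

def received_hops(original):
    """(host, ip) from each Received header's 'from host [ip]' clause, newest first."""
    matches = (RECEIVED_FROM.match(str(h)) for h in original.get_all("Received", []))
    return [(m.group(1), m.group(2)) for m in matches if m]

def analyze_bounce(bounce_text, own_networks):
    """Spoofable From: address vs. the oldest Received hop; is that hop ours?"""
    original = embedded_original(bounce_text)
    hops = received_hops(original) if original is not None else []
    if not hops:
        return None  # no original headers survived, nothing to trace
    host, ip = hops[-1]  # oldest hop: the host that actually injected the message
    internal = any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in own_networks)
    return {"claimed_sender": str(original.get("From", "")), "origin_host": host,
            "origin_ip": ip, "internal": internal}
```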
 