Possible virus?

[usuallyconfused]

At just the same time that the MyDoom virus first came out a couple of weeks ago, we started getting more and more failed messages into the Administrators account and at its peak, we were getting over 30,000 a day. We are still getting 4-5,000 and I have run every bit of anti-virus software I can find and checked for mail relaying, but it does not seem to be internal.

The messages are of two forms, with either:

>Subject: Notification: Inbound Message Failure

>The following recipients did not receive the attached mail. Reasons are
> listed with each recipient:
>
> <bslombabslomba@CIS.NET> bslombabslomba@CIS.NET
> MSEXCH:IMS:APW:WEYBRIDGE:SERVER 3550 (000B099C) 550 5.1.1
> <bslombabslomba@CIS.NET> User unknown; rejecting
>
> The message that caused this notification was:
>
> <<bslomba: CIA`LIS is taken ab0ut half an hour bef0re any sexua1l a
> ctlv1ty begins!>>

or

>Notification: Outbound Message Failure

>A mail message was not sent because the maximum time for delivery has
> expired. The message was not delivered to the following addresses:
>
> The message that caused this notification was:
>
>
> To: <death101death101@KX100.NET>
> From: <>
> Subject: Undeliverable: death101: GV-P|romax ls Cheap1y
> V1gr|a,gener1c brand ls 60% cheaper
>

Can anyone tell me for certain if we are generating them and what is going on? Thanks.

 

[Marcs41]

Just check the original header for Ip address, if it is not yours, it does not come from you.
The virus used mail-spoofing, so you will get all the returns.
It is very annoying, but besides filtering there is not much you can do about it.

If they come as an NDR to a non-existing user, intervept those NDR's and redirect them.
but, also turn OFF your NDR's to the internet, or it will never stop!

If they come to an existing user, you may need to change that user's address to make it stop, how annoying it may be, it's the only way.

Marc
[sub]If 'something' 'somewhere' gives 'some' error, expect random guesses or no replies at all. Please specify details.
Free Tip: The F1 Key does NOT destroy your PC![/sub]
How Do I Get Great Answers To my Tek-Tips Questions? See faq219-2884

 

[usuallyconfused]

Thanks marcs41.

It certainly appears that they do not come from us. I will ensure that NDR are turned off and see how we go.

 

[Valier]

Hi

I have the same problem, and I guess I´m not the only one. How do I turn off the NDR´s?

Valier
Stockholm, Sweden

 

[usuallyconfused]

If you open Exchange Admin and select Configuration - Connections on the left hand side and then double-click on Internet Mail Service on the right hand side, you can set the Notifications on the Internet Mail tab.

However, if your system is infected and sending out emails, then unless you have the notifications on, you will never know until you are cut off by your ISP - as did eventually happen to us.

We did eventually sort it, although I cannot say 100% that we know what the problem was. We decided that it must have been some kind of relaying, so we checked all the settings - search in Google on NT relaying and you will find lots of stuff - but also made sure we cleared the outgoing queue - also in the dialog box mentioned above. It took some time to clear and did not appear to delete entries when you asked it too, but a bit of stopping , starting and rebooting eventually did it.