And just after I sent this the light came on, Google Voice should do UM.
I'd let google handle voice mail, email and anything else they want to give to 
the students.

-----Original Message-----
From: Glen Johnson [mailto:gjohn...@vhcc.edu] 
Sent: Tuesday, August 03, 2010 7:42 AM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Not sure on the UM questions.
Not an issue here as we don't have student housing or provide phones for them.
I'm betting that it is possible though.


-----Original Message-----
From: Crawford, Scott [mailto:crawfo...@evangel.edu]
Sent: Monday, August 02, 2010 5:46 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Yeah, it's on the investigate list.  It does happen with staff on occasion too, 
but not nearly as much as students.

The major outstanding question I have is how to do Unified Messaging with 
Exchange if the mailbox is outsourced? It's prolly something simple, but I just 
haven't looked into it yet.

-----Original Message-----
From: Glen Johnson [mailto:gjohn...@vhcc.edu]
Sent: Monday, August 02, 2010 3:14 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Ah ha.
Didn't notice the .edu addy.
In that case, I would seriously investigate outsourcing that to MS or Google.
The entire Va. Community College System went with Google for student email and 
so far it has worked really well.
Can't beat the cost too.  Zero and the student gets to keep their same email as 
long as they want it.  No advertisements in their account while they are 
students.  No backups, spam, outages and all that other support headaches for 
me.  Great big plus.


-----Original Message-----
From: Crawford, Scott [mailto:crawfo...@evangel.edu]
Sent: Monday, August 02, 2010 4:05 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Yeah, that sounds nice except we have 2000 students with an average of 500 new 
ones every year so our major issue isn't repeat offenders.

-----Original Message-----
From: Glen Johnson [mailto:gjohn...@vhcc.edu]
Sent: Monday, August 02, 2010 2:51 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

When this happened here, we disabled their email account until they completed 
our security awareness training, for the second time.
With supervisors complete support.

-----Original Message-----
From: Osborne, Richard [mailto:richard.osbo...@wth.org]
Sent: Monday, August 02, 2010 3:40 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

I have been monitoring the Exchange queues.  It's the only way I can tell when 
it is happening.  I found the aqadmcli.exe utility and have been using it to 
clean the queues (aqadmcli "delmsg flags=SENDER,sender=bob.sm...@wth.org".

I'll check the OWA logs ASAP.

Assuming I have had three users reply to phishing e-mails, is there anything to 
fix besides changing their passwords?

Thanks everyone for the suggestions.

-----Original Message-----
From: Glen Johnson [mailto:gjohn...@vhcc.edu]
Sent: Monday, August 02, 2010 2:35 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Also check those exchange smtp queues.
If it is compromised accounts the spammers can send spam via you owa faster 
than your exchange server can process so it will get backed up so disabling 
accounts or changing passwords wont stop it until the queues are emptied.


-----Original Message-----
From: Osborne, Richard [mailto:richard.osbo...@wth.org]
Sent: Monday, August 02, 2010 3:32 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

I'm glad I'm not the only sufferer!

I'll try and answer the other questions that were asked:

1) yes, the spam continued even with the user's account disabled and their PC 
powered off
2) yes, only our Exchange server can send SMTP to the Internet
3) my OWA servers are clean according to VIPRE & MalwareBytes

So far this has hit 3 users (out of ~5000).  I have not seen any spam sent in 
the last 5 hours but I don't have any confidence that I have found the source.  
Maybe there's a PC with a high-privileged account that has been compromised and 
is sending out spam runs on a schedule?  Currently I am getting up-to-date on 
patches on all my Exchange boxes.

-----Original Message-----
From: Thomas Mullins [mailto:tsmull...@wise.k12.va.us]
Sent: Monday, August 02, 2010 2:17 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

We are having a similar issue.  We changed the users password, and since that 
user is in a meeting, we turned his machine off.  Looks like it has to be 
coming from OWA.  Here is some info from an error message our external MTA sent 
to me (our Exchange guys are looking into the matter):

Transcript of session follows.

 Out: 220 mail3.wise.k12.va.us ESMTP
 In:  EHLO mail.wise.k12.va.us
 Out: 250-mail3.wise.k12.va.us
 Out: 250-PIPELINING
 Out: 250-SIZE 800000000
 Out: 250-VRFY
 Out: 250-ETRN
 Out: 250-ENHANCEDSTATUSCODES
 Out: 250-8BITMIME
 Out: 250 DSN
 In:  MAIL FROM:<jev...@wise.k12.va.us> SIZE=1163
 Out: 250 2.1.0 Ok
 In:  RCPT TO:<fox2...@naseej.com>
 Out: 250 2.1.5 Ok
 In:  RCPT TO:<khale...@naseej.com>
 Out: 250 2.1.5 Ok
 In:  RCPT TO:<aboshw...@naseej.com>
 Out: 250 2.1.5 Ok
 In:  RCPT TO:<abdul...@naseej.com>
 Out: 250 2.1.5 Ok
 In:  RCPT TO:<bm...@naseej.com>
 Out: 250 2.1.5 Ok
 In:  RCPT TO:<saltm...@naseej.com>
 Out: 250 2.1.5 Ok
 In:  RCPT TO:<aarr1...@naseej.com>
 Out: 250 2.1.5 Ok
 In:  RCPT TO:<se...@naseej.com>
 Out: 250 2.1.5 Ok
 In:  RCPT TO:<sanad1...@naseej.com>
 Out: 250 2.1.5 Ok
 In:  RCPT TO:<kham1...@naseej.com>
 Out: 250 2.1.5 Ok
 In:  RCPT TO:<adi...@naseej.com>
 Out: 250 2.1.5 Ok

Shane


-----Original Message-----
From: Roger Wright [mailto:rhw...@gmail.com]
Sent: Monday, August 02, 2010 2:35 PM
To: NT System Admin Issues
Subject: Re: malware that creates Outlook rules

Is your firewall set to only allow SMTP (port 25) traffic from your Exchange 
server?


Die dulci fruere!

Roger Wright
___




On Mon, Aug 2, 2010 at 2:21 PM, Osborne, Richard <richard.osbo...@wth.org> 
wrote:
> I disabled their accounts and it didn't help.
>
>
> -----Original Message-----
> From: Roger Wright [mailto:rhw...@gmail.com]
> Sent: Monday, August 02, 2010 1:09 PM
> To: NT System Admin Issues
> Subject: Re: malware that creates Outlook rules
>
> Have you had the users change their passwords yet?
>
>
> Die dulci fruere!
>
> Roger Wright
> ___
>
>
>
>
> On Mon, Aug 2, 2010 at 1:46 PM, Osborne, Richard 
> <richard.osbo...@wth.org> wrote:
>> Has anyone seen malware that creates an Outlook rule that moves all 
>> new mail to Deleted Items and then sends out a bunch of spam?  I have 
>> a few users that have been hit with something I can't find.  I 
>> scanned the PCs with VIPRE, MalwareBytes, & Symantec's online scanner 
>> and didn't find anything.  Then I turned off the PCs and something is 
>> still accessing their mailboxes.  I scanned the Exchange server also.
>> I am not seeing anything in Exchange User Monitor or Windows Security 
>> logs and our network guys say they don't see any unusual traffic to 
>> our Exchange server.
>>
>> Google finds a couple of people reporting the same thing but no 
>> resolution.
>>
>> Windows XP SP2 clients with Outlook 2002 & 2003; Exchange Server 2003
>> SP2 on Server 2003 SP1.
>>
>> Thanks for any ideas.
>>
>>
>>
>> Richard Osborne
>> Information Systems
>> Jackson-Madison County General Hospital
>>
>> NOTICE:  (1) The foregoing is not intended to be a legally binding or 
>> legally effective electronic signature. (2) This message may contain 
>> legally privileged or confidential information.  If you are not the 
>> intended recipient of this message, please so notify me, disregard 
>> the foregoing message, and delete the message immediately.  I 
>> apologize for any inconvenience this may have caused.
>>
>>
>>
>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ 
>> <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~


~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ 
<http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~


~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ 
<http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~


~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ 
<http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~


~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ 
<http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~


~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ 
<http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~


~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ 
<http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~


~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ 
<http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~


~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ 
<http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

Reply via email to