Actually this was happening all weekend. I was chasing my tail so hard I didn't think to e-mail this list until Monday. Lesson learned.
Just to wrap up: thanks to Glen, Scott, Thomas, and anyone else who suggested the spam was coming from OWA via phished accounts. I looked at the IIS logs on the OWA server and found entries like this: ... GET /exchange/bob.smith/Drafts/ Cmd=new 443 bsmith x.x.x.x Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+InfoPath.2;+Crazy+Browser+3.0.3)... Which I suppose shows new e-mails being created in the Drafts folder. Any advice regarding interpreting these logs would be welcome. After changing the affected user's passwords I think we are in the clear. Exchange queues are quiet since yesterday. We publish OWA via ISA Server, so the OWA logs only the address of the ISA Server. We checked our firewall logs and found quite a bit of traffic to OWA from Nigeria & India. We're in Tennessee, so we are able to block those addresses as we won't have any legitimate traffic from them. Based on the agent string above, I told URLScan to block Crazy Browser (http://www.crazybrowser.com/). I wonder how many other browsers there are I've never even heard of. Now I need to consider some kind of outbound anti-spam, figure out some scripting to notify me if the queues get out of hand, and get off all the blacklists I'm on. ------------------------------------------ From: richardmccl...@aspca.org [mailto:richardmccl...@aspca.org] Sent: Monday, August 02, 2010 2:50 PM To: NT System Admin Issues Subject: RE: malware that creates Outlook rules We're a Lotus Notes shop using Postini as a relay, if it makes any difference... We had one desktop system here, and a few in NYC, where spam as being spewed out. This actually had nothing at all to do with Domino/Lotus but rather a rogue SMTP server which got snuck onto some workstations. We were able to track this down by monitoring SMTP traffic through our firewall. All SMTP traffic was to be comming from only one IP at each location, and it was all supposed to be directed to our Postini host. At least yours does not seem to be happening on a weekend... -- Richard D. McClary Systems Administrator, Information Technology Group ASPCA® 1717 S. Philo Rd, Ste 36 Urbana, IL 61802 richardmccl...@aspca.org P: 217-337-9761 C: 217-417-1182 F: 217-337-9761 www.aspca.org The information contained in this e-mail, and any attachments hereto, is from The American Society for the Prevention of Cruelty to Animals® (ASPCA®) and is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail, you are hereby notified that any dissemination, distribution, copying or use of the contents of this e-mail, and any attachments hereto, is strictly prohibited. If you have received this e-mail in error, please immediately notify me by reply email and permanently delete the original and any copy of this e-mail and any printout thereof. "Osborne, Richard" <richard.osbo...@wth.org> wrote on 08/02/2010 02:40:09 PM: > I have been monitoring the Exchange queues. It's the only way I can > tell when it is happening. I found the aqadmcli.exe utility and > have been using it to clean the queues (aqadmcli "delmsg > flags=SENDER,sender=bob.sm...@wth.org". > > I'll check the OWA logs ASAP. > > Assuming I have had three users reply to phishing e-mails, is there > anything to fix besides changing their passwords? > > Thanks everyone for the suggestions. > > -----Original Message----- > From: Glen Johnson [mailto:gjohn...@vhcc.edu] > Sent: Monday, August 02, 2010 2:35 PM > To: NT System Admin Issues > Subject: RE: malware that creates Outlook rules > > Also check those exchange smtp queues. > If it is compromised accounts the spammers can send spam via you owa > faster than your exchange server can process so it will get backed > up so disabling accounts or changing passwords wont stop it until > the queues are emptied. > > > -----Original Message----- > From: Osborne, Richard [mailto:richard.osbo...@wth.org] > Sent: Monday, August 02, 2010 3:32 PM > To: NT System Admin Issues > Subject: RE: malware that creates Outlook rules > > I'm glad I'm not the only sufferer! > > I'll try and answer the other questions that were asked: > > 1) yes, the spam continued even with the user's account disabled and > their PC powered off > 2) yes, only our Exchange server can send SMTP to the Internet > 3) my OWA servers are clean according to VIPRE & MalwareBytes > > So far this has hit 3 users (out of ~5000). I have not seen any > spam sent in the last 5 hours but I don't have any confidence that I > have found the source. Maybe there's a PC with a high-privileged > account that has been compromised and is sending out spam runs on a > schedule? Currently I am getting up-to-date on patches on all my > Exchange boxes. > > -----Original Message----- > From: Thomas Mullins [mailto:tsmull...@wise.k12.va.us] > Sent: Monday, August 02, 2010 2:17 PM > To: NT System Admin Issues > Subject: RE: malware that creates Outlook rules > > We are having a similar issue. We changed the users password, and > since that user is in a meeting, we turned his machine off. Looks > like it has to be coming from OWA. Here is some info from an error > message our external MTA sent to me (our Exchange guys are looking > into the matter): > > Transcript of session follows. > > Out: 220 mail3.wise.k12.va.us ESMTP > In: EHLO mail.wise.k12.va.us > Out: 250-mail3.wise.k12.va.us > Out: 250-PIPELINING > Out: 250-SIZE 800000000 > Out: 250-VRFY > Out: 250-ETRN > Out: 250-ENHANCEDSTATUSCODES > Out: 250-8BITMIME > Out: 250 DSN > In: MAIL FROM:<jev...@wise.k12.va.us> SIZE=1163 > Out: 250 2.1.0 Ok > In: RCPT TO:<fox2...@naseej.com> > Out: 250 2.1.5 Ok > In: RCPT TO:<khale...@naseej.com> > Out: 250 2.1.5 Ok > In: RCPT TO:<aboshw...@naseej.com> > Out: 250 2.1.5 Ok > In: RCPT TO:<abdul...@naseej.com> > Out: 250 2.1.5 Ok > In: RCPT TO:<bm...@naseej.com> > Out: 250 2.1.5 Ok > In: RCPT TO:<saltm...@naseej.com> > Out: 250 2.1.5 Ok > In: RCPT TO:<aarr1...@naseej.com> > Out: 250 2.1.5 Ok > In: RCPT TO:<se...@naseej.com> > Out: 250 2.1.5 Ok > In: RCPT TO:<sanad1...@naseej.com> > Out: 250 2.1.5 Ok > In: RCPT TO:<kham1...@naseej.com> > Out: 250 2.1.5 Ok > In: RCPT TO:<adi...@naseej.com> > Out: 250 2.1.5 Ok > > Shane > > > -----Original Message----- > From: Roger Wright [mailto:rhw...@gmail.com] > Sent: Monday, August 02, 2010 2:35 PM > To: NT System Admin Issues > Subject: Re: malware that creates Outlook rules > > Is your firewall set to only allow SMTP (port 25) traffic from your > Exchange server? > > > Die dulci fruere! > > Roger Wright > ___ > > > > > On Mon, Aug 2, 2010 at 2:21 PM, Osborne, Richard <Richard. > osbo...@wth.org> wrote: > > I disabled their accounts and it didn't help. > > > > > > -----Original Message----- > > From: Roger Wright [mailto:rhw...@gmail.com] > > Sent: Monday, August 02, 2010 1:09 PM > > To: NT System Admin Issues > > Subject: Re: malware that creates Outlook rules > > > > Have you had the users change their passwords yet? > > > > > > Die dulci fruere! > > > > Roger Wright > > ___ > > > > > > > > > > On Mon, Aug 2, 2010 at 1:46 PM, Osborne, Richard > > <richard.osbo...@wth.org> wrote: > >> Has anyone seen malware that creates an Outlook rule that moves all > >> new mail to Deleted Items and then sends out a bunch of spam? I have > >> a few users that have been hit with something I can't find. I > >> scanned the PCs with VIPRE, MalwareBytes, & Symantec's online scanner > >> and didn't find anything. Then I turned off the PCs and something is > >> still accessing their mailboxes. I scanned the Exchange server also. > >> I am not seeing anything in Exchange User Monitor or Windows Security > >> logs and our network guys say they don't see any unusual traffic to > >> our Exchange server. > >> > >> Google finds a couple of people reporting the same thing but no > >> resolution. > >> > >> Windows XP SP2 clients with Outlook 2002 & 2003; Exchange Server 2003 > >> SP2 on Server 2003 SP1. > >> > >> Thanks for any ideas. > >> > >> > >> > >> Richard Osborne > >> Information Systems > >> Jackson-Madison County General Hospital > >> > >> NOTICE: (1) The foregoing is not intended to be a legally binding or > >> legally effective electronic signature. (2) This message may contain > >> legally privileged or confidential information. If you are not the > >> intended recipient of this message, please so notify me, disregard > >> the foregoing message, and delete the message immediately. I > >> apologize for any inconvenience this may have caused. ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~