Let me know if you have any questions - I deal with this stuff several times a 
week. 

Thanks,
Brian Desmond
br...@briandesmond.com

c   - 312.731.3132


-----Original Message-----
From: Crawford, Scott [mailto:crawfo...@evangel.edu] 
Sent: Tuesday, August 03, 2010 5:13 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

That's awesome. I look forward to playing with it.

-----Original Message-----
From: Brian Desmond [mailto:br...@briandesmond.com]
Sent: Tuesday, August 03, 2010 3:35 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Yep it's the same set of cmdlets you use for Exchange (as that's what l...@edu 
runs on). You can also use the OLSync ILM solution they offer. It's $500 + SQL 
Std for the ILM licensing but this will do GALSync from your existing 
AD/Exchange environment in to l...@edu. 

Thanks,
Brian Desmond
br...@briandesmond.com

c   - 312.731.3132


-----Original Message-----
From: Steven Peck [mailto:sep...@gmail.com]
Sent: Tuesday, August 03, 2010 3:30 PM
To: NT System Admin Issues
Subject: Re: malware that creates Outlook rules

Microsoft also has a similar program for EDUs for hosted mail.
http://www.microsoft.com/liveatedu/free-hosted-student-email.aspx

They have PowerShell cmdlets that work over the web for administrators, so there 
should be some ways to accomplish automation of a sort.

Steven Peck
http://www.blkmtn.org


On Tue, Aug 3, 2010 at 12:39 PM, Brian Desmond <br...@briandesmond.com> wrote:
> Most schools I've worked with either have something that plugs in to the 
> message bus of their ERP/SIS system for provisioning to outsourced services, 
> or, more frequently, they have a job which either scans an Oracle table every 
> so often or a batch job on the ERP side that dumps delta flat files and a 
> second job that picks them up and provisions to Google/etc.
>
> Thanks,
> Brian Desmond
> br...@briandesmond.com
>
> c   - 312.731.3132
>
>
> -----Original Message-----
> From: Glen Johnson [mailto:gjohn...@vhcc.edu]
> Sent: Tuesday, August 03, 2010 2:27 PM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
>
> I'm sure it is, and the Va. CC uses PeopleSoft for our Student Info 
> System (SIS) and so they worked together to create an automated process in 
> that, a student applies to the college, registers for classes and the next 
> day, they have the email account active.
> All this is done via the web.
> Maybe Google would work with your SIS vendor to create something similar.
>
> -----Original Message-----
> From: Crawford, Scott [mailto:crawfo...@evangel.edu]
> Sent: Tuesday, August 03, 2010 12:08 PM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
>
> Hmm, interesting. I like that. Of course, setting it up for all students 
> automatically might prove to be tricky.
>
> -----Original Message-----
> From: Glen Johnson [mailto:gjohn...@vhcc.edu]
> Sent: Tuesday, August 03, 2010 6:44 AM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
>
> And just after I sent this the light came on, Google Voice should do UM.
> I'd let Google handle voice mail, email and anything else they want to give 
> to the students.
>
> -----Original Message-----
> From: Glen Johnson [mailto:gjohn...@vhcc.edu]
> Sent: Tuesday, August 03, 2010 7:42 AM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
>
> Not sure on the UM questions.
> Not an issue here as we don't have student housing or provide phones for them.
> I'm betting that it is possible though.
>
>
> -----Original Message-----
> From: Crawford, Scott [mailto:crawfo...@evangel.edu]
> Sent: Monday, August 02, 2010 5:46 PM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
>
> Yeah, it's on the investigate list.  It does happen with staff on occasion 
> too, but not nearly as much as students.
>
> The major outstanding question I have is how to do Unified Messaging with 
> Exchange if the mailbox is outsourced? It's prolly something simple, but I 
> just haven't looked into it yet.
>
> -----Original Message-----
> From: Glen Johnson [mailto:gjohn...@vhcc.edu]
> Sent: Monday, August 02, 2010 3:14 PM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
>
> Ah ha.
> Didn't notice the .edu addy.
> In that case, I would seriously investigate outsourcing that to MS or Google.
> The entire Va. Community College System went with Google for student email 
> and so far it has worked really well.
> Can't beat the cost too.  Zero and the student gets to keep their same email 
> as long as they want it.  No advertisements in their account while they are 
> students.  No backups, spam, outages and all those other support headaches for 
> me.  Great big plus.
>
>
> -----Original Message-----
> From: Crawford, Scott [mailto:crawfo...@evangel.edu]
> Sent: Monday, August 02, 2010 4:05 PM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
>
> Yeah, that sounds nice except we have 2000 students with an average of 500 
> new ones every year so our major issue isn't repeat offenders.
>
> -----Original Message-----
> From: Glen Johnson [mailto:gjohn...@vhcc.edu]
> Sent: Monday, August 02, 2010 2:51 PM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
>
> When this happened here, we disabled their email account until they completed 
> our security awareness training, for the second time.
> With supervisors' complete support.
>
> -----Original Message-----
> From: Osborne, Richard [mailto:richard.osbo...@wth.org]
> Sent: Monday, August 02, 2010 3:40 PM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
>
> I have been monitoring the Exchange queues.  It's the only way I can tell 
> when it is happening.  I found the aqadmcli.exe utility and have been using 
> it to clean the queues (aqadmcli "delmsg 
> flags=SENDER,sender=bob.sm...@wth.org").
>
> I'll check the OWA logs ASAP.
>
> Assuming I have had three users reply to phishing e-mails, is there anything 
> to fix besides changing their passwords?
>
> Thanks everyone for the suggestions.
>
> -----Original Message-----
> From: Glen Johnson [mailto:gjohn...@vhcc.edu]
> Sent: Monday, August 02, 2010 2:35 PM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
>
> Also check those Exchange SMTP queues.
> If it is compromised accounts, the spammers can send spam via your OWA faster 
> than your Exchange server can process, so it will get backed up, so disabling 
> accounts or changing passwords won't stop it until the queues are emptied.
>
>
> -----Original Message-----
> From: Osborne, Richard [mailto:richard.osbo...@wth.org]
> Sent: Monday, August 02, 2010 3:32 PM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
>
> I'm glad I'm not the only sufferer!
>
> I'll try and answer the other questions that were asked:
>
> 1) yes, the spam continued even with the user's account disabled and 
> their PC powered off
> 2) yes, only our Exchange server can send SMTP to the Internet
> 3) my OWA servers are clean according to VIPRE & MalwareBytes
>
> So far this has hit 3 users (out of ~5000).  I have not seen any spam sent in 
> the last 5 hours but I don't have any confidence that I have found the 
> source.  Maybe there's a PC with a high-privileged account that has been 
> compromised and is sending out spam runs on a schedule?  Currently I am 
> getting up-to-date on patches on all my Exchange boxes.
>
> -----Original Message-----
> From: Thomas Mullins [mailto:tsmull...@wise.k12.va.us]
> Sent: Monday, August 02, 2010 2:17 PM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
>
> We are having a similar issue.  We changed the user's password, and since that 
> user is in a meeting, we turned his machine off.  Looks like it has to be 
> coming from OWA.  Here is some info from an error message our external MTA 
> sent to me (our Exchange guys are looking into the matter):
>
> Transcript of session follows.
>
>  Out: 220 mail3.wise.k12.va.us ESMTP
>  In:  EHLO mail.wise.k12.va.us
>  Out: 250-mail3.wise.k12.va.us
>  Out: 250-PIPELINING
>  Out: 250-SIZE 800000000
>  Out: 250-VRFY
>  Out: 250-ETRN
>  Out: 250-ENHANCEDSTATUSCODES
>  Out: 250-8BITMIME
>  Out: 250 DSN
>  In:  MAIL FROM:<jev...@wise.k12.va.us> SIZE=1163
>  Out: 250 2.1.0 Ok
>  In:  RCPT TO:<fox2...@naseej.com>
>  Out: 250 2.1.5 Ok
>  In:  RCPT TO:<khale...@naseej.com>
>  Out: 250 2.1.5 Ok
>  In:  RCPT TO:<aboshw...@naseej.com>
>  Out: 250 2.1.5 Ok
>  In:  RCPT TO:<abdul...@naseej.com>
>  Out: 250 2.1.5 Ok
>  In:  RCPT TO:<bm...@naseej.com>
>  Out: 250 2.1.5 Ok
>  In:  RCPT TO:<saltm...@naseej.com>
>  Out: 250 2.1.5 Ok
>  In:  RCPT TO:<aarr1...@naseej.com>
>  Out: 250 2.1.5 Ok
>  In:  RCPT TO:<se...@naseej.com>
>  Out: 250 2.1.5 Ok
>  In:  RCPT TO:<sanad1...@naseej.com>
>  Out: 250 2.1.5 Ok
>  In:  RCPT TO:<kham1...@naseej.com>
>  Out: 250 2.1.5 Ok
>  In:  RCPT TO:<adi...@naseej.com>
>  Out: 250 2.1.5 Ok
>
> Shane
>
>
> -----Original Message-----
> From: Roger Wright [mailto:rhw...@gmail.com]
> Sent: Monday, August 02, 2010 2:35 PM
> To: NT System Admin Issues
> Subject: Re: malware that creates Outlook rules
>
> Is your firewall set to only allow SMTP (port 25) traffic from your Exchange 
> server?
>
>
> Die dulci fruere!
>
> Roger Wright
> ___
>
>
>
>
> On Mon, Aug 2, 2010 at 2:21 PM, Osborne, Richard <richard.osbo...@wth.org> 
> wrote:
>> I disabled their accounts and it didn't help.
>>
>>
>> -----Original Message-----
>> From: Roger Wright [mailto:rhw...@gmail.com]
>> Sent: Monday, August 02, 2010 1:09 PM
>> To: NT System Admin Issues
>> Subject: Re: malware that creates Outlook rules
>>
>> Have you had the users change their passwords yet?
>>
>>
>> Die dulci fruere!
>>
>> Roger Wright
>> ___
>>
>>
>>
>>
>> On Mon, Aug 2, 2010 at 1:46 PM, Osborne, Richard 
>> <richard.osbo...@wth.org> wrote:
>>> Has anyone seen malware that creates an Outlook rule that moves all 
>>> new mail to Deleted Items and then sends out a bunch of spam?  I 
>>> have a few users that have been hit with something I can't find.  I 
>>> scanned the PCs with VIPRE, MalwareBytes, & Symantec's online 
>>> scanner and didn't find anything.  Then I turned off the PCs and 
>>> something is still accessing their mailboxes.  I scanned the Exchange 
>>> server also.
>>> I am not seeing anything in Exchange User Monitor or Windows 
>>> Security logs and our network guys say they don't see any unusual 
>>> traffic to our Exchange server.
>>>
>>> Google finds a couple of people reporting the same thing but no 
>>> resolution.
>>>
>>> Windows XP SP2 clients with Outlook 2002 & 2003; Exchange Server 2003 
>>> SP2 on Server 2003 SP1.
>>>
>>> Thanks for any ideas.
>>>
>>>
>>>
>>> Richard Osborne
>>> Information Systems
>>> Jackson-Madison County General Hospital
>>>
>>> NOTICE:  (1) The foregoing is not intended to be a legally binding 
>>> or legally effective electronic signature. (2) This message may 
>>> contain legally privileged or confidential information.  If you are 
>>> not the intended recipient of this message, please so notify me, 
>>> disregard the foregoing message, and delete the message immediately.
>>> I apologize for any inconvenience this may have caused.
>>>
>>>
>>>
>>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ 
>>> <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
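The MTA session transcript quoted in the thread shows one MAIL FROM followed by a long run of RCPT TO lines for an outside domain. The following is an added example, not code from any poster in the thread, that parses transcripts in that format and flags such envelopes; the function names, the 10-recipient threshold and the sample addresses are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Matches client commands in the MTA transcript format quoted in the thread,
# with or without leading "> " quote markers.
CMD = re.compile(r"^[>\s]*In:\s+(MAIL FROM|RCPT TO):<([^>]*)>", re.I)

def parse_envelopes(transcript):
    """Group RCPT TO lines under the MAIL FROM that precedes them."""
    envelopes = []
    for line in transcript.splitlines():
        m = CMD.match(line)
        if not m:
            continue                        # server replies ("Out:") and noise
        verb, addr = m.group(1).upper(), m.group(2).lower()
        if verb == "MAIL FROM":
            envelopes.append({"sender": addr, "rcpts": []})
        elif envelopes:                     # ignore RCPT with no MAIL FROM
            envelopes[-1]["rcpts"].append(addr)
    return envelopes

def domain(addr):
    return addr.rpartition("@")[2]

def suspicious(envelopes, min_rcpts=10):
    """Flag senders whose single message fans out to many external recipients.
    min_rcpts is an assumed threshold; tune it to your own mail patterns."""
    hits = []
    for env in envelopes:
        external = [r for r in env["rcpts"] if domain(r) != domain(env["sender"])]
        if len(external) >= min_rcpts:
            top = Counter(domain(r) for r in external).most_common(1)[0]
            hits.append((env["sender"], len(external), top[0]))
    return hits

# Constructed sample (not the addresses from the thread).
SAMPLE = "\n".join(
    [" In:  MAIL FROM:<student1@school.example> SIZE=1163", " Out: 250 2.1.0 Ok"]
    + [f">  In:  RCPT TO:<user{i}@bulk.example>\n>  Out: 250 2.1.5 Ok" for i in range(11)]
    + [" In:  MAIL FROM:<staff@school.example> SIZE=900",
       " In:  RCPT TO:<colleague@school.example>",
       " In:  RCPT TO:<vendor@partner.example>"]
)

if __name__ == "__main__":
    for sender, n, dom in suspicious(parse_envelopes(SAMPLE)):
        print(f"{sender}: {n} external recipients in one message, mostly {dom}")
```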