Free Outlook Alternatives
Anyone recommend a good free M$ Outlook alternative (for Windows) that fully integrates with Exchange Server (2003)?

Regards, Rab.

Robert Jackson, IT Manager
Walker Martyn Ltd, 1 Park Circus Place, Glasgow G3 6AH, Scotland
Phone: +44 (0) 141 332 7999
Fax: +44 (0) 141 331 2820
Email: r...@walkermartyn.co.uk
Web: http://www.walkermartyn.co.uk

The information in this internet E-mail is confidential and is intended solely for the addressee. Access, copying or re-use of information in it by anyone else is unauthorised. Any views or opinions presented are solely those of the author and do not necessarily represent those of Walker Martyn Ltd or any of its affiliates. If you are not the intended recipient please contact administra...@walkermartyn.co.uk. Walker Martyn Ltd, company number SC197533. Company is registered in Scotland and has its registered office at 1 Park Circus Place, Glasgow G3 6AH, UK.

~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~
Re: Free Outlook Alternatives
Hi Rab,

Evolution has been ported to Windows recently: http://www.dipconsultants.com/evolution/

Regards, Andrew

On 2 August 2010 16:20, Robert Jackson r...@walkermartyn.co.uk wrote:

Anyone recommend a good free M$ Outlook alternative (for Windows) that fully integrates with Exchange Server (2003)?

Regards, Rab.
RE: Your copy of ?Networking and Security for Dummies
Yep - great for sniffing traffic too when you don't want to bother with a span port ;)

a

-Original Message-
From: Angus Scott-Fleming [mailto:angu...@geoapps.com]
Sent: 31 July 2010 05:31
To: NT System Admin Issues
Subject: Re: Your copy of ?Networking and Security for Dummies

On 30 Jul 2010 at 14:55, richardmccl...@aspca.org wrote:

Hubs are still out there! Years ago, some folks did a great job of hiding them, like over ceilings, etc for workgroups. I've heard some motels use them since they're cheaper than switches.

Download without form here: http://lto.libredigital.com/?SonicWALL_Dell_GettingStartedwithNetworkingandSecurityforDummies

Or use any email address @thisisnotmyrealemail.com in the form.

WARNING: The information in this email and any attachments is confidential and may be legally privileged. If you are not the named addressee, you must not use, copy or disclose this email (including any attachments) or the information in it save to the named addressee nor take any action in reliance on it. If you receive this email or any attachments in error, please notify the sender immediately and then delete the same and any copies. CLS Services Ltd × Registered in England No 4132704 × Registered Office: Exchange Tower × One Harbour Exchange Square × London E14 9GE
RE: It's that day!
We're hiding in all sorts of corners .. working in London but from Dublin ;o)

a

From: James Kerr [mailto:cluster...@gmail.com]
Sent: 31 July 2010 13:46
To: NT System Admin Issues
Subject: Re: It's that day!

Nice, I was born in Temple street and raised in Artane Dublin. But I have more time in the US at this point. Nice to see another Irishman on this list. Good luck with the twins, I have a couple of wee ones myself.

Sláinte
James

On 7/31/2010 5:49 AM, tony patton wrote:

Yep, born and bred. Currently in Cavan, but moving back to Tyrone and been offered a new job in Derry.

Regards
Tony Patton
Desktop Support Analyst - Cavan
Ext 8078 Direct Dial 049 435 2878
email: tony.pat...@quinn-insurance.com

From: James Kerr cluster...@gmail.com
To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Date: 30/07/2010 17:45
Subject: Re: It's that day!

Tony, are you an Irishman?

- Original Message -
From: tony patton mailto:tony.pat...@quinn-insurance.com
To: NT System Admin Issues mailto:ntsysadmin@lyris.sunbelt-software.com
Sent: Friday, July 30, 2010 11:59 AM
Subject: Re: It's that day!

Thx folks, hope it rubs off on everyone else that needs/wants it :)

Its an advancement career-wise, moving to full-time server support with another company. It's a bit of a pay-cut, but it'll pay off in the long term, the new company will provide a new challenge and the technologies that they are involved in are wide-ranging.

A busy schedule ahead of me, finish up here on the 10th September, re-locate, start the new job, and twins on the way Xmas week. Fun times ahead :)

Regards
Tony Patton
Desktop Support Analyst - Cavan
Ext 8078 Direct Dial 049 435 2878
email: tony.pat...@quinn-insurance.com

From: Don Kuhlman drkuhl...@yahoo.com
To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Date: 30/07/2010 16:50
Subject: Re: It's that day!

Congrats Tony! Hopefully some of that good fortune will rub off :)

Don K

From: tony patton tony.pat...@quinn-insurance.com
To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Sent: Fri, July 30, 2010 10:26:40 AM
Subject: RE: It's that day!

I got offered a new job today, so I'm happy :)

Regards
Tony Patton
Desktop Support Analyst - Cavan
Ext 8078 Direct Dial 049 435 2878
email: tony.pat...@quinn-insurance.com

From: richardmccl...@aspca.org
To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Date: 30/07/2010 15:22
Subject: RE: It's that day!

Anyway, for those of us who feel our career is in the crapper- I had to replace one of those on Sysadmin Appreciation Day a few years back.

-- richard

Maglinger, Paul pmaglin...@scvl.com wrote on 07/30/2010 09:11:52 AM:

Just got an email from a co-worker. Happy S.A.D. Ironic?

From: Brumbaugh, Luke [mailto:luke.brumba...@butlerschein.com]
Sent: Friday, July 30, 2010 9:03 AM
To: NT System Admin Issues
Subject: RE: It's that day!

So it's worth 25cents? Starbucks is $2 here. I like that miserable stuff from Mickey D's ($1)

From: Maglinger, Paul [mailto:pmaglin...@scvl.com]
Sent: Friday, July 30, 2010 9:47 AM
To: NT System Admin Issues
Subject: RE: It's that day!

This, and $1.75 gets you a cup of coffee at Starbucks. And there was much rejoicing. yea...

From: richardmccl...@aspca.org [mailto:richardmccl...@aspca.org
RE: Free Outlook Alternatives
Just saw this in a newsletter from Sourceforge this morning:

9. DavMail POP/IMAP/SMTP/Caldav to Exchange
https://sourceforge.net/projects/davmail
Ever wanted to get rid of Outlook ? DavMail is a POP/IMAP/SMTP/Caldav/LDAP gateway allowing users to use any mail/calendar client with Exchange, even from the internet through Outlook Web Access on any platform, tested on MacOSX, Linux and Windows

Never heard of it before, but in case you're interested.

From: Robert Jackson [mailto:r...@walkermartyn.co.uk]
Sent: Monday, August 02, 2010 3:20 AM
To: NT System Admin Issues
Subject: Free Outlook Alternatives

Anyone recommend a good free M$ Outlook alternative (for Windows) that fully integrates with Exchange Server (2003)?

Regards, Rab.

Confidentiality Notice: This communication, including any attachments, may contain confidential information and is intended only for the individual or entity to whom it is addressed. Any review, dissemination, or copying of this communication by anyone other than the intended recipient is strictly prohibited. If you are not the intended recipient, please contact the sender by reply email, delete and destroy all copies of the original message.
Vipre Rescue issues
Trying to run a scan on my wife's PC at home (XP Pro SP3) using VipreRescue, I get an error something about unable to execute instruction. Sorry, it's a long address string and I didn't write it down. This happens both in regular mode and in safe-mode with command-prompt-only. Any idea what's going on? A MalwareBytes scan didn't find anything (at least in regular mode - have not tried safe mode yet.)

The reason I tried this was because the system has been behaving flaky lately... nothing really to put my finger on. My wife almost installed MyWebSearch this weekend, so she could play some old-style arcade games (PacMan, Galaga, etc) but I pointed out to her that she really didn't want that stuff. Anyway, between that near miss and the flakiness of the system, I thought I'd check for malware.

I've already checked the C: drive using SMART tools, and although it's an older drive, it appears to have no issues. Guess I ought to run a scandisk, just to be safe.

John Aldrich
Re: Vipre Rescue issues
1. As you mentioned, run a scandisk
2. Try a new download of VIPRERESCUE. It's possible you got a bad download, or something burped during the install.

Good luck!

-- Richard D. McClary
Systems Administrator, Information Technology Group
ASPCA®
1717 S. Philo Rd, Ste 36, Urbana, IL 61802
richardmccl...@aspca.org
P: 217-337-9761 C: 217-417-1182 F: 217-337-9761
www.aspca.org

The information contained in this e-mail, and any attachments hereto, is from The American Society for the Prevention of Cruelty to Animals® (ASPCA®) and is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail, you are hereby notified that any dissemination, distribution, copying or use of the contents of this e-mail, and any attachments hereto, is strictly prohibited. If you have received this e-mail in error, please immediately notify me by reply email and permanently delete the original and any copy of this e-mail and any printout thereof.

John Aldrich jaldr...@blueridgecarpet.com wrote on 08/02/2010 07:51:16 AM:

Trying to run a scan on my wife's PC at home (XP Pro SP3) using VipreRescue, I get an error something about "unable to execute instruction..." Sorry, it's a long address string and I didn't write it down. This happens both in "regular" mode and in safe-mode with command-prompt-only. Any idea what's going on? A MalwareBytes scan didn't find anything (at least in "regular" mode - have not tried "safe mode" yet.)

The reason I tried this was because the system has been behaving "flaky" lately... nothing really to put my finger on. My wife almost installed MyWebSearch this weekend, so she could play some old-style "arcade" games (PacMan, Galaga, etc) but I pointed out to her that she really didn't want that stuff. Anyway, between that "near miss" and the flakiness of the system, I thought I'd check for malware.

I've already checked the C: drive using SMART tools, and although it's an older drive, it appears to have no issues. Guess I ought to run a scandisk, just to be safe.
RE: OT: Vipre effectiveness false positives
We used Vipre last year until it couldn't stop conficker from spreading. Installed Symantec Endpoint and haven't had any issues. You have to babysit Vipre way too much.

From: Carl Houseman [mailto:c.house...@gmail.com]
Sent: Friday, July 30, 2010 11:06 AM
To: NT System Admin Issues
Subject: RE: OT: Vipre effectiveness false positives

I can understand FP's against lesser used applications, but when part of Windows or a commonly installed MS product is tagged, there's no real excuse for that IMHO. Still, I've asked Alex to provide any comparison data he can come up with, and to the extent the evidence is unbiased and convincing, I may put forth Vipre as an alternative. Thanks everybody for all the feedback.

Carl

From: David Lum [mailto:david@nwea.org]
Sent: Friday, July 30, 2010 2:23 AM
To: NT System Admin Issues
Subject: RE: OT: Vipre effectiveness false positives

As I have stated in previous AV threads, I actually use/manage 3 different AV products: Vipre Enterprise (3 clients, ~25 systems, plus my home machines), Trend WorryFree (1 client, 55 systems) and McAfee (%dayjob%, ~500 systems) and Vipre easily has more false positives than the other two: 3 in the last 12 months, vs zero for Trend and McAfee. Twice it ate Outlook.exe, one other time it ate Iexplore.exe. Not enough to make me want to switch from Vipre, just offering a data point.

A bit over a year ago Vipre replaced Trend at home (1 server, 3PC's), Symantec at a client of 17, and standalone McAfee at a client of 7, no major issues transitioning any of them. There were enough teething pains (FP's) early on to prevent me from replacing it at the bigger client as well as %dayjob%.

I avoided the recent McAfee fiasco because I grab updates ~20 hours after they typically release, didn't know Trend had one recently. Alternately, none of these sites have had infections requiring a HDD wipe.

Dave

From: Ralph Smith m...@gatewayindustries.org
Sent: Thursday, July 29, 2010 8:49 PM
To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Subject: RE: Vipre effectiveness false positives

I don't disagree, but when you are presented with information you have to evaluate the validity of the data, and hopefully get clarification from those involved when it implies that there may be a problem. Virus Bulletin actually warned in the explanation of the chart that it was just one result and that conclusions shouldn't be jumped to until there was more data. And sometimes, a horse is just a horse, of course.

From: Kim Longenbaugh [mailto:k...@colonialsavings.com]
Sent: Thursday, July 29, 2010 4:39 PM
To: NT System Admin Issues
Subject: RE: Vipre effectiveness false positives

My point was really that all AV vendors have experienced FPs, not just Vipre. I agree that statistics can be a valuable tool, it's just that which ones you choose and how you present them can be misleading. For example, in a horse race between the US and Russia, the US horse won. In the American papers, it was reported that the US took first place. In the Russian papers, it was reported that the US was next to last and that Russia was second place. The statistics reported in both cases were true, but the picture they gave of the race was very different.

From: Ralph Smith [mailto:m...@gatewayindustries.org]
Sent: Thursday, July 29, 2010 3:08 PM
To: NT System Admin Issues
Subject: RE: Vipre effectiveness false positives

True, but there were people on the VIPRE forum that were hit just as hard by a couple of the FPs that VIPRE had. I'm not knocking VIPRE at all - I like it a lot and would purchase it again with no hesitation. However, when a well known organization like Virus Bulletin publishes test results, it makes sense to look at the data and try to understand what it means and how it may impact your organization. I personally feel confident with Sunbelt, but I would be interested to understand how they interpret the chart and what they feel the implications are for their product. By the way, some lies may be statistics, but not all statistics are lies. Information, including statistical, is the basis for sound decision making.

From: Kim Longenbaugh [mailto:k...@colonialsavings.com]
Sent: Thursday, July 29, 2010 2:28 PM
To: NT System Admin Issues
Subject: RE: Vipre effectiveness false positives

How about a little perspective on false positives? http://news.cnet.com/8301-1009_3-20003074-83.html and a reminder about statistics from Mark Twain: there's 3 kinds of lies: lies, damned lies, and statistics

From: Ralph Smith [mailto:m...@gatewayindustries.org]
Sent: Thursday, July 29, 2010 1:20 PM
To: NT System Admin Issues
Subject: RE: Vipre effectiveness false positives

I've had VIPRE for a couple of years now, and was fortunately not hit hard with the
RE: Wireless Machine Authentication
If you set the XP SP3 802.1x authentication mode back to its default, you should get what you want. The default authentication mode allows a computer to authenticate with PEAP under its computer account credentials. When a user logs in to the computer, the auth process is repeated, this time with the user's credentials.

-Malcolm

From: Kelsey, John [mailto:jckel...@drmc.org]
Sent: Friday, July 30, 2010 09:36
To: NT System Admin Issues
Subject: FW: Wireless Machine Authentication

All Cisco LWAP access points using a 5508 wireless controller. We have PEAP set up so users can authenticate on the wireless network using their AD login...peachy. BUT...we have some machines that need to authenticate on the wireless before the user logs on (so they can get group policies and such). I thought we could just provide a generic credential and it would work but no such luck. How the heck do you make this work? The workstations are XP SP3 with intel wireless cards.

Thanks all!

John C. Kelsey
DuBois Regional Medical Center
814.375.3073
814.375.4005
jckel...@drmc.org

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail.
RE: OT: Apologies
Thanks for the info

From: Rob Bonfiglio [mailto:robbonfig...@gmail.com]
Posted At: Sunday, August 01, 2010 12:42 PM
Posted To: itli...@imcu.com
Conversation: OT: Apologies
Subject: Re: OT: Apologies

It looks like it was some variant Antivirus Pro 2009. The odd part is that I never clicked on anything to prompt its install. It looks like it changed my IE and FF proxy settings and performed a man in the middle, either that or it just harvested while I was logged into gmail. I've checked my Sent items in gmail and did not see the actual sent messages in there. But my proxy settings were definitely changed (although no IP addresses were listed as the proxy in either of them.)

In any case, I've gone to another machine and changed my password and I am flattening my laptop and rebuilding it. It was time for that to happen anyway.

On Sun, Aug 1, 2010 at 11:54 AM, James Kerr cluster...@gmail.com wrote:

What virus is this? I seen similar things happen with peoples yahoo and aol mail accounts. Did it get your account password?

On 8/1/2010 11:00 AM, Rob Bonfiglio wrote:

Sorry for the spam that looks like went to the list from my account. I got hit with a virus and it spammed everyone in my gmail address book.
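The message above reports that the infection changed the Internet Explorer and Firefox proxy settings. As an added example (not part of the thread), this PowerShell check reads both browsers' per-user proxy configuration and flags anything that routes traffic through a proxy, including the "enabled but no server listed" state the poster describes. It assumes the default per-user registry key and Firefox profile location, and the function names are hypothetical.

```powershell
# Added example: audit per-user proxy settings for IE and Firefox.
# Assumptions: run as the affected user; default registry key and profile paths.

function Get-IEProxySetting {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Browser       = 'Internet Explorer'
        Source        = $key
        ProxyEnabled  = ($p.ProxyEnable -eq 1)   # DWORD: 1 = use ProxyServer
        ProxyServer   = $p.ProxyServer
        AutoConfigUrl = $p.AutoConfigURL         # PAC script, honoured even if ProxyEnable is 0
    }
}

function Get-FirefoxProxySetting {
    $profileRoot = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
    if (-not (Test-Path $profileRoot)) { return }

    $prefFiles = Get-ChildItem -Path (Join-Path $profileRoot '*\prefs.js') -ErrorAction SilentlyContinue
    foreach ($file in $prefFiles) {
        $pref = @{}
        foreach ($line in Get-Content -Path $file.FullName) {
            # Lines look like: user_pref("network.proxy.type", 1);
            if ($line -match '^user_pref\("(network\.proxy\.[^"]+)",\s*(.*)\);\s*$') {
                $pref[$Matches[1]] = $Matches[2].Trim('"')
            }
        }

        # network.proxy.type: 1 = manual proxy, 2 = proxy auto-config (PAC) URL
        $type   = $pref['network.proxy.type']
        $server = $null
        if ($pref['network.proxy.http']) {
            # Only the HTTP proxy host is reported here
            $server = '{0}:{1}' -f $pref['network.proxy.http'], $pref['network.proxy.http_port']
        }

        [pscustomobject]@{
            Browser       = 'Firefox'
            Source        = $file.FullName
            ProxyEnabled  = ($type -eq '1' -or $type -eq '2')
            ProxyServer   = $server
            AutoConfigUrl = $pref['network.proxy.autoconfig_url']
        }
    }
}

function Test-ProxyFinding {
    param([Parameter(ValueFromPipeline = $true)] $Setting)
    process {
        $reasons = @()
        if ($Setting.ProxyEnabled -and -not $Setting.ProxyServer -and -not $Setting.AutoConfigUrl) {
            $reasons += 'proxy enabled but no server listed'
        }
        if ($Setting.ProxyEnabled -and $Setting.ProxyServer) {
            $reasons += "traffic sent via $($Setting.ProxyServer)"
        }
        if ($Setting.AutoConfigUrl) {
            $reasons += "PAC script: $($Setting.AutoConfigUrl)"
        }
        # An empty Review field means nothing proxy-related was found for that browser/profile
        $Setting | Add-Member -NotePropertyName Review -NotePropertyValue ($reasons -join '; ') -PassThru
    }
}

@(Get-IEProxySetting) + @(Get-FirefoxProxySetting) | Test-ProxyFinding | Format-List
```

Any non-empty Review value should be compared against what the organisation actually deploys before the machine is trusted again.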
RE: 2008 DC being offline
I stand corrected, maybe it was 66 days. As a general rule I don't change defaults unless I have a compelling reason to do so, and I can't think of one here.

-Original Message-
From: Brian Desmond [mailto:br...@briandesmond.com]
Sent: Friday, July 30, 2010 4:07 PM
To: NT System Admin Issues
Subject: RE: 2008 DC being offline

30 days not unless you tinkered with some tombstone lifetime settings which I don't know why you would lower it...

Thanks,
Brian Desmond
br...@briandesmond.com
c - 312.731.3132

-Original Message-
From: David Lum [mailto:david@nwea.org]
Sent: Wednesday, July 28, 2010 2:55 PM
To: NT System Admin Issues
Subject: RE: 2008 DC being offline

Past 30 days offline it will complain - at least 2003 servers do, but I think it's also related to some AD archive or backup time setting... I ran into something about 30 days when I restored a DC from a backup that was 36 days old. Minor in the scheme of things, just something to keep in mind.

...Then again, maybe that was of no help...

David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764

-Original Message-
From: jesse-r...@wi.rr.com [mailto:jesse-r...@wi.rr.com]
Sent: Wednesday, July 28, 2010 11:56 AM
To: NT System Admin Issues
Subject: 2008 DC being offline

Hello,

A 2008 DC (let's call it Server-F) we have at another site has been offline for 6 weeks. We powered it down because the building was undergoing construction, and the building was effectively CLOSED for those 6 weeks. Construction is done and I'm ready to bring the server back online.

Is there a problem with just turning Server-F on and letting it re-sync with active directory even though it's been offline for 6 weeks?

or... would I be better off bringing Server-F up WITHOUT a network cable connected, run dcpromo /forceremoval on it... then remove any references to the Server-F from my other DCs, and eventually re-promote server F back as a DC?

Thoughts?
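The thread above turns on how long a DC can stay offline relative to the forest's tombstone lifetime. As an added example (not from any poster), this PowerShell sketch reads the configured tombstone lifetime from the Configuration partition, compares it with the offline period, and lists how old the last successful replication from the DC is on its partners. The DC name Server-F comes from the thread; the offline date and the function names are constructed for illustration.

```powershell
# Added example: compare a DC's offline period with the tombstone lifetime.
# Assumptions: run on a domain-joined machine with repadmin installed;
# $offlineSince is a constructed value (about 6 weeks, as in the thread).

$dcName       = 'Server-F'
$offlineSince = (Get-Date).AddDays(-42)

function Get-TombstoneLifetimeDays {
    $configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $dirSvc   = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
    $value    = $dirSvc.Properties['tombstoneLifetime'].Value
    # When the attribute is not set, AD applies its built-in default of 60 days
    if ($null -eq $value) { 60 } else { [int]$value }
}

function Test-OfflineWindow {
    param([datetime]$OfflineSince, [int]$TombstoneDays)
    $days = [int]((Get-Date) - $OfflineSince).TotalDays
    [pscustomobject]@{
        DaysOffline           = $days
        TombstoneLifetimeDays = $TombstoneDays
        DaysRemaining         = $TombstoneDays - $days
        WithinLifetime        = ($days -lt $TombstoneDays)
    }
}

function Get-ReplicationAge {
    param([string]$SourceDc)
    # repadmin's CSV output has one row per inbound replication link on each DC
    repadmin /showrepl * /csv | ConvertFrom-Csv |
        Where-Object { $_.'Source DSA' -eq $SourceDc } |
        ForEach-Object {
            $last   = [datetime]::MinValue
            $parsed = [datetime]::TryParse($_.'Last Success Time', [ref]$last)
            [pscustomobject]@{
                DestinationDC = $_.'Destination DSA'
                NamingContext = $_.'Naming Context'
                LastSuccess   = if ($parsed) { $last } else { $null }
                DaysSince     = if ($parsed) { [int]((Get-Date) - $last).TotalDays } else { $null }
                Failures      = $_.'Number of Failures'
            }
        }
}

$tsl = Get-TombstoneLifetimeDays
Test-OfflineWindow -OfflineSince $offlineSince -TombstoneDays $tsl | Format-List
Get-ReplicationAge -SourceDc $dcName | Sort-Object DaysSince -Descending | Format-Table -AutoSize
```

The DaysSince column from the partners is the authoritative figure; the constructed offline date is only a stand-in for it.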
RE: Wireless Machine Authentication
You can either use machine certs or machine credentials (against AD, if the machines have credentials in AD...)

Cheers
Ken

From: Kelsey, John [mailto:jckel...@drmc.org]
Sent: Friday, 30 July 2010 10:36 PM
To: NT System Admin Issues
Subject: FW: Wireless Machine Authentication

All Cisco LWAP access points using a 5508 wireless controller. We have PEAP set up so users can authenticate on the wireless network using their AD login...peachy. BUT...we have some machines that need to authenticate on the wireless before the user logs on (so they can get group policies and such). I thought we could just provide a generic credential and it would work but no such luck. How the heck do you make this work? The workstations are XP SP3 with intel wireless cards.
RE: Wireless Machine Authentication
We used the machine AD credentials, as that is the path of least resistance. It is a pretty simple GPO configuration to set it all up, too.

-Malcolm

From: Ken Schaefer [mailto:k...@adopenstatic.com]
Sent: Monday, August 02, 2010 10:03
To: NT System Admin Issues
Subject: RE: Wireless Machine Authentication

You can either use machine certs or machine credentials (against AD, if the machines have credentials in AD...)

Cheers
Ken

From: Kelsey, John [mailto:jckel...@drmc.org]
Sent: Friday, 30 July 2010 10:36 PM
To: NT System Admin Issues
Subject: FW: Wireless Machine Authentication

All Cisco LWAP access points using a 5508 wireless controller. We have PEAP set up so users can authenticate on the wireless network using their AD login...peachy. BUT...we have some machines that need to authenticate on the wireless before the user logs on (so they can get group policies and such). I thought we could just provide a generic credential and it would work but no such luck. How the heck do you make this work? The workstations are XP SP3 with intel wireless cards.
Re: Your copy of ?Networking and Security for Dummies
Not if you want to capture data at modern speeds.

On Mon, Aug 2, 2010 at 01:32, Alan Davies adav...@cls-services.com wrote:

Yep - great for sniffing traffic too when you don't want to bother with a span port ;)

a

-Original Message-
From: Angus Scott-Fleming [mailto:angu...@geoapps.com]
Sent: 31 July 2010 05:31
To: NT System Admin Issues
Subject: Re: Your copy of ?Networking and Security for Dummies

On 30 Jul 2010 at 14:55, richardmccl...@aspca.org wrote:

Hubs are still out there! Years ago, some folks did a great job of hiding them, like over ceilings, etc for workgroups. I've heard some motels use them since they're cheaper than switches.

Download without form here: http://lto.libredigital.com/?SonicWALL_Dell_GettingStartedwithNetworkingandSecurityforDummies

Or use any email address @thisisnotmyrealemail.com in the form.
eventcreate with carriage returns
Anyone got any idea whether it's possible to use eventcreate to create an event log entry that contains carriage returns in the description? If so, how? Is there another tool I can use to achieve this?

Olly

Network Support Online Backups Server Management
Tel: 0845 307 3443
Email: oliver.marsh...@g2support.com
Web: http://www.g2support.com
Twitter: g2support
Newsletter: http://www.g2support.com/newsletter
Mail: 2 Roundhill Road, Brighton, Sussex, BN2 3RF
Find out more about our referral gift scheme at www.g2support.com/referral

G2 Support LLP is registered at Mill House, 103 Holmes Avenue, HOVE BN3 7LE. Our registered company number is OC316341.
Fwd: Upcoming Out of Band update
I sent this earlier, but it looks like it may not have made it to the list since I had been unsubscribed from my little episode this weekend:

We got this from our TAM this morning. No real details, other than that there will be an out of band update and details will be released later: http://www.microsoft.com/technet/security/bulletin/ms10-aug.mspx
Re: Fwd: Upcoming Out of Band update
They think they have a patch for the .LNK vulnerability. They have also found a really nasty virus (SALITY) which has been transmitted by this vulnerability. They feel it is enough of an emergency to release it on a Monday (rather than on the second Tuesday). This information is elsewhere, including the Sunbelt blog and The Register.

Thanks!

-- Richard D. McClary
Systems Administrator, Information Technology Group
ASPCA®

Rob Bonfiglio robbonfig...@gmail.com wrote on 08/02/2010 11:16:00 AM:

I sent this earlier, but it looks like it may not have made it to the list since I had been unsubscribed from my little episode this weekend:

We got this from our TAM this morning. No real details, other than that there will be an out of band update and details will be released later: http://www.microsoft.com/technet/security/bulletin/ms10-aug.mspx
RE: Fwd: Upcoming Out of Band update
http://news.cnet.com/8301-1009_3-20012270-83.html?tag=nl.e757

From: richardmccl...@aspca.org [mailto:richardmccl...@aspca.org]
Sent: Monday, August 02, 2010 11:23 AM
To: NT System Admin Issues
Subject: Re: Fwd: Upcoming Out of Band update

They think they have a patch for the .LNK vulnerability. They have also found a really nasty virus (SALITY) which has been transmitted by this vulnerability. They feel it is enough of an emergency to release it on a Monday (rather than on the second Tuesday). This information is elsewhere, including the Sunbelt blog and The Register.

Thanks!

-- Richard D. McClary
Systems Administrator, Information Technology Group
ASPCA(r)

Rob Bonfiglio robbonfig...@gmail.com wrote on 08/02/2010 11:16:00 AM:

I sent this earlier, but it looks like it may not have made it to the list since I had been unsubscribed from my little episode this weekend:

We got this from our TAM this morning. No real details, other than that there will be an out of band update and details will be released later: http://www.microsoft.com/technet/security/bulletin/ms10-aug.mspx
Re: It's that day!
Hah, awesome!

- Original Message -
From: Alan Davies
To: NT System Admin Issues
Sent: Monday, August 02, 2010 4:37 AM
Subject: RE: It's that day!

We're hiding in all sorts of corners .. working in London but from Dublin ;o)

a

From: richardmccl...@aspca.org [mailto:richardmccl...@aspca.org]
Sent: Friday, July 30, 2010 8:10 AM
To: NT System Admin Issues
Subject: It's that day!

http://www.sysadminday.com/

And my Help Desk guy got the day off!

-- Richard

** CONFIDENTIALITY NOTICE - The information transmitted in this message is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of this information by persons or entities other than the intended
malware that creates Outlook rules
Has anyone seen malware that creates an Outlook rule that moves all new mail to Deleted Items and then sends out a bunch of spam? I have a few users that have been hit with something I can't find. I scanned the PCs with VIPRE, MalwareBytes, Symantec's online scanner and didn't find anything. Then I turned off the PCs and something is still accessing their mailboxes. I scanned the Exchange server also. I am not seeing anything in Exchange User Monitor or Windows Security logs and our network guys say they don't see any unusual traffic to our Exchange server. Google finds a couple of people reporting the same thing but no resolution. Windows XP SP2 clients with Outlook 2002 2003; Exchange Server 2003 SP2 on Server 2003 SP1. Thanks for any ideas. Richard Osborne Information Systems Jackson-Madison County General Hospital NOTICE: (1) The foregoing is not intended to be a legally binding or legally effective electronic signature. (2) This message may contain legally privileged or confidential information. If you are not the intended recipient of this message, please so notify me, disregard the foregoing message, and delete the message immediately. I apologize for any inconvenience this may have caused.
Re: Upcoming Out of Band update
On 2 Aug 2010 at 12:16, Rob Bonfiglio wrote: I sent this earlier, but it looks like it may not have made it to the list since I had been unsubscribed from my little episode this weekend: We got this from our TAM this morning. No real details, other than that there will be an out of band update and details will be released later: http://www.microsoft.com/technet/security/bulletin/ms10-aug.mspx Microsoft Security Bulletin MS10-046 - Critical: Vulnerability in Windows Shell Could Allow Remote Code Execution (2286198) http://www.microsoft.com/technet/security/bulletin/MS10-046.mspx -- Angus Scott-Fleming GeoApps, Tucson, Arizona 1-520-290-5038 Security Blog: http://geoapps.com/
Re: malware that creates Outlook rules
Have you had the users change their passwords yet? Die dulci fruere! Roger Wright ___ On Mon, Aug 2, 2010 at 1:46 PM, Osborne, Richard richard.osbo...@wth.org wrote: Has anyone seen malware that creates an Outlook rule that moves all new mail to Deleted Items and then sends out a bunch of spam? I have a few users that have been hit with something I can't find. I scanned the PCs with VIPRE, MalwareBytes, Symantec's online scanner and didn't find anything. Then I turned off the PCs and something is still accessing their mailboxes. I scanned the Exchange server also. I am not seeing anything in Exchange User Monitor or Windows Security logs and our network guys say they don't see any unusual traffic to our Exchange server. Google finds a couple of people reporting the same thing but no resolution. Windows XP SP2 clients with Outlook 2002 2003; Exchange Server 2003 SP2 on Server 2003 SP1. Thanks for any ideas. Richard Osborne Information Systems Jackson-Madison County General Hospital
Re: Upcoming Out of Band update
Out of curiosity, how long can we expect it to take to download once we've synchronized? I wouldn't think it would take very long to show up waiting for approval, but it has been 20 minutes, even though I can see the various patches were listed in the synchronization report. On Mon, Aug 2, 2010 at 1:51 PM, Angus Scott-Fleming angu...@geoapps.com wrote: On 2 Aug 2010 at 12:16, Rob Bonfiglio wrote: I sent this earlier, but it looks like it may not have made it to the list since I had been unsubscribed from my little episode this weekend: We got this from our TAM this morning. No real details, other than that there will be an out of band update and details will be released later: http://www.microsoft.com/technet/security/bulletin/ms10-aug.mspx Microsoft Security Bulletin MS10-046 - Critical: Vulnerability in Windows Shell Could Allow Remote Code Execution (2286198) http://www.microsoft.com/technet/security/bulletin/MS10-046.mspx -- Angus Scott-Fleming GeoApps, Tucson, Arizona 1-520-290-5038 Security Blog: http://geoapps.com/
RE: malware that creates Outlook rules
I disabled their accounts and it didn't help. -Original Message- From: Roger Wright [mailto:rhw...@gmail.com] Sent: Monday, August 02, 2010 1:09 PM To: NT System Admin Issues Subject: Re: malware that creates Outlook rules Have you had the users change their passwords yet? Die dulci fruere! Roger Wright ___ On Mon, Aug 2, 2010 at 1:46 PM, Osborne, Richard richard.osbo...@wth.org wrote: Has anyone seen malware that creates an Outlook rule that moves all new mail to Deleted Items and then sends out a bunch of spam? I have a few users that have been hit with something I can't find. I scanned the PCs with VIPRE, MalwareBytes, Symantec's online scanner and didn't find anything. Then I turned off the PCs and something is still accessing their mailboxes. I scanned the Exchange server also. I am not seeing anything in Exchange User Monitor or Windows Security logs and our network guys say they don't see any unusual traffic to our Exchange server. Google finds a couple of people reporting the same thing but no resolution. Windows XP SP2 clients with Outlook 2002 2003; Exchange Server 2003 SP2 on Server 2003 SP1. Thanks for any ideas. Richard Osborne Information Systems Jackson-Madison County General Hospital
RE: 2008 DC being offline
60 is the default for 2000 and 2003 R2 forests, 180 for 2003, 2008, 2008 R2 forests. Note this is the original OS version of the first DC not the current FFL. There are scenarios you'd change this but they're fairly vertical. Thanks, Brian Desmond br...@briandesmond.com c - 312.731.3132 -Original Message- From: David Lum [mailto:david@nwea.org] Sent: Monday, August 02, 2010 9:30 AM To: NT System Admin Issues Subject: RE: 2008 DC being offline I stand corrected, maybe it was 66 days. As a general rule I don't change defaults unless I have a compelling reason to do so, and I can't think of one here. -Original Message- From: Brian Desmond [mailto:br...@briandesmond.com] Sent: Friday, July 30, 2010 4:07 PM To: NT System Admin Issues Subject: RE: 2008 DC being offline 30 days not unless you tinkered with some tombstone lifetime settings which I don't know why you would lower it... Thanks, Brian Desmond br...@briandesmond.com c - 312.731.3132 -Original Message- From: David Lum [mailto:david@nwea.org] Sent: Wednesday, July 28, 2010 2:55 PM To: NT System Admin Issues Subject: RE: 2008 DC being offline Past 30 days offline it will complain - at least 2003 servers do, but I think it's also related to some AD archive or backup time setting. I ran into something about 30 days when I restored a DC from a backup that was 36 days old. Minor in the scheme of things, just something to keep in mind. ...Then again, maybe that was of no help... David Lum // SYSTEMS ENGINEER NORTHWEST EVALUATION ASSOCIATION (Desk) 971.222.1025 // (Cell) 503.267.9764 -Original Message- From: jesse-r...@wi.rr.com [mailto:jesse-r...@wi.rr.com] Sent: Wednesday, July 28, 2010 11:56 AM To: NT System Admin Issues Subject: 2008 DC being offline Hello, A 2008 DC (let's call it Server-F) we have at another site has been offline for 6 weeks. We powered it down because the building was undergoing construction, and the building was effectively CLOSED for those 6 weeks. Construction is done and I'm ready to bring the server back online. Is there a problem with just turning Server-F on and letting it re-sync with active directory even though it's been offline for 6 weeks? or... would I be better off bringing Server-F up WITHOUT a network cable connected, run dcpromo /forceremoval on it... then remove any references to the Server-F from my other DCs, and eventually re-promote server F back as a DC? Thoughts?
Re: malware that creates Outlook rules
you turned off the computers and it is still happening? I'd check OWA. you disabled the accounts, and the spam is still being sent? Google.com Learn it. Live it. Love it. On Mon, Aug 2, 2010 at 11:21, Osborne, Richard richard.osbo...@wth.org wrote: I disabled their accounts and it didn't help. -Original Message- From: Roger Wright [mailto:rhw...@gmail.com] Sent: Monday, August 02, 2010 1:09 PM To: NT System Admin Issues Subject: Re: malware that creates Outlook rules Have you had the users change their passwords yet? Die dulci fruere! Roger Wright ___ On Mon, Aug 2, 2010 at 1:46 PM, Osborne, Richard richard.osbo...@wth.org wrote: Has anyone seen malware that creates an Outlook rule that moves all new mail to Deleted Items and then sends out a bunch of spam? I have a few users that have been hit with something I can't find. I scanned the PCs with VIPRE, MalwareBytes, Symantec's online scanner and didn't find anything. Then I turned off the PCs and something is still accessing their mailboxes. I scanned the Exchange server also. I am not seeing anything in Exchange User Monitor or Windows Security logs and our network guys say they don't see any unusual traffic to our Exchange server. Google finds a couple of people reporting the same thing but no resolution. Windows XP SP2 clients with Outlook 2002 2003; Exchange Server 2003 SP2 on Server 2003 SP1. Thanks for any ideas. Richard Osborne Information Systems Jackson-Madison County General Hospital
Re: 2008 DC being offline
Wow.. Why did it shift downward from 2003 to 2003R2? -ASB: http://XeeSM.com/AndrewBaker On Mon, Aug 2, 2010 at 2:24 PM, Brian Desmond br...@briandesmond.com wrote: 60 is the default for 2000 and 2003 R2 forests, 180 for 2003, 2008, 2008 R2 forests. Note this is the original OS version of the first DC not the current FFL. There are scenarios you'd change this but they're fairly vertical. Thanks, Brian Desmond br...@briandesmond.com c - 312.731.3132 -Original Message- From: David Lum [mailto:david@nwea.org] Sent: Monday, August 02, 2010 9:30 AM To: NT System Admin Issues Subject: RE: 2008 DC being offline I stand corrected, maybe it was 66 days. As a general rule I don't change defaults unless I have a compelling reason to do so, and I can't think of one here. -Original Message- From: Brian Desmond [mailto:br...@briandesmond.com] Sent: Friday, July 30, 2010 4:07 PM To: NT System Admin Issues Subject: RE: 2008 DC being offline 30 days not unless you tinkered with some tombstone lifetime settings which I don't know why you would lower it... Thanks, Brian Desmond br...@briandesmond.com c - 312.731.3132 -Original Message- From: David Lum [mailto:david@nwea.org] Sent: Wednesday, July 28, 2010 2:55 PM To: NT System Admin Issues Subject: RE: 2008 DC being offline Past 30 days offline it will complain - at least 2003 servers do, but I think it's also related to some AD archive or backup time setting. I ran into something about 30 days when I restored a DC from a backup that was 36 days old. Minor in the scheme of things, just something to keep in mind. ...Then again, maybe that was of no help... David Lum // SYSTEMS ENGINEER NORTHWEST EVALUATION ASSOCIATION (Desk) 971.222.1025 // (Cell) 503.267.9764 -Original Message- From: jesse-r...@wi.rr.com [mailto:jesse-r...@wi.rr.com] Sent: Wednesday, July 28, 2010 11:56 AM To: NT System Admin Issues Subject: 2008 DC being offline Hello, A 2008 DC (let's call it Server-F) we have at another site has been offline for 6 weeks. We powered it down because the building was undergoing construction, and the building was effectively CLOSED for those 6 weeks. Construction is done and I'm ready to bring the server back online. Is there a problem with just turning Server-F on and letting it re-sync with active directory even though it's been offline for 6 weeks? or... would I be better off bringing Server-F up WITHOUT a network cable connected, run dcpromo /forceremoval on it... then remove any references to the Server-F from my other DCs, and eventually re-promote server F back as a DC? Thoughts?
RE: 2008 DC being offline
Can you say bug? :-P Regards, Michael B. Smith Consultant and Exchange MVP http://TheEssentialExchange.com From: Andrew S. Baker [mailto:asbz...@gmail.com] Sent: Monday, August 02, 2010 2:33 PM To: NT System Admin Issues Subject: Re: 2008 DC being offline Wow.. Why did it shift downward from 2003 to 2003R2? -ASB: http://XeeSM.com/AndrewBaker On Mon, Aug 2, 2010 at 2:24 PM, Brian Desmond br...@briandesmond.com wrote: 60 is the default for 2000 and 2003 R2 forests, 180 for 2003, 2008, 2008 R2 forests. Note this is the original OS version of the first DC not the current FFL. There are scenarios you'd change this but they're fairly vertical. Thanks, Brian Desmond br...@briandesmond.com c - 312.731.3132 -Original Message- From: David Lum [mailto:david@nwea.org] Sent: Monday, August 02, 2010 9:30 AM To: NT System Admin Issues Subject: RE: 2008 DC being offline I stand corrected, maybe it was 66 days. As a general rule I don't change defaults unless I have a compelling reason to do so, and I can't think of one here. -Original Message- From: Brian Desmond [mailto:br...@briandesmond.com] Sent: Friday, July 30, 2010 4:07 PM To: NT System Admin Issues Subject: RE: 2008 DC being offline 30 days not unless you tinkered with some tombstone lifetime settings which I don't know why you would lower it... Thanks, Brian Desmond br...@briandesmond.com c - 312.731.3132 -Original Message- From: David Lum [mailto:david@nwea.org] Sent: Wednesday, July 28, 2010 2:55 PM To: NT System Admin Issues Subject: RE: 2008 DC being offline Past 30 days offline it will complain - at least 2003 servers do, but I think it's also related to some AD archive or backup time setting. I ran into something about 30 days when I restored a DC from a backup that was 36 days old. Minor in the scheme of things, just something to keep in mind. ...Then again, maybe that was of no help... David Lum // SYSTEMS ENGINEER NORTHWEST EVALUATION ASSOCIATION (Desk) 971.222.1025 // (Cell) 503.267.9764 -Original Message- From: jesse-r...@wi.rr.com [mailto:jesse-r...@wi.rr.com] Sent: Wednesday, July 28, 2010 11:56 AM To: NT System Admin Issues Subject: 2008 DC being offline Hello, A 2008 DC (let's call it Server-F) we have at another site has been offline for 6 weeks. We powered it down because the building was undergoing construction, and the building was effectively CLOSED for those 6 weeks. Construction is done and I'm ready to bring the server back online. Is there a problem with just turning Server-F on and letting it re-sync with active directory even though it's been offline for 6 weeks? or... would I be better off bringing Server-F up WITHOUT a network cable connected, run dcpromo /forceremoval on it... then remove any references to the Server-F from my other DCs, and eventually re-promote server F back as a DC? Thoughts?
Re: malware that creates Outlook rules
Is your firewall set to only allow SMTP (port 25) traffic from your Exchange server? Die dulci fruere! Roger Wright ___ On Mon, Aug 2, 2010 at 2:21 PM, Osborne, Richard richard.osbo...@wth.org wrote: I disabled their accounts and it didn't help. -Original Message- From: Roger Wright [mailto:rhw...@gmail.com] Sent: Monday, August 02, 2010 1:09 PM To: NT System Admin Issues Subject: Re: malware that creates Outlook rules Have you had the users change their passwords yet? Die dulci fruere! Roger Wright ___ On Mon, Aug 2, 2010 at 1:46 PM, Osborne, Richard richard.osbo...@wth.org wrote: Has anyone seen malware that creates an Outlook rule that moves all new mail to Deleted Items and then sends out a bunch of spam? I have a few users that have been hit with something I can't find. I scanned the PCs with VIPRE, MalwareBytes, Symantec's online scanner and didn't find anything. Then I turned off the PCs and something is still accessing their mailboxes. I scanned the Exchange server also. I am not seeing anything in Exchange User Monitor or Windows Security logs and our network guys say they don't see any unusual traffic to our Exchange server. Google finds a couple of people reporting the same thing but no resolution. Windows XP SP2 clients with Outlook 2002 2003; Exchange Server 2003 SP2 on Server 2003 SP1. Thanks for any ideas. Richard Osborne Information Systems Jackson-Madison County General Hospital
Re: Upcoming Out of Band update
And, it looks as if they're being strict about it too... I don't see a patch for either Win2k or WinXP SP2 - they both EOL'ed in July. Kurt On Mon, Aug 2, 2010 at 09:16, Rob Bonfiglio robbonfig...@gmail.com wrote: I sent this earlier, but it looks like it may not have made it to the list since I had been unsubscribed from my little episode this weekend: We got this from our TAM this morning. No real details, other than that there will be an out of band update and details will be released later: http://www.microsoft.com/technet/security/bulletin/ms10-aug.mspx
RE: malware that creates Outlook rules
We are having a similar issue. We changed the user's password, and since that user is in a meeting, we turned his machine off. Looks like it has to be coming from OWA. Here is some info from an error message our external MTA sent to me (our Exchange guys are looking into the matter): Transcript of session follows.
Out: 220 mail3.wise.k12.va.us ESMTP
In: EHLO mail.wise.k12.va.us
Out: 250-mail3.wise.k12.va.us
Out: 250-PIPELINING
Out: 250-SIZE 8
Out: 250-VRFY
Out: 250-ETRN
Out: 250-ENHANCEDSTATUSCODES
Out: 250-8BITMIME
Out: 250 DSN
In: MAIL FROM:jev...@wise.k12.va.us SIZE=1163
Out: 250 2.1.0 Ok
In: RCPT TO:fox2...@naseej.com
Out: 250 2.1.5 Ok
In: RCPT TO:khale...@naseej.com
Out: 250 2.1.5 Ok
In: RCPT TO:aboshw...@naseej.com
Out: 250 2.1.5 Ok
In: RCPT TO:abdul...@naseej.com
Out: 250 2.1.5 Ok
In: RCPT TO:bm...@naseej.com
Out: 250 2.1.5 Ok
In: RCPT TO:saltm...@naseej.com
Out: 250 2.1.5 Ok
In: RCPT TO:aarr1...@naseej.com
Out: 250 2.1.5 Ok
In: RCPT TO:se...@naseej.com
Out: 250 2.1.5 Ok
In: RCPT TO:sanad1...@naseej.com
Out: 250 2.1.5 Ok
In: RCPT TO:kham1...@naseej.com
Out: 250 2.1.5 Ok
In: RCPT TO:adi...@naseej.com
Out: 250 2.1.5 Ok
Shane
-Original Message- From: Roger Wright [mailto:rhw...@gmail.com] Sent: Monday, August 02, 2010 2:35 PM To: NT System Admin Issues Subject: Re: malware that creates Outlook rules Is your firewall set to only allow SMTP (port 25) traffic from your Exchange server? Die dulci fruere! Roger Wright ___ On Mon, Aug 2, 2010 at 2:21 PM, Osborne, Richard richard.osbo...@wth.org wrote: I disabled their accounts and it didn't help. -Original Message- From: Roger Wright [mailto:rhw...@gmail.com] Sent: Monday, August 02, 2010 1:09 PM To: NT System Admin Issues Subject: Re: malware that creates Outlook rules Have you had the users change their passwords yet? Die dulci fruere! Roger Wright ___ On Mon, Aug 2, 2010 at 1:46 PM, Osborne, Richard richard.osbo...@wth.org wrote: Has anyone seen malware that creates an Outlook rule that moves all new mail to Deleted Items and then sends out a bunch of spam? I have a few users that have been hit with something I can't find. I scanned the PCs with VIPRE, MalwareBytes, Symantec's online scanner and didn't find anything. Then I turned off the PCs and something is still accessing their mailboxes. I scanned the Exchange server also. I am not seeing anything in Exchange User Monitor or Windows Security logs and our network guys say they don't see any unusual traffic to our Exchange server. Google finds a couple of people reporting the same thing but no resolution. Windows XP SP2 clients with Outlook 2002 2003; Exchange Server 2003 SP2 on Server 2003 SP1. Thanks for any ideas. Richard Osborne Information Systems Jackson-Madison County General Hospital
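Added example, not code from the thread or from any poster: a Python parser for an MTA session transcript in the "In:/Out:" layout quoted in the message above (including the flattened one-line form), which flags a local sender whose session had many accepted external recipients. The sample session, the example.* addresses, the function names and the `max_external` threshold are constructed assumptions.

```python
import re
from collections import Counter, deque

# Constructed sample in the "In:/Out:" transcript layout, flattened onto one
# line as the archive shows it. Reserved example domains only; none of these
# addresses come from the thread.
SAMPLE = (
    "Out: 220 mx.example.org ESMTP In: EHLO mail.example.org "
    "Out: 250-mx.example.org Out: 250-PIPELINING Out: 250 DSN "
    "In: MAIL FROM:<teacher@example.org> SIZE=1163 Out: 250 2.1.0 Ok "
    + " ".join(
        f"In: RCPT TO:<user{i}@example.net> Out: 250 2.1.5 Ok"
        for i in range(1, 8)
    )
    + " In: RCPT TO:<gone@example.com> Out: 550 5.1.1 User unknown"
    + " In: DATA Out: 354 End data with <CR><LF>.<CR><LF>"
)

MARKER = re.compile(r"\b(In|Out):\s*")           # direction markers
REPLY = re.compile(r"^(\d{3})([ -]?)")           # reply code and separator
ADDR = re.compile(r"^(MAIL FROM|RCPT TO):\s*<?([^>\s]+)>?", re.IGNORECASE)


def parse_transcript(text):
    """Return the envelope sender plus accepted and rejected recipients."""
    parts = MARKER.split(text)  # [preamble, dir, payload, dir, payload, ...]
    session = {"sender": None, "accepted": [], "rejected": []}
    pending = deque()           # commands still waiting for a final reply
    for direction, payload in zip(parts[1::2], parts[2::2]):
        payload = payload.strip()
        if direction == "In":
            pending.append(payload)
            continue
        reply = REPLY.match(payload)
        # Skip "250-..." continuation lines and the unsolicited 220 greeting.
        if not reply or reply.group(2) == "-" or not pending:
            continue
        command = pending.popleft()   # FIFO pairing also covers PIPELINING
        accepted = reply.group(1).startswith("2")
        envelope = ADDR.match(command)
        if not envelope:
            continue                  # EHLO, DATA, etc. carry no address
        verb, addr = envelope.group(1).upper(), envelope.group(2).lower()
        if verb == "MAIL FROM":
            if accepted:
                session["sender"] = addr
        else:
            session["accepted" if accepted else "rejected"].append(addr)
    return session


def domain_of(addr):
    return addr.rsplit("@", 1)[-1]


def assess(session, local_domains, max_external=5):
    """Flag a local sender with more than max_external accepted external
    recipients in one session (the threshold is an assumed starting point)."""
    local = {d.lower() for d in local_domains}
    external = [r for r in session["accepted"] if domain_of(r) not in local]
    top = Counter(domain_of(r) for r in external).most_common(1)
    sender = session["sender"]
    return {
        "sender": sender,
        "external_recipients": len(external),
        "top_domain": top[0] if top else None,
        "suspicious": bool(sender)
        and domain_of(sender) in local
        and len(external) > max_external,
    }


if __name__ == "__main__":
    print(assess(parse_transcript(SAMPLE), {"example.org"}))
```

Run over the MTA's bounce or session logs, the flagged sender addresses give a list of mailboxes whose credentials, rules and web-mail logons deserve a closer look.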
RE: backing up too much data
Little late, but. Funny you say this. At a previous job, we kept our monthly/quarterly/yearly backups at a local branch. Dailies went to IM for 2-week rotation. Don Guyer Systems Engineer - Information Services Prudential, Fox Roach/Trident Group 431 W. Lancaster Avenue Devon, PA 19333 Direct: (610) 993-3299 Fax: (610) 650-5306 don.gu...@prufoxroach.com -Original Message- From: Kurt Buff [mailto:kurt.b...@gmail.com] Sent: Wednesday, July 28, 2010 1:10 PM To: NT System Admin Issues Subject: Re: backing up too much data I assume for the moment (further data might invalidate this assumption) that Iron Mountain and the like are not within budget. Having made that assumption, Ben has uttered Magic Words there: Bank Vault OP's org almost certainly has a bank account with a local branch. I'd bet in a place like DC either that branch, or another bank nearby, has safe deposit boxes for rent, relatively inexpensively. Makes for a nice lunch hour detour, I think. Kurt On Wed, Jul 28, 2010 at 09:57, Ben Scott mailvor...@gmail.com wrote: On Wed, Jul 28, 2010 at 9:54 AM, Erik Goldoff egold...@gmail.com wrote: Seems that a wise investment would be a quality fire-resistant safe big enough to hold a fire resistant lock box Fire safes aren't what most people think they are. Many of them are rated for paper only, not machine media. Most of the ones which are rated for machine media give you an hour, maybe two. Unless it's a bank vault, assume a serious structure fire is going to kill whatever you've got in your fire safe. Depending the specifics of the organization and the people and the data, I'd worry more about a local disaster than about the VP going rogue and taking the data with him. Stolen/misplaced media can be addressed by encryption. -- Ben
RE: malware that creates Outlook rules
Check the sent items folder to see if the user replied to a phishing email. You might have 1000's of emails to go through to find but it might be there, unless they gave the user id and password to a web site. We've seen very similar things here. Massive spam in the sent folder but just before all the spam was a reply with user id and password. Also check for auto reply rules. Saw those on one account. -Original Message- From: Osborne, Richard [mailto:richard.osbo...@wth.org] Sent: Monday, August 02, 2010 1:47 PM To: NT System Admin Issues Subject: malware that creates Outlook rules Has anyone seen malware that creates an Outlook rule that moves all new mail to Deleted Items and then sends out a bunch of spam? I have a few users that have been hit with something I can't find. I scanned the PCs with VIPRE, MalwareBytes, Symantec's online scanner and didn't find anything. Then I turned off the PCs and something is still accessing their mailboxes. I scanned the Exchange server also. I am not seeing anything in Exchange User Monitor or Windows Security logs and our network guys say they don't see any unusual traffic to our Exchange server. Google finds a couple of people reporting the same thing but no resolution. Windows XP SP2 clients with Outlook 2002 2003; Exchange Server 2003 SP2 on Server 2003 SP1. Thanks for any ideas. Richard Osborne Information Systems Jackson-Madison County General Hospital
RE: malware that creates Outlook rules
I'm glad I'm not the only sufferer! I'll try and answer the other questions that were asked:

1) yes, the spam continued even with the user's account disabled and their PC powered off
2) yes, only our Exchange server can send SMTP to the Internet
3) my OWA servers are clean according to VIPRE MalwareBytes

So far this has hit 3 users (out of ~5000). I have not seen any spam sent in the last 5 hours but I don't have any confidence that I have found the source. Maybe there's a PC with a high-privileged account that has been compromised and is sending out spam runs on a schedule? Currently I am getting up-to-date on patches on all my Exchange boxes.

-----Original Message-----
From: Thomas Mullins [mailto:tsmull...@wise.k12.va.us]
Sent: Monday, August 02, 2010 2:17 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

We are having a similar issue. We changed the user's password, and since that user is in a meeting, we turned his machine off. Looks like it has to be coming from OWA. Here is some info from an error message our external MTA sent to me (our Exchange guys are looking into the matter):

Transcript of session follows.

Out: 220 mail3.wise.k12.va.us ESMTP
In: EHLO mail.wise.k12.va.us
Out: 250-mail3.wise.k12.va.us
Out: 250-PIPELINING
Out: 250-SIZE 8
Out: 250-VRFY
Out: 250-ETRN
Out: 250-ENHANCEDSTATUSCODES
Out: 250-8BITMIME
Out: 250 DSN
In: MAIL FROM:jev...@wise.k12.va.us SIZE=1163
Out: 250 2.1.0 Ok
In: RCPT TO:fox2...@naseej.com
Out: 250 2.1.5 Ok
In: RCPT TO:khale...@naseej.com
Out: 250 2.1.5 Ok
In: RCPT TO:aboshw...@naseej.com
Out: 250 2.1.5 Ok
In: RCPT TO:abdul...@naseej.com
Out: 250 2.1.5 Ok
In: RCPT TO:bm...@naseej.com
Out: 250 2.1.5 Ok
In: RCPT TO:saltm...@naseej.com
Out: 250 2.1.5 Ok
In: RCPT TO:aarr1...@naseej.com
Out: 250 2.1.5 Ok
In: RCPT TO:se...@naseej.com
Out: 250 2.1.5 Ok
In: RCPT TO:sanad1...@naseej.com
Out: 250 2.1.5 Ok
In: RCPT TO:kham1...@naseej.com
Out: 250 2.1.5 Ok
In: RCPT TO:adi...@naseej.com
Out: 250 2.1.5 Ok

Shane

-----Original Message-----
From: Roger Wright [mailto:rhw...@gmail.com]
Sent: Monday, August 02, 2010 2:35 PM
To: NT System Admin Issues
Subject: Re: malware that creates Outlook rules

Is your firewall set to only allow SMTP (port 25) traffic from your Exchange server?

Die dulci fruere!
Roger Wright

On Mon, Aug 2, 2010 at 2:21 PM, Osborne, Richard richard.osbo...@wth.org wrote:

I disabled their accounts and it didn't help.

-----Original Message-----
From: Roger Wright [mailto:rhw...@gmail.com]
Sent: Monday, August 02, 2010 1:09 PM
To: NT System Admin Issues
Subject: Re: malware that creates Outlook rules

Have you had the users change their passwords yet?

Die dulci fruere!
Roger Wright
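Added example, not part of the original thread: a small parser for an MTA session transcript in the "In:/Out:" layout quoted in the message above, which pairs each client command with its reply and reports which envelope sender addressed how many accepted recipients. The sample transcript, its addresses and the recipient threshold are constructed assumptions.

```python
import re
from collections import Counter

# Constructed transcript in the same "In:/Out:" layout as the MTA notice quoted above.
SAMPLE_TRANSCRIPT = """\
Out: 220 mx.example.net ESMTP
In: EHLO mail.example.org
Out: 250-mx.example.net
Out: 250-PIPELINING
Out: 250 DSN
In: MAIL FROM:<jdoe@example.org> SIZE=1163
In: RCPT TO:<u1@bulk.example>
In: RCPT TO:<u2@bulk.example>
Out: 250 2.1.0 Ok
Out: 250 2.1.5 Ok
Out: 550 5.1.1 User unknown
In: RCPT TO:u3@bulk.example
Out: 250 2.1.5 Ok
In: RCPT TO:u4@bulk.example
Out: 250 2.1.5 Ok
In: RCPT TO:<u5@bulk.example>
Out: 250 2.1.5 Ok
In: RCPT TO:<v1@other.example>
Out: 250 2.1.5 Ok
In: DATA
Out: 554 5.7.1 Rejected
"""

LINE = re.compile(r"^(In|Out):\s*(.*)$")
# Angle brackets are optional because mail archives often strip them.
ENVELOPE = re.compile(r"^(MAIL FROM|RCPT TO):\s*<?([^<>\s]*)>?", re.IGNORECASE)
REPLY = re.compile(r"^(\d{3})([ -]?)")


def parse_transcript(text):
    """Return one dict per mail transaction: sender, accepted and rejected recipients."""
    pending = []        # client commands still waiting for their final reply
    transactions = []
    for raw in text.splitlines():
        line = LINE.match(raw.strip())
        if not line:
            continue
        side, body = line.groups()
        if side == "In":
            pending.append(body)
            continue
        reply = REPLY.match(body)
        # Skip "250-..." continuation lines and the greeting, which answers no command.
        if not reply or reply.group(2) == "-" or not pending:
            continue
        command = pending.pop(0)    # with PIPELINING, replies arrive in command order
        accepted = reply.group(1).startswith("2")
        envelope = ENVELOPE.match(command)
        if not envelope:
            continue                # EHLO, DATA and other non-envelope commands
        verb = envelope.group(1).upper()
        address = envelope.group(2).lower() or "<>"   # "<>" is the null (bounce) sender
        if verb == "MAIL FROM":
            if accepted:
                transactions.append({"sender": address, "accepted": [], "rejected": []})
        elif transactions:
            transactions[-1]["accepted" if accepted else "rejected"].append(address)
    return transactions


def bulk_senders(transactions, max_recipients):
    """List transactions whose accepted recipient count exceeds max_recipients."""
    findings = []
    for tx in transactions:
        if len(tx["accepted"]) <= max_recipients:
            continue
        domains = Counter(addr.rpartition("@")[2] for addr in tx["accepted"])
        top_domain, count = domains.most_common(1)[0]
        findings.append({
            "sender": tx["sender"],
            "accepted": len(tx["accepted"]),
            "top_domain": top_domain,
            "top_domain_count": count,
        })
    return findings


if __name__ == "__main__":
    for finding in bulk_senders(parse_transcript(SAMPLE_TRANSCRIPT), max_recipients=4):
        print(finding)
```

The sender it reports is the account to investigate first; a high share of recipients at one domain is typical of list-driven spam runs rather than normal user mail.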
RE: malware that creates Outlook rules
Also check those exchange smtp queues. If it is compromised accounts the spammers can send spam via your owa faster than your exchange server can process so it will get backed up so disabling accounts or changing passwords won't stop it until the queues are emptied.
RE: malware that creates Outlook rules
It's very likely a phished account. This happens to us on a regular basis and there's really nothing that can be done to fix it short of educating the users, which is...difficult. The fact that spam was continuing even after the account is disabled could be chalked up to mail still in the queues.
Re: malware that creates Outlook rules
You need to go through the OWA logs for that user's access history to verify if it is through OWA. It won't infect your OWA servers.
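Added example, not part of the original thread: one way to pull a user's OWA access history out of IIS W3C extended logs, grouping successful requests by authenticated user and client address and marking addresses outside the internal ranges. The sample log, the field selection, the `/exchange/` path prefix and the internal range are assumptions for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in IIS W3C extended format (users and addresses are made up).
# IIS writes W3C timestamps in UTC, so convert before comparing with local queue times.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2010-08-02 12:58:03 10.1.4.20 CORP\asmith GET /exchange/asmith/Inbox/ 200
2010-08-02 13:40:11 203.0.113.77 - GET / 302
2010-08-02 13:40:12 203.0.113.77 CORP\jdoe GET /exchange/jdoe/Inbox/ 200
2010-08-02 13:41:05 203.0.113.77 CORP\jdoe POST /exchange/jdoe/Drafts/ 200
2010-08-02 13:41:09 203.0.113.77 CORP\jdoe POST /exchange/jdoe/Drafts/ 200
2010-08-02 13:45:30 10.1.7.31 CORP\jdoe GET /exchange/jdoe/Inbox/ 200
2010-08-02 13:50:00 198.51.100.9 CORP\bwhite GET /exchange/bwhite/Inbox/ 401
2010-08-02 14:02:44 203.0.113.77 corp\JDoe GET /exchange/jdoe/Inbox/ 200
2010-08-02 14:03
"""


def parse_w3c(text):
    """Yield one dict per log line, using the most recent #Fields directive."""
    fields = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue    # no header yet, or a truncated line
        yield dict(zip(fields, values))


def owa_access_by_user(records, internal_nets, owa_prefix="/exchange/"):
    """Map user -> client IP -> request counts and first/last seen, successes only."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    summary = defaultdict(dict)
    for rec in records:
        user = rec.get("cs-username", "-").lower()
        path = rec.get("cs-uri-stem", "").lower()
        status = rec.get("sc-status", "")
        if user == "-" or not path.startswith(owa_prefix):
            continue    # anonymous request or not a mailbox URL
        if not status.isdigit() or int(status) >= 400:
            continue    # failed logons are a separate question
        try:
            ip = ipaddress.ip_address(rec.get("c-ip", ""))
        except ValueError:
            continue
        stamp = f'{rec.get("date", "")} {rec.get("time", "")}'
        entry = summary[user].setdefault(str(ip), {
            "requests": 0, "posts": 0, "first": stamp, "last": stamp,
            "external": not any(ip in net for net in nets),
        })
        entry["requests"] += 1
        entry["posts"] += rec.get("cs-method", "").upper() == "POST"
        entry["first"] = min(entry["first"], stamp)
        entry["last"] = max(entry["last"], stamp)
    return dict(summary)


def external_access(summary):
    """Return (user, ip, info) for mailbox access from outside, busiest writers first."""
    hits = [(user, ip, info)
            for user, per_ip in summary.items()
            for ip, info in per_ip.items() if info["external"]]
    return sorted(hits, key=lambda h: (-h[2]["posts"], h[0], h[1]))


if __name__ == "__main__":
    report = owa_access_by_user(parse_w3c(SAMPLE_LOG), ["10.0.0.0/8"])
    for user, ip, info in external_access(report):
        print(user, ip, info)
```

An external address with many POST requests against a mailbox shortly before the queue fills is the pattern to compare against the user's known locations.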
RE: malware that creates Outlook rules
I have been monitoring the Exchange queues. It's the only way I can tell when it is happening. I found the aqadmcli.exe utility and have been using it to clean the queues (aqadmcli delmsg flags=SENDER,sender=bob.sm...@wth.org). I'll check the OWA logs ASAP. Assuming I have had three users reply to phishing e-mails, is there anything to fix besides changing their passwords? Thanks everyone for the suggestions.
RE: malware that creates Outlook rules
We're a Lotus Notes shop using Postini as a relay, if it makes any difference... We had one desktop system here, and a few in NYC, where spam was being spewed out. This actually had nothing at all to do with Domino/Lotus but rather a rogue SMTP server which got snuck onto some workstations. We were able to track this down by monitoring SMTP traffic through our firewall. All SMTP traffic was to be coming from only one IP at each location, and it was all supposed to be directed to our Postini host. At least yours does not seem to be happening on a weekend...

--
Richard D. McClary
Systems Administrator, Information Technology Group
ASPCA®
1717 S. Philo Rd, Ste 36
Urbana, IL 61802
richardmccl...@aspca.org
P: 217-337-9761 C: 217-417-1182 F: 217-337-9761
www.aspca.org

The information contained in this e-mail, and any attachments hereto, is from The American Society for the Prevention of Cruelty to Animals® (ASPCA®) and is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail, you are hereby notified that any dissemination, distribution, copying or use of the contents of this e-mail, and any attachments hereto, is strictly prohibited. If you have received this e-mail in error, please immediately notify me by reply email and permanently delete the original and any copy of this e-mail and any printout thereof.
RE: malware that creates Outlook rules
This actually looks promising. We just recently got off 2003 so I'll be investigating this heavily.

http://technet.microsoft.com/en-us/library/dd298094.aspx

The problem we have is that we keep getting on spam lists and then blocked from sending email to hotmail, gmail, etc. Hopefully a ThrottlePolicy of say 2 or 3 per minute, will be enough to let us catch it before we get blocked.
RE: malware that creates Outlook rules
Yeah, that sounds nice except we have 2000 students with an average of 500 new ones every year so our major issue isn't repeat offenders.

-Original Message- From: Glen Johnson [mailto:gjohn...@vhcc.edu] Sent: Monday, August 02, 2010 2:51 PM To: NT System Admin Issues Subject: RE: malware that creates Outlook rules
When this happened here, we disabled their email account until they completed our security awareness training, for the second time. With supervisors' complete support.

-Original Message- From: Osborne, Richard [mailto:richard.osbo...@wth.org] Sent: Monday, August 02, 2010 3:40 PM To: NT System Admin Issues Subject: RE: malware that creates Outlook rules
I have been monitoring the Exchange queues. It's the only way I can tell when it is happening. I found the aqadmcli.exe utility and have been using it to clean the queues (aqadmcli delmsg flags=SENDER,sender=bob.sm...@wth.org). I'll check the OWA logs ASAP. Assuming I have had three users reply to phishing e-mails, is there anything to fix besides changing their passwords? Thanks everyone for the suggestions.

-Original Message- From: Glen Johnson [mailto:gjohn...@vhcc.edu] Sent: Monday, August 02, 2010 2:35 PM To: NT System Admin Issues Subject: RE: malware that creates Outlook rules
Also check those exchange smtp queues. If it is compromised accounts the spammers can send spam via your owa faster than your exchange server can process so it will get backed up so disabling accounts or changing passwords won't stop it until the queues are emptied.

-Original Message- From: Osborne, Richard [mailto:richard.osbo...@wth.org] Sent: Monday, August 02, 2010 3:32 PM To: NT System Admin Issues Subject: RE: malware that creates Outlook rules
I'm glad I'm not the only sufferer! I'll try and answer the other questions that were asked:
1) yes, the spam continued even with the user's account disabled and their PC powered off
2) yes, only our Exchange server can send SMTP to the Internet
3) my OWA servers are clean according to VIPRE MalwareBytes
So far this has hit 3 users (out of ~5000). I have not seen any spam sent in the last 5 hours but I don't have any confidence that I have found the source. Maybe there's a PC with a high-privileged account that has been compromised and is sending out spam runs on a schedule? Currently I am getting up-to-date on patches on all my Exchange boxes.

-Original Message- From: Thomas Mullins [mailto:tsmull...@wise.k12.va.us] Sent: Monday, August 02, 2010 2:17 PM To: NT System Admin Issues Subject: RE: malware that creates Outlook rules
We are having a similar issue. We changed the user's password, and since that user is in a meeting, we turned his machine off. Looks like it has to be coming from OWA. Here is some info from an error message our external MTA sent to me (our Exchange guys are looking into the matter):
Transcript of session follows.
Out: 220 mail3.wise.k12.va.us ESMTP
In: EHLO mail.wise.k12.va.us
Out: 250-mail3.wise.k12.va.us
Out: 250-PIPELINING
Out: 250-SIZE 8
Out: 250-VRFY
Out: 250-ETRN
Out: 250-ENHANCEDSTATUSCODES
Out: 250-8BITMIME
Out: 250 DSN
In: MAIL FROM:jev...@wise.k12.va.us SIZE=1163
Out: 250 2.1.0 Ok
In: RCPT TO:fox2...@naseej.com
Out: 250 2.1.5 Ok
In: RCPT TO:khale...@naseej.com
Out: 250 2.1.5 Ok
In: RCPT TO:aboshw...@naseej.com
Out: 250 2.1.5 Ok
In: RCPT TO:abdul...@naseej.com
Out: 250 2.1.5 Ok
In: RCPT TO:bm...@naseej.com
Out: 250 2.1.5 Ok
In: RCPT TO:saltm...@naseej.com
Out: 250 2.1.5 Ok
In: RCPT TO:aarr1...@naseej.com
Out: 250 2.1.5 Ok
In: RCPT TO:se...@naseej.com
Out: 250 2.1.5 Ok
In: RCPT TO:sanad1...@naseej.com
Out: 250 2.1.5 Ok
In: RCPT TO:kham1...@naseej.com
Out: 250 2.1.5 Ok
In: RCPT TO:adi...@naseej.com
Out: 250 2.1.5 Ok
Shane

-Original Message- From: Roger Wright [mailto:rhw...@gmail.com] Sent: Monday, August 02, 2010 2:35 PM To: NT System Admin Issues Subject: Re: malware that creates Outlook rules
Is your firewall set to only allow SMTP (port 25) traffic from your Exchange server? Die dulci fruere! Roger Wright

On Mon, Aug 2, 2010 at 2:21 PM, Osborne, Richard richard.osbo...@wth.org wrote: I disabled their accounts and it didn't help.

-Original Message- From: Roger Wright [mailto:rhw...@gmail.com] Sent: Monday, August 02, 2010 1:09 PM To: NT System Admin Issues Subject: Re: malware that creates Outlook rules
Have you had the users change their passwords yet? Die dulci fruere! Roger Wright

On Mon, Aug 2, 2010 at 1:46 PM, Osborne, Richard richard.osbo...@wth.org wrote: Has anyone seen malware that creates an Outlook rule that moves all new mail to Deleted Items and then sends out a bunch of spam? I have a few users that have been hit with something I can't find. I scanned the PCs with VIPRE, MalwareBytes, Symantec's online scanner and didn't find anything. Then I turned off the PCs and
Lotus Approach Files
We have an old database that is being used by a company we now own. They are using an old version of smart suite to use the Approach database. Is there a new version of this software that I can buy or some kind of software that will work because the install files for the program are not complete so I can't install it on any PCs anymore. James
Re: Lotus Approach Files
http://preview.tinyurl.com/39p336p
Die dulci fruere! Roger Wright

On Mon, Aug 2, 2010 at 4:08 PM, James Kerr cluster...@gmail.com wrote: We have an old database that is being used by a company we now own. They are using an old version of smart suite to use the Approach database. Is there a new version of this software that I can buy or some kind of software that will work because the install files for the program are not complete so I can't install it on any PCs anymore. James
Re: OT: WHAT Was She Thinking?!?
Ya, I saw that the other night when News 10 broadcast it. What that article doesn't say is that she watched the tech download the pictures once he found them. Then, along with shipping that laptop, the tech also charged a new computer and printer to this lady's Dell account, and shipped it to his girlfriend somewhere back east. Only when he contacted Tara, apologizing for charging her account, and that he'd pay her back, please don't tell his bosses, he didn't want to lose his job, etc., did she finally go to the media to try to get some help with the issue...

Roger Wright rhw...@gmail.com 8/2/2010 11:33 AM http://news.cnet.com/8301-17852_3-20012250-71.html Die dulci fruere! Roger Wright
RE: malware that creates Outlook rules
Ah ha. Didn't notice the .edu addy. In that case, I would seriously investigate outsourcing that to MS or Google. The entire Va. Community College System went with Google for student email and so far it has worked really well. Can't beat the cost too. Zero and the student gets to keep their same email as long as they want it. No advertisements in their account while they are students. No backups, spam, outages and all that other support headaches for me. Great big plus.

-Original Message- From: Crawford, Scott [mailto:crawfo...@evangel.edu] Sent: Monday, August 02, 2010 4:05 PM To: NT System Admin Issues Subject: RE: malware that creates Outlook rules
Yeah, that sounds nice except we have 2000 students with an average of 500 new ones every year so our major issue isn't repeat offenders.
RE: malware that creates Outlook rules
We haven't had any of those problems since switching to opendns and Vipre for exchange.

-Original Message- From: Glen Johnson [mailto:gjohn...@vhcc.edu] Sent: Monday, August 02, 2010 2:51 PM To: NT System Admin Issues Subject: RE: malware that creates Outlook rules
When this happened here, we disabled their email account until they completed our security awareness training, for the second time. With supervisors complete support.
Re: malware that creates Outlook rules
Ideas:
Patch your machines - XP SP2 is no longer supported. Get to SP3, and get all the patches after that, including today's emergency patch.
Patch your Win2k3 server, too. Current is SP2, and you're not there, so you're *WAY* behind.
Get UBCD4WIN, and boot any suspect machines with it and see what VIPRE Rescue and Malwarebytes find when run that way.
Block port 25 outbound at your firewall (and probably port 587 - submission) for all machines except your Exchange server, then record which machines are bouncing off of the firewall from the inside after that.
Oh heck, block everything outbound at your firewall for your workstations except ports 80 and 443, and anything that you have an actual business case for opening up. That will tell you oodles about your environment.
Kurt

On Mon, Aug 2, 2010 at 10:46, Osborne, Richard richard.osbo...@wth.org wrote: Has anyone seen malware that creates an Outlook rule that moves all new mail to Deleted Items and then sends out a bunch of spam? I have a few users that have been hit with something I can't find. I scanned the PCs with VIPRE, MalwareBytes, Symantec's online scanner and didn't find anything. Then I turned off the PCs and something is still accessing their mailboxes. I scanned the Exchange server also. I am not seeing anything in Exchange User Monitor or Windows Security logs and our network guys say they don't see any unusual traffic to our Exchange server. Google finds a couple of people reporting the same thing but no resolution. Windows XP SP2 clients with Outlook 2002 2003; Exchange Server 2003 SP2 on Server 2003 SP1. Thanks for any ideas. Richard Osborne Information Systems Jackson-Madison County General Hospital
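Kurt's suggestion above (block outbound ports 25 and 587 for everything except the Exchange server, then record which machines bounce off the firewall) can be worked through as follows. This is an added example, not code from the thread; the key=value log format, the 10.1.0.0/16 LAN range and the 10.1.0.10 Exchange address are assumptions, and the log lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in a hypothetical key=value firewall log format
# (not any vendor's real format). External addresses are documentation ranges.
SAMPLE_LOG = """\
2010-08-02T14:01:07 action=deny proto=tcp src=10.1.4.23 dst=198.51.100.7 dport=25
2010-08-02T14:01:07 action=deny proto=tcp src=10.1.4.23 dst=198.51.100.9 dport=25
2010-08-02T14:01:08 action=allow proto=tcp src=10.1.0.10 dst=203.0.113.5 dport=25
2010-08-02T14:01:09 action=deny proto=tcp src=10.1.7.88 dst=203.0.113.40 dport=587
2010-08-02T14:01:12 action=deny proto=tcp src=10.1.4.23 dst=192.0.2.77 dport=25
2010-08-02T14:02:30 action=deny proto=udp src=10.1.9.2 dst=192.0.2.53 dport=53
2010-08-02T14:03:00 action=deny proto=tcp src=203.0.113.99 dst=10.1.0.10 dport=25
garbage line that does not parse
"""

INTERNAL_NET = ipaddress.ip_network("10.1.0.0/16")        # assumed LAN range
MAIL_SERVERS = {ipaddress.ip_address("10.1.0.10")}        # assumed Exchange server
SMTP_PORTS = {25, 587}                                    # SMTP and submission

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.+)$")


def parse_line(line):
    """Return a dict for one log line, or None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(p.split("=", 1) for p in m.group("kv").split() if "=" in p)
    try:
        return {
            "ts": datetime.fromisoformat(m.group("ts")),
            "action": fields["action"],
            "proto": fields["proto"],
            "src": ipaddress.ip_address(fields["src"]),
            "dst": ipaddress.ip_address(fields["dst"]),
            "dport": int(fields["dport"]),
        }
    except (KeyError, ValueError):
        return None


def smtp_offenders(lines, internal_net=INTERNAL_NET,
                   mail_servers=MAIL_SERVERS, ports=SMTP_PORTS):
    """Rank internal hosts whose direct outbound SMTP was denied.

    Returns (report, skipped): report is a list of dicts sorted by attempt
    count (highest first); skipped counts lines that could not be parsed.
    """
    stats = defaultdict(lambda: {"attempts": 0, "dests": set(), "ports": set(),
                                 "first": None, "last": None})
    skipped = 0
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev is None:
            skipped += 1
            continue
        if ev["action"] != "deny" or ev["proto"] != "tcp":
            continue
        if ev["dport"] not in ports:
            continue
        # Only traffic leaving the LAN from a host that is not a mail server.
        if ev["src"] not in internal_net or ev["src"] in mail_servers:
            continue
        if ev["dst"] in internal_net:
            continue
        s = stats[ev["src"]]
        s["attempts"] += 1
        s["dests"].add(ev["dst"])
        s["ports"].add(ev["dport"])
        s["first"] = ev["ts"] if s["first"] is None else min(s["first"], ev["ts"])
        s["last"] = ev["ts"] if s["last"] is None else max(s["last"], ev["ts"])

    report = [{"src": str(src), "attempts": s["attempts"],
               "distinct_dests": len(s["dests"]), "ports": sorted(s["ports"]),
               "first": s["first"], "last": s["last"]}
              for src, s in stats.items()]
    report.sort(key=lambda r: (-r["attempts"], r["src"]))
    return report, skipped


if __name__ == "__main__":
    rows, bad = smtp_offenders(SAMPLE_LOG.splitlines())
    for r in rows:
        print(f'{r["src"]:<12} attempts={r["attempts"]} '
              f'dests={r["distinct_dests"]} ports={r["ports"]} '
              f'{r["first"]} .. {r["last"]}')
    print(f"unparsed lines: {bad}")
```

A workstation that appears in this report is trying to deliver mail directly; an empty report while spam is still leaving points back at the mail server itself, for example stolen credentials used through OWA, as discussed in the thread.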
Re: OT: WHAT Was She Thinking?!?
How DARE you accuse that woman of thinking or using any cognitive functions in any way, shape or form! -ASB: http://XeeSM.com/AndrewBaker

On Mon, Aug 2, 2010 at 2:33 PM, Roger Wright rhw...@gmail.com wrote: http://news.cnet.com/8301-17852_3-20012250-71.html Die dulci fruere! Roger Wright
Re: Lotus Approach Files
Symphony: free, opens a lot of file types and if you can't find the type you need, there's always the plugins: http://symphony.lotus.com/

On Mon, Aug 2, 2010 at 5:08 PM, James Kerr cluster...@gmail.com wrote: We have an old database that is being used by a company we now own. They are using an old version of smart suite to use the Approach database. Is there a new version of this software that I can buy or some kind of software that will work because the install files for the program are not complete so I can't install it on any PCs anymore. James
Re: OT: WHAT Was She Thinking?!?
Note: he's no longer handling Dell calls. So, he's now doing HP support?

On Mon, Aug 2, 2010 at 4:24 PM, Andrew S. Baker asbz...@gmail.com wrote: How DARE you accuse that woman of thinking or using any cognitive functions in any way, shape or form! -ASB: http://XeeSM.com/AndrewBaker

On Mon, Aug 2, 2010 at 2:33 PM, Roger Wright rhw...@gmail.com wrote: http://news.cnet.com/8301-17852_3-20012250-71.html Die dulci fruere! Roger Wright
RE: OT: WHAT Was She Thinking?!?
Nah, he's doing Photoshop support now.

From: Jonathan Link [mailto:jonathan.l...@gmail.com] Sent: Monday, August 02, 2010 3:30 PM To: NT System Admin Issues Subject: Re: OT: WHAT Was She Thinking?!?
Note: he's no longer handling Dell calls. So, he's now doing HP support?

On Mon, Aug 2, 2010 at 4:24 PM, Andrew S. Baker asbz...@gmail.com wrote: How DARE you accuse that woman of thinking or using any cognitive functions in any way, shape or form! -ASB: http://XeeSM.com/AndrewBaker

On Mon, Aug 2, 2010 at 2:33 PM, Roger Wright rhw...@gmail.com wrote: http://news.cnet.com/8301-17852_3-20012250-71.html Die dulci fruere! Roger Wright
Re: Lotus Approach Files
Excellent, I didn't even think of ebay. I'm not familiar with the Lotus stuff at all.

- Original Message - From: Roger Wright rhw...@gmail.com To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com Sent: Monday, August 02, 2010 4:12 PM Subject: Re: Lotus Approach Files
http://preview.tinyurl.com/39p336p Die dulci fruere! Roger Wright

On Mon, Aug 2, 2010 at 4:08 PM, James Kerr cluster...@gmail.com wrote: We have an old database that is being used by a company we now own. They are using an old version of smart suite to use the Approach database. Is there a new version of this software that I can buy or some kind of software that will work because the install files for the program are not complete so I can't install it on any PCs anymore. James
Re: OT: WHAT Was She Thinking?!?
I saw that as well. It is a deeply unsatisfying description of Mr. Shaikh's current status.

On Mon, Aug 2, 2010 at 4:29 PM, Jonathan Link jonathan.l...@gmail.com wrote: Note: he's no longer handling Dell calls. So, he's now doing HP support?

On Mon, Aug 2, 2010 at 4:24 PM, Andrew S. Baker asbz...@gmail.com wrote: How DARE you accuse that woman of thinking or using any cognitive functions in any way, shape or form! -ASB: http://XeeSM.com/AndrewBaker

On Mon, Aug 2, 2010 at 2:33 PM, Roger Wright rhw...@gmail.com wrote: http://news.cnet.com/8301-17852_3-20012250-71.html Die dulci fruere! Roger Wright
Re: Lotus Approach Files
Doh! I already bought a copy of smart suite on ebay!

- Original Message - From: Rubens Almeida rubensalme...@gmail.com To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com Sent: Monday, August 02, 2010 4:25 PM Subject: Re: Lotus Approach Files
Symphony: free, opens a lot of file types and if you can't find the type you need, there's always the plugins: http://symphony.lotus.com/

On Mon, Aug 2, 2010 at 5:08 PM, James Kerr cluster...@gmail.com wrote: We have an old database that is being used by a company we now own. They are using an old version of smart suite to use the Approach database. Is there a new version of this software that I can buy or some kind of software that will work because the install files for the program are not complete so I can't install it on any PCs anymore. James
Re: OT: WHAT Was She Thinking?!?
Reminds me of a movie we just watched a few days ago: Outsourced - http://www.outsourcedthemovie.com/ Die dulci fruere! Roger Wright

On Mon, Aug 2, 2010 at 4:29 PM, Jonathan Link jonathan.l...@gmail.com wrote: Note: he's no longer handling Dell calls. So, he's now doing HP support?

On Mon, Aug 2, 2010 at 4:24 PM, Andrew S. Baker asbz...@gmail.com wrote: How DARE you accuse that woman of thinking or using any cognitive functions in any way, shape or form! -ASB: http://XeeSM.com/AndrewBaker

On Mon, Aug 2, 2010 at 2:33 PM, Roger Wright rhw...@gmail.com wrote: http://news.cnet.com/8301-17852_3-20012250-71.html Die dulci fruere! Roger Wright
Re: Lotus Approach Files
Approach uses dBase format database files. Any program that can access a dBase file can access an Approach database. If you want the Approach front end (i.e. Forms, Reports, Views) you would need the Approach program.
-- Bob Hartung Wisco Industries, Inc. 736 Janesville St. Oregon, WI 53575 Tel: (608) 835-3106 x215 Fax: (608) 835-7399 e-mail: bhartung(at)wiscoind.com

From: James Kerr [mailto:cluster...@gmail.com] To: NT System Admin Issues [mailto:ntsysad...@lyris.sunbelt-software.com] Sent: Mon, 02 Aug 2010 15:08:40 -0500 Subject: Lotus Approach Files
We have an old database that is being used by a company we now own. They are using an old version of smart suite to use the Approach database. Is there a new version of this software that I can buy or some kind of software that will work because the install files for the program are not complete so I can't install it on any PCs anymore. James
RE: malware that creates Outlook rules
Yeah, it's on the investigate list. It does happen with staff on occasion too, but not nearly as much as students. The major outstanding question I have is how to do Unified Messaging with Exchange if the mailbox is outsourced? It's prolly something simple, but I just haven't looked into it yet.

-Original Message- From: Glen Johnson [mailto:gjohn...@vhcc.edu] Sent: Monday, August 02, 2010 3:14 PM To: NT System Admin Issues Subject: RE: malware that creates Outlook rules
Ah ha. Didn't notice the .edu addy. In that case, I would seriously investigate outsourcing that to MS or Google. The entire Va. Community College System went with Google for student email and so far it has worked really well. Can't beat the cost too. Zero and the student gets to keep their same email as long as they want it. No advertisements in their account while they are students. No backups, spam, outages and all that other support headaches for me. Great big plus.
WMI information gathering
We have a group that wants to come in, and scan our servers to gather information. We want to cooperate with this effort, but we don't want to give them access to be able to write back to the servers. Is this possible? Is there a tool that can be used without an admin account, in order to gather information from within WMI? Please contact offline for further details, if needed. As always, I sincerely appreciate any assistance any of you may be able to provide. Thanks, Joe
WSJ: MSFT reduced IE security to protect ad revenue
Microsoft Quashed Effort to Boost Online Privacy by Nick Wingfield, Wall Street Journal (2 Aug 2010) http://online.wsj.com/article/SB10001424052748703467304575383530439838568.html

Internet Explorer's handling of cookies hasn't really changed in over a decade. The WSJ is claiming the IE development team actually wanted to improve things, but management axed it. Microsoft makes a lot of money from Internet advertising. Management didn't want to potentially impact that revenue stream, so they blocked some privacy features from IE.

As far as I know, Firefox accepts third-party cookies by default, too. I wonder why *they* don't do anything about it. I find a bug for it[1] but it's been inactive for over a year.
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=324397

Anyone know about Apple Safari and Google Chrome in this area? GOOG's got the same conflict-of-interest MSFT has here. -- Ben
RE: MSFT reduced IE security to protect ad revenue
By default, Google Chrome allows third party cookies. It can be disabled. Regards, Michael B. Smith Consultant and Exchange MVP http://TheEssentialExchange.com

-Original Message- From: Ben Scott [mailto:mailvor...@gmail.com] Sent: Monday, August 02, 2010 7:00 PM To: NT System Admin Issues Subject: WSJ: MSFT reduced IE security to protect ad revenue
Microsoft Quashed Effort to Boost Online Privacy by Nick Wingfield, Wall Street Journal (2 Aug 2010) http://online.wsj.com/article/SB10001424052748703467304575383530439838568.html

Internet Explorer's handling of cookies hasn't really changed in over a decade. The WSJ is claiming the IE development team actually wanted to improve things, but management axed it. Microsoft makes a lot of money from Internet advertising. Management didn't want to potentially impact that revenue stream, so they blocked some privacy features from IE.

As far as I know, Firefox accepts third-party cookies by default, too. I wonder why *they* don't do anything about it. I find a bug for it[1] but it's been inactive for over a year.
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=324397

Anyone know about Apple Safari and Google Chrome in this area? GOOG's got the same conflict-of-interest MSFT has here. -- Ben
Stupid, stupid, stupid hotmail/MSN Live redesign
All,

Anyone on here use a Secure Computing Sidewinder (Now McAfee - http://www.mcafee.com/us/enterprise/products/network_security/firewall_enterprise.html) firewall?

Anyone with it run into issues where the hotmail/MSN Live redesign last week fubar'ed access through the Sidewinder?

I don't have a hotmail account, but a lot of my users can't get to their hotmail inboxes now, because of it. Actually, that's not quite true. They can get to the inbox, but they can't open any emails. Can't start to compose a new one either. It just sits there, and allows you to click on anything, without it responding at all.

I'm up to my eyeballs doing stuff at the moment, so haven't had time to investigate. I suspect they're redirecting content to new domains or something ultra-stupid that breaks RFCs, because the Sidewinder is a very strict protocol proxy, but I just haven't had time to investigate.

Kurt
Boss, Boss - the cloud, the cloud
Right... http://consumerist.com/2010/08/crook-crack-check-image-sites.html
RE: 2008 DC being offline
It was a regression.

Thanks,
Brian Desmond
br...@briandesmond.com
c - 312.731.3132

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Monday, August 02, 2010 1:33 PM
To: NT System Admin Issues
Subject: Re: 2008 DC being offline

Wow.. Why did it shift downward from 2003 to 2003R2?

-ASB: http://XeeSM.com/AndrewBaker

On Mon, Aug 2, 2010 at 2:24 PM, Brian Desmond br...@briandesmond.com wrote:

60 is the default for 2000 and 2003 R2 forests, 180 for 2003, 2008, 2008 R2 forests. Note this is the original OS version of the first DC not the current FFL. There are scenarios you'd change this but they're fairly vertical.

Thanks,
Brian Desmond
br...@briandesmond.com
c - 312.731.3132

-----Original Message-----
From: David Lum [mailto:david@nwea.org]
Sent: Monday, August 02, 2010 9:30 AM
To: NT System Admin Issues
Subject: RE: 2008 DC being offline

I stand corrected, maybe it was 66 days. As a general rule I don't change defaults unless I have a compelling reason to do so, and I can't think of one here.

-----Original Message-----
From: Brian Desmond [mailto:br...@briandesmond.com]
Sent: Friday, July 30, 2010 4:07 PM
To: NT System Admin Issues
Subject: RE: 2008 DC being offline

30 days not unless you tinkered with some tombstone lifetime settings which I don't know why you would lower it...

Thanks,
Brian Desmond
br...@briandesmond.com
c - 312.731.3132

-----Original Message-----
From: David Lum [mailto:david@nwea.org]
Sent: Wednesday, July 28, 2010 2:55 PM
To: NT System Admin Issues
Subject: RE: 2008 DC being offline

Past 30 days offline it will complain - at least 2003 servers do, but I think it's also related to some AD archive or backup time setting. I ran into something about 30 days when I restored a DC from a backup that was 36 days old. Minor in the scheme of things, just something to keep in mind.

...Then again, maybe that was of no help...

David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764

-----Original Message-----
From: jesse-r...@wi.rr.com [mailto:jesse-r...@wi.rr.com]
Sent: Wednesday, July 28, 2010 11:56 AM
To: NT System Admin Issues
Subject: 2008 DC being offline

Hello,

A 2008 DC (let's call it Server-F) we have at another site has been offline for 6 weeks. We powered it down because the building was undergoing construction, and the building was effectively CLOSED for those 6 weeks. Construction is done and I'm ready to bring the server back online.

Is there a problem with just turning Server-F on and letting it re-sync with active directory even though it's been offline for 6 weeks?

or... would I be better off bringing Server-F up WITHOUT a network cable connected, run dcpromo /forceremoval on it... then remove any references to the Server-F from my other DCs, and eventually re-promote server F back as a DC?

Thoughts?
Finding a huge file dump from June...
All,

On our file server we have a single 1.5tb partition - it's on a SAN. Over the course of 4 days recently it went from about 30% free to about 13% free - someone slammed around 200gb onto the file server.

I have a general idea of where it might be - there are two top-level directories that are over 200gb each. However, windirstat hasn't been completely helpful, as I can't seem to isolate which files were loaded during those days, and none of the files that I've been looking at were huge - no ISO or VHD files worth mentioning, etc. I also am pretty confident that there are a *bunch* of duplicate files on those directories.

So, I'm looking for a couple of things:

1) A way to get a directory listing that supports a time/date stamp (my choice of atime, mtime or ctime) size and a complete path name for each file/directory on a single line - something like:

   2009-01-08 16:12 854,509 K:\Groups\training\On-Site_Special_Training\Customer1.doc

   I've tried every trick I can think of for the 'dir' command and it won't do what I want, and the 'ls' command from gnuwin32 doesn't seem to want to do this either. Is there a powershell one-liner that can do this for me perhaps?

2) A recommendation for a duplicate file finder - cheap or free would be preferred.

Kurt
Re: Boss, Boss - the cloud, the cloud
Well, not everything on the Internet is cloud computing.

Having said that, consolidating valuable assets should make them easier to protect (and should make protection more cost-effective). At the same time, such a collection of valuable assets increases the risk of attack, due to the potential payoff. So, any lapse in protection can be tremendously painful.

Before engaging in any form of outsourcing -- whether on-shore, off-shore, or cloud -- be sure you have some way of determining what security standard the vendor is planning to live up to, and (more importantly), have something in the contract to mitigate your risks and those of your customers, should a breach occur...

ASB (My XeeSM Profile) http://XeeSM.com/AndrewBaker
Exploiting Technology for Business Advantage...

On Mon, Aug 2, 2010 at 8:06 PM, Kurt Buff kurt.b...@gmail.com wrote:
> Right... http://consumerist.com/2010/08/crook-crack-check-image-sites.html
Re: Finding a huge file dump from June...
If no new files jump at you, someone may have inadvertently copied a large directory. What OS are you running? I think 2003 R2 had some duplicate file reporting features. I imagine 2008 has the same features.

- Sean
RE: Finding a huge file dump from June...
In re: [1], either 'du' or 'find' can do what you want.

I'm pretty sure that I had a native Windows application called scanner.exe that did that too - but I'm unable to locate it right now.

Regards,
Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com
Re: Finding a huge file dump from June...
    for %V in (C:\Temp\*.*) do @echo %~tV %~zV %~V

This is only the regular modified date of the file, though. PowerShell can do what you want, but I'd have to play with that longer to tell you...

ASB (My XeeSM Profile) http://XeeSM.com/AndrewBaker
Exploiting Technology for Business Advantage...
Re: Finding a huge file dump from June...
On Mon, Aug 2, 2010 at 8:48 PM, Kurt Buff kurt.b...@gmail.com wrote:
> (my choice of atime, mtime or ctime)

Those Unix concepts don't exist one-to-one in Windows.

atime is last accessed, Windows does that pretty much the same thing, as Last accessed.

mtime is last data modification (i.e., file contents). ctime is last change to inode. Changes to mtime always touch the ctime as well. Changes to some other things (such as permission mode) only touch the ctime.

The Windows Last modified time is something more than mtime, prolly closer to ctime, but I think there are things you can do in a directory in Windows which don't touch the Last modified time which would on *nix. (I could be wrong, but Windows has a bajillion different ways to access files, so hard to prove non-existence.)

Windows also has a Creation time, date/time file was created in filesystem. There's no standard implementation of that on *nix.

When Windows copies a file, it generally preserves the Last modified time to match the original, but the Creation time is the time of the copy. Looking for files with a recent Creation time may help you in your case.

The GUI can search for files by Creation. I don't know of a command-line tool off the top of my head.

-- Ben
Re: Finding a huge file dump from June...
Powershell...

    dir C:\Temp -force | format-table -property CreationTime, Length, Name
    dir C:\Temp -force | format-table -property LastWriteTime, Length, Name
    dir C:\Temp -force | format-table -property LastAccessTime, Length, Name

ASB (My XeeSM Profile) http://XeeSM.com/AndrewBaker
Exploiting Technology for Business Advantage...

On Mon, Aug 2, 2010 at 9:07 PM, Andrew S. Baker asbz...@gmail.com wrote:
> for %V in (C:\Temp\*.*) do @echo %~tV %~zV %~V
>
> This is only the regular modified date of the file, though. PowerShell can do what you want, but I'd have to play with that longer to tell you...
Re: Finding a huge file dump from June...
PowerShell... and here's one of my favorite one-liners to find big files:

    dir c:\temp -force -recurse | sort length -desc | format-table creationtime,lastwritetime,lastaccesstime,length,fullname -auto

You can sort the results replacing the length by any of the properties after format-table
Re: Finding a huge file dump from June...
Win2k3 R2. I'll have to look at the docos to see what I can find.

On Mon, Aug 2, 2010 at 17:59, Sean Martin seanmarti...@gmail.com wrote:
> If no new files jump at you, someone may have inadvertently copied a large directory. What OS are you running? I think 2003 R2 had some duplicate file reporting features. I imagine 2008 has the same features.
>
> - Sean
Re: Finding a huge file dump from June...
I'll have to read up on my 'find' implementation. That seems likely.

On Mon, Aug 2, 2010 at 17:59, Michael B. Smith mich...@smithcons.com wrote:
> In re: [1], either 'du' or 'find' can do what you want.
>
> I'm pretty sure that I had a native Windows application called scanner.exe that did that too - but I'm unable to locate it right now.
>
> Regards,
> Michael B. Smith
> Consultant and Exchange MVP
> http://TheEssentialExchange.com
Re: Finding a huge file dump from June...
On Mon, Aug 2, 2010 at 18:08, Ben Scott mailvor...@gmail.com wrote:
> On Mon, Aug 2, 2010 at 8:48 PM, Kurt Buff kurt.b...@gmail.com wrote:
>> (my choice of atime, mtime or ctime)
>
> Those Unix concepts don't exist one-to-one in Windows.

Yeah, but those are the terms that stick in my mind. Funny how that works when you're exposed to the *nix virus, even after having started with Windows oh so many years ago.

> atime is last accessed, Windows does that pretty much the same thing, as Last accessed.
>
> mtime is last data modification (i.e., file contents). ctime is last change to inode. Changes to mtime always touch the ctime as well. Changes to some other things (such as permission mode) only touch the ctime.
>
> The Windows Last modified time is something more than mtime, prolly closer to ctime, but I think there are things you can do in a directory in Windows which don't touch the Last modified time which would on *nix. (I could be wrong, but Windows has a bajillion different ways to access files, so hard to prove non-existence.)
>
> Windows also has a Creation time, date/time file was created in filesystem. There's no standard implementation of that on *nix.
>
> When Windows copies a file, it generally preserves the Last modified time to match the original, but the Creation time is the time of the copy. Looking for files with a recent Creation time may help you in your case.
>
> The GUI can search for files by Creation. I don't know of a command-line tool off the top of my head.

Creation time is what I was looking for. I've been looking at powershell for the past 10 minutes, and it may have a better answer for me.

Kurt
Re: Finding a huge file dump from June...
And that is almost certainly what I'm looking for. I'll try that tomorrow.

Thank you sir.

Kurt

On Mon, Aug 2, 2010 at 18:21, Andrew S. Baker asbz...@gmail.com wrote:
> Powershell...
>
>     dir C:\Temp -force | format-table -property CreationTime, Length, Name
>     dir C:\Temp -force | format-table -property LastWriteTime, Length, Name
>     dir C:\Temp -force | format-table -property LastAccessTime, Length, Name
Re: Finding a huge file dump from June...
I like that. Nice one-liner.

On Mon, Aug 2, 2010 at 20:52, Rubens Almeida rubensalme...@gmail.com wrote:
> PowerShell... and here's one of my favorite one-liners to find big files:
>
>     dir c:\temp -force -recurse | sort length -desc | format-table creationtime,lastwritetime,lastaccesstime,length,fullname -auto
>
> You can sort the results replacing the length by any of the properties after format-table
Re: Finding a huge file dump from June...
The other thing that comes to mind is to check the backup logs from those dates. I don't know if my minion has set the logs to record files backed up, but if they are set that way, I can diff them and see what happened.

If they aren't set that way, I'll have to see what kind of impact that logging will entail, and make a judgment...

Kurt

On Mon, Aug 2, 2010 at 17:59, Michael B. Smith mich...@smithcons.com wrote:
> In re: [1], either 'du' or 'find' can do what you want.
>
> I'm pretty sure that I had a native Windows application called scanner.exe that did that too - but I'm unable to locate it right now.
>
> Regards,
> Michael B. Smith
> Consultant and Exchange MVP
> http://TheEssentialExchange.com
Re: Finding a huge file dump from June...
I like the command line options but the file resource reporting features are a good way to trend utilization.

http://technet.microsoft.com/en-us/magazine/2006.05.getcontrol.aspx

- Sean

On Aug 2, 2010, at 8:14 PM, Kurt Buff kurt.b...@gmail.com wrote:

The other thing that comes to mind is to check the backup logs from those dates. I don't know if my minion has set the logs to record files backed up, but if they are set that way, I can diff them and see what happened. If they aren't set that way, I'll have to see what kind of impact that logging will entail, and make a judgment...

Kurt

On Mon, Aug 2, 2010 at 17:59, Michael B. Smith mich...@smithcons.com wrote:

In re: [1], either 'du' or 'find' can do what you want. I'm pretty sure that I had a native Windows application called scanner.exe that did that too - but I'm unable to locate it right now.

Regards,
Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

-----Original Message-----
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Monday, August 02, 2010 8:49 PM
To: NT System Admin Issues
Subject: Finding a huge file dump from June...

All,

On our file server we have a single 1.5tb partition - it's on a SAN. Over the course of 4 days recently it went from about 30% free to about 13% free - someone slammed around 200gb onto the file server.

I have a general idea of where it might be - there are two top-level directories that are over 200gb each. However, windirstat hasn't been completely helpful, as I can't seem to isolate which files were loaded during those days, and none of the files that I've been looking at were huge - no ISO or VHD files worth mentioning, etc. I also am pretty confident that there are a *bunch* of duplicate files on those directories.

So, I'm looking for a couple of things:

1) A way to get a directory listing that supports a time/date stamp (my choice of atime, mtime or ctime) size and a complete path name for each file/directory on a single line - something like:

2009-01-08 16:12 854,509 K:\Groups\training\On-Site_Special_Training\Customer1.doc

I've tried every trick I can think of for the 'dir' command and it won't do what I want, and the 'ls' command from gnuwin32 doesn't seem to want to do this either. Is there a powershell one-liner that can do this for me perhaps?

2) A recommendation for a duplicate file finder - cheap or free would be preferred.

Kurt
Holy mother of Vlad Tepes...
http://scienceblog.com/36957/data-sorting-world-record-falls-computer-scientists-break-terabyte-sort-barrier-in-60-seconds/
Re: Finding a huge file dump from June...
Thanks - looks like a good read.

On Mon, Aug 2, 2010 at 21:47, Sean Martin seanmarti...@gmail.com wrote:

I like the command line options but the file resource reporting features are a good way to trend utilization.

http://technet.microsoft.com/en-us/magazine/2006.05.getcontrol.aspx

- Sean

On Aug 2, 2010, at 8:14 PM, Kurt Buff kurt.b...@gmail.com wrote:

The other thing that comes to mind is to check the backup logs from those dates. I don't know if my minion has set the logs to record files backed up, but if they are set that way, I can diff them and see what happened. If they aren't set that way, I'll have to see what kind of impact that logging will entail, and make a judgment...

Kurt

On Mon, Aug 2, 2010 at 17:59, Michael B. Smith mich...@smithcons.com wrote:

In re: [1], either 'du' or 'find' can do what you want. I'm pretty sure that I had a native Windows application called scanner.exe that did that too - but I'm unable to locate it right now.

Regards,
Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

-----Original Message-----
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Monday, August 02, 2010 8:49 PM
To: NT System Admin Issues
Subject: Finding a huge file dump from June...

All,

On our file server we have a single 1.5tb partition - it's on a SAN. Over the course of 4 days recently it went from about 30% free to about 13% free - someone slammed around 200gb onto the file server.

I have a general idea of where it might be - there are two top-level directories that are over 200gb each. However, windirstat hasn't been completely helpful, as I can't seem to isolate which files were loaded during those days, and none of the files that I've been looking at were huge - no ISO or VHD files worth mentioning, etc. I also am pretty confident that there are a *bunch* of duplicate files on those directories.

So, I'm looking for a couple of things:

1) A way to get a directory listing that supports a time/date stamp (my choice of atime, mtime or ctime) size and a complete path name for each file/directory on a single line - something like:

2009-01-08 16:12 854,509 K:\Groups\training\On-Site_Special_Training\Customer1.doc

I've tried every trick I can think of for the 'dir' command and it won't do what I want, and the 'ls' command from gnuwin32 doesn't seem to want to do this either. Is there a powershell one-liner that can do this for me perhaps?

2) A recommendation for a duplicate file finder - cheap or free would be preferred.

Kurt