Re: Finding a huge file dump from June...

2010-08-02 Thread Kurt Buff
Thanks - looks like a good read.

On Mon, Aug 2, 2010 at 21:47, Sean Martin  wrote:
> I like the command line options but the file resource reporting features are
> a good way to trend utilization.
>
> http://technet.microsoft.com/en-us/magazine/2006.05.getcontrol.aspx
>
> - Sean

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~



Holy mother of Vlad Tepes...

2010-08-02 Thread Kurt Buff
http://scienceblog.com/36957/data-sorting-world-record-falls-computer-scientists-break-terabyte-sort-barrier-in-60-seconds/



Re: Finding a huge file dump from June...

2010-08-02 Thread Sean Martin
I like the command line options but the file resource reporting  
features are a good way to trend utilization.


http://technet.microsoft.com/en-us/magazine/2006.05.getcontrol.aspx

- Sean



On Aug 2, 2010, at 8:14 PM, Kurt Buff wrote:

> The other thing that comes to mind is to check the backup logs from
> those dates. I don't know if my minion has set the logs to record
> files backed up, but if they are set that way, I can diff them and see
> what happened.
>
> If they aren't set that way, I'll have to see what kind of impact that
> logging will entail, and make a judgment...
>
> Kurt



Re: Finding a huge file dump from June...

2010-08-02 Thread Kurt Buff
The other thing that comes to mind is to check the backup logs from
those dates. I don't know if my minion has set the logs to record
files backed up, but if they are set that way, I can diff them and see
what happened.

If they aren't set that way, I'll have to see what kind of impact that
logging will entail, and make a judgment...

Kurt

On Mon, Aug 2, 2010 at 17:59, Michael B. Smith  wrote:
> In re: [1], either 'du' or 'find' can do what you want.
>
> I'm pretty sure that I had a native Windows application called "scanner.exe" 
> that did that too - but I'm unable to locate it right now.
>
> Regards,
>
> Michael B. Smith
> Consultant and Exchange MVP
> http://TheEssentialExchange.com
>



Re: Finding a huge file dump from June...

2010-08-02 Thread Kurt Buff
I like that. Nice one-liner.

On Mon, Aug 2, 2010 at 20:52, Rubens Almeida  wrote:
> PowerShell... and here's one of my favorite one-liners to find big files:
>
> dir c:\temp -force -recurse | sort length -desc | format-table creationtime,lastwritetime,lastaccesstime,length,fullname -auto
>
> You can sort the results replacing the length by any of the properties
> after format-table



Re: Finding a huge file dump from June...

2010-08-02 Thread Kurt Buff
And that is almost certainly what I'm looking for.

I'll try that tomorrow.

Thank you sir.

Kurt

On Mon, Aug 2, 2010 at 18:21, Andrew S. Baker  wrote:
> Powershell...
>  dir C:\Temp -force | format-table -property CreationTime, Length, Name
>  dir C:\Temp -force | format-table -property LastWriteTime, Length, Name
>  dir C:\Temp -force | format-table -property LastAccessTime, Length, Name
>
> ASB (My XeeSM Profile)
> Exploiting Technology for Business Advantage...



Re: Finding a huge file dump from June...

2010-08-02 Thread Kurt Buff
On Mon, Aug 2, 2010 at 18:08, Ben Scott  wrote:
> On Mon, Aug 2, 2010 at 8:48 PM, Kurt Buff  wrote:
>> (my choice of atime, mtime or ctime)
>
>  Those Unix concepts don't exist one-to-one in Windows.

Yeah, but those are the terms that stick in my mind. Funny how that
works when you're exposed to the *nix virus, even after having started
with Windows oh so many years ago.

> atime is last accessed, Windows does that pretty much the same thing,
> as "Last accessed".
>
> mtime is last data modification (i.e., file contents).  ctime is last
> change to inode.  Changes to mtime always touch the ctime as well.
> Changes to some other things (such as permission mode) only touch the
> ctime.
>
> The Windows "Last modified" time is something more than mtime, prolly
> closer to ctime, but I think there are things you can do in a
> directory in Windows which don't touch the "Last modified" time which
> would on *nix.  (I could be wrong, but Windows has a bajillion
> different ways to access files, so hard to prove non-existence.)
>
> Windows also has a "Creation" time, date/time file was created in
> filesystem.  There's no standard implementation of that on *nix.
>
> When Windows copies a file, it generally preserves the "Last modified"
> time to match the original, but the "Creation" time is the time of the
> copy.  Looking for files with a recent "Creation" time may help you in
> your case.
>
>  The GUI can search for files by "Creation".  I don't know of a
> command-line tool off the top of my head.

Creation time is what I was looking for. I've been looking at
powershell for the past 10 minutes, and it may have a better answer
for me.

Kurt




Re: Finding a huge file dump from June...

2010-08-02 Thread Kurt Buff
I'll have to read up on my 'find' implementation. That seems likely.

On Mon, Aug 2, 2010 at 17:59, Michael B. Smith  wrote:
> In re: [1], either 'du' or 'find' can do what you want.
>
> I'm pretty sure that I had a native Windows application called "scanner.exe" 
> that did that too - but I'm unable to locate it right now.
>
> Regards,
>
> Michael B. Smith
> Consultant and Exchange MVP
> http://TheEssentialExchange.com



Re: Finding a huge file dump from June...

2010-08-02 Thread Kurt Buff
Win2k3 R2. I'll have to look at the docos to see what I can find.

On Mon, Aug 2, 2010 at 17:59, Sean Martin  wrote:
> If no new files jump at you, someone may have inadvertently copied a large
> directory.
>
> What OS are you running? I think 2003 R2 had some duplicate file reporting
> features. I imagine 2008 has the same features.
>
> - Sean



Re: Finding a huge file dump from June...

2010-08-02 Thread Rubens Almeida
PowerShell... and here's one of my favorite one-liners to find big files:

dir c:\temp -force -recurse | sort length -desc | format-table creationtime,lastwritetime,lastaccesstime,length,fullname -auto

You can sort the results replacing the length by any of the properties
after format-table




Re: Finding a huge file dump from June...

2010-08-02 Thread Andrew S. Baker
Powershell...

dir C:\Temp -force | format-table -property CreationTime, Length, Name
dir C:\Temp -force | format-table -property LastWriteTime, Length, Name
dir C:\Temp -force | format-table -property LastAccessTime, Length, Name


ASB (My XeeSM Profile)
Exploiting Technology for Business Advantage...


On Mon, Aug 2, 2010 at 9:07 PM, Andrew S. Baker  wrote:

> for %V in (C:\Temp\*.*) do @echo %~tV %~zV %~V
>
> This is only the regular modified date of the file, though.
>
>
> PowerShell can do what you want, but I'd have to play with that longer to
> tell you...

Re: Finding a huge file dump from June...

2010-08-02 Thread Ben Scott
On Mon, Aug 2, 2010 at 8:48 PM, Kurt Buff  wrote:
> (my choice of atime, mtime or ctime)

  Those Unix concepts don't exist one-to-one in Windows.

atime is last accessed, Windows does that pretty much the same thing,
as "Last accessed".

mtime is last data modification (i.e., file contents).  ctime is last
change to inode.  Changes to mtime always touch the ctime as well.
Changes to some other things (such as permission mode) only touch the
ctime.

The Windows "Last modified" time is something more than mtime, prolly
closer to ctime, but I think there are things you can do in a
directory in Windows which don't touch the "Last modified" time which
would on *nix.  (I could be wrong, but Windows has a bajillion
different ways to access files, so hard to prove non-existence.)

Windows also has a "Creation" time, date/time file was created in
filesystem.  There's no standard implementation of that on *nix.

When Windows copies a file, it generally preserves the "Last modified"
time to match the original, but the "Creation" time is the time of the
copy.  Looking for files with a recent "Creation" time may help you in
your case.

  The GUI can search for files by "Creation".  I don't know of a
command-line tool off the top of my head.

-- Ben
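
To illustrate the point about "Creation" time, here is an added PowerShell example (not written by anyone in this thread). It lists the files whose CreationTime falls inside a date window, one per line in the date/size/path layout the original post asked for, marks files whose creation time is later than their last write time (the pattern a copy leaves behind, per the message above), and totals the new bytes per top-level folder. The root path and the window dates are assumed values; only cmdlets present in PowerShell 2.0 are used.

```powershell
# Added example, not from the thread. Assumed values: $Root, $From, $To.
$Root = 'K:\Groups'              # assumed root of the share (absolute path)
$From = [datetime]'2010-06-14'   # assumed start of the window (inclusive)
$To   = [datetime]'2010-06-18'   # assumed end of the window (exclusive)

# Walk the tree once. -Force includes hidden and system files. Paths that
# cannot be read (access denied, path too long) are collected in $scanErrors
# so a gap in the listing is not mistaken for "nothing there".
$created = @(
    Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue -ErrorVariable scanErrors |
        Where-Object {
            -not $_.PSIsContainer -and
            $_.CreationTime -ge $From -and
            $_.CreationTime -lt $To
        }
)

# One line per file: creation time, size in bytes, full path.
# "copied?" marks files created after they were last written, which is what
# a copy that preserves "Last modified" looks like.
$created | Sort-Object CreationTime | ForEach-Object {
    $mark = if ($_.CreationTime -gt $_.LastWriteTime) { 'copied?' } else { '' }
    '{0:yyyy-MM-dd  HH:mm}  {1,15:N0}  {2}  {3}' -f $_.CreationTime, $_.Length, $_.FullName, $mark
}

# Total the newly created bytes per first-level folder under $Root.
$prefixLength = $Root.TrimEnd('\').Length + 1
$created |
    Group-Object -Property {
        $parts = $_.FullName.Substring($prefixLength).Split('\')
        if ($parts.Length -gt 1) { $parts[0] } else { '(root)' }
    } |
    ForEach-Object {
        New-Object PSObject -Property @{
            Folder = $_.Name
            Files  = $_.Count
            Bytes  = ($_.Group | Measure-Object -Property Length -Sum).Sum
        }
    } |
    Sort-Object Bytes -Descending |
    Format-Table Folder, Files, @{ Label = 'Bytes'; Expression = { '{0:N0}' -f $_.Bytes }; Alignment = 'Right' } -AutoSize

"Unreadable paths skipped: $($scanErrors.Count)"
```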



Re: Finding a huge file dump from June...

2010-08-02 Thread Andrew S. Baker
for %V in (C:\Temp\*.*) do @echo %~tV %~zV %~V

This is only the regular modified date of the file, though.


PowerShell can do what you want, but I'd have to play with that longer to
tell you...


ASB (My XeeSM Profile)
Exploiting Technology for Business Advantage...



RE: Finding a huge file dump from June...

2010-08-02 Thread Michael B. Smith
In re: [1], either 'du' or 'find' can do what you want.

I'm pretty sure that I had a native Windows application called "scanner.exe" 
that did that too - but I'm unable to locate it right now.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com



Re: Finding a huge file dump from June...

2010-08-02 Thread Sean Martin
If no new files jump at you, someone may have inadvertently copied a
large directory.


What OS are you running? I think 2003 R2 had some duplicate file  
reporting features. I imagine 2008 has the same features.


- Sean





Re: Boss, Boss - the cloud, the cloud

2010-08-02 Thread Andrew S. Baker
Well, not everything on the Internet is "cloud computing"

Having said that, consolidating valuable assets should make them easier to
protect (and should make protection more cost-effective).  At the same time,
such a collection of valuable assets increases the risk of attack, due to
the potential payoff.  So, any lapse in protection can be tremendously
painful.

Before engaging in any form of outsourcing -- whether on-shore, off-shore,
or cloud -- be sure you have some way of determining what security standard
the vendor is planning to live up to, and (more importantly), have something
in the contract to mitigate your risks and those of your customers, should a
breach occur...



*ASB *(My XeeSM Profile) 
*Exploiting Technology for Business Advantage...*


On Mon, Aug 2, 2010 at 8:06 PM, Kurt Buff  wrote:

> Right...
> http://consumerist.com/2010/08/crook-crack-check-image-sites.html
>
>


Finding a huge file dump from June...

2010-08-02 Thread Kurt Buff
All,

On our file server we have a single 1.5tb partition - it's on a SAN.
Over the course of 4 days recently it went from about 30% free to
about 13% free - someone slammed around 200gb onto the file server.

I have a general idea of where it might be - there are two top-level
directories that are over 200gb each.

However, windirstat hasn't been completely helpful, as I can't seem to
isolate which files were loaded during those days, and none of the
files that I've been looking at were huge - no ISO or VHD files worth
mentioning, etc..

I also am pretty confident that there are a *bunch* of duplicate files
on those directories.

So, I'm looking for a couple of things:

1) A way to get a directory listing that supports a time/date stamp
(my choice of atime, mtime or ctime) size and a complete path name for
each file/directory on a single line - something like:

2009-01-08  16:12   854,509  K:\Groups\training\On-Site_Special_Training\Customer1.doc

I've tried every trick I can think of for the 'dir' command and it
won't do what I want, and the 'ls' command from gnuwin32 doesn't seem
to want to do this either. Is there a powershell one-liner that can do
this for me perhaps?

2) A recommendation for a duplicate file finder - cheap or free would
be preferred.

Kurt
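
One way to produce the listing asked for in the message above, as an added example that is not part of the thread. It assumes PowerShell 4.0 or later (for `-File` and `Get-FileHash`); `$Root`, the date window and `$Report` are placeholders, and the function names are made up for this example. It lists files only and filters on creation time, because that is the stamp set when a file lands on the volume.

```powershell
# Added example, not from the thread. Assumes PowerShell 4.0+ (-File, Get-FileHash).
# $Root, $Start/$End and $Report are placeholders to adjust.
$Root   = 'K:\Groups'
$Start  = Get-Date '2010-06-01'      # placeholder: first day of the suspected window
$End    = $Start.AddDays(4)          # the post describes a 4-day window
$Report = Join-Path $env:TEMP 'landed-files.txt'

# On NTFS a plain copy usually gets a new CreationTime at the destination while
# keeping the source's LastWriteTime, so CreationTime is the stamp that dates a
# bulk copy. Tools that preserve timestamps are the exception.
function Get-FileRecord {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        [ValidateSet('CreationTime', 'LastWriteTime', 'LastAccessTime')]
        [string] $Stamp = 'CreationTime'
    )
    # Directories that cannot be read are skipped silently.
    Get-ChildItem -LiteralPath $Path -Recurse -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Stamp    = $_.$Stamp
                Length   = $_.Length
                FullName = $_.FullName
            }
        }
}

# One line per file: date, time, size with thousands separators, full path.
function Format-FileRecord {
    process {
        '{0:yyyy-MM-dd  HH:mm}  {1,15:N0}  {2}' -f $_.Stamp, $_.Length, $_.FullName
    }
}

$records = @(Get-FileRecord -Path $Root -Stamp CreationTime)

# 1) Files that arrived inside the window, oldest first, written to a report.
$landed = @($records | Where-Object { $_.Stamp -ge $Start -and $_.Stamp -lt $End })
$landed | Sort-Object Stamp | Format-FileRecord | Set-Content -Path $Report -Encoding UTF8

# Which directories received the most data in that window.
$landed |
    Group-Object -Property { Split-Path -Parent $_.FullName } |
    ForEach-Object {
        [pscustomobject]@{
            Directory = $_.Name
            Files     = $_.Count
            GB        = [math]::Round(($_.Group | Measure-Object Length -Sum).Sum / 1GB, 2)
        }
    } |
    Sort-Object GB -Descending |
    Select-Object -First 20 |
    Format-Table -AutoSize

# 2) Duplicate candidates: only files that share a size are hashed, which avoids
#    reading every byte on a 1.5 TB volume.
$dupes = $records |
    Group-Object Length |
    Where-Object { $_.Count -gt 1 -and $_.Name -ne '0' } |
    ForEach-Object { $_.Group } |
    ForEach-Object { Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 } |
    Group-Object Hash |
    Where-Object { $_.Count -gt 1 }

foreach ($set in $dupes) {
    '{0}  ({1} copies)' -f $set.Name, $set.Count
    $set.Group | ForEach-Object { '    ' + $_.Path }
}
```

Passing `-Stamp LastWriteTime` or `-Stamp LastAccessTime` to `Get-FileRecord` gives the mtime and atime views of the same listing.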



RE: 2008 DC being offline

2010-08-02 Thread Brian Desmond
It was a regression.

Thanks,
Brian Desmond
br...@briandesmond.com

c   - 312.731.3132

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Monday, August 02, 2010 1:33 PM
To: NT System Admin Issues
Subject: Re: 2008 DC being offline

Wow.. Why did it shift downward from 2003 to 2003R2?

-ASB: http://XeeSM.com/AndrewBaker

On Mon, Aug 2, 2010 at 2:24 PM, Brian Desmond wrote:
60 is the default for 2000 and 2003 R2 forests, 180 for 2003, 2008, 2008 R2 
forests. Note this is the original OS version of the first DC not the current 
FFL.

There are scenarios you'd change this but they're fairly vertical.

Thanks,
Brian Desmond
br...@briandesmond.com

c   - 312.731.3132


-Original Message-
From: David Lum [mailto:david@nwea.org]
Sent: Monday, August 02, 2010 9:30 AM
To: NT System Admin Issues
Subject: RE: 2008 DC being offline

I stand corrected, maybe it was 66 days. As a general rule I don't change 
defaults unless I have a compelling reason to do so, and I can't think of one 
here.

-Original Message-
From: Brian Desmond [mailto:br...@briandesmond.com]
Sent: Friday, July 30, 2010 4:07 PM
To: NT System Admin Issues
Subject: RE: 2008 DC being offline

30 days not unless you tinkered with some tombstone lifetime settings which I 
don't know why you would lower it...

Thanks,
Brian Desmond
br...@briandesmond.com

c - 312.731.3132



-Original Message-
From: David Lum [mailto:david@nwea.org]
Sent: Wednesday, July 28, 2010 2:55 PM
To: NT System Admin Issues
Subject: RE: 2008 DC being offline

Past 30 days offline it will complain - at least 2003 servers do, but I think 
it's also related to some AD archive or backup time setting. I ran into 
something about 30 days when I restored a DC from a backup that was 36 days old.

Minor in the scheme of things, just something to keep in mind.

...Then again, maybe that was of no help...

David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764



-Original Message-
From: jesse-r...@wi.rr.com [mailto:jesse-r...@wi.rr.com]
Sent: Wednesday, July 28, 2010 11:56 AM
To: NT System Admin Issues
Subject: 2008 DC being offline

Hello,
A 2008 DC (let's call it Server-F) we have at another site has been offline
for 6 weeks.  We powered it down because the building was undergoing
construction, and the building was effectively CLOSED for those 6 weeks.
Construction is done and I'm ready to bring the server back online.

Is there a problem with just turning Server-F on and letting it re-sync
with active directory even though it's been offline for 6 weeks?  or...
would I be better off bringing Server-F up WITHOUT a network cable
connected, run dcpromo /forceremoval on it... then remove any references to
the Server-F from my other DCs, and eventually re-promote server F back as
a DC?

Thoughts?






Boss, Boss - the cloud, the cloud

2010-08-02 Thread Kurt Buff
Right...
http://consumerist.com/2010/08/crook-crack-check-image-sites.html



Stupid, stupid, stupid hotmail/MSN Live redesign

2010-08-02 Thread Kurt Buff
All,

Anyone on here use a Secure Computing Sidewinder (Now McAfee -
http://www.mcafee.com/us/enterprise/products/network_security/firewall_enterprise.html)
firewall?

Anyone with it run into issues where the hotmail/MSN Live redesign
last week fubar'ed access through the Sidewinder?

I don't have a hotmail account, but a lot of my users can't get to
their hotmail inboxes now, because of it.

Actually, that's not quite true. They can get to the inbox, but they
can't open any emails. Can't start to compose a new one either.

It just sits there, and allows you to click on anything, without it
responding at all.

I'm up to my eyeballs doing stuff at the moment, so haven't had time
to investigate.

I suspect they're redirecting content to new domains or something
ultra-stupid that breaks RFCs, because the Sidewinder is a very strict
protocol proxy, but I just haven't had time to investigate.

Kurt



RE: MSFT reduced IE security to protect ad revenue

2010-08-02 Thread Michael B. Smith
By default, Google Chrome allows third party cookies. It can be disabled.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com


-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com] 
Sent: Monday, August 02, 2010 7:00 PM
To: NT System Admin Issues
Subject: WSJ: MSFT reduced IE security to protect ad revenue

"Microsoft Quashed Effort to Boost Online Privacy"
by Nick Wingfield, Wall Street Journal (2 Aug 2010) 
http://online.wsj.com/article/SB10001424052748703467304575383530439838568.html

  Internet Explorer's handling of cookies hasn't really changed in over a 
decade.  The WSJ is claiming the IE development team actually wanted to improve 
things, but management axed it.  Microsoft makes a lot of money from Internet 
advertising.  Management didn't want to potentially impact that revenue stream, 
so they blocked some privacy features from IE.

  As far as I know, Firefox accepts third-party cookies by default, too.  I 
wonder why *they* don't do anything about it.  I find a bug for it[1] but it's 
been inactive for over a year.

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=324397

  Anyone know about Apple Safari and Google Chrome in this area?
GOOG's got the same conflict-of-interest MSFT has here.

-- Ben




WSJ: MSFT reduced IE security to protect ad revenue

2010-08-02 Thread Ben Scott
"Microsoft Quashed Effort to Boost Online Privacy"
by Nick Wingfield, Wall Street Journal (2 Aug 2010)
http://online.wsj.com/article/SB10001424052748703467304575383530439838568.html

  Internet Explorer's handling of cookies hasn't really changed in
over a decade.  The WSJ is claiming the IE development team actually
wanted to improve things, but management axed it.  Microsoft makes a
lot of money from Internet advertising.  Management didn't want to
potentially impact that revenue stream, so they blocked some privacy
features from IE.

  As far as I know, Firefox accepts third-party cookies by default,
too.  I wonder why *they* don't do anything about it.  I find a bug
for it[1] but it's been inactive for over a year.

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=324397

  Anyone know about Apple Safari and Google Chrome in this area?
GOOG's got the same conflict-of-interest MSFT has here.

-- Ben



WMI information gathering

2010-08-02 Thread Joseph Heaton
We have a group that wants to come in, and "scan our servers" to gather 
information.  We want to cooperate with this effort, but we don't want to give 
them access to be able to write back to the servers.  Is this possible?  Is 
there a tool that can be used without an admin account, in order to gather 
information from within WMI?  Please contact offline for further details, if 
needed.  As always, I sincerely appreciate any assistance any of you may be 
able to provide.

Thanks,

Joe






RE: malware that creates Outlook rules

2010-08-02 Thread Crawford, Scott
Yeah, it's on the investigate list.  It does happen with staff on occasion too, 
but not nearly as much as students.

The major outstanding question I have is how to do Unified Messaging with 
Exchange if the mailbox is outsourced? It's prolly something simple, but I just 
haven't looked into it yet.

-Original Message-
From: Glen Johnson [mailto:gjohn...@vhcc.edu] 
Sent: Monday, August 02, 2010 3:14 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Ah ha.
Didn't notice the .edu addy.
In that case, I would seriously investigate outsourcing that to MS or Google.
The entire Va. Community College System went with Google for student email and 
so far it has worked really well.
Can't beat the cost too.  Zero and the student gets to keep their same email as 
long as they want it.  No advertisements in their account while they are 
students.  No backups, spam, outages and all that other support headaches for 
me.  Great big plus.


-Original Message-
From: Crawford, Scott [mailto:crawfo...@evangel.edu] 
Sent: Monday, August 02, 2010 4:05 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Yeah, that sounds nice except we have 2000 students with an average of 500 new 
ones every year so our major issue isn't repeat offenders.

-Original Message-
From: Glen Johnson [mailto:gjohn...@vhcc.edu]
Sent: Monday, August 02, 2010 2:51 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

When this happened here, we disabled their email account until they completed 
our security awareness training, for the second time.
With supervisors complete support.

-Original Message-
From: Osborne, Richard [mailto:richard.osbo...@wth.org]
Sent: Monday, August 02, 2010 3:40 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

I have been monitoring the Exchange queues.  It's the only way I can tell when 
it is happening.  I found the aqadmcli.exe utility and have been using it to 
clean the queues (aqadmcli "delmsg flags=SENDER,sender=bob.sm...@wth.org").

I'll check the OWA logs ASAP.

Assuming I have had three users reply to phishing e-mails, is there anything to 
fix besides changing their passwords?

Thanks everyone for the suggestions.

-Original Message-
From: Glen Johnson [mailto:gjohn...@vhcc.edu]
Sent: Monday, August 02, 2010 2:35 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Also check those exchange smtp queues.
If it is compromised accounts the spammers can send spam via your OWA faster 
than your exchange server can process so it will get backed up so disabling 
accounts or changing passwords won't stop it until the queues are emptied.


-Original Message-
From: Osborne, Richard [mailto:richard.osbo...@wth.org]
Sent: Monday, August 02, 2010 3:32 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

I'm glad I'm not the only sufferer!

I'll try and answer the other questions that were asked:

1) yes, the spam continued even with the user's account disabled and their PC 
powered off
2) yes, only our Exchange server can send SMTP to the Internet
3) my OWA servers are clean according to VIPRE & MalwareBytes

So far this has hit 3 users (out of ~5000).  I have not seen any spam sent in 
the last 5 hours but I don't have any confidence that I have found the source.  
Maybe there's a PC with a high-privileged account that has been compromised and 
is sending out spam runs on a schedule?  Currently I am getting up-to-date on 
patches on all my Exchange boxes.

-Original Message-
From: Thomas Mullins [mailto:tsmull...@wise.k12.va.us]
Sent: Monday, August 02, 2010 2:17 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

We are having a similar issue.  We changed the user's password, and since that 
user is in a meeting, we turned his machine off.  Looks like it has to be 
coming from OWA.  Here is some info from an error message our external MTA sent 
to me (our Exchange guys are looking into the matter):

Transcript of session follows.

 Out: 220 mail3.wise.k12.va.us ESMTP
 In:  EHLO mail.wise.k12.va.us
 Out: 250-mail3.wise.k12.va.us
 Out: 250-PIPELINING
 Out: 250-SIZE 8
 Out: 250-VRFY
 Out: 250-ETRN
 Out: 250-ENHANCEDSTATUSCODES
 Out: 250-8BITMIME
 Out: 250 DSN
 In:  MAIL FROM: SIZE=1163
 Out: 250 2.1.0 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok

Shane


-Original Message-
From: Roger Wright [mailto:rhw...@gmail.com]
Sent: Monday, August 02, 2010 2:35 PM
To: NT System Admin Issues
Subject: Re: malware that creates Outlook rules

Is your firewall set

Re: Lotus Approach Files

2010-08-02 Thread Bob Hartung
Approach uses dBase format database file. Any program that can access a dBase 
file can access an Approach database. If you want the Approach front end (ie 
Forms, Reports, Views) you would need the Approach program.

--

Bob Hartung
Wisco Industries, Inc.
736 Janesville St.
Oregon, WI 53575
Tel: (608) 835-3106 x215
Fax: (608) 835-7399
e-mail: bhartung(at)wiscoind.com

From: James Kerr [mailto:cluster...@gmail.com]
To: NT System Admin Issues [mailto:ntsysad...@lyris.sunbelt-software.com]
Sent: Mon, 02 Aug 2010 15:08:40 -0500
Subject: Lotus Approach Files

  
We have an old database that is being used by a company we now own. They are 
using an old version of smart suite to use the Approach database. Is there a 
new version of this software that I can buy or some kind of software that 
will work because the install files for the program are not complete so I 
can't install it on any PCs anymore.
   
James  

   

  

   

  

Re: OT: WHAT Was She Thinking?!?

2010-08-02 Thread Roger Wright
Reminds me of a movie we just watched a few days ago:
"Outsourced"   -  http://www.outsourcedthemovie.com/



Die dulci fruere!

Roger Wright
___




On Mon, Aug 2, 2010 at 4:29 PM, Jonathan Link  wrote:
> Note: "he's no longer handling Dell calls."
>
> So, he's now doing HP support?
>
> On Mon, Aug 2, 2010 at 4:24 PM, Andrew S. Baker  wrote:
>>
>> How DARE you accuse that woman of thinking or using
>> any cognitive functions in any way, shape or form!
>> -ASB: http://XeeSM.com/AndrewBaker
>>
>>
>> On Mon, Aug 2, 2010 at 2:33 PM, Roger Wright  wrote:
>>>
>>> http://news.cnet.com/8301-17852_3-20012250-71.html
>>>
>>>
>>> Die dulci fruere!
>>>
>>> Roger Wright
>>> ___
>>
>>
>>
>>
>
>
>
>




Re: Lotus Approach Files

2010-08-02 Thread James Kerr

Doh! I already bought a copy of smart suite on ebay!


- Original Message - 
From: "Rubens Almeida" 

To: "NT System Admin Issues" 
Sent: Monday, August 02, 2010 4:25 PM
Subject: Re: Lotus Approach Files


Symphony: free, opens a lot of file types and if you can't find the
type you need, there's always the plugins:

http://symphony.lotus.com/


On Mon, Aug 2, 2010 at 5:08 PM, James Kerr  wrote:
We have an old database that is being used by a company we now own. They are
using an old version of smart suite to use the Approach database. Is there a
new version of this software that I can buy or some kind of software that
will work because the install files for the program are not complete so I
can't install it on any PCs anymore.

James








Re: OT: WHAT Was She Thinking?!?

2010-08-02 Thread Richard Stovall
I saw that as well.  It is a deeply unsatisfying description of Mr. Shaikh's
current status.

On Mon, Aug 2, 2010 at 4:29 PM, Jonathan Link wrote:

> Note: "he's no longer handling Dell calls."
>
> So, he's now doing HP support?
>
> On Mon, Aug 2, 2010 at 4:24 PM, Andrew S. Baker  wrote:
>
>> How DARE you accuse that woman of thinking or using
>> any cognitive functions in any way, shape or form!
>>
>> -ASB: http://XeeSM.com/AndrewBaker 
>>
>>
>> On Mon, Aug 2, 2010 at 2:33 PM, Roger Wright  wrote:
>>
>>> http://news.cnet.com/8301-17852_3-20012250-71.html
>>>
>>>
>>> Die dulci fruere!
>>>
>>> Roger Wright
>>> ___
>>
>>
>>
>>
>>
>>
>
>
>
>
>


Re: Lotus Approach Files

2010-08-02 Thread James Kerr
Excellent I didn't even think of ebay. I'm not familiar with the Lotus stuff 
at all.



- Original Message - 
From: "Roger Wright" 

To: "NT System Admin Issues" 
Sent: Monday, August 02, 2010 4:12 PM
Subject: Re: Lotus Approach Files


http://preview.tinyurl.com/39p336p


Die dulci fruere!

Roger Wright
___




On Mon, Aug 2, 2010 at 4:08 PM, James Kerr  wrote:
We have an old database that is being used by a company we now own. They are
using an old version of smart suite to use the Approach database. Is there a
new version of this software that I can buy or some kind of software that
will work because the install files for the program are not complete so I
can't install it on any PCs anymore.

James








RE: OT: WHAT Was She Thinking?!?

2010-08-02 Thread Maglinger, Paul
Nah, he's doing Photoshop support now.

 

From: Jonathan Link [mailto:jonathan.l...@gmail.com] 
Sent: Monday, August 02, 2010 3:30 PM
To: NT System Admin Issues
Subject: Re: OT: WHAT Was She Thinking?!?

 

Note: "he's no longer handling Dell calls."

 

So, he's now doing HP support?

On Mon, Aug 2, 2010 at 4:24 PM, Andrew S. Baker 
wrote:

How DARE you accuse that woman of thinking or using any cognitive
functions in any way, shape or form! 


-ASB: http://XeeSM.com/AndrewBaker

 

On Mon, Aug 2, 2010 at 2:33 PM, Roger Wright  wrote:

http://news.cnet.com/8301-17852_3-20012250-71.html


Die dulci fruere!

Roger Wright
___

 

 

 

 

 


Re: OT: WHAT Was She Thinking?!?

2010-08-02 Thread Jonathan Link
Note: "he's no longer handling Dell calls."

So, he's now doing HP support?

On Mon, Aug 2, 2010 at 4:24 PM, Andrew S. Baker  wrote:

> How DARE you accuse that woman of thinking or using any cognitive functions
> in any way, shape or form!
>
> -ASB: http://XeeSM.com/AndrewBaker 
>
>
> On Mon, Aug 2, 2010 at 2:33 PM, Roger Wright  wrote:
>
>> http://news.cnet.com/8301-17852_3-20012250-71.html
>>
>>
>> Die dulci fruere!
>>
>> Roger Wright
>> ___
>
>
>
>
>
>


Re: Lotus Approach Files

2010-08-02 Thread Rubens Almeida
Symphony: free, opens a lot of file types and if you can't find the
type you need, there's always the plugins:

http://symphony.lotus.com/


On Mon, Aug 2, 2010 at 5:08 PM, James Kerr  wrote:
> We have an old database that is being used by a company we now own. They are
> using an old version of smart suite to use the Approach database. Is there a
> new version of this software that I can buy or some kind of software that
> will work because the install files for the program are not complete so I
> can't install it on any PCs anymore.
>
> James
>
>
>
>




Re: OT: WHAT Was She Thinking?!?

2010-08-02 Thread Andrew S. Baker
How DARE you accuse that woman of thinking or using any cognitive functions
in any way, shape or form!

-ASB: http://XeeSM.com/AndrewBaker


On Mon, Aug 2, 2010 at 2:33 PM, Roger Wright  wrote:

> http://news.cnet.com/8301-17852_3-20012250-71.html
>
>
> Die dulci fruere!
>
> Roger Wright
> ___


Re: malware that creates Outlook rules

2010-08-02 Thread Kurt Buff
Ideas:

Patch your machines - XP SP2 is no longer supported. Get to SP3, and
get all the patches after that, including today's emergency patch.

Patch your Win2k3 server, too. Current is SP2, and you're not there,
so you're *WAY* behind.

Get UBCD4WIN, and boot any suspect machines with it and see what VIPRE
Rescue and Malwarebytes find when run that way.

Block port 25 outbound at your firewall (and probably port 587 -
submission) for all machines except your Exchange server, then record
which machines are bouncing off of the firewall from the inside after
that.

Oh heck, block everything outbound at your firewall for your
workstations except ports 80 and 443, and anything that you have an
actual business case for opening up. That will tell you oodles about
your environment.

Kurt

On Mon, Aug 2, 2010 at 10:46, Osborne, Richard  wrote:
> Has anyone seen malware that creates an Outlook rule that moves all new
> mail to Deleted Items and then sends out a bunch of spam?  I have a few
> users that have been hit with something I can't find.  I scanned the PCs
> with VIPRE, MalwareBytes, & Symantec's online scanner and didn't find
> anything.  Then I turned off the PCs and something is still accessing
> their mailboxes.  I scanned the Exchange server also.  I am not seeing
> anything in Exchange User Monitor or Windows Security logs and our
> network guys say they don't see any unusual traffic to our Exchange
> server.
>
> Google finds a couple of people reporting the same thing but no
> resolution.
>
> Windows XP SP2 clients with Outlook 2002 & 2003; Exchange Server 2003
> SP2 on Server 2003 SP1.
>
> Thanks for any ideas.
>
>
>
> Richard Osborne
> Information Systems
> Jackson-Madison County General Hospital
>
> NOTICE:  (1) The foregoing is not intended to be a legally binding or
> legally effective electronic signature. (2) This message may contain
> legally privileged or confidential information.  If you are not the
> intended recipient of this message, please so notify me, disregard the
> foregoing message, and delete the message immediately.  I apologize for
> any inconvenience this may have caused.
>
>
>
>
>
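
Several replies in this thread point at OWA and phished passwords, and one poster plans to check the OWA logs. As an added example that is not part of any message in the thread, this is one way to triage IIS W3C logs for that: it summarizes, per authenticated account, how many distinct external client addresses had successful requests. The log lines are constructed sample data; the function names, the `10.` internal prefix and the threshold are assumptions.

```powershell
# Added example, not from the thread. The log lines below are constructed sample
# data (documentation IP ranges, made-up accounts). Column order is taken from the
# #Fields header, so real logs with more columns parse the same way.
$SampleLog = @'
#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2010-08-02 13:02:11 GET /exchange/user1/Inbox/ EXAMPLE\user1 10.1.4.22 200
2010-08-02 13:40:05 POST /exchange/user2/Drafts/ EXAMPLE\user2 198.51.100.7 200
2010-08-02 13:40:09 POST /exchange/user2/Drafts/ EXAMPLE\user2 203.0.113.50 200
2010-08-02 13:40:12 POST /exchange/user2/Drafts/ EXAMPLE\user2 192.0.2.91 200
2010-08-02 13:41:30 GET /exchange/user3/Inbox/ EXAMPLE\user3 192.0.2.14 200
2010-08-02 13:45:00 GET /exchange/ - 198.51.100.7 401
'@ -split "`r?`n"

# Turn W3C extended log lines into objects keyed by the names in the #Fields line.
function ConvertFrom-W3CLog {
    param([Parameter(Mandatory = $true)] [string[]] $Lines)
    $fields = @()
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            $fields = $line.Substring(8).Trim() -split ' '
            continue
        }
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) { continue }   # skip malformed rows
        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        [pscustomobject]$row
    }
}

# Per account: request count, POST count, and the distinct external source IPs
# that made successful (2xx) authenticated requests.
function Get-OwaAccountSummary {
    param(
        [Parameter(Mandatory = $true)] $Rows,
        [string[]] $InternalPrefix = @('10.'),   # assumption: internal clients are in 10.0.0.0/8
        [int] $ExternalIpThreshold = 2           # assumption: tune to your user population
    )
    $Rows |
        Where-Object { $_.'cs-username' -ne '-' -and $_.'sc-status' -like '2*' } |
        Group-Object -Property 'cs-username' |
        ForEach-Object {
            $g   = $_
            $ips = @($g.Group | ForEach-Object { $_.'c-ip' } | Sort-Object -Unique)
            $external = @($ips | Where-Object {
                $ip = $_
                -not ($InternalPrefix | Where-Object { $ip.StartsWith($_) })
            })
            [pscustomobject]@{
                User        = $g.Name
                Requests    = $g.Count
                Posts       = @($g.Group | Where-Object { $_.'cs-method' -eq 'POST' }).Count
                ExternalIps = $external -join ','
                Flagged     = ($external.Count -ge $ExternalIpThreshold)
            }
        }
}

# For real data, replace $SampleLog with Get-Content over the OWA site's IIS log
# files; their location depends on the site's logging configuration.
$rows = @(ConvertFrom-W3CLog -Lines $SampleLog)
Get-OwaAccountSummary -Rows $rows |
    Sort-Object Flagged -Descending |
    Format-Table -AutoSize
```

An account with successful requests from several unrelated external addresses in a short span, while its owner's PC is powered off, is consistent with stolen credentials being used through OWA rather than malware on the workstation.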




RE: malware that creates Outlook rules

2010-08-02 Thread Jason Reeves
We haven't had any of those problems since switching to opendns and Vipre
for exchange.

-Original Message-
From: Glen Johnson [mailto:gjohn...@vhcc.edu] 
Sent: Monday, August 02, 2010 2:51 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

When this happened here, we disabled their email account until they
completed our security awareness training, for the second time.
With supervisors complete support.

-Original Message-
From: Osborne, Richard [mailto:richard.osbo...@wth.org]
Sent: Monday, August 02, 2010 3:40 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

I have been monitoring the Exchange queues.  It's the only way I can tell
when it is happening.  I found the aqadmcli.exe utility and have been using
it to clean the queues (aqadmcli "delmsg
flags=SENDER,sender=bob.sm...@wth.org").

I'll check the OWA logs ASAP.

Assuming I have had three users reply to phishing e-mails, is there anything
to fix besides changing their passwords?

Thanks everyone for the suggestions.

-Original Message-
From: Glen Johnson [mailto:gjohn...@vhcc.edu]
Sent: Monday, August 02, 2010 2:35 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Also check those exchange smtp queues.
If it is compromised accounts the spammers can send spam via your OWA faster
than your exchange server can process so it will get backed up so disabling
accounts or changing passwords won't stop it until the queues are emptied.


-Original Message-
From: Osborne, Richard [mailto:richard.osbo...@wth.org]
Sent: Monday, August 02, 2010 3:32 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

I'm glad I'm not the only sufferer!

I'll try and answer the other questions that were asked:

1) yes, the spam continued even with the user's account disabled and their
PC powered off
2) yes, only our Exchange server can send SMTP to the Internet
3) my OWA servers are clean according to VIPRE & MalwareBytes

So far this has hit 3 users (out of ~5000).  I have not seen any spam sent
in the last 5 hours but I don't have any confidence that I have found the
source.  Maybe there's a PC with a high-privileged account that has been
compromised and is sending out spam runs on a schedule?  Currently I am
getting up-to-date on patches on all my Exchange boxes.

-Original Message-
From: Thomas Mullins [mailto:tsmull...@wise.k12.va.us]
Sent: Monday, August 02, 2010 2:17 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

We are having a similar issue.  We changed the user's password, and since
that user is in a meeting, we turned his machine off.  Looks like it has to
be coming from OWA.  Here is some info from an error message our external
MTA sent to me (our Exchange guys are looking into the matter):

Transcript of session follows.

 Out: 220 mail3.wise.k12.va.us ESMTP
 In:  EHLO mail.wise.k12.va.us
 Out: 250-mail3.wise.k12.va.us
 Out: 250-PIPELINING
 Out: 250-SIZE 8
 Out: 250-VRFY
 Out: 250-ETRN
 Out: 250-ENHANCEDSTATUSCODES
 Out: 250-8BITMIME
 Out: 250 DSN
 In:  MAIL FROM: SIZE=1163
 Out: 250 2.1.0 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok

Shane


-Original Message-
From: Roger Wright [mailto:rhw...@gmail.com]
Sent: Monday, August 02, 2010 2:35 PM
To: NT System Admin Issues
Subject: Re: malware that creates Outlook rules

Is your firewall set to only allow SMTP (port 25) traffic from your Exchange
server?


Die dulci fruere!

Roger Wright
___




On Mon, Aug 2, 2010 at 2:21 PM, Osborne, Richard 
wrote:
> I disabled their accounts and it didn't help.
>
>
> -Original Message-
> From: Roger Wright [mailto:rhw...@gmail.com]
> Sent: Monday, August 02, 2010 1:09 PM
> To: NT System Admin Issues
> Subject: Re: malware that creates Outlook rules
>
> Have you had the users change their passwords yet?
>
>
> Die dulci fruere!
>
> Roger Wright
> ___
>
>
>
>
> On Mon, Aug 2, 2010 at 1:46 PM, Osborne, Richard 
>  wrote:
>> Has anyone seen malware that creates an Outlook rule that moves all 
>> new mail to Deleted Items and then sends out a bunch of spam?  I have 
>> a few users that have been hit with something I can't find.  I 
>> scanned the PCs with VIPRE, MalwareBytes, & Symantec's online scanner 
>> and didn't find anything.  Then I turned off the PCs and something is 
>> still accessing their mailboxes.  I scanned the Exchange server also.
>> I am not seeing anything in Exchange User Monitor or Windows Security 
>> logs and our network guys say they don't see any unusual traffic to 
>> our Exchange server.
>>
>> Google finds a couple of people reporting 

RE: malware that creates Outlook rules

2010-08-02 Thread Glen Johnson
Ah ha.
Didn't notice the .edu addy.
In that case, I would seriously investigate outsourcing that to MS or Google.
The entire Va. Community College System went with Google for student email and 
so far it has worked really well.
Can't beat the cost too.  Zero and the student gets to keep their same email as 
long as they want it.  No advertisements in their account while they are 
students.  No backups, spam, outages and all that other support headaches for 
me.  Great big plus.


-Original Message-
From: Crawford, Scott [mailto:crawfo...@evangel.edu] 
Sent: Monday, August 02, 2010 4:05 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Yeah, that sounds nice except we have 2000 students with an average of 500 new 
ones every year so our major issue isn't repeat offenders.

-Original Message-
From: Glen Johnson [mailto:gjohn...@vhcc.edu]
Sent: Monday, August 02, 2010 2:51 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

When this happened here, we disabled their email account until they completed 
our security awareness training, for the second time.
With supervisors complete support.

-Original Message-
From: Osborne, Richard [mailto:richard.osbo...@wth.org]
Sent: Monday, August 02, 2010 3:40 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

I have been monitoring the Exchange queues.  It's the only way I can tell when 
it is happening.  I found the aqadmcli.exe utility and have been using it to 
clean the queues (aqadmcli "delmsg flags=SENDER,sender=bob.sm...@wth.org").

I'll check the OWA logs ASAP.

Assuming I have had three users reply to phishing e-mails, is there anything to 
fix besides changing their passwords?

Thanks everyone for the suggestions.

-Original Message-
From: Glen Johnson [mailto:gjohn...@vhcc.edu]
Sent: Monday, August 02, 2010 2:35 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Also check those exchange smtp queues.
If it is compromised accounts the spammers can send spam via your OWA faster 
than your exchange server can process so it will get backed up so disabling 
accounts or changing passwords won't stop it until the queues are emptied.


-Original Message-
From: Osborne, Richard [mailto:richard.osbo...@wth.org]
Sent: Monday, August 02, 2010 3:32 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

I'm glad I'm not the only sufferer!

I'll try and answer the other questions that were asked:

1) yes, the spam continued even with the user's account disabled and their PC 
powered off
2) yes, only our Exchange server can send SMTP to the Internet
3) my OWA servers are clean according to VIPRE & MalwareBytes

So far this has hit 3 users (out of ~5000).  I have not seen any spam sent in 
the last 5 hours but I don't have any confidence that I have found the source.  
Maybe there's a PC with a high-privileged account that has been compromised and 
is sending out spam runs on a schedule?  Currently I am getting up-to-date on 
patches on all my Exchange boxes.

-Original Message-
From: Thomas Mullins [mailto:tsmull...@wise.k12.va.us]
Sent: Monday, August 02, 2010 2:17 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

We are having a similar issue.  We changed the user's password, and since that 
user is in a meeting, we turned his machine off.  Looks like it has to be 
coming from OWA.  Here is some info from an error message our external MTA sent 
to me (our Exchange guys are looking into the matter):

Transcript of session follows.

 Out: 220 mail3.wise.k12.va.us ESMTP
 In:  EHLO mail.wise.k12.va.us
 Out: 250-mail3.wise.k12.va.us
 Out: 250-PIPELINING
 Out: 250-SIZE 8
 Out: 250-VRFY
 Out: 250-ETRN
 Out: 250-ENHANCEDSTATUSCODES
 Out: 250-8BITMIME
 Out: 250 DSN
 In:  MAIL FROM: SIZE=1163
 Out: 250 2.1.0 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok

Shane


-Original Message-
From: Roger Wright [mailto:rhw...@gmail.com]
Sent: Monday, August 02, 2010 2:35 PM
To: NT System Admin Issues
Subject: Re: malware that creates Outlook rules

Is your firewall set to only allow SMTP (port 25) traffic from your Exchange 
server?


Die dulci fruere!

Roger Wright
___




On Mon, Aug 2, 2010 at 2:21 PM, Osborne, Richard  
wrote:
> I disabled their accounts and it didn't help.
>
>
> -Original Message-
> From: Roger Wright [mailto:rhw...@gmail.com]
> Sent: Monday, August 02, 2010 1:09 PM
> To: NT System Admin Issues
> Subject: Re: malware that creates Outlook rules
>
> Have you had the users change their passwords yet?
>
>
> Die dulci fruere!

Re: OT: WHAT Was She Thinking?!?

2010-08-02 Thread Joseph Heaton
Ya, I saw that the other night when News 10 broadcast it.  What that article 
doesn't say is that she watched the tech download the pictures once he found 
them.  Then, along with shipping that laptop, the tech also charged a new 
computer and printer to this lady's Dell account, and shipped it to his 
"girlfriend" somewhere back east.  Only when he contacted Tara, apologizing for 
charging her account, and that he'd pay her back, please don't tell his bosses, 
he didn't want to lose his job, etc., did she finally go to the media to try to 
get some help with the issue...

>>> Roger Wright  8/2/2010 11:33 AM >>>
http://news.cnet.com/8301-17852_3-20012250-71.html 


Die dulci fruere!

Roger Wright
___

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~







Re: Lotus Approach Files

2010-08-02 Thread Roger Wright
http://preview.tinyurl.com/39p336p


Die dulci fruere!

Roger Wright
___




On Mon, Aug 2, 2010 at 4:08 PM, James Kerr  wrote:
> We have an old database that is being used by a company we now own. They are
> using an old version of smart suite to use the Approach database. Is there a
> new version of this software that I can buy or some kind of software that
> will work because the install files for the program are not complete so I
> can't install it on any PCs anymore.
>
> James
>
>
>
>




Lotus Approach Files

2010-08-02 Thread James Kerr
We have an old database that is being used by a company we now own. They are 
using an old version of smart suite to use the Approach database. Is there a 
new version of this software that I can buy or some kind of software that will 
work because the install files for the program are not complete so I can't 
install it on any PCs anymore.

James

RE: malware that creates Outlook rules

2010-08-02 Thread Crawford, Scott
Yeah, that sounds nice except we have 2000 students with an average of 500 new 
ones every year so our major issue isn't repeat offenders.

-Original Message-
From: Glen Johnson [mailto:gjohn...@vhcc.edu] 
Sent: Monday, August 02, 2010 2:51 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

When this happened here, we disabled their email account until they completed 
our security awareness training, for the second time.
With supervisors' complete support.

-Original Message-
From: Osborne, Richard [mailto:richard.osbo...@wth.org] 
Sent: Monday, August 02, 2010 3:40 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

I have been monitoring the Exchange queues.  It's the only way I can tell when 
it is happening.  I found the aqadmcli.exe utility and have been using it to 
clean the queues (aqadmcli "delmsg flags=SENDER,sender=bob.sm...@wth.org").

I'll check the OWA logs ASAP.

Assuming I have had three users reply to phishing e-mails, is there anything to 
fix besides changing their passwords?

Thanks everyone for the suggestions.

-Original Message-
From: Glen Johnson [mailto:gjohn...@vhcc.edu]
Sent: Monday, August 02, 2010 2:35 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Also check those Exchange SMTP queues.
If it is compromised accounts, the spammers can send spam via your OWA faster 
than your Exchange server can process, so it will get backed up, so disabling 
accounts or changing passwords won't stop it until the queues are emptied.


-Original Message-
From: Osborne, Richard [mailto:richard.osbo...@wth.org]
Sent: Monday, August 02, 2010 3:32 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

I'm glad I'm not the only sufferer!

I'll try and answer the other questions that were asked:

1) yes, the spam continued even with the user's account disabled and their PC 
powered off
2) yes, only our Exchange server can send SMTP to the Internet
3) my OWA servers are clean according to VIPRE & MalwareBytes

So far this has hit 3 users (out of ~5000).  I have not seen any spam sent in 
the last 5 hours but I don't have any confidence that I have found the source.  
Maybe there's a PC with a high-privileged account that has been compromised and 
is sending out spam runs on a schedule?  Currently I am getting up-to-date on 
patches on all my Exchange boxes.

-Original Message-
From: Thomas Mullins [mailto:tsmull...@wise.k12.va.us]
Sent: Monday, August 02, 2010 2:17 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

We are having a similar issue.  We changed the user's password, and since that 
user is in a meeting, we turned his machine off.  Looks like it has to be 
coming from OWA.  Here is some info from an error message our external MTA sent 
to me (our Exchange guys are looking into the matter):

Transcript of session follows.

 Out: 220 mail3.wise.k12.va.us ESMTP
 In:  EHLO mail.wise.k12.va.us
 Out: 250-mail3.wise.k12.va.us
 Out: 250-PIPELINING
 Out: 250-SIZE 8
 Out: 250-VRFY
 Out: 250-ETRN
 Out: 250-ENHANCEDSTATUSCODES
 Out: 250-8BITMIME
 Out: 250 DSN
 In:  MAIL FROM: SIZE=1163
 Out: 250 2.1.0 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok

Shane


-Original Message-
From: Roger Wright [mailto:rhw...@gmail.com]
Sent: Monday, August 02, 2010 2:35 PM
To: NT System Admin Issues
Subject: Re: malware that creates Outlook rules

Is your firewall set to only allow SMTP (port 25) traffic from your Exchange 
server?


Die dulci fruere!

Roger Wright
___




On Mon, Aug 2, 2010 at 2:21 PM, Osborne, Richard  
wrote:
> I disabled their accounts and it didn't help.
>
>
> -Original Message-
> From: Roger Wright [mailto:rhw...@gmail.com]
> Sent: Monday, August 02, 2010 1:09 PM
> To: NT System Admin Issues
> Subject: Re: malware that creates Outlook rules
>
> Have you had the users change their passwords yet?
>
>
> Die dulci fruere!
>
> Roger Wright
> ___
>
>
>
>
> On Mon, Aug 2, 2010 at 1:46 PM, Osborne, Richard 
>  wrote:
>> Has anyone seen malware that creates an Outlook rule that moves all 
>> new mail to Deleted Items and then sends out a bunch of spam?  I have 
>> a few users that have been hit with something I can't find.  I 
>> scanned the PCs with VIPRE, MalwareBytes, & Symantec's online scanner 
>> and didn't find anything.  Then I turned off the PCs and something is 
>> still accessing their mailboxes.  I scanned the Exchange server also.
>> I am not seeing anything in Exchange User Monitor or Windows Security 
>> logs and our network guys say they don't see any unusual traffic to 
>> o

RE: malware that creates Outlook rules

2010-08-02 Thread Crawford, Scott
This actually looks promising.  We just recently got off 2003 so I'll be 
investigating this heavily.

http://technet.microsoft.com/en-us/library/dd298094.aspx

The problem we have is that we keep getting on spam lists and then blocked from 
sending email to Hotmail, Gmail, etc. Hopefully a ThrottlePolicy of, say, 2 or 3 
per minute will be enough to let us catch it before we get blocked.

-Original Message-
From: Osborne, Richard [mailto:richard.osbo...@wth.org] 
Sent: Monday, August 02, 2010 2:40 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

I have been monitoring the Exchange queues.  It's the only way I can tell when 
it is happening.  I found the aqadmcli.exe utility and have been using it to 
clean the queues (aqadmcli "delmsg flags=SENDER,sender=bob.sm...@wth.org").

I'll check the OWA logs ASAP.

Assuming I have had three users reply to phishing e-mails, is there anything to 
fix besides changing their passwords?

Thanks everyone for the suggestions.

-Original Message-
From: Glen Johnson [mailto:gjohn...@vhcc.edu] 
Sent: Monday, August 02, 2010 2:35 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Also check those Exchange SMTP queues.
If it is compromised accounts, the spammers can send spam via your OWA faster 
than your Exchange server can process, so it will get backed up, so disabling 
accounts or changing passwords won't stop it until the queues are emptied.


-Original Message-
From: Osborne, Richard [mailto:richard.osbo...@wth.org] 
Sent: Monday, August 02, 2010 3:32 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

I'm glad I'm not the only sufferer!

I'll try and answer the other questions that were asked:

1) yes, the spam continued even with the user's account disabled and their PC 
powered off
2) yes, only our Exchange server can send SMTP to the Internet
3) my OWA servers are clean according to VIPRE & MalwareBytes

So far this has hit 3 users (out of ~5000).  I have not seen any spam sent in 
the last 5 hours but I don't have any confidence that I have found the source.  
Maybe there's a PC with a high-privileged account that has been compromised and 
is sending out spam runs on a schedule?  Currently I am getting up-to-date on 
patches on all my Exchange boxes.

-Original Message-
From: Thomas Mullins [mailto:tsmull...@wise.k12.va.us]
Sent: Monday, August 02, 2010 2:17 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

We are having a similar issue.  We changed the user's password, and since that 
user is in a meeting, we turned his machine off.  Looks like it has to be 
coming from OWA.  Here is some info from an error message our external MTA sent 
to me (our Exchange guys are looking into the matter):

Transcript of session follows.

 Out: 220 mail3.wise.k12.va.us ESMTP
 In:  EHLO mail.wise.k12.va.us
 Out: 250-mail3.wise.k12.va.us
 Out: 250-PIPELINING
 Out: 250-SIZE 8
 Out: 250-VRFY
 Out: 250-ETRN
 Out: 250-ENHANCEDSTATUSCODES
 Out: 250-8BITMIME
 Out: 250 DSN
 In:  MAIL FROM: SIZE=1163
 Out: 250 2.1.0 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok

Shane


-Original Message-
From: Roger Wright [mailto:rhw...@gmail.com]
Sent: Monday, August 02, 2010 2:35 PM
To: NT System Admin Issues
Subject: Re: malware that creates Outlook rules

Is your firewall set to only allow SMTP (port 25) traffic from your Exchange 
server?


Die dulci fruere!

Roger Wright
___




On Mon, Aug 2, 2010 at 2:21 PM, Osborne, Richard  
wrote:
> I disabled their accounts and it didn't help.
>
>
> -Original Message-
> From: Roger Wright [mailto:rhw...@gmail.com]
> Sent: Monday, August 02, 2010 1:09 PM
> To: NT System Admin Issues
> Subject: Re: malware that creates Outlook rules
>
> Have you had the users change their passwords yet?
>
>
> Die dulci fruere!
>
> Roger Wright
> ___
>
>
>
>
> On Mon, Aug 2, 2010 at 1:46 PM, Osborne, Richard 
>  wrote:
>> Has anyone seen malware that creates an Outlook rule that moves all 
>> new mail to Deleted Items and then sends out a bunch of spam?  I have 
>> a few users that have been hit with something I can't find.  I 
>> scanned the PCs with VIPRE, MalwareBytes, & Symantec's online scanner 
>> and didn't find anything.  Then I turned off the PCs and something is 
>> still accessing their mailboxes.  I scanned the Exchange server also.  
>> I am not seeing anything in Exchange User Monitor or Windows Security 
>> logs and our network guys say they don't see any unusual traffic to 
>> our Exchange server.
>>
>> Google finds a couple of people reporting the same thing but no 
>> resolut

RE: malware that creates Outlook rules

2010-08-02 Thread Glen Johnson
When this happened here, we disabled their email account until they completed 
our security awareness training, for the second time.
With supervisors' complete support.

-Original Message-
From: Osborne, Richard [mailto:richard.osbo...@wth.org] 
Sent: Monday, August 02, 2010 3:40 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

I have been monitoring the Exchange queues.  It's the only way I can tell when 
it is happening.  I found the aqadmcli.exe utility and have been using it to 
clean the queues (aqadmcli "delmsg flags=SENDER,sender=bob.sm...@wth.org").

I'll check the OWA logs ASAP.

Assuming I have had three users reply to phishing e-mails, is there anything to 
fix besides changing their passwords?

Thanks everyone for the suggestions.

-Original Message-
From: Glen Johnson [mailto:gjohn...@vhcc.edu]
Sent: Monday, August 02, 2010 2:35 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Also check those Exchange SMTP queues.
If it is compromised accounts, the spammers can send spam via your OWA faster 
than your Exchange server can process, so it will get backed up, so disabling 
accounts or changing passwords won't stop it until the queues are emptied.


-Original Message-
From: Osborne, Richard [mailto:richard.osbo...@wth.org]
Sent: Monday, August 02, 2010 3:32 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

I'm glad I'm not the only sufferer!

I'll try and answer the other questions that were asked:

1) yes, the spam continued even with the user's account disabled and their PC 
powered off
2) yes, only our Exchange server can send SMTP to the Internet
3) my OWA servers are clean according to VIPRE & MalwareBytes

So far this has hit 3 users (out of ~5000).  I have not seen any spam sent in 
the last 5 hours but I don't have any confidence that I have found the source.  
Maybe there's a PC with a high-privileged account that has been compromised and 
is sending out spam runs on a schedule?  Currently I am getting up-to-date on 
patches on all my Exchange boxes.

-Original Message-
From: Thomas Mullins [mailto:tsmull...@wise.k12.va.us]
Sent: Monday, August 02, 2010 2:17 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

We are having a similar issue.  We changed the user's password, and since that 
user is in a meeting, we turned his machine off.  Looks like it has to be 
coming from OWA.  Here is some info from an error message our external MTA sent 
to me (our Exchange guys are looking into the matter):

Transcript of session follows.

 Out: 220 mail3.wise.k12.va.us ESMTP
 In:  EHLO mail.wise.k12.va.us
 Out: 250-mail3.wise.k12.va.us
 Out: 250-PIPELINING
 Out: 250-SIZE 8
 Out: 250-VRFY
 Out: 250-ETRN
 Out: 250-ENHANCEDSTATUSCODES
 Out: 250-8BITMIME
 Out: 250 DSN
 In:  MAIL FROM: SIZE=1163
 Out: 250 2.1.0 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok

Shane


-Original Message-
From: Roger Wright [mailto:rhw...@gmail.com]
Sent: Monday, August 02, 2010 2:35 PM
To: NT System Admin Issues
Subject: Re: malware that creates Outlook rules

Is your firewall set to only allow SMTP (port 25) traffic from your Exchange 
server?


Die dulci fruere!

Roger Wright
___




On Mon, Aug 2, 2010 at 2:21 PM, Osborne, Richard  
wrote:
> I disabled their accounts and it didn't help.
>
>
> -Original Message-
> From: Roger Wright [mailto:rhw...@gmail.com]
> Sent: Monday, August 02, 2010 1:09 PM
> To: NT System Admin Issues
> Subject: Re: malware that creates Outlook rules
>
> Have you had the users change their passwords yet?
>
>
> Die dulci fruere!
>
> Roger Wright
> ___
>
>
>
>
> On Mon, Aug 2, 2010 at 1:46 PM, Osborne, Richard 
>  wrote:
>> Has anyone seen malware that creates an Outlook rule that moves all 
>> new mail to Deleted Items and then sends out a bunch of spam?  I have 
>> a few users that have been hit with something I can't find.  I 
>> scanned the PCs with VIPRE, MalwareBytes, & Symantec's online scanner 
>> and didn't find anything.  Then I turned off the PCs and something is 
>> still accessing their mailboxes.  I scanned the Exchange server also.
>> I am not seeing anything in Exchange User Monitor or Windows Security 
>> logs and our network guys say they don't see any unusual traffic to 
>> our Exchange server.
>>
>> Google finds a couple of people reporting the same thing but no 
>> resolution.
>>
>> Windows XP SP2 clients with Outlook 2002 & 2003; Exchange Server 2003
>> SP2 on Server 2003 SP1.
>>
>> Thanks for any ideas.
>>
>>
>>
>> Richard Osborne
>> Information Systems
>> Jackson-Madison County General Hospit

RE: malware that creates Outlook rules

2010-08-02 Thread RichardMcClary
We're a Lotus Notes shop using Postini as a relay, if it makes any 
difference...

We had one desktop system here, and a few in NYC, where spam was being 
spewed out.  This actually had nothing at all to do with Domino/Lotus but 
rather a rogue SMTP server which got snuck onto some workstations.

We were able to track this down by monitoring SMTP traffic through our 
firewall.  All SMTP traffic was to be coming from only one IP at each 
location, and it was all supposed to be directed to our Postini host.

At least yours does not seem to be happening on a weekend...
--
Richard D. McClary
Systems Administrator, Information Technology Group 
ASPCA®
1717 S. Philo Rd, Ste 36
Urbana, IL  61802
 
richardmccl...@aspca.org
 
P: 217-337-9761
C: 217-417-1182
F: 217-337-9761
www.aspca.org
 
The information contained in this e-mail, and any attachments hereto, is 
from The American Society for the Prevention of Cruelty to Animals® (ASPCA
®) and is intended only for use by the addressee(s) named herein and may 
contain legally privileged and/or confidential information. If you are not 
the intended recipient of this e-mail, you are hereby notified that any 
dissemination, distribution, copying or use of the contents of this 
e-mail, and any attachments hereto, is strictly prohibited. If you have 
received this e-mail in error, please immediately notify me by reply email 
and permanently delete the original and any copy of this e-mail and any 
printout thereof.
 

"Osborne, Richard"  wrote on 08/02/2010 02:40:09 
PM:

> I have been monitoring the Exchange queues.  It's the only way I can
> tell when it is happening.  I found the aqadmcli.exe utility and 
> have been using it to clean the queues (aqadmcli "delmsg 
> flags=SENDER,sender=bob.sm...@wth.org").
> 
> I'll check the OWA logs ASAP.
> 
> Assuming I have had three users reply to phishing e-mails, is there 
> anything to fix besides changing their passwords?
> 
> Thanks everyone for the suggestions.
> 
> -Original Message-
> From: Glen Johnson [mailto:gjohn...@vhcc.edu] 
> Sent: Monday, August 02, 2010 2:35 PM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
> 
> Also check those Exchange SMTP queues.
> If it is compromised accounts, the spammers can send spam via your OWA
> faster than your Exchange server can process, so it will get backed 
> up, so disabling accounts or changing passwords won't stop it until 
> the queues are emptied.
> 
> 
> -Original Message-
> From: Osborne, Richard [mailto:richard.osbo...@wth.org] 
> Sent: Monday, August 02, 2010 3:32 PM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
> 
> I'm glad I'm not the only sufferer!
> 
> I'll try and answer the other questions that were asked:
> 
> 1) yes, the spam continued even with the user's account disabled and
> their PC powered off
> 2) yes, only our Exchange server can send SMTP to the Internet
> 3) my OWA servers are clean according to VIPRE & MalwareBytes
> 
> So far this has hit 3 users (out of ~5000).  I have not seen any 
> spam sent in the last 5 hours but I don't have any confidence that I
> have found the source.  Maybe there's a PC with a high-privileged 
> account that has been compromised and is sending out spam runs on a 
> schedule?  Currently I am getting up-to-date on patches on all my 
> Exchange boxes.
> 
> -Original Message-
> From: Thomas Mullins [mailto:tsmull...@wise.k12.va.us]
> Sent: Monday, August 02, 2010 2:17 PM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
> 
> We are having a similar issue.  We changed the user's password, and 
> since that user is in a meeting, we turned his machine off.  Looks 
> like it has to be coming from OWA.  Here is some info from an error 
> message our external MTA sent to me (our Exchange guys are looking 
> into the matter):
> 
> Transcript of session follows.
> 
>  Out: 220 mail3.wise.k12.va.us ESMTP
>  In:  EHLO mail.wise.k12.va.us
>  Out: 250-mail3.wise.k12.va.us
>  Out: 250-PIPELINING
>  Out: 250-SIZE 8
>  Out: 250-VRFY
>  Out: 250-ETRN
>  Out: 250-ENHANCEDSTATUSCODES
>  Out: 250-8BITMIME
>  Out: 250 DSN
>  In:  MAIL FROM: SIZE=1163
>  Out: 250 2.1.0 Ok
>  In:  RCPT TO:
>  Out: 250 2.1.5 Ok
>  In:  RCPT TO:
>  Out: 250 2.1.5 Ok
>  In:  RCPT TO:
>  Out: 250 2.1.5 Ok
>  In:  RCPT TO:
>  Out: 250 2.1.5 Ok
>  In:  RCPT TO:
>  Out: 250 2.1.5 Ok
>  In:  RCPT TO:
>  Out: 250 2.1.5 Ok
>  In:  RCPT TO:
>  Out: 250 2.1.5 Ok
>  In:  RCPT TO:
>  Out: 250 2.1.5 Ok
>  In:  RCPT TO:
>  Out: 250 2.1.5 Ok
>  In:  RCPT TO:
>  Out: 250 2.1.5 Ok
>  In:  RCPT TO:
>  Out: 250 2.1.5 Ok
> 
> Shane
> 
> 
> -Original Message-
> From: Roger Wright [mailto:rhw...@gmail.com]
> Sent: Monday, August 02, 2010 2:35 PM
> To: NT System Admin Issues
> Subject: Re: malware that creates Outlook rules
> 
> Is your firewall set to only allow SMTP (port 25) traffic from your 
> Exchange server?
> 
> 
> Die dulci fruere!
> 
> Roger Wright
> ___
> 
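
The firewall check described in the message above (SMTP only from one address per site, only to the relay), as an added example that is not part of the original thread. The CSV layout, the addresses and the function names are assumptions made for illustration.

```python
"""Added example: flag SMTP flows that break a one-sender, one-relay egress policy."""
import csv
import io

# Constructed firewall export; the CSV layout and every address are invented.
SAMPLE_FLOWS = """\
time,src,dst,dport,action
2010-08-02T09:00:01,10.1.0.10,198.51.100.25,25,allow
2010-08-02T09:00:07,10.1.7.44,192.0.2.10,25,deny
2010-08-02T09:00:08,10.1.7.44,192.0.2.11,25,deny
2010-08-02T09:00:09,10.1.7.44,203.0.113.5,25,allow
2010-08-02T09:01:00,10.1.7.44,198.51.100.80,443,allow
2010-08-02T09:02:30,10.1.0.10,203.0.113.9,25,allow
"""


def smtp_policy_violations(flows_csv, mail_servers, relays, smtp_ports=(25,)):
    """Group SMTP flows that are not mail_server -> relay by source address."""
    mail_servers, relays = set(mail_servers), set(relays)
    offenders = {}
    for row in csv.DictReader(io.StringIO(flows_csv)):
        if int(row["dport"]) not in smtp_ports:
            continue  # not SMTP, outside this policy
        reasons = set()
        if row["src"] not in mail_servers:
            reasons.add("source is not an approved mail server")
        if row["dst"] not in relays:
            reasons.add("destination is not the approved relay")
        if not reasons:
            continue  # the one permitted path
        entry = offenders.setdefault(row["src"], {
            "attempts": 0, "allowed": 0, "destinations": set(),
            "reasons": set(), "first": row["time"], "last": row["time"]})
        entry["attempts"] += 1
        # A denied attempt still identifies the host; an allowed one means
        # mail actually left the network around the policy.
        entry["allowed"] += int(row["action"] == "allow")
        entry["destinations"].add(row["dst"])
        entry["reasons"] |= reasons
        # ISO 8601 timestamps sort correctly as plain strings.
        entry["first"] = min(entry["first"], row["time"])
        entry["last"] = max(entry["last"], row["time"])
    return offenders


def triage_order(offenders):
    """Sources whose traffic was allowed out come first, then by attempt count."""
    return sorted(offenders, key=lambda src: (-offenders[src]["allowed"],
                                              -offenders[src]["attempts"], src))


if __name__ == "__main__":
    found = smtp_policy_violations(SAMPLE_FLOWS, ["10.1.0.10"], ["198.51.100.25"])
    for src in triage_order(found):
        info = found[src]
        print(f"{src}: {info['attempts']} SMTP attempts ({info['allowed']} allowed) "
              f"to {len(info['destinations'])} hosts, {info['first']} to {info['last']}")
        for reason in sorted(info["reasons"]):
            print(f"    {reason}")
```

The mail server itself shows up when it sends anywhere other than the relay, which covers the second half of the policy.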

RE: malware that creates Outlook rules

2010-08-02 Thread Osborne, Richard
I have been monitoring the Exchange queues.  It's the only way I can tell when 
it is happening.  I found the aqadmcli.exe utility and have been using it to 
clean the queues (aqadmcli "delmsg flags=SENDER,sender=bob.sm...@wth.org").

I'll check the OWA logs ASAP.

Assuming I have had three users reply to phishing e-mails, is there anything to 
fix besides changing their passwords?

Thanks everyone for the suggestions.

-Original Message-
From: Glen Johnson [mailto:gjohn...@vhcc.edu] 
Sent: Monday, August 02, 2010 2:35 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Also check those Exchange SMTP queues.
If it is compromised accounts, the spammers can send spam via your OWA faster 
than your Exchange server can process, so it will get backed up, so disabling 
accounts or changing passwords won't stop it until the queues are emptied.


-Original Message-
From: Osborne, Richard [mailto:richard.osbo...@wth.org] 
Sent: Monday, August 02, 2010 3:32 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

I'm glad I'm not the only sufferer!

I'll try and answer the other questions that were asked:

1) yes, the spam continued even with the user's account disabled and their PC 
powered off
2) yes, only our Exchange server can send SMTP to the Internet
3) my OWA servers are clean according to VIPRE & MalwareBytes

So far this has hit 3 users (out of ~5000).  I have not seen any spam sent in 
the last 5 hours but I don't have any confidence that I have found the source.  
Maybe there's a PC with a high-privileged account that has been compromised and 
is sending out spam runs on a schedule?  Currently I am getting up-to-date on 
patches on all my Exchange boxes.

-Original Message-
From: Thomas Mullins [mailto:tsmull...@wise.k12.va.us]
Sent: Monday, August 02, 2010 2:17 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

We are having a similar issue.  We changed the user's password, and since that 
user is in a meeting, we turned his machine off.  Looks like it has to be 
coming from OWA.  Here is some info from an error message our external MTA sent 
to me (our Exchange guys are looking into the matter):

Transcript of session follows.

 Out: 220 mail3.wise.k12.va.us ESMTP
 In:  EHLO mail.wise.k12.va.us
 Out: 250-mail3.wise.k12.va.us
 Out: 250-PIPELINING
 Out: 250-SIZE 8
 Out: 250-VRFY
 Out: 250-ETRN
 Out: 250-ENHANCEDSTATUSCODES
 Out: 250-8BITMIME
 Out: 250 DSN
 In:  MAIL FROM: SIZE=1163
 Out: 250 2.1.0 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok

Shane


-Original Message-
From: Roger Wright [mailto:rhw...@gmail.com]
Sent: Monday, August 02, 2010 2:35 PM
To: NT System Admin Issues
Subject: Re: malware that creates Outlook rules

Is your firewall set to only allow SMTP (port 25) traffic from your Exchange 
server?


Die dulci fruere!

Roger Wright
___




On Mon, Aug 2, 2010 at 2:21 PM, Osborne, Richard  
wrote:
> I disabled their accounts and it didn't help.
>
>
> -Original Message-
> From: Roger Wright [mailto:rhw...@gmail.com]
> Sent: Monday, August 02, 2010 1:09 PM
> To: NT System Admin Issues
> Subject: Re: malware that creates Outlook rules
>
> Have you had the users change their passwords yet?
>
>
> Die dulci fruere!
>
> Roger Wright
> ___
>
>
>
>
> On Mon, Aug 2, 2010 at 1:46 PM, Osborne, Richard 
>  wrote:
>> Has anyone seen malware that creates an Outlook rule that moves all 
>> new mail to Deleted Items and then sends out a bunch of spam?  I have 
>> a few users that have been hit with something I can't find.  I 
>> scanned the PCs with VIPRE, MalwareBytes, & Symantec's online scanner 
>> and didn't find anything.  Then I turned off the PCs and something is 
>> still accessing their mailboxes.  I scanned the Exchange server also.  
>> I am not seeing anything in Exchange User Monitor or Windows Security 
>> logs and our network guys say they don't see any unusual traffic to 
>> our Exchange server.
>>
>> Google finds a couple of people reporting the same thing but no 
>> resolution.
>>
>> Windows XP SP2 clients with Outlook 2002 & 2003; Exchange Server 2003
>> SP2 on Server 2003 SP1.
>>
>> Thanks for any ideas.
>>
>>
>>
>> Richard Osborne
>> Information Systems
>> Jackson-Madison County General Hospital
>>
>> NOTICE:  (1) The foregoing is not intended to be a legally binding or 
>> legally effective electronic signature. (2) This message may contain 
>> legally privileged or confidential information.  If you are not the 
>> intended recipient of this message, please so notify me, disregard 
>> the foregoing message, and delete the message immediately.  I 
>

Re: malware that creates Outlook rules

2010-08-02 Thread Steven Peck
You need to go through the OWA logs for that user's access history to
verify if it is through OWA.   It won't infect your OWA servers.

On Mon, Aug 2, 2010 at 12:35 PM, Crawford, Scott  wrote:
> It's very likely a phished account. This happens to us on a regular basis and 
> there's really nothing that can be done to fix it short of educating the 
> users, which is...difficult. The fact that spam was continuing even after the 
> account is disabled could be chalked up to mail still in the queues.
>
> -Original Message-
> From: Osborne, Richard [mailto:richard.osbo...@wth.org]
> Sent: Monday, August 02, 2010 2:32 PM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
>
> I'm glad I'm not the only sufferer!
>
> I'll try and answer the other questions that were asked:
>
> 1) yes, the spam continued even with the user's account disabled and their PC 
> powered off
> 2) yes, only our Exchange server can send SMTP to the Internet
> 3) my OWA servers are clean according to VIPRE & MalwareBytes
>
> So far this has hit 3 users (out of ~5000).  I have not seen any spam sent in 
> the last 5 hours but I don't have any confidence that I have found the 
> source.  Maybe there's a PC with a high-privileged account that has been 
> compromised and is sending out spam runs on a schedule?  Currently I am 
> getting up-to-date on patches on all my Exchange boxes.
>
> -Original Message-
> From: Thomas Mullins [mailto:tsmull...@wise.k12.va.us]
> Sent: Monday, August 02, 2010 2:17 PM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
>
> We are having a similar issue.  We changed the user's password, and since that 
> user is in a meeting, we turned his machine off.  Looks like it has to be 
> coming from OWA.  Here is some info from an error message our external MTA 
> sent to me (our Exchange guys are looking into the matter):
>
> Transcript of session follows.
>
>  Out: 220 mail3.wise.k12.va.us ESMTP
>  In:  EHLO mail.wise.k12.va.us
>  Out: 250-mail3.wise.k12.va.us
>  Out: 250-PIPELINING
>  Out: 250-SIZE 8
>  Out: 250-VRFY
>  Out: 250-ETRN
>  Out: 250-ENHANCEDSTATUSCODES
>  Out: 250-8BITMIME
>  Out: 250 DSN
>  In:  MAIL FROM: SIZE=1163
>  Out: 250 2.1.0 Ok
>  In:  RCPT TO:
>  Out: 250 2.1.5 Ok
>  In:  RCPT TO:
>  Out: 250 2.1.5 Ok
>  In:  RCPT TO:
>  Out: 250 2.1.5 Ok
>  In:  RCPT TO:
>  Out: 250 2.1.5 Ok
>  In:  RCPT TO:
>  Out: 250 2.1.5 Ok
>  In:  RCPT TO:
>  Out: 250 2.1.5 Ok
>  In:  RCPT TO:
>  Out: 250 2.1.5 Ok
>  In:  RCPT TO:
>  Out: 250 2.1.5 Ok
>  In:  RCPT TO:
>  Out: 250 2.1.5 Ok
>  In:  RCPT TO:
>  Out: 250 2.1.5 Ok
>  In:  RCPT TO:
>  Out: 250 2.1.5 Ok
>
> Shane
>
>
> -Original Message-
> From: Roger Wright [mailto:rhw...@gmail.com]
> Sent: Monday, August 02, 2010 2:35 PM
> To: NT System Admin Issues
> Subject: Re: malware that creates Outlook rules
>
> Is your firewall set to only allow SMTP (port 25) traffic from your
> Exchange server?
>
>
> Die dulci fruere!
>
> Roger Wright
> ___
>
>
>
>
> On Mon, Aug 2, 2010 at 2:21 PM, Osborne, Richard
>  wrote:
>> I disabled their accounts and it didn't help.
>>
>>
>> -Original Message-
>> From: Roger Wright [mailto:rhw...@gmail.com]
>> Sent: Monday, August 02, 2010 1:09 PM
>> To: NT System Admin Issues
>> Subject: Re: malware that creates Outlook rules
>>
>> Have you had the users change their passwords yet?
>>
>>
>> Die dulci fruere!
>>
>> Roger Wright
>> ___
>>
>>
>>
>>
>> On Mon, Aug 2, 2010 at 1:46 PM, Osborne, Richard
>>  wrote:
>>> Has anyone seen malware that creates an Outlook rule that moves all new
>>> mail to Deleted Items and then sends out a bunch of spam?  I have a few
>>> users that have been hit with something I can't find.  I scanned the PCs
>>> with VIPRE, MalwareBytes, & Symantec's online scanner and didn't find
>>> anything.  Then I turned off the PCs and something is still accessing
>>> their mailboxes.  I scanned the Exchange server also.  I am not seeing
>>> anything in Exchange User Monitor or Windows Security logs and our
>>> network guys say they don't see any unusual traffic to our Exchange
>>> server.
>>>
>>> Google finds a couple of people reporting the same thing but no
>>> resolution.
>>>
>>> Windows XP SP2 clients with Outlook 2002 & 2003; Exchange Server 2003
>>> SP2 on Server 2003 SP1.
>>>
>>> Thanks for any ideas.
>>>
>>>
>>>
>>> Richard Osborne
>>> Information Systems
>>> Jackson-Madison County General Hospital
>>>
>>> NOTICE:  (1) The foregoing is not intended to be a legally binding or
>>> legally effective electronic signature. (2) This message may contain
>>> legally privileged or confidential information.  If you are not the
>>> intended recipient of this message, please so notify me, disregard the
>>> foregoing message, and delete the message immediately.  I apologize for
>>> any inconvenience this may have caused.
>>>
>>>
>>>
>>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>>> ~ 

RE: malware that creates Outlook rules

2010-08-02 Thread Crawford, Scott
It's very likely a phished account. This happens to us on a regular basis and 
there's really nothing that can be done to fix it short of educating the users, 
which is...difficult. The fact that spam was continuing even after the account 
is disabled could be chalked up to mail still in the queues.

-Original Message-
From: Osborne, Richard [mailto:richard.osbo...@wth.org] 
Sent: Monday, August 02, 2010 2:32 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

I'm glad I'm not the only sufferer!

I'll try and answer the other questions that were asked:

1) yes, the spam continued even with the user's account disabled and their PC 
powered off
2) yes, only our Exchange server can send SMTP to the Internet
3) my OWA servers are clean according to VIPRE & MalwareBytes

So far this has hit 3 users (out of ~5000).  I have not seen any spam sent in 
the last 5 hours but I don't have any confidence that I have found the source.  
Maybe there's a PC with a high-privileged account that has been compromised and 
is sending out spam runs on a schedule?  Currently I am getting up-to-date on 
patches on all my Exchange boxes.

-Original Message-
From: Thomas Mullins [mailto:tsmull...@wise.k12.va.us] 
Sent: Monday, August 02, 2010 2:17 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

We are having a similar issue.  We changed the user's password, and since that
user is in a meeting, we turned his machine off.  Looks like it has to be 
coming from OWA.  Here is some info from an error message our external MTA sent 
to me (our Exchange guys are looking into the matter):

Transcript of session follows.

 Out: 220 mail3.wise.k12.va.us ESMTP
 In:  EHLO mail.wise.k12.va.us
 Out: 250-mail3.wise.k12.va.us
 Out: 250-PIPELINING
 Out: 250-SIZE 8
 Out: 250-VRFY
 Out: 250-ETRN
 Out: 250-ENHANCEDSTATUSCODES
 Out: 250-8BITMIME
 Out: 250 DSN
 In:  MAIL FROM: SIZE=1163
 Out: 250 2.1.0 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok

Shane


-Original Message-
From: Roger Wright [mailto:rhw...@gmail.com] 
Sent: Monday, August 02, 2010 2:35 PM
To: NT System Admin Issues
Subject: Re: malware that creates Outlook rules

Is your firewall set to only allow SMTP (port 25) traffic from your
Exchange server?


Die dulci fruere!

Roger Wright
___




On Mon, Aug 2, 2010 at 2:21 PM, Osborne, Richard
 wrote:
> I disabled their accounts and it didn't help.
>
>
> -Original Message-
> From: Roger Wright [mailto:rhw...@gmail.com]
> Sent: Monday, August 02, 2010 1:09 PM
> To: NT System Admin Issues
> Subject: Re: malware that creates Outlook rules
>
> Have you had the users change their passwords yet?
>
>
> Die dulci fruere!
>
> Roger Wright
> ___
>
>
>
>
> On Mon, Aug 2, 2010 at 1:46 PM, Osborne, Richard
>  wrote:
>> Has anyone seen malware that creates an Outlook rule that moves all new
>> mail to Deleted Items and then sends out a bunch of spam?  I have a few
>> users that have been hit with something I can't find.  I scanned the PCs
>> with VIPRE, MalwareBytes, & Symantec's online scanner and didn't find
>> anything.  Then I turned off the PCs and something is still accessing
>> their mailboxes.  I scanned the Exchange server also.  I am not seeing
>> anything in Exchange User Monitor or Windows Security logs and our
>> network guys say they don't see any unusual traffic to our Exchange
>> server.
>>
>> Google finds a couple of people reporting the same thing but no
>> resolution.
>>
>> Windows XP SP2 clients with Outlook 2002 & 2003; Exchange Server 2003
>> SP2 on Server 2003 SP1.
>>
>> Thanks for any ideas.
>>
>>
>>
>> Richard Osborne
>> Information Systems
>> Jackson-Madison County General Hospital
>>



RE: malware that creates Outlook rules

2010-08-02 Thread Glen Johnson
Also check those exchange smtp queues.
If it is compromised accounts the spammers can send spam via your OWA faster
than your exchange server can process so it will get backed up so disabling
accounts or changing passwords won't stop it until the queues are emptied.


-Original Message-
From: Osborne, Richard [mailto:richard.osbo...@wth.org] 
Sent: Monday, August 02, 2010 3:32 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

I'm glad I'm not the only sufferer!

I'll try and answer the other questions that were asked:

1) yes, the spam continued even with the user's account disabled and their PC 
powered off
2) yes, only our Exchange server can send SMTP to the Internet
3) my OWA servers are clean according to VIPRE & MalwareBytes

So far this has hit 3 users (out of ~5000).  I have not seen any spam sent in 
the last 5 hours but I don't have any confidence that I have found the source.  
Maybe there's a PC with a high-privileged account that has been compromised and 
is sending out spam runs on a schedule?  Currently I am getting up-to-date on 
patches on all my Exchange boxes.

-Original Message-
From: Thomas Mullins [mailto:tsmull...@wise.k12.va.us]
Sent: Monday, August 02, 2010 2:17 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

We are having a similar issue.  We changed the user's password, and since that
user is in a meeting, we turned his machine off.  Looks like it has to be 
coming from OWA.  Here is some info from an error message our external MTA sent 
to me (our Exchange guys are looking into the matter):

Transcript of session follows.

 Out: 220 mail3.wise.k12.va.us ESMTP
 In:  EHLO mail.wise.k12.va.us
 Out: 250-mail3.wise.k12.va.us
 Out: 250-PIPELINING
 Out: 250-SIZE 8
 Out: 250-VRFY
 Out: 250-ETRN
 Out: 250-ENHANCEDSTATUSCODES
 Out: 250-8BITMIME
 Out: 250 DSN
 In:  MAIL FROM: SIZE=1163
 Out: 250 2.1.0 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok

Shane


-Original Message-
From: Roger Wright [mailto:rhw...@gmail.com]
Sent: Monday, August 02, 2010 2:35 PM
To: NT System Admin Issues
Subject: Re: malware that creates Outlook rules

Is your firewall set to only allow SMTP (port 25) traffic from your Exchange 
server?


Die dulci fruere!

Roger Wright
___




On Mon, Aug 2, 2010 at 2:21 PM, Osborne, Richard  
wrote:
> I disabled their accounts and it didn't help.
>
>
> -Original Message-
> From: Roger Wright [mailto:rhw...@gmail.com]
> Sent: Monday, August 02, 2010 1:09 PM
> To: NT System Admin Issues
> Subject: Re: malware that creates Outlook rules
>
> Have you had the users change their passwords yet?
>
>
> Die dulci fruere!
>
> Roger Wright
> ___
>
>
>
>
> On Mon, Aug 2, 2010 at 1:46 PM, Osborne, Richard 
>  wrote:
>> Has anyone seen malware that creates an Outlook rule that moves all 
>> new mail to Deleted Items and then sends out a bunch of spam?  I have 
>> a few users that have been hit with something I can't find.  I 
>> scanned the PCs with VIPRE, MalwareBytes, & Symantec's online scanner 
>> and didn't find anything.  Then I turned off the PCs and something is 
>> still accessing their mailboxes.  I scanned the Exchange server also.  
>> I am not seeing anything in Exchange User Monitor or Windows Security 
>> logs and our network guys say they don't see any unusual traffic to 
>> our Exchange server.
>>
>> Google finds a couple of people reporting the same thing but no 
>> resolution.
>>
>> Windows XP SP2 clients with Outlook 2002 & 2003; Exchange Server 2003
>> SP2 on Server 2003 SP1.
>>
>> Thanks for any ideas.
>>
>>
>>
>> Richard Osborne
>> Information Systems
>> Jackson-Madison County General Hospital
>>



RE: malware that creates Outlook rules

2010-08-02 Thread Osborne, Richard
I'm glad I'm not the only sufferer!

I'll try and answer the other questions that were asked:

1) yes, the spam continued even with the user's account disabled and their PC 
powered off
2) yes, only our Exchange server can send SMTP to the Internet
3) my OWA servers are clean according to VIPRE & MalwareBytes

So far this has hit 3 users (out of ~5000).  I have not seen any spam sent in 
the last 5 hours but I don't have any confidence that I have found the source.  
Maybe there's a PC with a high-privileged account that has been compromised and 
is sending out spam runs on a schedule?  Currently I am getting up-to-date on 
patches on all my Exchange boxes.

-Original Message-
From: Thomas Mullins [mailto:tsmull...@wise.k12.va.us] 
Sent: Monday, August 02, 2010 2:17 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

We are having a similar issue.  We changed the user's password, and since that
user is in a meeting, we turned his machine off.  Looks like it has to be 
coming from OWA.  Here is some info from an error message our external MTA sent 
to me (our Exchange guys are looking into the matter):

Transcript of session follows.

 Out: 220 mail3.wise.k12.va.us ESMTP
 In:  EHLO mail.wise.k12.va.us
 Out: 250-mail3.wise.k12.va.us
 Out: 250-PIPELINING
 Out: 250-SIZE 8
 Out: 250-VRFY
 Out: 250-ETRN
 Out: 250-ENHANCEDSTATUSCODES
 Out: 250-8BITMIME
 Out: 250 DSN
 In:  MAIL FROM: SIZE=1163
 Out: 250 2.1.0 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok

Shane


-Original Message-
From: Roger Wright [mailto:rhw...@gmail.com] 
Sent: Monday, August 02, 2010 2:35 PM
To: NT System Admin Issues
Subject: Re: malware that creates Outlook rules

Is your firewall set to only allow SMTP (port 25) traffic from your
Exchange server?


Die dulci fruere!

Roger Wright
___




On Mon, Aug 2, 2010 at 2:21 PM, Osborne, Richard
 wrote:
> I disabled their accounts and it didn't help.
>
>
> -Original Message-
> From: Roger Wright [mailto:rhw...@gmail.com]
> Sent: Monday, August 02, 2010 1:09 PM
> To: NT System Admin Issues
> Subject: Re: malware that creates Outlook rules
>
> Have you had the users change their passwords yet?
>
>
> Die dulci fruere!
>
> Roger Wright
> ___
>
>
>
>
> On Mon, Aug 2, 2010 at 1:46 PM, Osborne, Richard
>  wrote:
>> Has anyone seen malware that creates an Outlook rule that moves all new
>> mail to Deleted Items and then sends out a bunch of spam?  I have a few
>> users that have been hit with something I can't find.  I scanned the PCs
>> with VIPRE, MalwareBytes, & Symantec's online scanner and didn't find
>> anything.  Then I turned off the PCs and something is still accessing
>> their mailboxes.  I scanned the Exchange server also.  I am not seeing
>> anything in Exchange User Monitor or Windows Security logs and our
>> network guys say they don't see any unusual traffic to our Exchange
>> server.
>>
>> Google finds a couple of people reporting the same thing but no
>> resolution.
>>
>> Windows XP SP2 clients with Outlook 2002 & 2003; Exchange Server 2003
>> SP2 on Server 2003 SP1.
>>
>> Thanks for any ideas.
>>
>>
>>
>> Richard Osborne
>> Information Systems
>> Jackson-Madison County General Hospital
>>



RE: malware that creates Outlook rules

2010-08-02 Thread Glen Johnson
Check the sent items folder to see if the user replied to a phishing
email.  You might have 1000's of emails to go through to find but it
might be there, unless they gave the user id and password to a web site.
We've seen very similar things here.  Massive spam in the sent folder
but just before all the spam was a reply with user id and password.
Also check for auto reply rules.  Saw those on one account.


-Original Message-
From: Osborne, Richard [mailto:richard.osbo...@wth.org] 
Sent: Monday, August 02, 2010 1:47 PM
To: NT System Admin Issues
Subject: malware that creates Outlook rules

Has anyone seen malware that creates an Outlook rule that moves all new
mail to Deleted Items and then sends out a bunch of spam?  I have a few
users that have been hit with something I can't find.  I scanned the PCs
with VIPRE, MalwareBytes, & Symantec's online scanner and didn't find
anything.  Then I turned off the PCs and something is still accessing
their mailboxes.  I scanned the Exchange server also.  I am not seeing
anything in Exchange User Monitor or Windows Security logs and our
network guys say they don't see any unusual traffic to our Exchange
server.

Google finds a couple of people reporting the same thing but no
resolution.

Windows XP SP2 clients with Outlook 2002 & 2003; Exchange Server 2003
SP2 on Server 2003 SP1.

Thanks for any ideas.



Richard Osborne
Information Systems
Jackson-Madison County General Hospital




RE: backing up too much data

2010-08-02 Thread Don Guyer
Little late, but... Funny you say this. At a previous job, we kept our
monthly/quarterly/yearly backups at a local branch. Dailies went to IM for 
2-week rotation.

Don Guyer
Systems Engineer - Information Services
Prudential, Fox & Roach/Trident Group
431 W. Lancaster Avenue
Devon, PA 19333
Direct: (610) 993-3299
Fax: (610) 650-5306
don.gu...@prufoxroach.com

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com] 
Sent: Wednesday, July 28, 2010 1:10 PM
To: NT System Admin Issues
Subject: Re: backing up too much data

I assume for the moment (further data might invalidate this
assumption) that Iron Mountain and the like are not within budget.

Having made that assumption, Ben has uttered Magic Words there:

Bank Vault

OP's org almost certainly has a bank account with a local branch. I'd
bet in a place like DC either that branch, or another bank nearby, has
safe deposit boxes for rent, relatively inexpensively.

Makes for a nice lunch hour detour, I think.

Kurt

On Wed, Jul 28, 2010 at 09:57, Ben Scott  wrote:
> On Wed, Jul 28, 2010 at 9:54 AM, Erik Goldoff  wrote:
>> Seems that a wise investment would be a quality fire-resistant safe big
>> enough to hold a fire resistant lock box
>
>  Fire safes aren't what most people think they are.  Many of them are
> rated for paper only, not machine media.  Most of the ones which are
> rated for machine media give you an hour, maybe two.  Unless it's a
> bank vault, assume a serious structure fire is going to kill whatever
> you've got in your fire safe.
>
>  Depending on the specifics of the organization and the people and the
> data, I'd worry more about a local disaster than about the VP going
> rogue and taking the data with him.  Stolen/misplaced media can be
> addressed by encryption.
>
> -- Ben
>

RE: malware that creates Outlook rules

2010-08-02 Thread Thomas Mullins
We are having a similar issue.  We changed the user's password, and since that
user is in a meeting, we turned his machine off.  Looks like it has to be 
coming from OWA.  Here is some info from an error message our external MTA sent 
to me (our Exchange guys are looking into the matter):

Transcript of session follows.

 Out: 220 mail3.wise.k12.va.us ESMTP
 In:  EHLO mail.wise.k12.va.us
 Out: 250-mail3.wise.k12.va.us
 Out: 250-PIPELINING
 Out: 250-SIZE 8
 Out: 250-VRFY
 Out: 250-ETRN
 Out: 250-ENHANCEDSTATUSCODES
 Out: 250-8BITMIME
 Out: 250 DSN
 In:  MAIL FROM: SIZE=1163
 Out: 250 2.1.0 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok

Shane


-Original Message-
From: Roger Wright [mailto:rhw...@gmail.com] 
Sent: Monday, August 02, 2010 2:35 PM
To: NT System Admin Issues
Subject: Re: malware that creates Outlook rules

Is your firewall set to only allow SMTP (port 25) traffic from your
Exchange server?


Die dulci fruere!

Roger Wright
___




On Mon, Aug 2, 2010 at 2:21 PM, Osborne, Richard
 wrote:
> I disabled their accounts and it didn't help.
>
>
> -Original Message-
> From: Roger Wright [mailto:rhw...@gmail.com]
> Sent: Monday, August 02, 2010 1:09 PM
> To: NT System Admin Issues
> Subject: Re: malware that creates Outlook rules
>
> Have you had the users change their passwords yet?
>
>
> Die dulci fruere!
>
> Roger Wright
> ___
>
>
>
>
> On Mon, Aug 2, 2010 at 1:46 PM, Osborne, Richard
>  wrote:
>> Has anyone seen malware that creates an Outlook rule that moves all new
>> mail to Deleted Items and then sends out a bunch of spam?  I have a few
>> users that have been hit with something I can't find.  I scanned the PCs
>> with VIPRE, MalwareBytes, & Symantec's online scanner and didn't find
>> anything.  Then I turned off the PCs and something is still accessing
>> their mailboxes.  I scanned the Exchange server also.  I am not seeing
>> anything in Exchange User Monitor or Windows Security logs and our
>> network guys say they don't see any unusual traffic to our Exchange
>> server.
>>
>> Google finds a couple of people reporting the same thing but no
>> resolution.
>>
>> Windows XP SP2 clients with Outlook 2002 & 2003; Exchange Server 2003
>> SP2 on Server 2003 SP1.
>>
>> Thanks for any ideas.
>>
>>
>>
>> Richard Osborne
>> Information Systems
>> Jackson-Madison County General Hospital
>>
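The session transcript in the message above has its addresses stripped, but its In:/Out: layout is enough to count recipients per envelope sender, which is one way to spot a spam run from a phished account in MTA error reports. The following is an added example, not code from the thread; the example.* addresses, the 5-recipient threshold and the function names are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample in the same "In:/Out:" layout as the transcript in the
# thread. All hosts and addresses are made up (example.* domains).
SAMPLE_TRANSCRIPT = """\
 Out: 220 mx.example.net ESMTP
 In:  EHLO mail.example.org
 Out: 250-mx.example.net
 Out: 250-PIPELINING
 Out: 250 DSN
 In:  MAIL FROM:<user1@example.org> SIZE=1163
 Out: 250 2.1.0 Ok
 In:  RCPT TO:<r1@example.com>
 Out: 250 2.1.5 Ok
 In:  RCPT TO:<r2@example.com>
 Out: 250 2.1.5 Ok
 In:  RCPT TO:<r3@example.com>
 Out: 550 5.1.1 User unknown
 In:  RCPT TO:<r4@example.com>
 In:  RCPT TO:<r5@example.com>
 Out: 250 2.1.5 Ok
 Out: 250 2.1.5 Ok
 In:  RCPT TO:<r6@example.com>
 Out: 250 2.1.5 Ok
 In:  RSET
 Out: 250 2.0.0 Ok
 In:  MAIL FROM:<user2@example.org>
 Out: 250 2.1.0 Ok
 In:  RCPT TO:<r7@example.com>
 Out: 250 2.1.5 Ok
"""

# Tolerate leading whitespace and "> " quoting from forwarded reports.
LINE_RE = re.compile(r"^[>\s]*(In|Out):\s*(.*)$")
MAIL_RE = re.compile(r"^MAIL FROM:\s*(?:<([^>]*)>)?", re.IGNORECASE)
RCPT_RE = re.compile(r"^RCPT TO:\s*(?:<([^>]*)>)?", re.IGNORECASE)


def _address(match):
    """Return the bracketed address, or a marker when it was stripped."""
    return match.group(1) if match.group(1) is not None else "(missing)"


def parse_transactions(text):
    """Split a session transcript into mail transactions.

    Each transaction is a dict with the envelope sender and the recipients
    the receiving server accepted or rejected.
    """
    transactions, current, pending = [], None, []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        direction, payload = m.group(1), m.group(2).strip()
        if direction == "In":
            # With PIPELINING several commands can precede their replies,
            # so queue commands and pair them with replies in order.
            pending.append(payload)
            continue
        if len(payload) > 3 and payload[3] == "-":
            continue  # continuation line of a multi-line reply
        if not pending:
            continue  # greeting banner, no command to pair with
        command, ok = pending.pop(0), payload.startswith("2")
        mail, rcpt = MAIL_RE.match(command), RCPT_RE.match(command)
        if mail:
            current = None
            if ok:
                current = {"sender": _address(mail), "accepted": [], "rejected": []}
                transactions.append(current)
        elif rcpt and current is not None:
            current["accepted" if ok else "rejected"].append(_address(rcpt))
        elif command.upper().startswith("RSET"):
            current = None
    return transactions


def flag_bulk_senders(transactions, threshold=5):
    """Return (sender, attempted_recipients) for senders at or over threshold."""
    totals = Counter()
    for t in transactions:
        totals[t["sender"]] += len(t["accepted"]) + len(t["rejected"])
    return [(s, n) for s, n in totals.most_common() if n >= threshold]


if __name__ == "__main__":
    for sender, count in flag_bulk_senders(parse_transactions(SAMPLE_TRANSCRIPT)):
        print(f"{sender}: {count} recipients attempted")
```

Rejected recipients are counted as well as accepted ones, since a run of unknown-user rejections is itself a sign of a harvested address list.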



Re: Upcoming Out of Band update

2010-08-02 Thread Kurt Buff
And, it looks as if they're being strict about it too...

I don't see a patch for either Win2k or WinXP SP2 - they both EOL'ed in July.

Kurt

On Mon, Aug 2, 2010 at 09:16, Rob Bonfiglio  wrote:
> I sent this earlier, but it looks like it may not have made it to the list
> since I had been unsubscribed from my little episode this weekend:
>
>
> We got this from our TAM this morning.  No real details, other than that
> there will be an out of band update and details will be released later:
>
> http://www.microsoft.com/technet/security/bulletin/ms10-aug.mspx
>
>
>
>




Re: malware that creates Outlook rules

2010-08-02 Thread Roger Wright
Is your firewall set to only allow SMTP (port 25) traffic from your
Exchange server?


Die dulci fruere!

Roger Wright
___




On Mon, Aug 2, 2010 at 2:21 PM, Osborne, Richard
 wrote:
> I disabled their accounts and it didn't help.
>
>
> -Original Message-
> From: Roger Wright [mailto:rhw...@gmail.com]
> Sent: Monday, August 02, 2010 1:09 PM
> To: NT System Admin Issues
> Subject: Re: malware that creates Outlook rules
>
> Have you had the users change their passwords yet?
>
>
> Die dulci fruere!
>
> Roger Wright
> ___
>
>
>
>
> On Mon, Aug 2, 2010 at 1:46 PM, Osborne, Richard
>  wrote:
>> Has anyone seen malware that creates an Outlook rule that moves all new
>> mail to Deleted Items and then sends out a bunch of spam?  I have a few
>> users that have been hit with something I can't find.  I scanned the PCs
>> with VIPRE, MalwareBytes, & Symantec's online scanner and didn't find
>> anything.  Then I turned off the PCs and something is still accessing
>> their mailboxes.  I scanned the Exchange server also.  I am not seeing
>> anything in Exchange User Monitor or Windows Security logs and our
>> network guys say they don't see any unusual traffic to our Exchange
>> server.
>>
>> Google finds a couple of people reporting the same thing but no
>> resolution.
>>
>> Windows XP SP2 clients with Outlook 2002 & 2003; Exchange Server 2003
>> SP2 on Server 2003 SP1.
>>
>> Thanks for any ideas.
>>
>>
>>
>> Richard Osborne
>> Information Systems
>> Jackson-Madison County General Hospital
>>



RE: 2008 DC being offline

2010-08-02 Thread Michael B. Smith
Can you say "bug"?  :-P

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Monday, August 02, 2010 2:33 PM
To: NT System Admin Issues
Subject: Re: 2008 DC being offline

Wow.. Why did it shift downward from 2003 to 2003R2?

-ASB: http://XeeSM.com/AndrewBaker

On Mon, Aug 2, 2010 at 2:24 PM, Brian Desmond wrote:
60 is the default for 2000 and 2003 R2 forests, 180 for 2003, 2008, 2008 R2 
forests. Note this is the original OS version of the first DC not the current 
FFL.

There are scenarios you'd change this but they're fairly vertical.

Thanks,
Brian Desmond
br...@briandesmond.com

c   - 312.731.3132


-Original Message-
From: David Lum [mailto:david@nwea.org]
Sent: Monday, August 02, 2010 9:30 AM
To: NT System Admin Issues
Subject: RE: 2008 DC being offline

I stand corrected, maybe it was 66 days. As a general rule I don't change 
defaults unless I have a compelling reason to do so, and I can't think of one 
here.

-Original Message-
From: Brian Desmond 
[mailto:br...@briandesmond.com]
Sent: Friday, July 30, 2010 4:07 PM
To: NT System Admin Issues
Subject: RE: 2008 DC being offline

30 days not unless you tinkered with some tombstone lifetime settings which I 
don't know why you would lower it...

Thanks,
Brian Desmond
br...@briandesmond.com

c - 312.731.3132



-Original Message-
From: David Lum [mailto:david@nwea.org]
Sent: Wednesday, July 28, 2010 2:55 PM
To: NT System Admin Issues
Subject: RE: 2008 DC being offline

Past 30 days offline it will complain - at least 2003 servers do, but I think 
it's also related to some AD archive or backup time setting... I ran into
something about 30 days when I restored a DC from a backup that was 36 days old.

Minor in the scheme of things, just something to keep in mind.

...Then again, maybe that was of no help...

David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764



-Original Message-
From: jesse-r...@wi.rr.com 
[mailto:jesse-r...@wi.rr.com]
Sent: Wednesday, July 28, 2010 11:56 AM
To: NT System Admin Issues
Subject: 2008 DC being offline

Hello,
A 2008 DC (let's call it Server-F) we have at another site has been offline
for 6 weeks.  We powered it down because the building was undergoing
construction, and the building was effectively CLOSED for those 6 weeks.
Construction is done and I'm ready to bring the server back online.

Is there a problem with just turning Server-F on and letting it re-sync
with active directory even though it's been offline for 6 weeks?  or...
would I be better off bringing Server-F up WITHOUT a network cable
connected, run dcpromo /forceremoval on it... then remove any references to
the Server-F from my other DCs, and eventually re-promote server F back as
a DC?

Thoughts?






Re: 2008 DC being offline

2010-08-02 Thread Andrew S. Baker
Wow.. Why did it shift downward from 2003 to 2003R2?

-ASB: http://XeeSM.com/AndrewBaker


On Mon, Aug 2, 2010 at 2:24 PM, Brian Desmond wrote:

> 60 is the default for 2000 and 2003 R2 forests, 180 for 2003, 2008, 2008 R2
> forests. Note this is the original OS version of the first DC not the
> current FFL.
>
> There are scenarios you'd change this but they're fairly vertical.
>
> Thanks,
> Brian Desmond
> br...@briandesmond.com
>
> c   - 312.731.3132
>
>
> -Original Message-
> From: David Lum [mailto:david@nwea.org]
> Sent: Monday, August 02, 2010 9:30 AM
> To: NT System Admin Issues
> Subject: RE: 2008 DC being offline
>
> I stand corrected, maybe it was 66 days. As a general rule I don't change
> defaults unless I have a compelling reason to do so, and I can't think of
> one here.
>
> -Original Message-
> From: Brian Desmond [mailto:br...@briandesmond.com]
> Sent: Friday, July 30, 2010 4:07 PM
> To: NT System Admin Issues
> Subject: RE: 2008 DC being offline
>
> 30 days not unless you tinkered with some tombstone lifetime settings which
> I don't know why you would lower it...
>
> Thanks,
> Brian Desmond
> br...@briandesmond.com
>
> c - 312.731.3132
>
>
>
> -Original Message-
> From: David Lum [mailto:david@nwea.org]
> Sent: Wednesday, July 28, 2010 2:55 PM
> To: NT System Admin Issues
> Subject: RE: 2008 DC being offline
>
> Past 30 days offline it will complain - at least 2003 servers do, but I
> think it's also related to some AD archive or backup time setting... I ran
> into something about 30 days when I restored a DC from a backup that was 36
> days old.
>
> Minor in the scheme of things, just something to keep in mind.
>
> ...Then again, maybe that was of no help...
>
> David Lum // SYSTEMS ENGINEER
> NORTHWEST EVALUATION ASSOCIATION
> (Desk) 971.222.1025 // (Cell) 503.267.9764
>
>
>
> -Original Message-
> From: jesse-r...@wi.rr.com [mailto:jesse-r...@wi.rr.com]
> Sent: Wednesday, July 28, 2010 11:56 AM
> To: NT System Admin Issues
> Subject: 2008 DC being offline
>
> Hello,
> A 2008 DC (let's call it Server-F) we have at another site has been offline
> for 6 weeks.  We powered it down because the building was undergoing
> construction, and the building was effectively CLOSED for those 6 weeks.
> Construction is done and I'm ready to bring the server back online.
>
> Is there a problem with just turning Server-F on and letting it re-sync
> with active directory even though it's been offline for 6 weeks?  or...
> would I be better off bringing Server-F up WITHOUT a network cable
> connected, run dcpromo /forceremoval on it... then remove any references to
> the Server-F from my other DCs, and eventually re-promote server F back as
> a DC?
>
> Thoughts?
>
>


Re: malware that creates Outlook rules

2010-08-02 Thread S Powell
you turned off the computers and it is still happening?
I'd check OWA.

 you disabled the accounts, and the spam is still being sent?



Google.com  Learn it. Live it. Love it.



On Mon, Aug 2, 2010 at 11:21, Osborne, Richard  wrote:
> I disabled their accounts and it didn't help.
>
>
> -Original Message-
> From: Roger Wright [mailto:rhw...@gmail.com]
> Sent: Monday, August 02, 2010 1:09 PM
> To: NT System Admin Issues
> Subject: Re: malware that creates Outlook rules
>
> Have you had the users change their passwords yet?
>
>
> Die dulci fruere!
>
> Roger Wright
> ___
>
>
>
>
> On Mon, Aug 2, 2010 at 1:46 PM, Osborne, Richard
>  wrote:
>> Has anyone seen malware that creates an Outlook rule that moves all new
>> mail to Deleted Items and then sends out a bunch of spam?  I have a few
>> users that have been hit with something I can't find.  I scanned the PCs
>> with VIPRE, MalwareBytes, & Symantec's online scanner and didn't find
>> anything.  Then I turned off the PCs and something is still accessing
>> their mailboxes.  I scanned the Exchange server also.  I am not seeing
>> anything in Exchange User Monitor or Windows Security logs and our
>> network guys say they don't see any unusual traffic to our Exchange
>> server.
>>
>> Google finds a couple of people reporting the same thing but no
>> resolution.
>>
>> Windows XP SP2 clients with Outlook 2002 & 2003; Exchange Server 2003
>> SP2 on Server 2003 SP1.
>>
>> Thanks for any ideas.
>>
>>
>>
>> Richard Osborne
>> Information Systems
>> Jackson-Madison County General Hospital
>>
>> NOTICE:  (1) The foregoing is not intended to be a legally binding or
>> legally effective electronic signature. (2) This message may contain
>> legally privileged or confidential information.  If you are not the
>> intended recipient of this message, please so notify me, disregard the
>> foregoing message, and delete the message immediately.  I apologize for
>> any inconvenience this may have caused.
>>
>>
>>


RE: 2008 DC being offline

2010-08-02 Thread Brian Desmond
60 is the default for 2000 and 2003 R2 forests, 180 for 2003, 2008, 2008 R2 
forests. Note this is the original OS version of the first DC not the current 
FFL.

There are scenarios you'd change this but they're fairly vertical. 

Thanks,
Brian Desmond
br...@briandesmond.com

c   - 312.731.3132


-Original Message-
From: David Lum [mailto:david@nwea.org] 
Sent: Monday, August 02, 2010 9:30 AM
To: NT System Admin Issues
Subject: RE: 2008 DC being offline

I stand corrected, maybe it was 66 days. As a general rule I don't change 
defaults unless I have a compelling reason to do so, and I can't think of one 
here.

-Original Message-
From: Brian Desmond [mailto:br...@briandesmond.com] 
Sent: Friday, July 30, 2010 4:07 PM
To: NT System Admin Issues
Subject: RE: 2008 DC being offline

30 days not unless you tinkered with some tombstone lifetime settings which I 
don't know why you would lower it...

Thanks,
Brian Desmond
br...@briandesmond.com

c - 312.731.3132



-Original Message-
From: David Lum [mailto:david@nwea.org] 
Sent: Wednesday, July 28, 2010 2:55 PM
To: NT System Admin Issues
Subject: RE: 2008 DC being offline

Past 30 days offline it will complain - at least 2003 servers do, but I think 
it's also related to some AD archive or backup time setting... I ran into
something about 30 days when I restored a DC from a backup that was 36 days old.

Minor in the scheme of things, just something to keep in mind.

...Then again, maybe that was of no help...

David Lum // SYSTEMS ENGINEER 
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764



-Original Message-
From: jesse-r...@wi.rr.com [mailto:jesse-r...@wi.rr.com] 
Sent: Wednesday, July 28, 2010 11:56 AM
To: NT System Admin Issues
Subject: 2008 DC being offline

Hello,
A 2008 DC (let's call it Server-F) we have at another site has been offline
for 6 weeks.  We powered it down because the building was undergoing
construction, and the building was effectively CLOSED for those 6 weeks.
Construction is done and I'm ready to bring the server back online.

Is there a problem with just turning Server-F on and letting it re-sync
with active directory even though it's been offline for 6 weeks?  or...
would I be better off bringing Server-F up WITHOUT a network cable
connected, run dcpromo /forceremoval on it... then remove any references to
the Server-F from my other DCs, and eventually re-promote server F back as
a DC?

Thoughts?



mail2web.com - Microsoft(r) Exchange solutions from a leading provider -
http://link.mail2web.com/Business/Exchange
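
The comparison this thread turns on, as an added example that is not code from any poster: read the forest's tombstoneLifetime and check a DC's offline period against it, since a DC that stays offline past that lifetime can bring already-deleted objects back when it replicates. The function names are hypothetical and the dates are constructed to match the six-week outage in the question.

```powershell
# Added example (not from the thread). Function names and the sample dates
# are assumptions made for illustration.

function Get-TombstoneLifetimeDays {
    # Reads tombstoneLifetime from the Directory Service object in the
    # configuration partition. Needs a domain-joined machine.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = $rootDse.Properties['configurationNamingContext'].Value
    $dsObject = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
    $value    = $dsObject.Properties['tombstoneLifetime'].Value
    if ($null -eq $value) {
        # Attribute not set: Active Directory falls back to 60 days.
        return 60
    }
    return [int]$value
}

function Test-DcOfflineWindow {
    param(
        [Parameter(Mandatory = $true)][datetime]$OfflineSince,
        [Parameter(Mandatory = $true)][int]$TombstoneLifetimeDays,
        [datetime]$AsOf = (Get-Date)
    )
    if ($AsOf -lt $OfflineSince) {
        throw 'AsOf is earlier than OfflineSince.'
    }
    # Round up so that a partial day counts against the margin.
    $daysOffline = [int][math]::Ceiling(($AsOf - $OfflineSince).TotalDays)
    $remaining   = $TombstoneLifetimeDays - $daysOffline
    $within      = $remaining -gt 0
    if ($within) {
        $action = 'Power on and let it replicate'
    } else {
        $action = 'Keep it off the network; force removal, clean up references, re-promote'
    }
    [pscustomobject]@{
        TombstoneLifetimeDays = $TombstoneLifetimeDays
        DaysOffline           = $daysOffline
        DaysRemaining         = $remaining
        WithinLifetime        = $within
        Action                = $action
    }
}

# Constructed dates: powered off 2010-06-16, evaluated 2010-07-28 (six weeks).
$offlineSince = [datetime]'2010-06-16'
$asOf         = [datetime]'2010-07-28'

# 60 and 180 are the defaults quoted in the thread; 30 stands in for a
# lifetime that someone has lowered.
foreach ($lifetime in 60, 180, 30) {
    Test-DcOfflineWindow -OfflineSince $offlineSince -AsOf $asOf -TombstoneLifetimeDays $lifetime
}

# On a domain-joined machine, use the forest's actual value instead:
# Test-DcOfflineWindow -OfflineSince $offlineSince -TombstoneLifetimeDays (Get-TombstoneLifetimeDays)
```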






RE: malware that creates Outlook rules

2010-08-02 Thread Osborne, Richard
I disabled their accounts and it didn't help.


-Original Message-
From: Roger Wright [mailto:rhw...@gmail.com] 
Sent: Monday, August 02, 2010 1:09 PM
To: NT System Admin Issues
Subject: Re: malware that creates Outlook rules

Have you had the users change their passwords yet?


Die dulci fruere!

Roger Wright
___




On Mon, Aug 2, 2010 at 1:46 PM, Osborne, Richard
 wrote:
> Has anyone seen malware that creates an Outlook rule that moves all new
> mail to Deleted Items and then sends out a bunch of spam?  I have a few
> users that have been hit with something I can't find.  I scanned the PCs
> with VIPRE, MalwareBytes, & Symantec's online scanner and didn't find
> anything.  Then I turned off the PCs and something is still accessing
> their mailboxes.  I scanned the Exchange server also.  I am not seeing
> anything in Exchange User Monitor or Windows Security logs and our
> network guys say they don't see any unusual traffic to our Exchange
> server.
>
> Google finds a couple of people reporting the same thing but no
> resolution.
>
> Windows XP SP2 clients with Outlook 2002 & 2003; Exchange Server 2003
> SP2 on Server 2003 SP1.
>
> Thanks for any ideas.
>
>
>
> Richard Osborne
> Information Systems
> Jackson-Madison County General Hospital
>



Re: Upcoming Out of Band update

2010-08-02 Thread Jonathan Link
Out of curiosity, how long can we expect it to take to download once we've
synchronized?  I wouldn't think it would take very long to show up waiting
for approval, but it has been 20 minutes, even though I can see the various
patches were listed in the synchronization report.



On Mon, Aug 2, 2010 at 1:51 PM, Angus Scott-Fleming wrote:

> On 2 Aug 2010 at 12:16, Rob Bonfiglio  wrote:
>
> > I sent this earlier, but it looks like it may not have made it to the
> > list since I had been unsubscribed from my little episode this weekend:
> >
> >
> > We got this from our TAM this morning. No real details, other than that
> > there will be an out of band update and details will be released later:
> >
> > http://www.microsoft.com/technet/security/bulletin/ms10-aug.mspx
>
> Microsoft Security Bulletin MS10-046 - Critical: Vulnerability in Windows
> Shell Could Allow Remote Code Execution (2286198)
> http://www.microsoft.com/technet/security/bulletin/MS10-046.mspx
>
>
> --
> Angus Scott-Fleming
> GeoApps, Tucson, Arizona
> 1-520-290-5038
> Security Blog: http://geoapps.com/
>
>
>
>
>

Re: malware that creates Outlook rules

2010-08-02 Thread Roger Wright
Have you had the users change their passwords yet?


Die dulci fruere!

Roger Wright
___




On Mon, Aug 2, 2010 at 1:46 PM, Osborne, Richard
 wrote:
> Has anyone seen malware that creates an Outlook rule that moves all new
> mail to Deleted Items and then sends out a bunch of spam?  I have a few
> users that have been hit with something I can't find.  I scanned the PCs
> with VIPRE, MalwareBytes, & Symantec's online scanner and didn't find
> anything.  Then I turned off the PCs and something is still accessing
> their mailboxes.  I scanned the Exchange server also.  I am not seeing
> anything in Exchange User Monitor or Windows Security logs and our
> network guys say they don't see any unusual traffic to our Exchange
> server.
>
> Google finds a couple of people reporting the same thing but no
> resolution.
>
> Windows XP SP2 clients with Outlook 2002 & 2003; Exchange Server 2003
> SP2 on Server 2003 SP1.
>
> Thanks for any ideas.
>
>
>
> Richard Osborne
> Information Systems
> Jackson-Madison County General Hospital
>



Re: Upcoming Out of Band update

2010-08-02 Thread Angus Scott-Fleming
On 2 Aug 2010 at 12:16, Rob Bonfiglio  wrote:

> I sent this earlier, but it looks like it may not have made it to the 
> list since I had been unsubscribed from my little episode this weekend:
> 
> 
> We got this from our TAM this morning. No real details, other than that 
> there will be an out of band update and details will be released later:
> 
> http://www.microsoft.com/technet/security/bulletin/ms10-aug.mspx

Microsoft Security Bulletin MS10-046 - Critical: Vulnerability in Windows 
Shell Could Allow Remote Code Execution (2286198)
http://www.microsoft.com/technet/security/bulletin/MS10-046.mspx


--
Angus Scott-Fleming
GeoApps, Tucson, Arizona
1-520-290-5038
Security Blog: http://geoapps.com/







malware that creates Outlook rules

2010-08-02 Thread Osborne, Richard
Has anyone seen malware that creates an Outlook rule that moves all new
mail to Deleted Items and then sends out a bunch of spam?  I have a few
users that have been hit with something I can't find.  I scanned the PCs
with VIPRE, MalwareBytes, & Symantec's online scanner and didn't find
anything.  Then I turned off the PCs and something is still accessing
their mailboxes.  I scanned the Exchange server also.  I am not seeing
anything in Exchange User Monitor or Windows Security logs and our
network guys say they don't see any unusual traffic to our Exchange
server.

Google finds a couple of people reporting the same thing but no
resolution.

Windows XP SP2 clients with Outlook 2002 & 2003; Exchange Server 2003
SP2 on Server 2003 SP1.

Thanks for any ideas.



Richard Osborne
Information Systems
Jackson-Madison County General Hospital




Re: It's that day!

2010-08-02 Thread James Kerr
Hah, awesome!
  - Original Message - 
  From: Alan Davies 
  To: NT System Admin Issues 
  Sent: Monday, August 02, 2010 4:37 AM
  Subject: RE: It's that day!


  We're hiding in all sorts of corners .. working in London but from Dublin ;o)



  a



--
  From: James Kerr [mailto:cluster...@gmail.com] 
  Sent: 31 July 2010 13:46
  To: NT System Admin Issues
  Subject: Re: It's that day!


  Nice, I was born in Temple street and  raised in Artane Dublin. But I have 
more time in the US at this point. Nice to see another Irishman on this list. 
Good luck with the twins, I have a couple of wee ones myself. Sláinte

  James

  On 7/31/2010 5:49 AM, tony patton wrote: 
Yep, born and bred. 

Currently in Cavan, but moving back to Tyrone and been offered a new job in 
Derry. 

Regards

Tony Patton
Desktop Support Analyst - Cavan
Ext 8078
Direct Dial 049 435 2878
email: tony.pat...@quinn-insurance.com 



From: "James Kerr"
To: "NT System Admin Issues"
Date: 30/07/2010 17:45
Subject: Re: It's that day!





Tony, are you an Irishman? 
- Original Message - 
From: tony patton 
To: NT System Admin Issues 
Sent: Friday, July 30, 2010 11:59 AM 
Subject: Re: It's that day! 

Thx folks, hope it rubs off on everyone else that needs/wants it :) 

Its an advancement career-wise, moving to full-time server support with 
another company. 
It's a bit of a pay-cut, but it'll pay off in the long term, the new 
company will provide a new challenge and the technologies that they are 
involved in are wide-ranging. 

A busy schedule ahead of me, finish up here on the 10th September, 
re-locate, start the new job, and twins on the way Xmas week. 
Fun times ahead :) 

Regards

Tony Patton
Desktop Support Analyst - Cavan
Ext 8078
Direct Dial 049 435 2878
email: tony.pat...@quinn-insurance.com 



From: Don Kuhlman
To: "NT System Admin Issues"
Date: 30/07/2010 16:50
Subject: Re: It's that day!





Congrats Tony! Hopefully some of that good fortune will rub off :) 
 
Don K 



From: tony patton 
To: NT System Admin Issues 
Sent: Fri, July 30, 2010 10:26:40 AM
Subject: RE: It's that day!

I got offered a new job today, so I'm happy :) 

Regards

Tony Patton
Desktop Support Analyst - Cavan
Ext 8078
Direct Dial 049 435 2878
email: tony.pat...@quinn-insurance.com 



From: richardmccl...@aspca.org
To: "NT System Admin Issues"
Date: 30/07/2010 15:22
Subject: RE: It's that day!






Anyway, for those of us who feel our career is in the crapper- 

I had to replace one of those on Sysadmin Appreciation Day a few years 
back. 
-- 
richard 

"Maglinger, Paul"  wrote on 07/30/2010 09:11:52 AM:

> Just got an email from a co-worker. 
> "Happy S.A.D." 
>   
> Ironic? 
>   
>   
> From: Brumbaugh, Luke [mailto:luke.brumba...@butlerschein.com] 
> Sent: Friday, July 30, 2010 9:03 AM
> To: NT System Admin Issues
> Subject: RE: It's that day! 
>   
> So it's worth 25cents?  Starbucks is $2 here. 
> I like that miserable stuff from Mickey D's  ($1) 
>   
> From: Maglinger, Paul [mailto:pmaglin...@scvl.com] 
> Sent: Friday, July 30, 2010 9:47 AM
> To: NT System Admin Issues
> Subject: RE: It's that day! 
>   
> This, and $1.75 gets you a cup of coffee at Starbucks. 
> And there was much rejoicing. yea... 
>   
> From: richardmccl...@aspca.org [mailto:richardmccl...@aspca.org] 
> Sent: Friday, July 30, 2010 8:10 AM
> To: NT System Admin Issues
> Subject: It's that day! 
>   
> 
> http://www.sysadminday.com/ 
> 
> And my Help Desk guy got the day off!
> -- 
> Richard 
>   
>   
>   
>   
> 
> 

RE: Fwd: Upcoming Out of Band update

2010-08-02 Thread N Parr
http://news.cnet.com/8301-1009_3-20012270-83.html?tag=nl.e757



From: richardmccl...@aspca.org [mailto:richardmccl...@aspca.org] 
Sent: Monday, August 02, 2010 11:23 AM
To: NT System Admin Issues
Subject: Re: Fwd: Upcoming Out of Band update



They think they have a patch for the .LNK vulnerability.  They have also
found a really nasty virus ("SALITY") which has been transmitted by this
vulnerability. 

They feel it is enough of an emergency to release it on a Monday (rather
than on the second Tuesday). 

This information is elsewhere, including the Sunbelt blog and The
Register. 

Thanks!
-- 
Richard D. McClary 
Systems Administrator, Information Technology Group 
ASPCA(r) 


Rob Bonfiglio  wrote on 08/02/2010 11:16:00 AM:

> I sent this earlier, but it looks like it may not have made it to
> the list since I had been unsubscribed from my little episode this weekend:
>
> We got this from our TAM this morning.  No real details, other than
> that there will be an out of band update and details will be released later:
>
> http://www.microsoft.com/technet/security/bulletin/ms10-aug.mspx

 

 



Re: Fwd: Upcoming Out of Band update

2010-08-02 Thread RichardMcClary
They think they have a patch for the .LNK vulnerability.  They have also 
found a really nasty virus ("SALITY") which has been transmitted by this 
vulnerability.

They feel it is enough of an emergency to release it on a Monday (rather 
than on the second Tuesday).

This information is elsewhere, including the Sunbelt blog and The 
Register.

Thanks!
--
Richard D. McClary
Systems Administrator, Information Technology Group 
ASPCA®


Rob Bonfiglio  wrote on 08/02/2010 11:16:00 AM:

> I sent this earlier, but it looks like it may not have made it to
> the list since I had been unsubscribed from my little episode this weekend:
>
> We got this from our TAM this morning.  No real details, other than
> that there will be an out of band update and details will be released later:
>
> http://www.microsoft.com/technet/security/bulletin/ms10-aug.mspx

Fwd: Upcoming Out of Band update

2010-08-02 Thread Rob Bonfiglio
I sent this earlier, but it looks like it may not have made it to the list
since I had been unsubscribed from my little episode this weekend:


We got this from our TAM this morning.  No real details, other than that
there will be an out of band update and details will be released later:

http://www.microsoft.com/technet/security/bulletin/ms10-aug.mspx


eventcreate with carriage returns

2010-08-02 Thread Oliver Marshall
Anyone got any idea whether it's possible to use eventcreate to create an event 
log entry that contains carriage returns in the description? If so, how?

Is there another tool I can use to achieve this?

Olly


Network Support
Online Backups
Server Management

Tel: 0845 307 3443
Email: oliver.marsh...@g2support.com
Web: http://www.g2support.com
Twitter: g2support
Newsletter: http://www.g2support.com/newsletter
Mail: 2 Roundhill Road, Brighton, Sussex, BN2 3RF

Find out more about our referral gift scheme at 
www.g2support.com/referral

G2 Support LLP is registered at Mill House, 103 Holmes Avenue, HOVE
BN3 7LE. Our registered company number is OC316341.


Re: Your copy of "Networking and Security for Dummies"

2010-08-02 Thread Kurt Buff
Not if you want to capture data at modern speeds.

On Mon, Aug 2, 2010 at 01:32, Alan Davies  wrote:
> Yep - great for sniffing traffic too when you don't want to bother with
> a span port ;)
>
>
>
>
> a
>
> -Original Message-
> From: Angus Scott-Fleming [mailto:angu...@geoapps.com]
> Sent: 31 July 2010 05:31
> To: NT System Admin Issues
> Subject: Re: Your copy of "Networking and Security for Dummies"
>
> On 30 Jul 2010 at 14:55, richardmccl...@aspca.org  wrote:
>
>> Hubs are still out there! Years ago, some folks did a great job of
>> hiding them, like over ceilings, etc for workgroups.
>
> I've heard some motels use them since they're cheaper than switches.
>
> Download without form here:
> http://lto.libredigital.com/?SonicWALL_Dell_GettingStartedwithNetworkingandSecurityforDummies
>
> Or use any email address @thisisnotmyrealemail.com in the form.
>
>



RE: Wireless Machine Authentication

2010-08-02 Thread Malcolm Reitz
We used the machine AD credentials, as that is the path of least resistance.
It is a pretty simple GPO configuration to set it all up, too.

 

-Malcolm

 

From: Ken Schaefer [mailto:k...@adopenstatic.com] 
Sent: Monday, August 02, 2010 10:03
To: NT System Admin Issues
Subject: RE: Wireless Machine Authentication

 

You can either use machine certs or machine credentials (against AD, if the
machines have credentials in AD...)

 

Cheers

Ken

 

From: Kelsey, John [mailto:jckel...@drmc.org] 
Sent: Friday, 30 July 2010 10:36 PM
To: NT System Admin Issues
Subject: FW: Wireless Machine Authentication

 

All Cisco LWAP access points using a 5508 wireless controller.  We have PEAP
set up so users can authenticate on the wireless network using their AD
login...peachy.

BUT...we have some machines that need to authenticate on the wireless before
the user logs on (so they can get group policies and such).  I thought we
could just provide a generic credential and it would work but no such luck.
How the heck do you make this work?  The workstations are XP SP3 with Intel
wireless cards.

 

 


RE: Wireless Machine Authentication

2010-08-02 Thread Ken Schaefer
You can either use machine certs or machine credentials (against AD, if the 
machines have credentials in AD...)

Cheers
Ken

From: Kelsey, John [mailto:jckel...@drmc.org]
Sent: Friday, 30 July 2010 10:36 PM
To: NT System Admin Issues
Subject: FW: Wireless Machine Authentication

All Cisco LWAP access points using a 5508 wireless controller.  We have PEAP 
set up so users can authenticate on the wireless network using their AD 
login...peachy.

BUT...we have some machines that need to authenticate on the wireless before
the user logs on (so they can get group policies and such).  I thought we could
just provide a generic credential and it would work but no such luck.  How the
heck do you make this work?  The workstations are XP SP3 with Intel wireless
cards.


RE: 2008 DC being offline

2010-08-02 Thread David Lum
I stand corrected, maybe it was 66 days. As a general rule I don't change 
defaults unless I have a compelling reason to do so, and I can't think of one 
here.

-Original Message-
From: Brian Desmond [mailto:br...@briandesmond.com] 
Sent: Friday, July 30, 2010 4:07 PM
To: NT System Admin Issues
Subject: RE: 2008 DC being offline

30 days not unless you tinkered with some tombstone lifetime settings which I 
don't know why you would lower it...

Thanks,
Brian Desmond
br...@briandesmond.com

c - 312.731.3132



-Original Message-
From: David Lum [mailto:david@nwea.org] 
Sent: Wednesday, July 28, 2010 2:55 PM
To: NT System Admin Issues
Subject: RE: 2008 DC being offline

Past 30 days offline it will complain - at least 2003 servers do, but I think 
it's also related to some AD archive or backup time setting... I ran into
something about 30 days when I restored a DC from a backup that was 36 days old.

Minor in the scheme of things, just something to keep in mind.

...Then again, maybe that was of no help...

David Lum // SYSTEMS ENGINEER 
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764



-Original Message-
From: jesse-r...@wi.rr.com [mailto:jesse-r...@wi.rr.com] 
Sent: Wednesday, July 28, 2010 11:56 AM
To: NT System Admin Issues
Subject: 2008 DC being offline

Hello,
A 2008 DC (let's call it Server-F) we have at another site has been offline
for 6 weeks.  We powered it down because the building was undergoing
construction, and the building was effectively CLOSED for those 6 weeks.
Construction is done and I'm ready to bring the server back online.

Is there a problem with just turning Server-F on and letting it re-sync
with active directory even though it's been offline for 6 weeks?  or...
would I be better off bringing Server-F up WITHOUT a network cable
connected, run dcpromo /forceremoval on it... then remove any references to
the Server-F from my other DCs, and eventually re-promote server F back as
a DC?

Thoughts?



mail2web.com - Microsoft(r) Exchange solutions from a leading provider -
http://link.mail2web.com/Business/Exchange






RE: OT: Apologies

2010-08-02 Thread itli...@imcu.com
 

Thanks for the info



From: Rob Bonfiglio [mailto:robbonfig...@gmail.com] 
Posted At: Sunday, August 01, 2010 12:42 PM
Posted To: itli...@imcu.com
Conversation: OT: Apologies
Subject: Re: OT: Apologies
  

It looks like it was some variant Antivirus Pro 2009.  The odd part is
that I never clicked on anything to prompt its "install."  It looks
like it changed my IE and FF proxy settings and performed a man in the
middle, either that or it just harvested while I was logged into gmail.
I've checked my Sent items in gmail and did not see the actual sent
messages in there.  But my proxy settings were definitely changed
(although no IP addresses were listed as the proxy in either of them.)

 

In any case, I've gone to another machine and changed my password and I
am flattening my laptop and rebuilding it.  It was time for that to
happen anyway.

On Sun, Aug 1, 2010 at 11:54 AM, James Kerr 
wrote:

What virus is this? I've seen similar things happen with people's Yahoo and
AOL mail accounts. Did it get your account password?



On 8/1/2010 11:00 AM, Rob Bonfiglio wrote:

Sorry for the spam that looks like it went to the list from my account.  I
got hit with a virus and it spammed everyone in my gmail address book.

 

 


RE: Wireless Machine Authentication

2010-08-02 Thread Malcolm Reitz
If you set the XP SP3 802.1x authentication mode back to its default, you
should get what you want. The default authentication mode allows a computer
to authenticate with PEAP under its computer account credentials. When a
user logs in to the computer, the auth process is repeated, this time with
the user's credentials.

 

-Malcolm

 

From: Kelsey, John [mailto:jckel...@drmc.org] 
Sent: Friday, July 30, 2010 09:36
To: NT System Admin Issues
Subject: FW: Wireless Machine Authentication

 

All Cisco LWAP access points using a 5508 wireless controller.  We have PEAP
set up so users can authenticate on the wireless network using their AD
login...peachy.

BUT...we have some machines that need to authenticate on the wireless before
the user logs on (so they can get group policies and such).  I thought we
could just provide a generic credential and it would work but no such luck.
How the heck do you make this work?  The workstations are XP SP3 with Intel
wireless cards.

 

Thanks all!

 

*
John C. Kelsey
DuBois Regional Medical Center
(:  814.375.3073  
2  :   814.375.4005
*: jckel...@drmc.org 
*

 

 


RE: Vipre Rescue issues

2010-08-02 Thread John Aldrich
Yeah. I downloaded it yesterday. I suppose it could have been glitchy. I'll
see about downloading another copy, just to be safe. The hard drive in that
computer is probably going on 9+ years old... I bought the computer from a
former employer before I got married and we just celebrated our 8th
anniversary last month... sooo... it's not unbelievable that the hard drive
might be having issues. I'm strongly tempted to take an image of that hard
drive and put it on the second hard drive in the system, which we're using
for raw storage. :)

 

John-AldrichTile-Tools

 

From: richardmccl...@aspca.org [mailto:richardmccl...@aspca.org] 
Sent: Monday, August 02, 2010 8:55 AM
To: NT System Admin Issues
Subject: Re: Vipre Rescue issues

 


1. As you mentioned, run a scandisk 

2. Try a new download of VIPRERESCUE.  It's possible you got a bad download,
or something burped during the install. 

Good luck!
-- 
Richard D. McClary 
Systems Administrator, Information Technology Group 
ASPCA®
1717 S. Philo Rd, Ste 36 
Urbana, IL  61802 
  
richardmccl...@aspca.org 
  
P: 217-337-9761 
C: 217-417-1182 
F: 217-337-9761 
  www.aspca.org 
  

  

"John Aldrich"  wrote on 08/02/2010 07:51:16
AM:

> Trying to run a scan on my wife's PC at home (XP Pro SP3) using 
> VipreRescue, I get an error something about "unable to execute 
> instruction." Sorry, it's a long address string and I didn't write 
> it down. This happens both in "regular" mode and in safe-mode with 
> command-prompt-only. Any idea what's going on? A MalwareBytes scan 
> didn't find anything (at least in "regular" mode - have not tried 
> "safe mode" yet.) 
> The reason I tried this was because the system has been behaving 
> "flaky" lately...nothing really to put my finger on. My wife almost 
> installed MyWebSearch this weekend, so she could play some old-style
> "arcade" games (PacMan, Galaga, etc) but I pointed out to her that 
> she really didn't want that stuff. Anyway, between that "near miss" 
> and the flakiness of the system, I thought I'd check for malware. 
>   
> I've already checked the C: drive using SMART tools, and although 
> it's an older drive, it appears to have no issues. Guess I ought to 
> run a scandisk, just to be safe. 
>   

 

 


RE: OT: Vipre effectiveness & false positives

2010-08-02 Thread Steven Calvanese
We used Vipre last year until it couldn't stop conficker from spreading.
Installed Symantec Endpoint and haven't had any issues.  You have to
babysit Vipre way too much.

 

From: Carl Houseman [mailto:c.house...@gmail.com] 
Sent: Friday, July 30, 2010 11:06 AM
To: NT System Admin Issues
Subject: RE: OT: Vipre effectiveness & false positives

 

I can understand FP's against lesser used applications, but when part of
Windows or a commonly installed MS product is tagged, there's no real
excuse for that IMHO.

 

Still, I've asked Alex to provide any comparison data he can come up
with, and to the extent the evidence is unbiased and convincing, I may
put forth Vipre as an alternative.

 

Thanks everybody for all the feedback.  

 

Carl

 

From: David Lum [mailto:david@nwea.org] 
Sent: Friday, July 30, 2010 2:23 AM
To: NT System Admin Issues
Subject: RE: OT: Vipre effectiveness & false positives

 

As I have stated in previous AV threads, I actually use/manage 3
different AV products: Vipre Enterprise (3 clients, ~25 systems, plus my
home machines), Trend WorryFree (1 client, 55 systems) and McAfee
(%dayjob%, ~500 systems) and Vipre easily has more false positives than
the other two: 3 in the last 12 months, vs zero for Trend and McAfee.
Twice it ate Outlook.exe, one other time it ate Iexplore.exe. Not enough
to make me want to switch from Vipre, just offering a data point.

 

A bit over a year ago Vipre replaced Trend at home (1 server, 3PC's),
Symantec at a client of 17, and standalone McAfee at a client of 7, no
major issues transitioning any of them. There were enough teething pains
(FP's) early on to prevent me from replacing it at the bigger client as
well as %dayjob%.

 

I avoided the recent McAfee fiasco because I grab updates ~20 hours
after they typically release, didn't know Trend had one recently.

 

Alternately, none of these sites have had infections requiring a HDD
wipe.

 

Dave

 



From: Ralph Smith 
Sent: Thursday, July 29, 2010 8:49 PM
To: NT System Admin Issues 
Subject: RE: Vipre effectiveness & false positives

I don't disagree, but when you are presented with information you have
to evaluate the validity of the data, and hopefully get clarification
from those involved when it implies that there may be a problem.  Virus
Bulletin actually warned in the explanation of the chart that it was
just one result and that conclusions shouldn't be jumped to until there
was more data.  

 

And sometimes, a horse is just a horse, of course.

 

 



From: Kim Longenbaugh [mailto:k...@colonialsavings.com] 
Sent: Thursday, July 29, 2010 4:39 PM
To: NT System Admin Issues
Subject: RE: Vipre effectiveness & false positives

My point was really that all AV vendors have experienced FPs, not just
Vipre.

 

I agree that statistics can be a valuable tool, it's just that which
ones you choose and how you present them can be misleading.  For
example, in a horse race between the US and Russia, the US horse won.
In the American papers, it was reported that the US took first
place.  In the Russian papers, it was reported that the US was next to
last and that Russia was second place.  The statistics reported in both
cases were true, but the picture they gave of the race was very
different.

 

From: Ralph Smith [mailto:m...@gatewayindustries.org] 
Sent: Thursday, July 29, 2010 3:08 PM
To: NT System Admin Issues
Subject: RE: Vipre effectiveness & false positives

 

True, but there were people on the VIPRE forum that were hit just as
hard by a couple of the FPs that VIPRE had.  I'm not knocking VIPRE at
all - I like it a lot and would purchase it again with no hesitation.

 

However, when a well known organization like Virus Bulletin publishes
test results, it makes sense to look at the data and try to understand
what it means and how it may impact your organization.   I personally
feel confident with Sunbelt, but I would be interested to understand how
they interpret the chart and what they feel the implications are for
their product.

 

By the way, some lies may be statistics, but not all statistics are
lies.  Information, including statistical, is the basis for sound
decision making.

 



From: Kim Longenbaugh [mailto:k...@colonialsavings.com] 
Sent: Thursday, July 29, 2010 2:28 PM
To: NT System Admin Issues
Subject: RE: Vipre effectiveness & false positives

 

How about a little perspective on false positives?

 

http://news.cnet.com/8301-1009_3-20003074-83.html

 

and a reminder about statistics from Mark Twain:

"there's 3 kinds of lies: lies, damned lies, and statistics"

 

 

From: Ralph Smith [mailto:m...@gatewayindustries.org] 
Sent: Thursday, July 29, 2010 1:20 PM
To: NT System Admin Issues
Subject: RE: Vipre effectiveness & false positives

 

I've had VIPRE for a couple of years now, and was fortunately not hit
hard with the false positive problems others have had.  With about 180
W

Re: Vipre Rescue issues

2010-08-02 Thread RichardMcClary
1. As you mentioned, run a scandisk

2. Try a new download of VIPRERESCUE.  It's possible you got a bad 
download, or something burped during the install.

Good luck!
--
Richard D. McClary
Systems Administrator, Information Technology Group 
ASPCA®
1717 S. Philo Rd, Ste 36
Urbana, IL  61802
 
richardmccl...@aspca.org
 
P: 217-337-9761
C: 217-417-1182
F: 217-337-9761
www.aspca.org
 
The information contained in this e-mail, and any attachments hereto, is 
from The American Society for the Prevention of Cruelty to Animals® (ASPCA
®) and is intended only for use by the addressee(s) named herein and may 
contain legally privileged and/or confidential information. If you are not 
the intended recipient of this e-mail, you are hereby notified that any 
dissemination, distribution, copying or use of the contents of this 
e-mail, and any attachments hereto, is strictly prohibited. If you have 
received this e-mail in error, please immediately notify me by reply email 
and permanently delete the original and any copy of this e-mail and any 
printout thereof.
 

"John Aldrich"  wrote on 08/02/2010 07:51:16 
AM:

> Trying to run a scan on my wife's PC at home (XP Pro SP3) using 
> VipreRescue, I get an error something about "unable to execute 
> instruction..." Sorry, it's a long address string and I didn't write 
> it down. This happens both in "regular" mode and in safe-mode with 
> command-prompt-only. Any idea what's going on? A MalwareBytes scan 
> didn't find anything (at least in "regular" mode - have not tried 
> "safe mode" yet.)
> The reason I tried this was because the system has been behaving 
> "flaky" lately...nothing really to put my finger on. My wife almost 
> installed MyWebSearch this weekend, so she could play some old-style
> "arcade" games (PacMan, Galaga, etc) but I pointed out to her that 
> she really didn't want that stuff. Anyway, between that "near miss" 
> and the flakiness of the system, I thought I'd check for malware.
> 
> I've already checked the C: drive using SMART tools, and although 
> it's an older drive, it appears to have no issues. Guess I ought to 
> run a scandisk, just to be safe.
> 

Vipre Rescue issues

2010-08-02 Thread John Aldrich
Trying to run a scan on my wife's PC at home (XP Pro SP3) using VipreRescue,
I get an error something about "unable to execute instruction." Sorry, it's
a long address string and I didn't write it down. This happens both in
"regular" mode and in safe-mode with command-prompt-only. Any idea what's
going on? A MalwareBytes scan didn't find anything (at least in "regular"
mode - have not tried "safe mode" yet.)

The reason I tried this was because the system has been behaving "flaky"
lately...nothing really to put my finger on. My wife almost installed
MyWebSearch this weekend, so she could play some old-style "arcade" games
(PacMan, Galaga, etc) but I pointed out to her that she really didn't want
that stuff. Anyway, between that "near miss" and the flakiness of the
system, I thought I'd check for malware.

 

I've already checked the C: drive using SMART tools, and although it's an
older drive, it appears to have no issues. Guess I ought to run a scandisk,
just to be safe.

 

John-AldrichTile-Tools

 



RE: Free Outlook Alternatives

2010-08-02 Thread Ralph Smith
Just saw this in a newsletter from Sourceforge this morning:

 

9. DavMail POP/IMAP/SMTP/Caldav to Exchange
https://sourceforge.net/projects/davmail Ever wanted to get rid of
Outlook ? DavMail is a POP/IMAP/SMTP/Caldav/LDAP gateway allowing users
to use any mail/calendar client with Exchange, even from the internet
through Outlook Web Access on any platform, tested on MacOSX, Linux and
Windows

 

 

Never heard of it before, but in case you're interested.

 

 



From: Robert Jackson [mailto:r...@walkermartyn.co.uk] 
Sent: Monday, August 02, 2010 3:20 AM
To: NT System Admin Issues
Subject: Free Outlook Alternatives

 

Anyone recommend a good free M$ Outlook alternative (for Windows) that
fully integrates with Exchange Server (2003)?

 

Regards,

Rab.

=

Robert Jackson             Phone: +44 (0) 141 332 7999
IT Manager                 Fax: +44 (0) 141 331 2820
Walker Martyn Ltd
1 Park Circus Place        Email: r...@walkermartyn.co.uk
Glasgow G3 6AH, Scotland   Web: http://www.walkermartyn.co.uk

=




The information in this internet E-mail is confidential and is intended
solely for the addressee. Access, copying or re-use of information in it
by anyone else is unauthorised. Any views or opinions presented are
solely those of the author and do not necessarily represent those of
Walker Martyn Ltd or any of its affiliates. If you are not the intended
recipient please contact administra...@walkermartyn.co.uk.

Walker Martyn Ltd, company number SC197533. Company is registered in
Scotland and has its registered office at 1 Park Circus Place, Glasgow
G3 6AH, UK.

 

 

 

Confidentiality Notice: 


--





This communication, including any attachments, may contain confidential
information and is intended only for the individual or entity to whom it is
addressed. Any review, dissemination, or copying of this communication by
anyone other than the intended recipient is strictly prohibited. If you are
not the intended recipient, please contact the sender by reply email, delete
and destroy all copies of the original message.



RE: It's that day!

2010-08-02 Thread Alan Davies
We're hiding in all sorts of corners .. working in London but from Dublin ;o)
 
 
 
a



From: James Kerr [mailto:cluster...@gmail.com] 
Sent: 31 July 2010 13:46
To: NT System Admin Issues
Subject: Re: It's that day!


Nice, I was born in Temple street and  raised in Artane Dublin. But I have more 
time in the US at this point. Nice to see another Irishman on this list. Good 
luck with the twins, I have a couple of wee ones myself. Sláinte

James

On 7/31/2010 5:49 AM, tony patton wrote: 

Yep, born and bred. 

Currently in Cavan, but moving back to Tyrone and been offered a new 
job in Derry. 

Regards

Tony Patton
Desktop Support Analyst - Cavan
Ext 8078
Direct Dial 049 435 2878
email: tony.pat...@quinn-insurance.com 



From:"James Kerr"  
  
To:"NT System Admin Issues" 
 
  
Date:30/07/2010 17:45 
Subject:Re: It's that day! 






Tony, are you an Irishman? 
- Original Message - 
From: tony patton   
To: NT System Admin Issues 
  
Sent: Friday, July 30, 2010 11:59 AM 
Subject: Re: It's that day! 

Thx folks, hope it rubs off on everyone else that needs/wants it :) 

It's an advancement career-wise, moving to full-time server support with 
another company. 
It's a bit of a pay-cut, but it'll pay off in the long term, the new 
company will provide a new challenge and the technologies that they are 
involved in are wide-ranging. 

A busy schedule ahead of me, finish up here on the 10th September, 
re-locate, start the new job, and twins on the way Xmas week. 
Fun times ahead :) 

Regards

Tony Patton
Desktop Support Analyst - Cavan
Ext 8078
Direct Dial 049 435 2878
email: tony.pat...@quinn-insurance.com 



From:Don Kuhlman  
  
To:"NT System Admin Issues" 
 
  
Date:30/07/2010 16:50 
Subject:Re: It's that day! 






Congrats Tony! Hopefully some of that good fortune will rub off :) 
 
Don K 




From: tony patton  
 
To: NT System Admin Issues  
 
Sent: Fri, July 30, 2010 10:26:40 AM
Subject: RE: It's that day!

I got offered a new job today, so I'm happy :) 

Regards

Tony Patton
Desktop Support Analyst - Cavan
Ext 8078
Direct Dial 049 435 2878
email: tony.pat...@quinn-insurance.com 



From:richardmccl...@aspca.org 
To:"NT System Admin Issues" 
 
  
Date:30/07/2010 15:22 
Subject:RE: It's that day! 







Anyway, for those of us who feel our career is in the crapper- 

I had to replace one of those on Sysadmin Appreciation Day a few years 
back. 
-- 
richard 

"Maglinger, Paul"    
wrote on 07/30/2010 09:11:52 AM:

> Just got an email from a co-worker. 
> "Happy S.A.D." 
>   
> Ironic? 
>   
>   
> From: Brumbaugh, Luke [mailto:luke.brumba...@butlerschein.com 
 ] 
> Sent: Friday, July 30, 2010 9:03 AM
> To: NT System Admin Issues
> Subject: RE: It's that day! 
>   
> So it's worth 25cents?  Starbucks is $2 here. 
> I like that miserable stuff from Mickey D's  ($1) 
>   
> From: Maglinger, Paul [mailto:pmaglin...@scvl.com 
 ] 
> Sent: Friday, July 30, 2010 9:47 AM
> To: NT System Admin Issues
> Subject: RE: It's that day! 
>   
> This, and $1.75 gets you a cup of coffee at Starbucks. 
> And there was much rejoicing. yea... 
>   
> From: richardmccl...@aspca.org [mailto:richardmccl...@aspca.org 
 ] 
> Sent: Friday, July 30, 2010 8:10 AM
> To: NT System Admin Issues
> Subject: It's that day! 
>   
> 
> http://

RE: Your copy of "Networking and Security for Dummies"

2010-08-02 Thread Alan Davies
Yep - great for sniffing traffic too when you don't want to bother with
a span port ;)




a 

-Original Message-
From: Angus Scott-Fleming [mailto:angu...@geoapps.com] 
Sent: 31 July 2010 05:31
To: NT System Admin Issues
Subject: Re: Your copy of "Networking and Security for Dummies"

On 30 Jul 2010 at 14:55, richardmccl...@aspca.org  wrote:

> Hubs are still out there! Years ago, some folks did a great job of 
> hiding them, like over ceilings, etc for workgroups. 

I've heard some motels use them since they're cheaper than switches.

Download without form here:
http://lto.libredigital.com/?SonicWALL_Dell_GettingStartedwithNetworkingandSecurityforDummies

Or use any email address @thisisnotmyrealemail.com in the form.




WARNING:
The information in this email and any attachments is confidential and may be 
legally privileged.

If you are not the named addressee, you must not use, copy or disclose this 
email (including any attachments) or the information in it save to the named 
addressee nor take any action in reliance on it. If you receive this email or 
any attachments in error, please notify the sender immediately and then delete 
the same and any copies.

"CLS Services Ltd × Registered in England No 4132704 × Registered Office: 
Exchange Tower × One Harbour Exchange Square × London E14 9GE"






Re: Free Outlook Alternatives

2010-08-02 Thread Andrew Levicki
Hi Rab,

Evolution has been ported to Windows recently:

http://www.dipconsultants.com/evolution/

Regards,

Andrew

On 2 August 2010 16:20, Robert Jackson  wrote:

>  Anyone recommend a good free M$ Outlook alternative (for Windows) that
> fully integrates with Exchange Server (2003)?
>
>  Regards,
>
> Rab.
>
> =
>
> Robert Jackson             Phone: +44 (0) 141 332 7999
> IT Manager                 Fax: +44 (0) 141 331 2820
> Walker Martyn Ltd
> 1 Park Circus Place        Email: r...@walkermartyn.co.uk
> Glasgow G3 6AH, Scotland   Web: http://www.walkermartyn.co.uk
>
> =
>
> 
>
> The information in this internet E-mail is confidential and is intended
> solely for the addressee. Access, copying or re-use of information in it by
> anyone else is unauthorised. Any views or opinions presented are solely
> those of the author and do not necessarily represent those of Walker Martyn
> Ltd or any of its affiliates. If you are not the intended recipient please
> contact administra...@walkermartyn.co.uk.
>
> Walker Martyn Ltd, company number SC197533. Company is registered in
> Scotland and has its registered office at 1 Park Circus Place, Glasgow G3
> 6AH, UK.
>
> 
>
>
>
>
>
>


Free Outlook Alternatives

2010-08-02 Thread Robert Jackson
Anyone recommend a good free M$ Outlook alternative (for Windows) that
fully integrates with Exchange Server (2003)?



Regards,
Rab.
=
Robert Jackson             Phone: +44 (0) 141 332 7999
IT Manager                 Fax: +44 (0) 141 331 2820
Walker Martyn Ltd
1 Park Circus Place        Email: r...@walkermartyn.co.uk
Glasgow G3 6AH, Scotland   Web: http://www.walkermartyn.co.uk
=



The information in this internet E-mail is confidential and is intended
solely for the addressee. Access, copying or re-use of information in it
by anyone else is unauthorised. Any views or opinions presented are
solely those of the author and do not necessarily represent those of
Walker Martyn Ltd or any of its affiliates. If you are not the
intended recipient please contact  administra...@walkermartyn.co.uk

Walker Martyn Ltd, company number SC197533. Company is 
registered in Scotland and has its registered office at 1 Park
Circus Place, Glasgow G3 6AH, UK.




