RE: malware that creates Outlook rules

2010-08-04 Thread David Lum
Right. I agree that short-cut answers are usually more effective. Having said 
that, Ben Scott and Brian and a few others have posted really long tech-thick 
replies at times and they are absolute GOLD.

I was just laughing because I had been ignoring that thread for the most part 
and Brian's was the first of the thread I hit and I thought "man, my fellow 
(NWEA) techs would barely understand a word of that".

Dave

-Original Message-
From: Michael B. Smith [mailto:mich...@smithcons.com] 
Sent: Tuesday, August 03, 2010 3:12 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

The poster of one of the questions I answered today - I can't remember where - 
emailed me and said "huh? That wasn't clear". So I rewrote my answer using 
lots more words. 

I generally answer questions with short-cut responses, as Brian did, assuming 
that the OP has most of the knowledge to get to the right answer.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com


-Original Message-
From: David Lum [mailto:david@nwea.org] 
Sent: Tuesday, August 03, 2010 6:05 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Take that paragraph out of contest and it scarcely looks like English...

-Original Message-
From: Brian Desmond [mailto:br...@briandesmond.com]
Sent: Tuesday, August 03, 2010 1:35 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Yep, it's the same set of cmdlets you use for Exchange (as that's what l...@edu 
runs on). You can also use the OLSync ILM solution they offer. It's $500 + SQL 
Std for the ILM licensing but this will do GALSync from your existing 
AD/Exchange environment into l...@edu. 

Thanks,
Brian Desmond
br...@briandesmond.com

c   - 312.731.3132



~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~




RE: malware that creates Outlook rules

2010-08-03 Thread Brian Desmond
Let me know if you have any questions - I deal with this stuff several times a 
week. 

Thanks,
Brian Desmond
br...@briandesmond.com

c   - 312.731.3132


-Original Message-
From: Crawford, Scott [mailto:crawfo...@evangel.edu] 
Sent: Tuesday, August 03, 2010 5:13 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

That's awesome. I look forward to playing with it.

-Original Message-
From: Brian Desmond [mailto:br...@briandesmond.com]
Sent: Tuesday, August 03, 2010 3:35 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Yep, it's the same set of cmdlets you use for Exchange (as that's what l...@edu 
runs on). You can also use the OLSync ILM solution they offer. It's $500 + SQL 
Std for the ILM licensing but this will do GALSync from your existing 
AD/Exchange environment into l...@edu. 

Thanks,
Brian Desmond
br...@briandesmond.com

c   - 312.731.3132


-Original Message-
From: Steven Peck [mailto:sep...@gmail.com]
Sent: Tuesday, August 03, 2010 3:30 PM
To: NT System Admin Issues
Subject: Re: malware that creates Outlook rules

Microsoft also has a similar program for EDUs for hosted mail.
http://www.microsoft.com/liveatedu/free-hosted-student-email.aspx

They have PowerShell cmdlets that work over the web for administrators, so there 
should be some ways to accomplish automation of a sort.

Steven Peck
http://www.blkmtn.org


On Tue, Aug 3, 2010 at 12:39 PM, Brian Desmond  wrote:
> Most schools I've worked with either have something that plugs in to the 
> message bus of their ERP/SIS system for provisioning to outsourced services, 
> or, more frequently, they have a job which either scans an Oracle table every 
> so often or a batch job on the ERP side that dumps delta flat files and a 
> second job that picks them up and provisions to Google/etc.
>
> Thanks,
> Brian Desmond
> br...@briandesmond.com
>
> c   - 312.731.3132
>
>
> -Original Message-
> From: Glen Johnson [mailto:gjohn...@vhcc.edu]
> Sent: Tuesday, August 03, 2010 2:27 PM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
>
> I'm sure it is, and the Va. CC uses PeopleSoft for our Student Info 
> System (SIS) and so they worked together to create an automated process in 
> that, a student applies to the college, registers for classes and the next 
> day, they have the email account active.
> All this is done via the web.
> Maybe Google would work with your SIS vendor to create something similar.
>
> -Original Message-
> From: Crawford, Scott [mailto:crawfo...@evangel.edu]
> Sent: Tuesday, August 03, 2010 12:08 PM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
>
> Hmm, interesting. I like that. Of course, setting it up for all students 
> automatically might prove to be tricky.
>
> -Original Message-
> From: Glen Johnson [mailto:gjohn...@vhcc.edu]
> Sent: Tuesday, August 03, 2010 6:44 AM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
>
> And just after I sent this the light came on, Google Voice should do UM.
> I'd let Google handle voice mail, email and anything else they want to give 
> to the students.
>
> -Original Message-
> From: Glen Johnson [mailto:gjohn...@vhcc.edu]
> Sent: Tuesday, August 03, 2010 7:42 AM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
>
> Not sure on the UM questions.
> Not an issue here as we don't have student housing or provide phones for them.
> I'm betting that it is possible though.
>
>
> -Original Message-
> From: Crawford, Scott [mailto:crawfo...@evangel.edu]
> Sent: Monday, August 02, 2010 5:46 PM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
>
> Yeah, it's on the investigate list.  It does happen with staff on occasion 
> too, but not nearly as much as students.
>
> The major outstanding question I have is how to do Unified Messaging with 
> Exchange if the mailbox is outsourced? It's prolly something simple, but I 
> just haven't looked into it yet.
>
> -Original Message-
> From: Glen Johnson [mailto:gjohn...@vhcc.edu]
> Sent: Monday, August 02, 2010 3:14 PM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
>
> Ah ha.
> Didn't notice the .edu addy.
> In that case, I would seriously investigate outsourcing that to MS or Google.
> The entire Va. Community College System went with Google for student email 
> and so far it has worked really well.
> Can't beat the cost either.  Zero, and the student gets to keep their same email 
> as long as they want it.  No advertisements in their account whil

RE: malware that creates Outlook rules

2010-08-03 Thread Brian Desmond
That paragraph and the OP's vertical comprise much of what I do every week, so, 
like MBS said, I assumed some knowledge there.

l...@edu is Microsoft's free offering for education for student email. It runs 
on Exchange 2010 up "in the cloud" and is hosted by Microsoft. OLSync is their 
term for the plugin for Identity Lifecycle Manager which allows you to 
synchronize your AD/Exchange up to l...@edu to provision all the data into the 
hosted Exchange environment. 

Thanks,
Brian Desmond
br...@briandesmond.com

c   - 312.731.3132


-Original Message-
From: David Lum [mailto:david@nwea.org] 
Sent: Tuesday, August 03, 2010 5:05 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Take that paragraph out of contest and it scarcely looks like English...

-Original Message-
From: Brian Desmond [mailto:br...@briandesmond.com]
Sent: Tuesday, August 03, 2010 1:35 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Yep, it's the same set of cmdlets you use for Exchange (as that's what l...@edu 
runs on). You can also use the OLSync ILM solution they offer. It's $500 + SQL 
Std for the ILM licensing but this will do GALSync from your existing 
AD/Exchange environment into l...@edu. 

Thanks,
Brian Desmond
br...@briandesmond.com

c   - 312.731.3132






RE: malware that creates Outlook rules

2010-08-03 Thread Brian Desmond
Yes and if you were sneaky you might be able to forward mail to those mailboxes 
(such as UM data) to the cloud. I'm not sure if the voicemail form would be 
retained on the remote side, and you'd have a problem with MWIs on your phones 
and OCS as people would mark messages as read in the cloud but they will be 
unread on-premise.

Also keep in mind that in Exchange 2010 fax is not in the box anymore and 
requires a third party solution. You're going to be paying for the eCAL for all 
your users to do this as well as some hardware. I'm wondering once you factor 
in the relatively cheap storage for Exchange 2010 how much more you're going to 
be burning? Are you giving all your students a VM box or just employees and 
student workers? 

Thanks,
Brian Desmond
br...@briandesmond.com

c   - 312.731.3132


-Original Message-
From: Crawford, Scott [mailto:crawfo...@evangel.edu] 
Sent: Tuesday, August 03, 2010 5:13 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Good to know. Is it possible to host additional mailboxes locally just for 
voicemail/faxes and leave the actual mail in the cloud?  Not really UM per se, 
but it would allow us to get off of our 3rd party voicemail server and 
auto-attendant and use Exchange's considerably cheaper versions.

-Original Message-
From: Brian Desmond [mailto:br...@briandesmond.com]
Sent: Tuesday, August 03, 2010 2:38 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Currently UM in that scenario isn't possible. 

Thanks,
Brian Desmond
br...@briandesmond.com

c   - 312.731.3132


-Original Message-
From: Crawford, Scott [mailto:crawfo...@evangel.edu]
Sent: Monday, August 02, 2010 4:46 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Yeah, it's on the investigate list.  It does happen with staff on occasion too, 
but not nearly as much as students.

The major outstanding question I have is how to do Unified Messaging with 
Exchange if the mailbox is outsourced? It's prolly something simple, but I just 
haven't looked into it yet.

-Original Message-
From: Glen Johnson [mailto:gjohn...@vhcc.edu]
Sent: Monday, August 02, 2010 3:14 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Ah ha.
Didn't notice the .edu addy.
In that case, I would seriously investigate outsourcing that to MS or Google.
The entire Va. Community College System went with Google for student email and 
so far it has worked really well.
Can't beat the cost either.  Zero, and the student gets to keep their same email as 
long as they want it.  No advertisements in their account while they are 
students.  No backups, spam, outages and all those other support headaches for 
me.  Great big plus.


-Original Message-
From: Crawford, Scott [mailto:crawfo...@evangel.edu]
Sent: Monday, August 02, 2010 4:05 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Yeah, that sounds nice except we have 2000 students with an average of 500 new 
ones every year so our major issue isn't repeat offenders.

-Original Message-
From: Glen Johnson [mailto:gjohn...@vhcc.edu]
Sent: Monday, August 02, 2010 2:51 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

When this happened here, we disabled their email account until they completed 
our security awareness training, for the second time.
With supervisors' complete support.

-Original Message-
From: Osborne, Richard [mailto:richard.osbo...@wth.org]
Sent: Monday, August 02, 2010 3:40 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

I have been monitoring the Exchange queues.  It's the only way I can tell when 
it is happening.  I found the aqadmcli.exe utility and have been using it to 
clean the queues (aqadmcli "delmsg flags=SENDER,sender=bob.sm...@wth.org").

I'll check the OWA logs ASAP.

Assuming I have had three users reply to phishing e-mails, is there anything to 
fix besides changing their passwords?

Thanks everyone for the suggestions.

-Original Message-
From: Glen Johnson [mailto:gjohn...@vhcc.edu]
Sent: Monday, August 02, 2010 2:35 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Also check those Exchange SMTP queues.
If it is compromised accounts, the spammers can send spam via your OWA faster 
than your Exchange server can process, so it will get backed up, so disabling 
accounts or changing passwords won't stop it until the queues are emptied.


-Original Message-
From: Osborne, Richard [mailto:richard.osbo...@wth.org]
Sent: Monday, August 02, 2010 3:32 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

I'm glad I'm not the only sufferer!

I'll try and answer the other questions that were asked:

1) yes, the spam continued even with the user's ac

RE: malware that creates Outlook rules

2010-08-03 Thread Webster
I didn't know we were having a contest!


Webster

> -Original Message-
> From: David Lum [mailto:david@nwea.org]
> Subject: RE: malware that creates Outlook rules
> 
> Take that paragraph out of contest...




RE: malware that creates Outlook rules

2010-08-03 Thread Crawford, Scott
That's awesome. I look forward to playing with it.

-Original Message-
From: Brian Desmond [mailto:br...@briandesmond.com] 
Sent: Tuesday, August 03, 2010 3:35 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Yep, it's the same set of cmdlets you use for Exchange (as that's what l...@edu 
runs on). You can also use the OLSync ILM solution they offer. It's $500 + SQL 
Std for the ILM licensing but this will do GALSync from your existing 
AD/Exchange environment into l...@edu. 

Thanks,
Brian Desmond
br...@briandesmond.com

c   - 312.731.3132


-Original Message-
From: Steven Peck [mailto:sep...@gmail.com] 
Sent: Tuesday, August 03, 2010 3:30 PM
To: NT System Admin Issues
Subject: Re: malware that creates Outlook rules

Microsoft also has a similar program for EDUs for hosted mail.
http://www.microsoft.com/liveatedu/free-hosted-student-email.aspx

They have PowerShell cmdlets that work over the web for administrators, so there 
should be some ways to accomplish automation of a sort.

Steven Peck
http://www.blkmtn.org


On Tue, Aug 3, 2010 at 12:39 PM, Brian Desmond  wrote:
> Most schools I've worked with either have something that plugs in to the 
> message bus of their ERP/SIS system for provisioning to outsourced services, 
> or, more frequently, they have a job which either scans an Oracle table every 
> so often or a batch job on the ERP side that dumps delta flat files and a 
> second job that picks them up and provisions to Google/etc.
>
> Thanks,
> Brian Desmond
> br...@briandesmond.com
>
> c   - 312.731.3132
>
>
> -Original Message-
> From: Glen Johnson [mailto:gjohn...@vhcc.edu]
> Sent: Tuesday, August 03, 2010 2:27 PM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
>
> I'm sure it is, and the Va. CC uses PeopleSoft for our Student Info 
> System (SIS) and so they worked together to create an automated process in 
> that, a student applies to the college, registers for classes and the next 
> day, they have the email account active.
> All this is done via the web.
> Maybe Google would work with your SIS vendor to create something similar.
>
> -Original Message-
> From: Crawford, Scott [mailto:crawfo...@evangel.edu]
> Sent: Tuesday, August 03, 2010 12:08 PM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
>
> Hmm, interesting. I like that. Of course, setting it up for all students 
> automatically might prove to be tricky.
>
> -Original Message-
> From: Glen Johnson [mailto:gjohn...@vhcc.edu]
> Sent: Tuesday, August 03, 2010 6:44 AM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
>
> And just after I sent this the light came on, Google Voice should do UM.
> I'd let Google handle voice mail, email and anything else they want to give 
> to the students.
>
> -Original Message-
> From: Glen Johnson [mailto:gjohn...@vhcc.edu]
> Sent: Tuesday, August 03, 2010 7:42 AM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
>
> Not sure on the UM questions.
> Not an issue here as we don't have student housing or provide phones for them.
> I'm betting that it is possible though.
>
>
> -Original Message-
> From: Crawford, Scott [mailto:crawfo...@evangel.edu]
> Sent: Monday, August 02, 2010 5:46 PM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
>
> Yeah, it's on the investigate list.  It does happen with staff on occasion 
> too, but not nearly as much as students.
>
> The major outstanding question I have is how to do Unified Messaging with 
> Exchange if the mailbox is outsourced? It's prolly something simple, but I 
> just haven't looked into it yet.
>
> -Original Message-
> From: Glen Johnson [mailto:gjohn...@vhcc.edu]
> Sent: Monday, August 02, 2010 3:14 PM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
>
> Ah ha.
> Didn't notice the .edu addy.
> In that case, I would seriously investigate outsourcing that to MS or Google.
> The entire Va. Community College System went with Google for student email 
> and so far it has worked really well.
> Can't beat the cost either.  Zero, and the student gets to keep their same email 
> as long as they want it.  No advertisements in their account while they are 
> students.  No backups, spam, outages and all those other support headaches for 
> me.  Great big plus.
>
>
> -Original Message-
> From: Crawford, Scott [mailto:crawfo...@evangel.edu]
> Sent: Monday, August 02, 2010 4:05 PM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules

RE: malware that creates Outlook rules

2010-08-03 Thread Crawford, Scott
Good to know. Is it possible to host additional mailboxes locally just for 
voicemail/faxes and leave the actual mail in the cloud?  Not really UM per se, 
but it would allow us to get off of our 3rd party voicemail server and 
auto-attendant and use Exchange's considerably cheaper versions.

-Original Message-
From: Brian Desmond [mailto:br...@briandesmond.com] 
Sent: Tuesday, August 03, 2010 2:38 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Currently UM in that scenario isn't possible. 

Thanks,
Brian Desmond
br...@briandesmond.com

c   - 312.731.3132


-Original Message-
From: Crawford, Scott [mailto:crawfo...@evangel.edu] 
Sent: Monday, August 02, 2010 4:46 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Yeah, it's on the investigate list.  It does happen with staff on occasion too, 
but not nearly as much as students.

The major outstanding question I have is how to do Unified Messaging with 
Exchange if the mailbox is outsourced? It's prolly something simple, but I just 
haven't looked into it yet.

-Original Message-
From: Glen Johnson [mailto:gjohn...@vhcc.edu]
Sent: Monday, August 02, 2010 3:14 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Ah ha.
Didn't notice the .edu addy.
In that case, I would seriously investigate outsourcing that to MS or Google.
The entire Va. Community College System went with Google for student email and 
so far it has worked really well.
Can't beat the cost either.  Zero, and the student gets to keep their same email as 
long as they want it.  No advertisements in their account while they are 
students.  No backups, spam, outages and all those other support headaches for 
me.  Great big plus.


-Original Message-
From: Crawford, Scott [mailto:crawfo...@evangel.edu]
Sent: Monday, August 02, 2010 4:05 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Yeah, that sounds nice except we have 2000 students with an average of 500 new 
ones every year so our major issue isn't repeat offenders.

-Original Message-
From: Glen Johnson [mailto:gjohn...@vhcc.edu]
Sent: Monday, August 02, 2010 2:51 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

When this happened here, we disabled their email account until they completed 
our security awareness training, for the second time.
With supervisors' complete support.

-Original Message-
From: Osborne, Richard [mailto:richard.osbo...@wth.org]
Sent: Monday, August 02, 2010 3:40 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

I have been monitoring the Exchange queues.  It's the only way I can tell when 
it is happening.  I found the aqadmcli.exe utility and have been using it to 
clean the queues (aqadmcli "delmsg flags=SENDER,sender=bob.sm...@wth.org").

I'll check the OWA logs ASAP.

Assuming I have had three users reply to phishing e-mails, is there anything to 
fix besides changing their passwords?

Thanks everyone for the suggestions.

-Original Message-
From: Glen Johnson [mailto:gjohn...@vhcc.edu]
Sent: Monday, August 02, 2010 2:35 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Also check those Exchange SMTP queues.
If it is compromised accounts, the spammers can send spam via your OWA faster 
than your Exchange server can process, so it will get backed up, so disabling 
accounts or changing passwords won't stop it until the queues are emptied.


-Original Message-
From: Osborne, Richard [mailto:richard.osbo...@wth.org]
Sent: Monday, August 02, 2010 3:32 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

I'm glad I'm not the only sufferer!

I'll try and answer the other questions that were asked:

1) yes, the spam continued even with the user's account disabled and their PC 
powered off
2) yes, only our Exchange server can send SMTP to the Internet
3) my OWA servers are clean according to VIPRE & MalwareBytes

So far this has hit 3 users (out of ~5000).  I have not seen any spam sent in 
the last 5 hours but I don't have any confidence that I have found the source.  
Maybe there's a PC with a high-privileged account that has been compromised and 
is sending out spam runs on a schedule?  Currently I am getting up-to-date on 
patches on all my Exchange boxes.

-Original Message-
From: Thomas Mullins [mailto:tsmull...@wise.k12.va.us]
Sent: Monday, August 02, 2010 2:17 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

We are having a similar issue.  We changed the users password, and since that 
user is in a meeting, we turned his machine off.  Looks like it has to be 
coming from OWA.  Here is some info from an error message our external MTA sent 
to me (our Exchange guys are looking into the matter):

Transcript

RE: malware that creates Outlook rules

2010-08-03 Thread Michael B. Smith
The poster of one of the questions I answered today - I can't remember where - 
emailed me and said "huh? That wasn't clear". So I rewrote my answer using 
lots more words. 

I generally answer questions with short-cut responses, as Brian did, assuming 
that the OP has most of the knowledge to get to the right answer.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com


-Original Message-
From: David Lum [mailto:david@nwea.org] 
Sent: Tuesday, August 03, 2010 6:05 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Take that paragraph out of contest and it scarcely looks like English...

-Original Message-
From: Brian Desmond [mailto:br...@briandesmond.com]
Sent: Tuesday, August 03, 2010 1:35 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Yep, it's the same set of cmdlets you use for Exchange (as that's what l...@edu 
runs on). You can also use the OLSync ILM solution they offer. It's $500 + SQL 
Std for the ILM licensing but this will do GALSync from your existing 
AD/Exchange environment into l...@edu. 

Thanks,
Brian Desmond
br...@briandesmond.com

c   - 312.731.3132






RE: malware that creates Outlook rules

2010-08-03 Thread Crawford, Scott
Outbound anti-spam:
I've been asking Sunbelt to add this to Ninja for years. Still waiting on it, 
and I'm not sure why. In any case, I moved off Ninja and Vipre to Forefront so 
I'll let someone else continue the wait :).  Exchange now has outbound message 
throttling so you can set limits like x number of emails per minute. I'm hoping 
to dig into it and see if I can add a trigger to let me know when a user hits 
more than 5 or so emails per minute.

Blacklist removal - These links are the major ones we need:
Comcast
http://www.comcastsupport.com/rbl

ATT
http://wn.att.net/cgi-bin/block_admin.cgi

Microsoft
https://postmaster.live.com/snds/data.aspx
https://support.msn.com/eform.aspx?productKey=edfsmsbl&ct=eformts

Barracuda
http://www.barracudacentral.org/lookups/ip-reputation
http://www.barracudacentral.org/rbl/removal-request

Symantec
http://ipremoval.sms.symantec.com/lookup

-Original Message-
From: Osborne, Richard [mailto:richard.osbo...@wth.org] 
Sent: Tuesday, August 03, 2010 12:16 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Actually this was happening all weekend.  I was chasing my tail so hard I 
didn't think to e-mail this list until Monday.  Lesson learned.

Just to wrap up: thanks to Glen, Scott, Thomas, and anyone else who suggested 
the spam was coming from OWA via phished accounts.  I looked at the IIS logs on 
the OWA server and found entries like this:
... GET /exchange/bob.smith/Drafts/ Cmd=new 443 bsmith x.x.x.x 
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+InfoPath.2;+Crazy+Browser+3.0.3)...

Which I suppose shows new e-mails being created in the Drafts folder.  Any 
advice regarding interpreting these logs would be welcome.

After changing the affected users' passwords I think we are in the clear.  
Exchange queues are quiet since yesterday.

We publish OWA via ISA Server, so OWA logs only the address of the ISA 
Server.  We checked our firewall logs and found quite a bit of traffic to OWA 
from Nigeria & India.  We're in Tennessee, so we are able to block those 
addresses as we won't have any legitimate traffic from them.

Based on the agent string above, I told URLScan to block Crazy Browser 
(http://www.crazybrowser.com/).  I wonder how many other browsers there are 
I've never even heard of.

Now I need to consider some kind of outbound anti-spam, figure out some 
scripting to notify me if the queues get out of hand, and get off all the 
blacklists I'm on.

--

From: richardmccl...@aspca.org [mailto:richardmccl...@aspca.org] 
Sent: Monday, August 02, 2010 2:50 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules


We're a Lotus Notes shop using Postini as a relay, if it makes any 
difference... 

We had one desktop system here, and a few in NYC, where spam was being spewed 
out.  This actually had nothing at all to do with Domino/Lotus but rather a 
rogue SMTP server which got snuck onto some workstations. 

We were able to track this down by monitoring SMTP traffic through our 
firewall.  All SMTP traffic was supposed to be coming from only one IP at each 
location, and it was all supposed to be directed to our Postini host. 

At least yours does not seem to be happening on a weekend...
-- 
Richard D. McClary 
Systems Administrator, Information Technology Group 
ASPCA® 
1717 S. Philo Rd, Ste 36 
Urbana, IL  61802 
  
richardmccl...@aspca.org 
  
P: 217-337-9761 
C: 217-417-1182 
F: 217-337-9761 
www.aspca.org 
  
The information contained in this e-mail, and any attachments hereto, is from 
The American Society for the Prevention of Cruelty to Animals® (ASPCA®) and is 
intended only for use by the addressee(s) named herein and may contain legally 
privileged and/or confidential information. If you are not the intended 
recipient of this e-mail, you are hereby notified that any dissemination, 
distribution, copying or use of the contents of this e-mail, and any 
attachments hereto, is strictly prohibited. If you have received this e-mail in 
error, please immediately notify me by reply email and permanently delete the 
original and any copy of this e-mail and any printout thereof. 
  

"Osborne, Richard"  wrote on 08/02/2010 02:40:09 PM:

> I have been monitoring the Exchange queues.  It's the only way I can
> tell when it is happening.  I found the aqadmcli.exe utility and 
> have been using it to clean the queues (aqadmcli "delmsg 
> flags=SENDER,sender=bob.sm...@wth.org").
> 
> I'll check the OWA logs ASAP.
> 
> Assuming I have had three users reply to phishing e-mails, is there 
> anything to fix besides changing their passwords?
> 
> Thanks everyone for the suggestions.
> 
> -Original Message-----
> From: Glen Johnson [mailto:gjohn...@vhcc.edu] 
> Sent: Monday, August 02, 2010 2:35 PM
> To: NT System Admin Issues
&
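
Added example, not code from anyone in this thread: it turns the OWA IIS log pattern Richard Osborne found (repeated "GET /exchange/<user>/Drafts/ Cmd=new" from one account, with an unusual browser) and Scott Crawford's idea of alerting when a user sends more than about 5 messages per minute into an offline check over W3C extended log lines. The log lines, field order, user names, addresses and agents are constructed; the threshold and the compose-path pattern are assumptions based on the thread.

```python
"""Offline detection of webmail send bursts in OWA IIS (W3C) logs."""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample data. IIS encodes spaces in the User-Agent as '+'.
CRAZY = ("Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;"
         "+InfoPath.2;+Crazy+Browser+3.0.3)")
IE8 = "Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1)"

# Constructed W3C extended log excerpt. IIS writes a '#Fields:' directive that
# names the columns, so the parser reads it instead of assuming positions.
SAMPLE_LOG = "\n".join(
    ["#Software: Microsoft Internet Information Services 6.0",
     "#Fields: date time cs-method cs-uri-stem cs-uri-query s-port "
     "cs-username c-ip cs(User-Agent) sc-status"]
    + [f"2010-08-02 14:40:{s} GET /exchange/bob.smith/Drafts/ Cmd=new 443 "
       f"bsmith 10.0.0.5 {CRAZY} 200"
       for s in ("01", "04", "11", "19", "27", "36", "52")]  # 7 sends in 1 min
    + [f"2010-08-02 14:41:03 GET /exchange/bob.smith/Drafts/ Cmd=new 443 "
       f"bsmith 10.0.0.5 {CRAZY} 200",
       f"2010-08-02 14:40:09 GET /exchange/jane.doe/Inbox/ Cmd=contents 443 "
       f"jdoe 10.0.0.9 {IE8} 200",
       f"2010-08-02 14:42:15 GET /exchange/jane.doe/Drafts/ Cmd=new 443 "
       f"jdoe 10.0.0.9 {IE8} 200"]
)

# Assumed shape of an OWA "new message" request, taken from the log line
# quoted in the thread: a GET on the mailbox's Drafts folder with Cmd=new.
COMPOSE_PATH = re.compile(r"^/exchange/[^/]+/Drafts/?$", re.IGNORECASE)


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log text into dicts keyed by the '#Fields:' names."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split(" ")
        if not fields or len(values) != len(fields):
            continue  # malformed line: skip rather than mis-assign columns
        rows.append(dict(zip(fields, values)))
    return rows


def is_compose(row: Dict[str, str]) -> bool:
    """True when the request is OWA creating a new message in Drafts."""
    return (row.get("cs-method") == "GET"
            and COMPOSE_PATH.match(row.get("cs-uri-stem", "")) is not None
            and "Cmd=new" in row.get("cs-uri-query", ""))


def compose_rate_alerts(rows: List[Dict[str, str]], threshold: int = 5) -> List[dict]:
    """One alert per (user, minute) whose compose count exceeds the threshold.

    Note: behind a publishing proxy such as ISA, c-ip is the proxy's address
    (as Richard Osborne observed), so real source addresses must come from the
    firewall logs; the IPs are reported here only as a correlation hint.
    """
    buckets: Dict[tuple, List[Dict[str, str]]] = defaultdict(list)
    for row in rows:
        if is_compose(row):
            minute = f"{row['date']} {row['time'][:5]}"
            buckets[(row["cs-username"], minute)].append(row)
    alerts = []
    for (user, minute), hits in sorted(buckets.items()):
        if len(hits) > threshold:
            alerts.append({
                "user": user,
                "minute": minute,
                "count": len(hits),
                "agents": sorted({h["cs(User-Agent)"].replace("+", " ") for h in hits}),
                "client_ips": sorted({h["c-ip"] for h in hits}),
            })
    return alerts


def agents_by_user(rows: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Decoded, de-duplicated User-Agent strings per account, for spotting
    browsers that never appear in normal use (the thread's 'Crazy Browser')."""
    seen: Dict[str, set] = defaultdict(set)
    for row in rows:
        seen[row["cs-username"]].add(row["cs(User-Agent)"].replace("+", " "))
    return {user: sorted(agents) for user, agents in seen.items()}


if __name__ == "__main__":
    parsed = parse_w3c(SAMPLE_LOG)
    for alert in compose_rate_alerts(parsed):
        print(f"{alert['user']} sent {alert['count']} messages during "
              f"{alert['minute']} via {alert['agents']} from {alert['client_ips']}")
    for user, agents in agents_by_user(parsed).items():
        print(user, agents)
```

On a real server, feed the day's ex*.log file to parse_w3c and page on any alert; the same bucketing can be pointed at the ISA or firewall log to recover the true source addresses.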

RE: malware that creates Outlook rules

2010-08-03 Thread David Lum
Take that paragraph out of contest and it scarcely looks like English...

-Original Message-
From: Brian Desmond [mailto:br...@briandesmond.com] 
Sent: Tuesday, August 03, 2010 1:35 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Yep, it's the same set of cmdlets you use for Exchange (as that's what l...@edu 
runs on). You can also use the OLSync ILM solution they offer. It's $500 + SQL 
Std for the ILM licensing but this will do GALSync from your existing 
AD/Exchange environment into l...@edu. 

Thanks,
Brian Desmond
br...@briandesmond.com

c   - 312.731.3132






RE: malware that creates Outlook rules

2010-08-03 Thread Brian Desmond
Yep, it's the same set of cmdlets you use for Exchange (as that's what l...@edu 
runs on). You can also use the OLSync ILM solution they offer. It's $500 + SQL 
Std for the ILM licensing but this will do GALSync from your existing 
AD/Exchange environment into l...@edu. 

Thanks,
Brian Desmond
br...@briandesmond.com

c   - 312.731.3132


-Original Message-
From: Steven Peck [mailto:sep...@gmail.com] 
Sent: Tuesday, August 03, 2010 3:30 PM
To: NT System Admin Issues
Subject: Re: malware that creates Outlook rules

Microsoft also has a similar program for EDUs for hosted mail.
http://www.microsoft.com/liveatedu/free-hosted-student-email.aspx

They have PowerShell cmdlets that work over the web for administrators, so there 
should be some ways to accomplish automation of a sort.

Steven Peck
http://www.blkmtn.org


On Tue, Aug 3, 2010 at 12:39 PM, Brian Desmond  wrote:
> Most schools I've worked with either have something that plugs in to the 
> message bus of their ERP/SIS system for provisioning to outsourced services, 
> or, more frequently, they have a job which either scans an Oracle table every 
> so often or a batch job on the ERP side that dumps delta flat files and a 
> second job that picks them up and provisions to Google/etc.
>
> Thanks,
> Brian Desmond
> br...@briandesmond.com
>
> c   - 312.731.3132
>
>
> -Original Message-
> From: Glen Johnson [mailto:gjohn...@vhcc.edu]
> Sent: Tuesday, August 03, 2010 2:27 PM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
>
> I'm sure it is, and the Va. CC uses PeopleSoft for our Student Info 
> System (SIS) and so they worked together to create an automated process in 
> that, a student applies to the college, registers for classes and the next 
> day, they have the email account active.
> All this is done via the web.
> Maybe google would work with your SIS vendor to create something similar.
>
> -Original Message-
> From: Crawford, Scott [mailto:crawfo...@evangel.edu]
> Sent: Tuesday, August 03, 2010 12:08 PM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
>
> Hmm, interesting. I like that. Of course, setting it up for all students 
> automatically might prove to be tricky.
>
> -Original Message-----
> From: Glen Johnson [mailto:gjohn...@vhcc.edu]
> Sent: Tuesday, August 03, 2010 6:44 AM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
>
> And just after I sent this the light came on, Google Voice should do UM.
> I'd let google handle voice mail, email and anything else they want to give 
> to the students.
>
> -Original Message-
> From: Glen Johnson [mailto:gjohn...@vhcc.edu]
> Sent: Tuesday, August 03, 2010 7:42 AM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
>
> Not sure on the UM questions.
> Not an issue here as we don't have student housing or provide phones for them.
> I'm betting that it is possible though.
>
>
> -Original Message-
> From: Crawford, Scott [mailto:crawfo...@evangel.edu]
> Sent: Monday, August 02, 2010 5:46 PM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
>
> Yeah, it's on the investigate list.  It does happen with staff on occasion 
> too, but not nearly as much as students.
>
> The major outstanding question I have is how to do Unified Messaging with 
> Exchange if the mailbox is outsourced? It's prolly something simple, but I 
> just haven't looked into it yet.
>
> -Original Message-
> From: Glen Johnson [mailto:gjohn...@vhcc.edu]
> Sent: Monday, August 02, 2010 3:14 PM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
>
> Ah ha.
> Didn't notice the .edu addy.
> In that case, I would seriously investigate outsourcing that to MS or Google.
> The entire Va. Community College System went with Google for student email 
> and so far it has worked really well.
> Can't beat the cost too.  Zero and the student gets to keep their same email 
> as long as they want it.  No advertisements in their account while they are 
> students.  No backups, spam, outages and all that other support headaches for 
> me.  Great big plus.
>
>
> -Original Message-
> From: Crawford, Scott [mailto:crawfo...@evangel.edu]
> Sent: Monday, August 02, 2010 4:05 PM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
>
> Yeah, that sounds nice except we have 2000 students with an average of 500 
> new ones every year so our major issue isn't repeat offenders.
>
> -Original Message-
> From: Glen Johnson [mailto:gjohn...

Re: malware that creates Outlook rules

2010-08-03 Thread Steven Peck
Microsoft also has a similar program for EDUs for hosted mail.
http://www.microsoft.com/liveatedu/free-hosted-student-email.aspx

They have PowerShell cmdlets that work over the web for administrators,
so there should be some ways to accomplish automation of a sort.

Steven Peck
http://www.blkmtn.org


On Tue, Aug 3, 2010 at 12:39 PM, Brian Desmond  wrote:
> Most schools I've worked with either have something that plugs in to the 
> message bus of their ERP/SIS system for provisioning to outsourced services, 
> or, more frequently, they have a job which either scans an Oracle table every 
> so often or a batch job on the ERP side that dumps delta flat files and a 
> second job that picks them up and provisions to Google/etc.
>
> Thanks,
> Brian Desmond
> br...@briandesmond.com
>
> c   - 312.731.3132
>
>
> -Original Message-
> From: Glen Johnson [mailto:gjohn...@vhcc.edu]
> Sent: Tuesday, August 03, 2010 2:27 PM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
>
> I'm sure it is, and the Va. CC uses PeopleSoft for our Student Info 
> System (SIS) and so they worked together to create an automated process in 
> that, a student applies to the college, registers for classes and the next 
> day, they have the email account active.
> All this is done via the web.
> Maybe google would work with your SIS vendor to create something similar.
>
> -Original Message-
> From: Crawford, Scott [mailto:crawfo...@evangel.edu]
> Sent: Tuesday, August 03, 2010 12:08 PM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
>
> Hmm, interesting. I like that. Of course, setting it up for all students 
> automatically might prove to be tricky.
>
> -Original Message-
> From: Glen Johnson [mailto:gjohn...@vhcc.edu]
> Sent: Tuesday, August 03, 2010 6:44 AM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
>
> And just after I sent this the light came on, Google Voice should do UM.
> I'd let google handle voice mail, email and anything else they want to give 
> to the students.
>
> -----Original Message-
> From: Glen Johnson [mailto:gjohn...@vhcc.edu]
> Sent: Tuesday, August 03, 2010 7:42 AM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
>
> Not sure on the UM questions.
> Not an issue here as we don't have student housing or provide phones for them.
> I'm betting that it is possible though.
>
>
> -Original Message-
> From: Crawford, Scott [mailto:crawfo...@evangel.edu]
> Sent: Monday, August 02, 2010 5:46 PM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
>
> Yeah, it's on the investigate list.  It does happen with staff on occasion 
> too, but not nearly as much as students.
>
> The major outstanding question I have is how to do Unified Messaging with 
> Exchange if the mailbox is outsourced? It's prolly something simple, but I 
> just haven't looked into it yet.
>
> -Original Message-
> From: Glen Johnson [mailto:gjohn...@vhcc.edu]
> Sent: Monday, August 02, 2010 3:14 PM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
>
> Ah ha.
> Didn't notice the .edu addy.
> In that case, I would seriously investigate outsourcing that to MS or Google.
> The entire Va. Community College System went with Google for student email 
> and so far it has worked really well.
> Can't beat the cost too.  Zero and the student gets to keep their same email 
> as long as they want it.  No advertisements in their account while they are 
> students.  No backups, spam, outages and all that other support headaches for 
> me.  Great big plus.
>
>
> -Original Message-
> From: Crawford, Scott [mailto:crawfo...@evangel.edu]
> Sent: Monday, August 02, 2010 4:05 PM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
>
> Yeah, that sounds nice except we have 2000 students with an average of 500 
> new ones every year so our major issue isn't repeat offenders.
>
> -Original Message-
> From: Glen Johnson [mailto:gjohn...@vhcc.edu]
> Sent: Monday, August 02, 2010 2:51 PM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
>
> When this happened here, we disabled their email account until they completed 
> our security awareness training, for the second time.
> With supervisors' complete support.
>
> -Original Message-
> From: Osborne, Richard [mailto:richard.osbo...@wth.org]
> Sent: Monday, August 02, 2010 3:40 PM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
>

RE: malware that creates Outlook rules

2010-08-03 Thread Brian Desmond
Most schools I've worked with either have something that plugs in to the 
message bus of their ERP/SIS system for provisioning to outsourced services, 
or, more frequently, they have a job which either scans an Oracle table every 
so often or a batch job on the ERP side that dumps delta flat files and a 
second job that picks them up and provisions to Google/etc. 

Thanks,
Brian Desmond
br...@briandesmond.com

c   - 312.731.3132


-Original Message-
From: Glen Johnson [mailto:gjohn...@vhcc.edu] 
Sent: Tuesday, August 03, 2010 2:27 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

I'm sure it is, and the Va. CC uses PeopleSoft for our Student Info System (SIS) 
and so they worked together to create an automated process in that, a student 
applies to the college, registers for classes and the next day, they have the 
email account active.
All this is done via the web.
Maybe google would work with your SIS vendor to create something similar.

-Original Message-
From: Crawford, Scott [mailto:crawfo...@evangel.edu]
Sent: Tuesday, August 03, 2010 12:08 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Hmm, interesting. I like that. Of course, setting it up for all students 
automatically might prove to be tricky.

-Original Message-
From: Glen Johnson [mailto:gjohn...@vhcc.edu]
Sent: Tuesday, August 03, 2010 6:44 AM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

And just after I sent this the light came on, Google Voice should do UM.
I'd let google handle voice mail, email and anything else they want to give to 
the students.

-Original Message-
From: Glen Johnson [mailto:gjohn...@vhcc.edu]
Sent: Tuesday, August 03, 2010 7:42 AM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Not sure on the UM questions.
Not an issue here as we don't have student housing or provide phones for them.
I'm betting that it is possible though.


-Original Message-
From: Crawford, Scott [mailto:crawfo...@evangel.edu]
Sent: Monday, August 02, 2010 5:46 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Yeah, it's on the investigate list.  It does happen with staff on occasion too, 
but not nearly as much as students.

The major outstanding question I have is how to do Unified Messaging with 
Exchange if the mailbox is outsourced? It's prolly something simple, but I just 
haven't looked into it yet.

-Original Message-
From: Glen Johnson [mailto:gjohn...@vhcc.edu]
Sent: Monday, August 02, 2010 3:14 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Ah ha.
Didn't notice the .edu addy.
In that case, I would seriously investigate outsourcing that to MS or Google.
The entire Va. Community College System went with Google for student email and 
so far it has worked really well.
Can't beat the cost too.  Zero and the student gets to keep their same email as 
long as they want it.  No advertisements in their account while they are 
students.  No backups, spam, outages and all that other support headaches for 
me.  Great big plus.


-Original Message-
From: Crawford, Scott [mailto:crawfo...@evangel.edu]
Sent: Monday, August 02, 2010 4:05 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Yeah, that sounds nice except we have 2000 students with an average of 500 new 
ones every year so our major issue isn't repeat offenders.

-Original Message-
From: Glen Johnson [mailto:gjohn...@vhcc.edu]
Sent: Monday, August 02, 2010 2:51 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

When this happened here, we disabled their email account until they completed 
our security awareness training, for the second time.
With supervisors' complete support.

-Original Message-
From: Osborne, Richard [mailto:richard.osbo...@wth.org]
Sent: Monday, August 02, 2010 3:40 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

I have been monitoring the Exchange queues.  It's the only way I can tell when 
it is happening.  I found the aqadmcli.exe utility and have been using it to 
clean the queues (aqadmcli "delmsg flags=SENDER,sender=bob.sm...@wth.org").

I'll check the OWA logs ASAP.

Assuming I have had three users reply to phishing e-mails, is there anything to 
fix besides changing their passwords?

Thanks everyone for the suggestions.

-Original Message-
From: Glen Johnson [mailto:gjohn...@vhcc.edu]
Sent: Monday, August 02, 2010 2:35 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Also check those exchange smtp queues.
If it is compromised accounts, the spammers can send spam via your OWA faster 
than your Exchange server can process, so it will get backed up, so disabling 
accounts or changing passwords won't stop it until 

RE: malware that creates Outlook rules

2010-08-03 Thread Brian Desmond
Currently UM in that scenario isn't possible. 

Thanks,
Brian Desmond
br...@briandesmond.com

c   - 312.731.3132


-Original Message-
From: Crawford, Scott [mailto:crawfo...@evangel.edu] 
Sent: Monday, August 02, 2010 4:46 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Yeah, it's on the investigate list.  It does happen with staff on occasion too, 
but not nearly as much as students.

The major outstanding question I have is how to do Unified Messaging with 
Exchange if the mailbox is outsourced? It's prolly something simple, but I just 
haven't looked into it yet.

-Original Message-
From: Glen Johnson [mailto:gjohn...@vhcc.edu]
Sent: Monday, August 02, 2010 3:14 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Ah ha.
Didn't notice the .edu addy.
In that case, I would seriously investigate outsourcing that to MS or Google.
The entire Va. Community College System went with Google for student email and 
so far it has worked really well.
Can't beat the cost too.  Zero and the student gets to keep their same email as 
long as they want it.  No advertisements in their account while they are 
students.  No backups, spam, outages and all that other support headaches for 
me.  Great big plus.


-Original Message-
From: Crawford, Scott [mailto:crawfo...@evangel.edu]
Sent: Monday, August 02, 2010 4:05 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Yeah, that sounds nice except we have 2000 students with an average of 500 new 
ones every year so our major issue isn't repeat offenders.

-Original Message-
From: Glen Johnson [mailto:gjohn...@vhcc.edu]
Sent: Monday, August 02, 2010 2:51 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

When this happened here, we disabled their email account until they completed 
our security awareness training, for the second time.
With supervisors' complete support.

-Original Message-
From: Osborne, Richard [mailto:richard.osbo...@wth.org]
Sent: Monday, August 02, 2010 3:40 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

I have been monitoring the Exchange queues.  It's the only way I can tell when 
it is happening.  I found the aqadmcli.exe utility and have been using it to 
clean the queues (aqadmcli "delmsg flags=SENDER,sender=bob.sm...@wth.org").

I'll check the OWA logs ASAP.

Assuming I have had three users reply to phishing e-mails, is there anything to 
fix besides changing their passwords?

Thanks everyone for the suggestions.

-Original Message-
From: Glen Johnson [mailto:gjohn...@vhcc.edu]
Sent: Monday, August 02, 2010 2:35 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Also check those exchange smtp queues.
If it is compromised accounts, the spammers can send spam via your OWA faster 
than your Exchange server can process, so it will get backed up, so disabling 
accounts or changing passwords won't stop it until the queues are emptied.


-Original Message-
From: Osborne, Richard [mailto:richard.osbo...@wth.org]
Sent: Monday, August 02, 2010 3:32 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

I'm glad I'm not the only sufferer!

I'll try and answer the other questions that were asked:

1) yes, the spam continued even with the user's account disabled and their PC 
powered off
2) yes, only our Exchange server can send SMTP to the Internet
3) my OWA servers are clean according to VIPRE & MalwareBytes

So far this has hit 3 users (out of ~5000).  I have not seen any spam sent in 
the last 5 hours but I don't have any confidence that I have found the source.  
Maybe there's a PC with a high-privileged account that has been compromised and 
is sending out spam runs on a schedule?  Currently I am getting up-to-date on 
patches on all my Exchange boxes.

-Original Message-
From: Thomas Mullins [mailto:tsmull...@wise.k12.va.us]
Sent: Monday, August 02, 2010 2:17 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

We are having a similar issue.  We changed the users password, and since that 
user is in a meeting, we turned his machine off.  Looks like it has to be 
coming from OWA.  Here is some info from an error message our external MTA sent 
to me (our Exchange guys are looking into the matter):

Transcript of session follows.

 Out: 220 mail3.wise.k12.va.us ESMTP
 In:  EHLO mail.wise.k12.va.us
 Out: 250-mail3.wise.k12.va.us
 Out: 250-PIPELINING
 Out: 250-SIZE 8
 Out: 250-VRFY
 Out: 250-ETRN
 Out: 250-ENHANCEDSTATUSCODES
 Out: 250-8BITMIME
 Out: 250 DSN
 In:  MAIL FROM: SIZE=1163
 Out: 250 2.1.0 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 

RE: malware that creates Outlook rules

2010-08-03 Thread Glen Johnson
I'm sure it is, and the Va. CC uses PeopleSoft for our Student Info System (SIS) 
and so they worked together to create an automated process in that, a student 
applies to the college, registers for classes and the next day, they have the 
email account active.
All this is done via the web.
Maybe google would work with your SIS vendor to create something similar.

-Original Message-
From: Crawford, Scott [mailto:crawfo...@evangel.edu] 
Sent: Tuesday, August 03, 2010 12:08 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Hmm, interesting. I like that. Of course, setting it up for all students 
automatically might prove to be tricky.

-Original Message-
From: Glen Johnson [mailto:gjohn...@vhcc.edu]
Sent: Tuesday, August 03, 2010 6:44 AM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

And just after I sent this the light came on, Google Voice should do UM.
I'd let google handle voice mail, email and anything else they want to give to 
the students.

-Original Message-
From: Glen Johnson [mailto:gjohn...@vhcc.edu]
Sent: Tuesday, August 03, 2010 7:42 AM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Not sure on the UM questions.
Not an issue here as we don't have student housing or provide phones for them.
I'm betting that it is possible though.


-Original Message-
From: Crawford, Scott [mailto:crawfo...@evangel.edu]
Sent: Monday, August 02, 2010 5:46 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Yeah, it's on the investigate list.  It does happen with staff on occasion too, 
but not nearly as much as students.

The major outstanding question I have is how to do Unified Messaging with 
Exchange if the mailbox is outsourced? It's prolly something simple, but I just 
haven't looked into it yet.

-Original Message-
From: Glen Johnson [mailto:gjohn...@vhcc.edu]
Sent: Monday, August 02, 2010 3:14 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Ah ha.
Didn't notice the .edu addy.
In that case, I would seriously investigate outsourcing that to MS or Google.
The entire Va. Community College System went with Google for student email and 
so far it has worked really well.
Can't beat the cost too.  Zero and the student gets to keep their same email as 
long as they want it.  No advertisements in their account while they are 
students.  No backups, spam, outages and all that other support headaches for 
me.  Great big plus.


-Original Message-
From: Crawford, Scott [mailto:crawfo...@evangel.edu]
Sent: Monday, August 02, 2010 4:05 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Yeah, that sounds nice except we have 2000 students with an average of 500 new 
ones every year so our major issue isn't repeat offenders.

-Original Message-
From: Glen Johnson [mailto:gjohn...@vhcc.edu]
Sent: Monday, August 02, 2010 2:51 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

When this happened here, we disabled their email account until they completed 
our security awareness training, for the second time.
With supervisors' complete support.

-Original Message-
From: Osborne, Richard [mailto:richard.osbo...@wth.org]
Sent: Monday, August 02, 2010 3:40 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

I have been monitoring the Exchange queues.  It's the only way I can tell when 
it is happening.  I found the aqadmcli.exe utility and have been using it to 
clean the queues (aqadmcli "delmsg flags=SENDER,sender=bob.sm...@wth.org").

I'll check the OWA logs ASAP.

Assuming I have had three users reply to phishing e-mails, is there anything to 
fix besides changing their passwords?

Thanks everyone for the suggestions.

-Original Message-
From: Glen Johnson [mailto:gjohn...@vhcc.edu]
Sent: Monday, August 02, 2010 2:35 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Also check those exchange smtp queues.
If it is compromised accounts, the spammers can send spam via your OWA faster 
than your Exchange server can process, so it will get backed up, so disabling 
accounts or changing passwords won't stop it until the queues are emptied.


-Original Message-
From: Osborne, Richard [mailto:richard.osbo...@wth.org]
Sent: Monday, August 02, 2010 3:32 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

I'm glad I'm not the only sufferer!

I'll try and answer the other questions that were asked:

1) yes, the spam continued even with the user's account disabled and their PC 
powered off
2) yes, only our Exchange server can send SMTP to the Internet
3) my OWA servers are clean according to VIPRE & MalwareBytes

So far this has hit 3 users (out of ~5000).  I have not seen any spam sent in 
the l

RE: malware that creates Outlook rules

2010-08-03 Thread Osborne, Richard
Actually this was happening all weekend.  I was chasing my tail so hard I 
didn't think to e-mail this list until Monday.  Lesson learned.

Just to wrap up: thanks to Glen, Scott, Thomas, and anyone else who suggested 
the spam was coming from OWA via phished accounts.  I looked at the IIS logs on 
the OWA server and found entries like this:
... GET /exchange/bob.smith/Drafts/ Cmd=new 443 bsmith x.x.x.x 
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+InfoPath.2;+Crazy+Browser+3.0.3)...

Which I suppose shows new e-mails being created in the Drafts folder.  Any 
advice regarding interpreting these logs would be welcome.

After changing the affected users' passwords I think we are in the clear.  
Exchange queues are quiet since yesterday.

We publish OWA via ISA Server, so the OWA logs only the address of the ISA 
Server.  We checked our firewall logs and found quite a bit of traffic to OWA 
from Nigeria & India.  We're in Tennessee, so we are able to block those 
addresses as we won't have any legitimate traffic from them.

Based on the agent string above, I told URLScan to block Crazy Browser 
(http://www.crazybrowser.com/).  I wonder how many other browsers there are 
I've never even heard of.

Now I need to consider some kind of outbound anti-spam, figure out some 
scripting to notify me if the queues get out of hand, and get off all the 
blacklists I'm on.

--

From: richardmccl...@aspca.org [mailto:richardmccl...@aspca.org] 
Sent: Monday, August 02, 2010 2:50 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules


We're a Lotus Notes shop using Postini as a relay, if it makes any 
difference... 

We had one desktop system here, and a few in NYC, where spam was being spewed 
out.  This actually had nothing at all to do with Domino/Lotus but rather a 
rogue SMTP server which got snuck onto some workstations. 

We were able to track this down by monitoring SMTP traffic through our 
firewall.  All SMTP traffic was to be coming from only one IP at each 
location, and it was all supposed to be directed to our Postini host. 

At least yours does not seem to be happening on a weekend...
-- 
Richard D. McClary 
Systems Administrator, Information Technology Group 
ASPCA® 
1717 S. Philo Rd, Ste 36 
Urbana, IL  61802 
  
richardmccl...@aspca.org 
  
P: 217-337-9761 
C: 217-417-1182 
F: 217-337-9761 
www.aspca.org 
  
The information contained in this e-mail, and any attachments hereto, is from 
The American Society for the Prevention of Cruelty to Animals® (ASPCA®) and is 
intended only for use by the addressee(s) named herein and may contain legally 
privileged and/or confidential information. If you are not the intended 
recipient of this e-mail, you are hereby notified that any dissemination, 
distribution, copying or use of the contents of this e-mail, and any 
attachments hereto, is strictly prohibited. If you have received this e-mail in 
error, please immediately notify me by reply email and permanently delete the 
original and any copy of this e-mail and any printout thereof. 
  

"Osborne, Richard"  wrote on 08/02/2010 02:40:09 PM:

> I have been monitoring the Exchange queues.  It's the only way I can
> tell when it is happening.  I found the aqadmcli.exe utility and 
> have been using it to clean the queues (aqadmcli "delmsg 
> flags=SENDER,sender=bob.sm...@wth.org").
> 
> I'll check the OWA logs ASAP.
> 
> Assuming I have had three users reply to phishing e-mails, is there 
> anything to fix besides changing their passwords?
> 
> Thanks everyone for the suggestions.
> 
> -Original Message-
> From: Glen Johnson [mailto:gjohn...@vhcc.edu] 
> Sent: Monday, August 02, 2010 2:35 PM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
> 
> Also check those exchange smtp queues.
> If it is compromised accounts, the spammers can send spam via your OWA
> faster than your Exchange server can process, so it will get backed 
> up, so disabling accounts or changing passwords won't stop it until 
> the queues are emptied.
> 
> 
> -Original Message-----
> From: Osborne, Richard [mailto:richard.osbo...@wth.org] 
> Sent: Monday, August 02, 2010 3:32 PM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
> 
> I'm glad I'm not the only sufferer!
> 
> I'll try and answer the other questions that were asked:
> 
> 1) yes, the spam continued even with the user's account disabled and
> their PC powered off
> 2) yes, only our Exchange server can send SMTP to the Internet
> 3) my OWA servers are clean according to VIPRE & MalwareBytes
> 
> So far this has hit 3 users (out of ~5000).  I have not seen any 
> spam sent in the last 5 hours but I don't have any confidence that I
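
Richard asks above for advice on interpreting the OWA IIS log entries and says he wants some scripting to warn him before the queues get out of hand. The following is an added example, not code from the thread or from any of the posters: a small detector that reads IIS W3C extended log lines using their "#Fields:" header, picks out the "Cmd=new" requests against a Drafts folder (the pattern quoted in the post), and flags any account that creates drafts in a burst. The log lines, the field set, the user names, the 10.0.0.5 client address (standing in for the ISA server address that the post says OWA records) and the burst threshold are all constructed for the example; adjust the field names to whatever your own IIS logging configuration emits.

```python
"""Flag bursts of OWA draft creation ("Cmd=new") in IIS W3C extended logs.

Added example; assumes IIS W3C logging with the fields named in the
constructed "#Fields:" header below. Field names, sample lines, users
and threshold are all made up for the demonstration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, modelled on the single entry quoted in the thread.
# IIS replaces spaces inside a field with '+', so whitespace splitting is safe.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2010-08-01 03:12:01 GET /exchange/jdoe/Inbox/ Cmd=contents 443 jdoe 10.0.0.5 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1) 200
2010-08-01 03:12:40 GET /exchange/jdoe/Drafts/ Cmd=new 443 jdoe 10.0.0.5 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1) 200
2010-08-01 03:40:02 GET /exchange/bob.smith/Drafts/ Cmd=new 443 bsmith 10.0.0.5 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+InfoPath.2;+Crazy+Browser+3.0.3) 200
2010-08-01 03:40:31 GET /exchange/bob.smith/Drafts/ Cmd=new 443 bsmith 10.0.0.5 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+InfoPath.2;+Crazy+Browser+3.0.3) 200
2010-08-01 03:41:05 GET /exchange/bob.smith/Drafts/ Cmd=new 443 bsmith 10.0.0.5 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+InfoPath.2;+Crazy+Browser+3.0.3) 200
2010-08-01 03:41:37 GET /exchange/bob.smith/Drafts/ Cmd=new 443 bsmith 10.0.0.5 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+InfoPath.2;+Crazy+Browser+3.0.3) 200
2010-08-01 03:42:10 GET /exchange/bob.smith/Drafts/ Cmd=new 443 bsmith 10.0.0.5 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+InfoPath.2;+Crazy+Browser+3.0.3) 200
2010-08-01 03:42:44 GET /exchange/bob.smith/Drafts/ Cmd=new 443 bsmith 10.0.0.5 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+InfoPath.2;+Crazy+Browser+3.0.3) 200
2010-08-01 04:30:00 GET /exchange/jdoe/Drafts/ Cmd=new 443 jdoe 10.0.0.5 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1) 200
"""


def parse_iis_log(text):
    """Return one dict per data line, keyed by the names in the #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # header can change mid-file; track it
            continue
        if line.startswith("#") or fields is None:
            continue                       # other directives, or data before a header
        parts = line.split()
        if len(parts) != len(fields):
            continue                       # malformed line; a real tool would count these
        row = dict(zip(fields, parts))
        row["ts"] = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
        rows.append(row)
    return rows


def is_new_draft(row):
    """True for an OWA request that opens a new message in a Drafts folder."""
    query_params = row.get("cs-uri-query", "").split("&")
    return (row.get("cs-method") == "GET"
            and row.get("cs-uri-stem", "").lower().endswith("/drafts/")
            and "Cmd=new" in query_params)


def find_draft_bursts(rows, window=timedelta(minutes=10), threshold=5):
    """Accounts with >= threshold draft creations inside any sliding window.

    Returns {user: {"peak": n, "user_agents": [...], "client_ips": [...]}} so
    the alert carries the evidence an admin needs to decide on a reset.
    """
    per_user = defaultdict(list)
    for row in rows:
        if is_new_draft(row):
            per_user[row["cs-username"]].append(row)

    bursts = {}
    for user, events in per_user.items():
        events.sort(key=lambda r: r["ts"])
        peak, start = 0, 0
        for end in range(len(events)):          # two-pointer sliding window
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[user] = {
                "peak": peak,
                "user_agents": sorted({r["cs(User-Agent)"] for r in events}),
                "client_ips": sorted({r["c-ip"] for r in events}),
            }
    return bursts


if __name__ == "__main__":
    for user, info in find_draft_bursts(parse_iis_log(SAMPLE_LOG)).items():
        print(f"{user}: {info['peak']} new drafts in 10 min; "
              f"agents={info['user_agents']} ips={info['client_ips']}")
```

Because the post notes that OWA behind ISA only records the ISA server's address, the client IP list will be uninformative in that setup; the per-user rate and the user-agent set are the fields that still carry signal, and the firewall logs remain the place to find the real source addresses.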

RE: malware that creates Outlook rules

2010-08-03 Thread Crawford, Scott
Hmm, interesting. I like that. Of course, setting it up for all students 
automatically might prove to be tricky.

-Original Message-
From: Glen Johnson [mailto:gjohn...@vhcc.edu] 
Sent: Tuesday, August 03, 2010 6:44 AM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

And just after I sent this the light came on, Google Voice should do UM.
I'd let google handle voice mail, email and anything else they want to give to 
the students.

-Original Message-
From: Glen Johnson [mailto:gjohn...@vhcc.edu] 
Sent: Tuesday, August 03, 2010 7:42 AM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Not sure on the UM questions.
Not an issue here as we don't have student housing or provide phones for them.
I'm betting that it is possible though.


-Original Message-
From: Crawford, Scott [mailto:crawfo...@evangel.edu]
Sent: Monday, August 02, 2010 5:46 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Yeah, it's on the investigate list.  It does happen with staff on occasion too, 
but not nearly as much as students.

The major outstanding question I have is how to do Unified Messaging with 
Exchange if the mailbox is outsourced? It's prolly something simple, but I just 
haven't looked into it yet.

-Original Message-
From: Glen Johnson [mailto:gjohn...@vhcc.edu]
Sent: Monday, August 02, 2010 3:14 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Ah ha.
Didn't notice the .edu addy.
In that case, I would seriously investigate outsourcing that to MS or Google.
The entire Va. Community College System went with Google for student email and 
so far it has worked really well.
Can't beat the cost too.  Zero and the student gets to keep their same email as 
long as they want it.  No advertisements in their account while they are 
students.  No backups, spam, outages and all that other support headaches for 
me.  Great big plus.


-Original Message-
From: Crawford, Scott [mailto:crawfo...@evangel.edu]
Sent: Monday, August 02, 2010 4:05 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Yeah, that sounds nice except we have 2000 students with an average of 500 new 
ones every year so our major issue isn't repeat offenders.

-Original Message-
From: Glen Johnson [mailto:gjohn...@vhcc.edu]
Sent: Monday, August 02, 2010 2:51 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

When this happened here, we disabled their email account until they completed 
our security awareness training, for the second time.
With supervisors' complete support.

-Original Message-
From: Osborne, Richard [mailto:richard.osbo...@wth.org]
Sent: Monday, August 02, 2010 3:40 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

I have been monitoring the Exchange queues.  It's the only way I can tell when 
it is happening.  I found the aqadmcli.exe utility and have been using it to 
clean the queues (aqadmcli "delmsg flags=SENDER,sender=bob.sm...@wth.org").

I'll check the OWA logs ASAP.

Assuming I have had three users reply to phishing e-mails, is there anything to 
fix besides changing their passwords?

Thanks everyone for the suggestions.

-Original Message-
From: Glen Johnson [mailto:gjohn...@vhcc.edu]
Sent: Monday, August 02, 2010 2:35 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Also check those exchange smtp queues.
If it is compromised accounts, the spammers can send spam via your OWA faster 
than your Exchange server can process, so it will get backed up, so disabling 
accounts or changing passwords won't stop it until the queues are emptied.


-Original Message-
From: Osborne, Richard [mailto:richard.osbo...@wth.org]
Sent: Monday, August 02, 2010 3:32 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

I'm glad I'm not the only sufferer!

I'll try and answer the other questions that were asked:

1) yes, the spam continued even with the user's account disabled and their PC 
powered off
2) yes, only our Exchange server can send SMTP to the Internet
3) my OWA servers are clean according to VIPRE & MalwareBytes

So far this has hit 3 users (out of ~5000).  I have not seen any spam sent in 
the last 5 hours but I don't have any confidence that I have found the source.  
Maybe there's a PC with a high-privileged account that has been compromised and 
is sending out spam runs on a schedule?  Currently I am getting up-to-date on 
patches on all my Exchange boxes.

-Original Message-
From: Thomas Mullins [mailto:tsmull...@wise.k12.va.us]
Sent: Monday, August 02, 2010 2:17 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

We are having a similar issue.  We changed the user's password, and since that 
user is in 

RE: malware that creates Outlook rules

2010-08-03 Thread Glen Johnson
And just after I sent this the light came on, Google Voice should do UM.
I'd let google handle voice mail, email and anything else they want to give to 
the students.

-Original Message-
From: Glen Johnson [mailto:gjohn...@vhcc.edu] 
Sent: Tuesday, August 03, 2010 7:42 AM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Not sure on the UM questions.
Not an issue here as we don't have student housing or provide phones for them.
I'm betting that it is possible though.


-Original Message-
From: Crawford, Scott [mailto:crawfo...@evangel.edu]
Sent: Monday, August 02, 2010 5:46 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Yeah, it's on the investigate list.  It does happen with staff on occasion too, 
but not nearly as much as students.

The major outstanding question I have is how to do Unified Messaging with 
Exchange if the mailbox is outsourced? It's prolly something simple, but I just 
haven't looked into it yet.

-Original Message-
From: Glen Johnson [mailto:gjohn...@vhcc.edu]
Sent: Monday, August 02, 2010 3:14 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Ah ha.
Didn't notice the .edu addy.
In that case, I would seriously investigate outsourcing that to MS or Google.
The entire Va. Community College System went with Google for student email and 
so far it has worked really well.
Can't beat the cost too.  Zero and the student gets to keep their same email as 
long as they want it.  No advertisements in their account while they are 
students.  No backups, spam, outages and all those other support headaches for 
me.  Great big plus.


-Original Message-
From: Crawford, Scott [mailto:crawfo...@evangel.edu]
Sent: Monday, August 02, 2010 4:05 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Yeah, that sounds nice except we have 2000 students with an average of 500 new 
ones every year so our major issue isn't repeat offenders.

-Original Message-
From: Glen Johnson [mailto:gjohn...@vhcc.edu]
Sent: Monday, August 02, 2010 2:51 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

When this happened here, we disabled their email account until they completed 
our security awareness training, for the second time.
With supervisors' complete support.


RE: malware that creates Outlook rules

2010-08-03 Thread Glen Johnson
Not sure on the UM questions.
Not an issue here as we don't have student housing or provide phones for them.
I'm betting that it is possible though.



RE: malware that creates Outlook rules

2010-08-02 Thread Crawford, Scott
Yeah, it's on the investigate list.  It does happen with staff on occasion too, 
but not nearly as much as students.

The major outstanding question I have is how to do Unified Messaging with 
Exchange if the mailbox is outsourced? It's prolly something simple, but I just 
haven't looked into it yet.

-Original Message-
From: Thomas Mullins [mailto:tsmull...@wise.k12.va.us]
Sent: Monday, August 02, 2010 2:17 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

We are having a similar issue.  We changed the user's password, and since that 
user is in a meeting, we turned his machine off.  Looks like it has to be 
coming from OWA.  Here is some info from an error message our external MTA sent 
to me (our Exchange guys are looking into the matter):

Transcript of session follows.

 Out: 220 mail3.wise.k12.va.us ESMTP
 In:  EHLO mail.wise.k12.va.us
 Out: 250-mail3.wise.k12.va.us
 Out: 250-PIPELINING
 Out: 250-SIZE 8
 Out: 250-VRFY
 Out: 250-ETRN
 Out: 250-ENHANCEDSTATUSCODES
 Out: 250-8BITMIME
 Out: 250 DSN
 In:  MAIL FROM: SIZE=1163
 Out: 250 2.1.0 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok

Shane


-Original Message-
From: Roger Wright [mailto:rhw...@gmail.com]
Sent: Monday, August 02, 2010 2:35 PM
To: NT S
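Shane's transcript shows the shape to look for: a single MAIL FROM coming from the site's own Exchange server, followed by a long run of RCPT TO lines. The parser below is an added example and not code from the thread. It reads the same " In:/ Out:" transcript layout, pairs every server reply with the client command it answers (so multi-line 250- replies, rejected recipients and a session that is cut off mid-envelope are all handled), and reports envelopes whose recipient count is out of the ordinary. The session text and every address in it are constructed, since the archive stripped the addresses from the original.

```python
"""Rebuild SMTP envelopes from an In:/Out: session transcript and flag fan-out.
Added example, not from the thread. The layout matches the transcript posted
above; the session text and every address in it are constructed, since the
archive stripped the addresses from the original.
"""
import re
from collections import deque
from dataclasses import dataclass, field
from typing import List, Tuple

SAMPLE_SESSION = """\
 Out: 220 mx.example.net ESMTP
 In:  EHLO mail.example.edu
 Out: 250-mx.example.net
 Out: 250 DSN
 In:  MAIL FROM:<bob.smith@example.edu> SIZE=1163
 Out: 250 2.1.0 Ok
 In:  RCPT TO:<a1@example.net>
 Out: 250 2.1.5 Ok
 In:  RCPT TO:<nobody@example.net>
 Out: 550 5.1.1 User unknown
 In:  RCPT TO:<a3@example.net>
 Out: 250 2.1.5 Ok
 In:  DATA
 Out: 354 End data with <CR><LF>.<CR><LF>
 Out: 250 2.0.0 Ok: queued
 In:  MAIL FROM:<alice@example.edu>
 Out: 250 2.1.0 Ok
 In:  RCPT TO:<friend@example.net>
 Out: 250 2.1.5 Ok
 In:  DATA
 Out: 354 End data with <CR><LF>.<CR><LF>
 Out: 250 2.0.0 Ok: queued
 In:  QUIT
 Out: 221 Bye
"""

LINE_RE = re.compile(r"^\s*(In|Out):\s*(.*)$")
ADDR_RE = re.compile(r"<([^>]*)>")
REPLY_RE = re.compile(r"^(\d{3})(-?)")   # group 2 is "-" on a continuation line


@dataclass
class Envelope:
    sender: str
    accepted: List[str] = field(default_factory=list)   # RCPT TO answered 2xx
    rejected: List[str] = field(default_factory=list)   # RCPT TO answered 4xx/5xx


def _addr(command: str) -> str:
    """Address from 'MAIL FROM:<x>' / 'RCPT TO:<x>'; tolerates missing brackets."""
    m = ADDR_RE.search(command)
    if m:
        return m.group(1)
    rest = command.split(":", 1)[1:] or [""]
    tokens = [t for t in rest[0].split() if "=" not in t]   # skip SIZE= parameters
    return tokens[0] if tokens else ""


def parse_session(transcript: str) -> List[Envelope]:
    """Pair each server reply with the client command it answers and rebuild
    the envelopes. A session cut off mid-envelope still yields that envelope."""
    envelopes: List[Envelope] = []
    current = None
    outstanding: deque = deque()     # (verb, argument) still awaiting a reply
    for raw in transcript.splitlines():
        m = LINE_RE.match(raw)
        if not m or not m.group(2).strip():
            continue
        direction, text = m.groups()
        if direction == "In":
            verb = text.split()[0].rstrip(":").upper()
            arg = _addr(text) if verb in ("MAIL", "RCPT") else None
            outstanding.append((verb, arg))
            continue
        reply = REPLY_RE.match(text)
        if not reply or reply.group(2) == "-" or not outstanding:
            continue                   # banner, 250- continuation, or unsolicited reply
        code = reply.group(1)
        verb, arg = outstanding.popleft()
        if verb == "MAIL":
            current = Envelope(sender=arg) if code.startswith("2") else None
        elif verb == "RCPT" and current is not None:
            (current.accepted if code.startswith("2") else current.rejected).append(arg)
        elif verb == "DATA" and current is not None:
            envelopes.append(current)  # envelope is complete once DATA is answered
            current = None
        elif verb == "RSET":
            current = None
    if current is not None:
        envelopes.append(current)      # truncated session, like the one in the thread
    return envelopes


def fanout_alerts(envelopes: List[Envelope], max_recipients: int = 10) -> List[Tuple[str, int]]:
    """(sender, recipients attempted) for each envelope addressed to more than
    max_recipients people, the usual shape of a bulk run from one account."""
    return [(e.sender, len(e.accepted) + len(e.rejected)) for e in envelopes
            if len(e.accepted) + len(e.rejected) > max_recipients]
```

Feed it the "Transcript of session follows" section of a bounce or your MTA's session log, then call fanout_alerts on the result. The threshold is a local decision: two or three recipients is normal for staff mail, while one envelope with eleven external recipients, as in the transcript above, is exactly what a compromised account produces.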

Re: malware that creates Outlook rules

2010-08-02 Thread Kurt Buff
Ideas:

Patch your machines - XP SP2 is no longer supported. Get to SP3, and
get all the patches after that, including today's emergency patch.

Patch your Win2k3 server, too. Current is SP2, and you're not there,
so you're *WAY* behind.

Get UBCD4WIN, and boot any suspect machines with it and see what VIPRE
Rescue and Malwarebytes find when run that way.

Block port 25 outbound at your firewall (and probably port 587 -
submission) for all machines except your Exchange server, then record
which machines are bouncing off of the firewall from the inside after
that.

Oh heck, block everything outbound at your firewall for your
workstations except ports 80 and 443, and anything that you have an
actual business case for opening up. That will tell you oodles about
your environment.

Kurt

On Mon, Aug 2, 2010 at 10:46, Osborne, Richard  wrote:
> Has anyone seen malware that creates an Outlook rule that moves all new
> mail to Deleted Items and then sends out a bunch of spam?  I have a few
> users that have been hit with something I can't find.  I scanned the PCs
> with VIPRE, MalwareBytes, & Symantec's online scanner and didn't find
> anything.  Then I turned off the PCs and something is still accessing
> their mailboxes.  I scanned the Exchange server also.  I am not seeing
> anything in Exchange User Monitor or Windows Security logs and our
> network guys say they don't see any unusual traffic to our Exchange
> server.
>
> Google finds a couple of people reporting the same thing but no
> resolution.
>
> Windows XP SP2 clients with Outlook 2002 & 2003; Exchange Server 2003
> SP2 on Server 2003 SP1.
>
> Thanks for any ideas.
>
>
>
> Richard Osborne
> Information Systems
> Jackson-Madison County General Hospital
>
> NOTICE:  (1) The foregoing is not intended to be a legally binding or
> legally effective electronic signature. (2) This message may contain
> legally privileged or confidential information.  If you are not the
> intended recipient of this message, please so notify me, disregard the
> foregoing message, and delete the message immediately.  I apologize for
> any inconvenience this may have caused.
>
>
>
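Kurt's egress-filter idea is easy to act on once the firewall is logging denies: any host other than the Exchange server that tries to reach TCP/25 or TCP/587 outbound is a machine worth visiting. The script below is an added example, not code from the thread or from any firewall vendor; the log format, the 10.20.x.x addresses and the assumed Exchange address 10.20.1.5 are all constructed. It parses deny records, ignores the permitted mail server, and ranks everything else by the number of blocked attempts.

```python
"""Find internal hosts bouncing off an egress SMTP block.

Added example for Kurt's suggestion: permit TCP/25 and TCP/587 outbound only
from the Exchange server, then see which other machines hit the deny rule.
Everything below (log format, addresses, host names) is constructed for the
example; it is not from the thread or from any particular firewall product.
"""
import re
from collections import Counter
from typing import Iterable, List, Set, Tuple

# Constructed deny/allow records in a generic key=value syslog style.
SAMPLE_LOG = """\
Aug  2 13:01:12 fw1 DENY src=10.20.4.17 dst=64.12.88.131 proto=tcp dport=25
Aug  2 13:01:13 fw1 DENY src=10.20.4.17 dst=65.55.37.72 proto=tcp dport=25
Aug  2 13:01:15 fw1 DENY src=10.20.4.17 dst=209.85.225.27 proto=tcp dport=587
Aug  2 13:02:40 fw1 DENY src=10.20.9.201 dst=74.125.45.13 proto=tcp dport=25
Aug  2 13:03:02 fw1 DENY src=10.20.1.10 dst=8.8.8.8 proto=udp dport=53
Aug  2 13:03:05 fw1 ALLOW src=10.20.1.5 dst=64.12.88.131 proto=tcp dport=25
Aug  2 13:04:11 fw1 DENY src=10.20.4.17 dst=98.137.54.237 proto=tcp dport=25
"""

# Assumed address of the one box that is allowed to speak SMTP outbound.
EXCHANGE_SERVERS: Set[str] = {"10.20.1.5"}
MAIL_PORTS: Set[int] = {25, 587}  # SMTP and message submission

LINE_RE = re.compile(
    r"\b(?P<action>DENY|ALLOW)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+"
    r"proto=(?P<proto>\w+)\s+dport=(?P<dport>\d+)"
)


def smtp_talkers(lines: Iterable[str],
                 exchange_servers: Set[str] = EXCHANGE_SERVERS,
                 ports: Set[int] = MAIL_PORTS) -> List[Tuple[str, int]]:
    """Return (source_ip, denied_attempts) for hosts other than the mail
    servers that were blocked on a mail port, busiest first.

    Every host on this list is an infected PC, an application that relays
    directly, or something that needs a firewall exception with a business
    case behind it."""
    hits: Counter = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if m is None or m["action"] != "DENY":
            continue
        if m["proto"].lower() != "tcp" or int(m["dport"]) not in ports:
            continue
        if m["src"] in exchange_servers:
            # The mail server should never be denied; if it is, the rule
            # base is wrong, not the host.
            continue
        hits[m["src"]] += 1
    return hits.most_common()


if __name__ == "__main__":
    for src, n in smtp_talkers(SAMPLE_LOG.splitlines()):
        print(f"{src}\t{n} blocked SMTP/submission attempts")
```

Run it over a day of deny logs after the rule goes in. One caveat that matters for Richard's case: a spammer driving a compromised account through OWA sends from the Exchange server itself, which this filter permits, so an empty list here does not clear the account. That is what the queue checks and the OWA logs discussed in the thread are for.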



RE: malware that creates Outlook rules

2010-08-02 Thread Jason Reeves
We haven't had any of those problems since switching to OpenDNS and VIPRE
for Exchange.

-Original Message-
From: Roger Wright [mailto:rhw...@gmail.com]
Sent: Monday, August 02, 2010 2:35 PM
To: NT System Admin Issues
Subject: Re: malware that creates Outlook rules

Is your firewall set to only allow SMTP (port 25) traffic from your Exchange
server?


Die dulci fruere!

Roger Wright
___




On Mon, Aug 2, 2010 at 2:21 PM, Osborne, Richard 
wrote:
> I disabled their accounts and it didn't help.
>
>
> -Original Message-
> From: Roger Wright [mailto:rhw...@gmail.com]
> Sent: Monday, August 02, 2010 1:09 PM
> To: NT System Admin Issues
> Subject: Re: malware that creates Outlook rules
>
> Have you had the users change their passwords yet?
>
>
> Die dulci fruere!
>
> Roger Wright
> ___
>
>
>
>
> On Mon, Aug 2, 2010 at 1:46 PM, Osborne, Richard 
>  wrote:
>> Has anyone seen malware that creates an Outlook rule that moves all 
>> new mail to Deleted Items and then sends out a bunch of spam?  I have 
>> a few users that have been hit with something I can't find.  I 
>> scanned the PCs with VIPRE, MalwareBytes, & Symantec's online scanner 
>> and didn't find anything.  Then I turned off the PCs and something is 
>> still accessing their mailboxes.  I scanned the Exchange server also.
>> I am not seeing anythin

RE: malware that creates Outlook rules

2010-08-02 Thread Glen Johnson
Ah ha.
Didn't notice the .edu addy.
In that case, I would seriously investigate outsourcing that to MS or Google.
The entire Va. Community College System went with Google for student email and 
so far it has worked really well.
Can't beat the cost too.  Zero and the student gets to keep their same email as 
long as they want it.  No advertisements in their account while they are 
students.  No backups, spam, outages and all those other support headaches for 
me.  Great big plus.



RE: malware that creates Outlook rules

2010-08-02 Thread Crawford, Scott
Yeah, that sounds nice except we have 2000 students with an average of 500 new 
ones every year so our major issue isn't repeat offenders.


RE: malware that creates Outlook rules

2010-08-02 Thread Crawford, Scott
This actually looks promising.  We just recently got off 2003 so I'll be 
investigating this heavily.

http://technet.microsoft.com/en-us/library/dd298094.aspx

The problem we have is that we keep getting on spam lists and then blocked from 
sending email to hotmail, gmail, etc. Hopefully a ThrottlePolicy of, say, 2 or 3 
per minute will be enough to let us catch it before we get blocked.

-Original Message-
From: Osborne, Richard [mailto:richard.osbo...@wth.org] 
Sent: Monday, August 02, 2010 2:40 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

I have been monitoring the Exchange queues.  It's the only way I can tell when 
it is happening.  I found the aqadmcli.exe utility and have been using it to 
clean the queues (aqadmcli "delmsg flags=SENDER,sender=bob.sm...@wth.org").

I'll check the OWA logs ASAP.

Assuming I have had three users reply to phishing e-mails, is there anything to 
fix besides changing their passwords?

Thanks everyone for the suggestions.

-Original Message-
From: Glen Johnson [mailto:gjohn...@vhcc.edu] 
Sent: Monday, August 02, 2010 2:35 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Also check those Exchange SMTP queues.
If it is compromised accounts, the spammers can send spam via your OWA faster 
than your Exchange server can process it, so it will get backed up, and disabling 
accounts or changing passwords won't stop it until the queues are emptied.


-Original Message-
From: Osborne, Richard [mailto:richard.osbo...@wth.org] 
Sent: Monday, August 02, 2010 3:32 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

I'm glad I'm not the only sufferer!

I'll try and answer the other questions that were asked:

1) yes, the spam continued even with the user's account disabled and their PC 
powered off
2) yes, only our Exchange server can send SMTP to the Internet
3) my OWA servers are clean according to VIPRE & MalwareBytes

So far this has hit 3 users (out of ~5000).  I have not seen any spam sent in 
the last 5 hours but I don't have any confidence that I have found the source.  
Maybe there's a PC with a high-privileged account that has been compromised and 
is sending out spam runs on a schedule?  Currently I am getting up-to-date on 
patches on all my Exchange boxes.

-Original Message-
From: Thomas Mullins [mailto:tsmull...@wise.k12.va.us]
Sent: Monday, August 02, 2010 2:17 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

We are having a similar issue.  We changed the user's password, and since that 
user is in a meeting, we turned his machine off.  Looks like it has to be 
coming from OWA.  Here is some info from an error message our external MTA sent 
to me (our Exchange guys are looking into the matter):

Transcript of session follows.

 Out: 220 mail3.wise.k12.va.us ESMTP
 In:  EHLO mail.wise.k12.va.us
 Out: 250-mail3.wise.k12.va.us
 Out: 250-PIPELINING
 Out: 250-SIZE 8
 Out: 250-VRFY
 Out: 250-ETRN
 Out: 250-ENHANCEDSTATUSCODES
 Out: 250-8BITMIME
 Out: 250 DSN
 In:  MAIL FROM: SIZE=1163
 Out: 250 2.1.0 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok

Shane



RE: malware that creates Outlook rules

2010-08-02 Thread Glen Johnson
When this happened here, we disabled their email account until they completed 
our security awareness training, for the second time.
With supervisors' complete support.


RE: malware that creates Outlook rules

2010-08-02 Thread RichardMcClary
We're a Lotus Notes shop using Postini as a relay, if it makes any 
difference...

We had one desktop system here, and a few in NYC, where spam was being 
spewed out.  This actually had nothing at all to do with Domino/Lotus but 
rather a rogue SMTP server which got snuck onto some workstations.

We were able to track this down by monitoring SMTP traffic through our 
firewall.  All SMTP traffic was to be coming from only one IP at each 
location, and it was all supposed to be directed to our Postini host.

At least yours does not seem to be happening on a weekend...
--
Richard D. McClary
Systems Administrator, Information Technology Group 
ASPCA®
1717 S. Philo Rd, Ste 36
Urbana, IL  61802
 
richardmccl...@aspca.org
 
P: 217-337-9761
C: 217-417-1182
F: 217-337-9761
www.aspca.org
 

RE: malware that creates Outlook rules

2010-08-02 Thread Osborne, Richard
I have been monitoring the Exchange queues.  It's the only way I can tell when 
it is happening.  I found the aqadmcli.exe utility and have been using it to 
clean the queues (aqadmcli "delmsg flags=SENDER,sender=bob.sm...@wth.org").

I'll check the OWA logs ASAP.

Assuming I have had three users reply to phishing e-mails, is there anything to 
fix besides changing their passwords?

Thanks everyone for the suggestions.


Re: malware that creates Outlook rules

2010-08-02 Thread Steven Peck
You need to go through the OWA logs for that user's access history to
verify if it is through OWA.  It won't infect your OWA servers.

On Mon, Aug 2, 2010 at 12:35 PM, Crawford, Scott  wrote:
> It's very likely a phished account. This happens to us on a regular basis and 
> there's really nothing that can be done to fix it short of educating the 
> users, which is...difficult. The fact that spam was continuing even after the 
> account is disabled could be chalked up to mail still in the queues.

RE: malware that creates Outlook rules

2010-08-02 Thread Crawford, Scott
It's very likely a phished account. This happens to us on a regular basis and 
there's really nothing that can be done to fix it short of educating the users, 
which is...difficult. The fact that spam was continuing even after the account 
is disabled could be chalked up to mail still in the queues.

> On Mon, Aug 2, 2010 at 1:46 PM, Osborne, Richard
>  wrote:
>> Has anyone seen malware that creates an Outlook rule that moves all new
>> mail to Deleted Items and then sends out a bunch of spam?  I have a few
>> users that have been hit with something I can't find.  I scanned the PCs
>> with VIPRE, MalwareBytes, & Symantec's online scanner and didn't find
>> anything.  Then I turned off the PCs and something is still accessing
>> their mailboxes.  I scanned the Exchange server also.  I am not seeing
>> anything in Exchange User Monitor or Windows Security logs and our
>> network guys say they don't see any unusual traffic to our Exchange
>> server.
>>
>> Google finds a couple of people reporting the same thing but no
>> resolution.
>>
>> Windows XP SP2 clients with Outlook 2002 & 2003; Exchange Server 2003
>> SP2 on Server 2003 SP1.
>>
>> Thanks for any ideas.
>>
>>
>>
>> Richard Osborne
>> Information Systems
>> Jackson-Madison County General Hospital
>>
>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~





RE: malware that creates Outlook rules

2010-08-02 Thread Glen Johnson
Also check those Exchange SMTP queues.
If it is compromised accounts, the spammers can send spam via your OWA faster 
than your Exchange server can process it, so it will get backed up, and disabling 
accounts or changing passwords won't stop it until the queues are emptied.





RE: malware that creates Outlook rules

2010-08-02 Thread Osborne, Richard
I'm glad I'm not the only sufferer!

I'll try and answer the other questions that were asked:

1) yes, the spam continued even with the user's account disabled and their PC 
powered off
2) yes, only our Exchange server can send SMTP to the Internet
3) my OWA servers are clean according to VIPRE & MalwareBytes

So far this has hit 3 users (out of ~5000).  I have not seen any spam sent in 
the last 5 hours but I don't have any confidence that I have found the source.  
Maybe there's a PC with a high-privileged account that has been compromised and 
is sending out spam runs on a schedule?  Currently I am getting up to date on
patches on all my Exchange boxes.




RE: malware that creates Outlook rules

2010-08-02 Thread Glen Johnson
Check the Sent Items folder to see if the user replied to a phishing
email.  You might have thousands of emails to go through to find it, but it
might be there, unless they gave the user id and password to a web site.
We've seen very similar things here.  Massive spam in the Sent folder,
but just before all the spam was a reply with user id and password.
Also check for auto-reply rules.  Saw those on one account.


-Original Message-
From: Osborne, Richard [mailto:richard.osbo...@wth.org] 
Sent: Monday, August 02, 2010 1:47 PM
To: NT System Admin Issues
Subject: malware that creates Outlook rules

Has anyone seen malware that creates an Outlook rule that moves all new
mail to Deleted Items and then sends out a bunch of spam?  I have a few
users that have been hit with something I can't find.  I scanned the PCs
with VIPRE, MalwareBytes, & Symantec's online scanner and didn't find
anything.  Then I turned off the PCs and something is still accessing
their mailboxes.  I scanned the Exchange server also.  I am not seeing
anything in Exchange User Monitor or Windows Security logs and our
network guys say they don't see any unusual traffic to our Exchange
server.

Google finds a couple of people reporting the same thing but no
resolution.

Windows XP SP2 clients with Outlook 2002 & 2003; Exchange Server 2003
SP2 on Server 2003 SP1.

Thanks for any ideas.



Richard Osborne
Information Systems
Jackson-Madison County General Hospital

NOTICE:  (1) The foregoing is not intended to be a legally binding or
legally effective electronic signature. (2) This message may contain
legally privileged or confidential information.  If you are not the
intended recipient of this message, please so notify me, disregard the
foregoing message, and delete the message immediately.  I apologize for
any inconvenience this may have caused.






RE: malware that creates Outlook rules

2010-08-02 Thread Thomas Mullins
We are having a similar issue.  We changed the user's password, and since that
user is in a meeting, we turned his machine off.  Looks like it has to be
coming from OWA.  Here is some info from an error message our external MTA sent
to me (our Exchange guys are looking into the matter):

Transcript of session follows.

 Out: 220 mail3.wise.k12.va.us ESMTP
 In:  EHLO mail.wise.k12.va.us
 Out: 250-mail3.wise.k12.va.us
 Out: 250-PIPELINING
 Out: 250-SIZE 8
 Out: 250-VRFY
 Out: 250-ETRN
 Out: 250-ENHANCEDSTATUSCODES
 Out: 250-8BITMIME
 Out: 250 DSN
 In:  MAIL FROM: SIZE=1163
 Out: 250 2.1.0 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok

Shane



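The transcript in Shane's message has the shape of the notice a Postfix SMTP server mails to postmaster when a session trips a protocol or policy error: one EHLO from the Exchange host, one MAIL FROM, then a long run of RCPT TO. Below is an added example, not code from the thread or from either site, that parses that In:/Out: layout, pairs each client command with the server's final reply (continuation lines such as 250-PIPELINING are skipped, and pipelined commands are matched in order), counts attempted and accepted recipients, and flags the session as a bulk send. The sample transcript is constructed with placeholder hosts and addresses; the 452 rejection at the end is there only to exercise the refused-command path. The thread's own transcript has its addresses stripped by the archive, which the address extractor tolerates by returning an empty string rather than mistaking SIZE=1163 for a sender.

```python
"""Triage a Postfix-style SMTP session transcript for bulk sending.

Added example for this thread, not code from the original posts. Hosts and
addresses in the sample are placeholders.
"""
import re

# Constructed sample in the same "In:/Out:" layout as the transcript in the
# thread. The final RCPT TO rejection is included only to exercise the parser.
SAMPLE_TRANSCRIPT = """\
Transcript of session follows.

 Out: 220 mail3.example.org ESMTP
 In:  EHLO mail.example.org
 Out: 250-mail3.example.org
 Out: 250-PIPELINING
 Out: 250-SIZE 8000000
 Out: 250-ENHANCEDSTATUSCODES
 Out: 250-8BITMIME
 Out: 250 DSN
 In:  MAIL FROM:<jsmith@example.org> SIZE=1163
 Out: 250 2.1.0 Ok
""" + "".join(
    f" In:  RCPT TO:<victim{i}@example.net>\n Out: 250 2.1.5 Ok\n" for i in range(1, 12)
) + """\
 In:  RCPT TO:<victim12@example.net>
 Out: 452 4.5.3 Error: too many recipients
 In:  DATA
 Out: 354 End data with <CR><LF>.<CR><LF>
"""

TURN_RE = re.compile(r"^\s*(In|Out):\s*(.*?)\s*$")
ADDR_RE = re.compile(r"<([^>]*)>")


def parse_transcript(text):
    """Return (direction, line) pairs; anything that is not an In:/Out: line is ignored."""
    return [(m.group(1), m.group(2)) for m in map(TURN_RE.match, text.splitlines()) if m]


def pair_commands(turns):
    """Pair each client command with the server's final reply to it.

    Replies come back in command order even when the client pipelines, so a FIFO of
    outstanding commands is enough. Continuation lines ("250-PIPELINING") do not
    complete a reply; the greeting banner has no command behind it and is dropped.
    """
    pending, pairs = [], []
    for direction, line in turns:
        if direction == "In":
            pending.append(line)
            continue
        is_final = len(line) < 4 or line[3] != "-"
        if is_final and pending:
            pairs.append((pending.pop(0), line))
    return pairs


def envelope_address(command):
    """Address from MAIL FROM:/RCPT TO:, tolerating missing angle brackets and ESMTP parameters."""
    m = ADDR_RE.search(command)
    if m:
        return m.group(1)
    rest = command.split(":", 1)[1] if ":" in command else ""
    tokens = [t for t in rest.split() if "=" not in t]  # drop SIZE=, BODY=, ...
    return tokens[0] if tokens else ""


def summarize_session(text):
    """Who said EHLO, the envelope sender, how many recipients were attempted and
    accepted, and which commands the server refused."""
    summary = {"ehlo": "", "mail_from": "", "rcpt_attempted": 0,
               "rcpt_accepted": 0, "recipients": [], "refused": []}
    for command, reply in pair_commands(parse_transcript(text)):
        upper = command.upper()
        accepted = reply[:1] in ("2", "3")
        if upper.startswith(("EHLO ", "HELO ")):
            summary["ehlo"] = command.split(None, 1)[1]
        elif upper.startswith("MAIL FROM:"):
            summary["mail_from"] = envelope_address(command)
        elif upper.startswith("RCPT TO:"):
            summary["rcpt_attempted"] += 1
            if accepted:
                summary["rcpt_accepted"] += 1
                summary["recipients"].append(envelope_address(command))
        if not accepted:
            summary["refused"].append((command, reply))
    return summary


def looks_like_bulk_send(summary, max_recipients=10):
    """One message fanned out to many recipients, or a server recipient limit tripped."""
    return summary["rcpt_attempted"] > max_recipients or any(
        reply.startswith("452") for _, reply in summary["refused"]
    )


if __name__ == "__main__":
    s = summarize_session(SAMPLE_TRANSCRIPT)
    print(f"EHLO {s['ehlo']} from <{s['mail_from']}>: "
          f"{s['rcpt_accepted']}/{s['rcpt_attempted']} recipients accepted, "
          f"{len(s['refused'])} refused; bulk send: {looks_like_bulk_send(s)}")
```

The useful part for an incident like this one is not the count itself but the envelope sender and the EHLO name: they tell you which mailbox the spam is leaving from and that it is leaving through your own Exchange server, which is the same thing the thread's firewall question (only Exchange may speak SMTP outbound) is trying to establish.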


Re: malware that creates Outlook rules

2010-08-02 Thread Roger Wright
Is your firewall set to only allow SMTP (port 25) traffic from your
Exchange server?


Die dulci fruere!

Roger Wright
___







Re: malware that creates Outlook rules

2010-08-02 Thread S Powell
You turned off the computers and it is still happening?
I'd check OWA.

You disabled the accounts, and the spam is still being sent?



Google.com  Learn it. Live it. Love it.




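Two replies in this thread point at OWA (Thomas Mullins: "looks like it has to be coming from OWA"; S Powell: "I'd check OWA"). When the PC is off and the account is disabled yet the mailbox keeps sending, the front-end server's IIS logs are where that session shows up. The following is an added example, not code from the thread or from any of the sites involved: it parses IIS W3C extended logs, keeps the successful requests under the Exchange 2003 OWA mailbox path /exchange/<alias>/, and reports mailboxes used from outside the internal ranges, sends (Cmd=send) issued from outside, and any single external address that touched more than one mailbox, which is what a few compromised users out of thousands look like when one operator is driving them. Assumptions, all mine: IIS records the authenticated user in cs-username (it does for basic and integrated authentication), the internal ranges are the RFC 1918 blocks, and the log lines are constructed. If OWA is published through a reverse proxy, c-ip is the proxy's address and the real client has to be recovered from the proxy's own logs.

```python
"""Hunt for OWA access from outside the network in IIS W3C logs.

Added example for this thread, not code from the original posts. Assumes
Exchange 2003 OWA (mailbox paths under /exchange/<alias>/) with IIS logging
the authenticated user in cs-username. The log lines and the internal
address ranges are constructed for the example.
"""
import ipaddress
from collections import defaultdict

# Assumption: these are the organisation's internal ranges; anything else is "external".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample, not real log data. IIS writes spaces inside a field as '+'.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2010-08-02 12:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2010-08-02 12:01:13 10.1.2.5 GET /exchange/jsmith/Inbox/ - 443 HOSP\\jsmith 10.20.30.40 Mozilla/4.0+(compatible;+MSIE+7.0) 200 0 0
2010-08-02 12:01:40 10.1.2.5 GET /exchweb/img/logo.gif - 443 - 10.20.30.40 Mozilla/4.0+(compatible;+MSIE+7.0) 200 0 0
2010-08-02 12:05:02 10.1.2.5 GET /exchange/jsmith/Inbox/ - 443 HOSP\\jsmith 203.0.113.77 Mozilla/5.0+(X11;+U;+Linux) 200 0 0
2010-08-02 12:05:09 10.1.2.5 POST /exchange/jsmith/Drafts/ Cmd=send 443 HOSP\\jsmith 203.0.113.77 Mozilla/5.0+(X11;+U;+Linux) 200 0 0
2010-08-02 12:05:21 10.1.2.5 POST /exchange/jsmith/Drafts/ Cmd=send 443 HOSP\\jsmith 203.0.113.77 Mozilla/5.0+(X11;+U;+Linux) 200 0 0
2010-08-02 12:07:44 10.1.2.5 GET /exchange/mjones/Inbox/ - 443 HOSP\\mjones 203.0.113.77 Mozilla/5.0+(X11;+U;+Linux) 200 0 0
2010-08-02 12:07:58 10.1.2.5 POST /exchange/mjones/Drafts/ Cmd=send 443 HOSP\\mjones 203.0.113.77 Mozilla/5.0+(X11;+U;+Linux) 200 0 0
2010-08-02 12:09:03 10.1.2.5 GET /exchange/bwhite/Inbox/ - 443 HOSP\\bwhite 10.20.31.9 Mozilla/4.0+(compatible;+MSIE+7.0) 200 0 0
"""


def parse_iis_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields names.
    IIS re-emits #Fields when the field list changes, so the header is tracked as we go."""
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        if fields is None:
            raise ValueError("log data before any #Fields directive")
        values = line.split()
        if len(values) == len(fields):  # skip torn lines rather than misalign columns
            records.append(dict(zip(fields, values)))
    return records


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def owa_mailbox(uri_stem):
    """Mailbox alias from an OWA 2003 path (/exchange/<alias>/...), or None for other URLs."""
    parts = uri_stem.strip("/").split("/")
    return parts[1].lower() if len(parts) >= 2 and parts[0].lower() == "exchange" else None


def summarize_owa(records):
    """Per mailbox: every client IP seen, the external ones, and sends made from outside."""
    summary = defaultdict(lambda: {"ips": set(), "external_ips": set(), "external_sends": 0})
    for r in records:
        mailbox = owa_mailbox(r.get("cs-uri-stem", ""))
        if mailbox is None or r.get("sc-status") != "200":
            continue  # not a mailbox request, or it did not succeed
        ip = r["c-ip"]
        entry = summary[mailbox]
        entry["ips"].add(ip)
        if not is_internal(ip):
            entry["external_ips"].add(ip)
            if r["cs-method"] == "POST" and "cmd=send" in r.get("cs-uri-query", "").lower():
                entry["external_sends"] += 1
    return dict(summary)


def find_suspicious(records, min_shared=2):
    """Findings in a stable order: mailboxes used from outside the internal ranges,
    then any external IP that touched at least min_shared distinct mailboxes."""
    summary = summarize_owa(records)
    findings, mailboxes_by_ip = [], defaultdict(set)
    for mailbox, entry in sorted(summary.items()):
        for ip in sorted(entry["external_ips"]):
            mailboxes_by_ip[ip].add(mailbox)
            findings.append(("external_access", mailbox, ip))
    for ip, boxes in sorted(mailboxes_by_ip.items()):
        if len(boxes) >= min_shared:
            findings.append(("shared_external_ip", ip, tuple(sorted(boxes))))
    return findings


if __name__ == "__main__":
    records = parse_iis_w3c(SAMPLE_IIS_LOG)
    for mailbox, entry in sorted(summarize_owa(records).items()):
        print(mailbox, sorted(entry["ips"]), "external sends:", entry["external_sends"])
    for finding in find_suspicious(records):
        print(*finding)
```

Run it against the W3SVC logs of every front-end that serves OWA for the affected period, not just the day the spam was noticed; the rule that moves new mail to Deleted Items is there to hide bounces and replies, so the first login from the attacker's address is usually earlier than the first complaint.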


RE: malware that creates Outlook rules

2010-08-02 Thread Osborne, Richard
I disabled their accounts and it didn't help.





Re: malware that creates Outlook rules

2010-08-02 Thread Roger Wright
Have you had the users change their passwords yet?


Die dulci fruere!

Roger Wright
___



