
Exchange 2003 - Virus Help!


  • Exchange 2003 - Virus Help!

    Hi all,

    Our email filter is constantly deleting outbound emails with a virus attached to multiple email addresses:

    "Virus Mal/ObfJS-B was detected in apply.html in message [email protected]"

    "Failed to disinfect apply.html from message, deleted message."

    We didn't have any issues from the 24th Dec to the 3rd Jan, which leads me to believe it's a trojan or virus on a user's computer.

    I've tried using a network sniffer to find any computers constantly communicating with Exchange, to no avail. I've also looked through our antivirus console, but that isn't picking up any computers with viruses.

    How am I best to find this PC, presuming it is one that's sending emails out? I've done a few checks and we're not an open relay.

  • #2
    Re: Exchange 2003 - Virus Help!

    That message ID can be used to find it in the message tracking console, which should then tell you which account sent it.
    You could also enable SMTP logging and then find the same message ID in the SMTP log, which should give you the IP of the connecting client.
    Please do show your appreciation to those who assist you by leaving Rep Point
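
The two-step procedure in post #2 (message tracking for the account, SMTP protocol log for the client IP), worked as an added example that is not code from any poster. Exchange 2003 writes its SMTP protocol log per SMTP virtual server in W3C extended format, so the column order is read from the `#Fields:` directive rather than assumed. The log lines are constructed; the Message-ID is taken from the `cs-uri-query` field of the `DATA` record, which is where the SMTPSVC logs I have seen place it, and `cs-username` is treated as the name the client gave in HELO/EHLO (check both against your own log). The LAN ranges are an assumption as well.

```python
"""Locate the client that submitted a message to an Exchange 2003 SMTP
virtual server, and rank submitting clients, from the SMTPSVC protocol
log (W3C extended format).

Added example for this thread, not any poster's code. The log lines are
constructed; the column layout is read from '#Fields:'; the Message-ID is
assumed to sit in cs-uri-query of the DATA record.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Optional

# Assumed address space of the office LAN; anything else counts as external.
LAN = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample: 10.0.0.20 is a normal workstation; 198.51.100.7 is an
# outside client that authenticates, says EHLO "User" (as in the Received:
# header quoted later in the thread) and pushes several messages through.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)
2012-01-06 21:18:02 10.0.0.20 pc20.corp.local SMTPSVC1 MAIL01 192.0.2.10 0 EHLO - +pc20.corp.local 250 0 200 20 0 SMTP - - - -
2012-01-06 21:18:02 10.0.0.20 pc20.corp.local SMTPSVC1 MAIL01 192.0.2.10 0 MAIL - +FROM:<alice@example.com> 250 0 46 36 0 SMTP - - - -
2012-01-06 21:18:02 10.0.0.20 pc20.corp.local SMTPSVC1 MAIL01 192.0.2.10 0 RCPT - +TO:<bob@example.net> 250 0 39 31 0 SMTP - - - -
2012-01-06 21:18:03 10.0.0.20 pc20.corp.local SMTPSVC1 MAIL01 192.0.2.10 0 DATA - <A1@mail01.corp.local> 250 0 120 2048 300 SMTP - - - -
2012-01-06 21:19:36 198.51.100.7 User SMTPSVC1 MAIL01 192.0.2.10 0 EHLO - +User 250 0 200 10 0 SMTP - - - -
2012-01-06 21:19:36 198.51.100.7 User SMTPSVC1 MAIL01 192.0.2.10 0 AUTH - LOGIN 334 0 18 10 0 SMTP - - - -
2012-01-06 21:19:36 198.51.100.7 User SMTPSVC1 MAIL01 192.0.2.10 0 MAIL - +FROM:<efcc@example.com> 250 0 46 36 0 SMTP - - - -
2012-01-06 21:19:36 198.51.100.7 User SMTPSVC1 MAIL01 192.0.2.10 0 RCPT - +TO:<victim1@example.org> 250 0 39 31 0 SMTP - - - -
2012-01-06 21:19:37 198.51.100.7 User SMTPSVC1 MAIL01 192.0.2.10 0 DATA - <B7@mail01.corp.local> 250 0 120 4096 400 SMTP - - - -
2012-01-06 21:19:40 198.51.100.7 User SMTPSVC1 MAIL01 192.0.2.10 0 MAIL - +FROM:<efcc@example.com> 250 0 46 36 0 SMTP - - - -
2012-01-06 21:19:40 198.51.100.7 User SMTPSVC1 MAIL01 192.0.2.10 0 RCPT - +TO:<victim2@example.org> 250 0 39 31 0 SMTP - - - -
2012-01-06 21:19:41 198.51.100.7 User SMTPSVC1 MAIL01 192.0.2.10 0 DATA - <B8@mail01.corp.local> 250 0 120 4096 400 SMTP - - - -
"""


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """One dict per record, keyed by the names in the '#Fields:' directive."""
    fields: Optional[List[str]] = None
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line before #Fields: directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip it rather than abort the sweep
        records.append(dict(zip(fields, values)))
    return records


def find_message_client(records: List[Dict[str, str]], message_id: str) -> Optional[Dict[str, str]]:
    """The DATA record carrying message_id (the ID the filter reported and
    message tracking shows): client IP and the HELO name it used."""
    wanted = message_id.strip("<>").lower()
    for r in records:
        if r["cs-method"] == "DATA" and r["cs-uri-query"].strip("<>+").lower() == wanted:
            return {"c-ip": r["c-ip"], "helo": r["cs-username"], "time": r["date"] + " " + r["time"]}
    return None


def summarize_clients(records: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Per client IP: accepted messages (DATA 250), whether it used AUTH, and
    the HELO/EHLO names it presented; busiest client first."""
    stats: Dict[str, Dict[str, object]] = defaultdict(lambda: {"messages": 0, "auth": False, "helo": set()})
    for r in records:
        s = stats[r["c-ip"]]
        method = r["cs-method"]
        if method in ("EHLO", "HELO"):
            s["helo"].add(r["cs-uri-query"].lstrip("+"))  # W3C logs write spaces as '+'
        elif method == "AUTH":
            s["auth"] = True
        elif method == "DATA" and r["sc-status"] == "250":
            s["messages"] += 1
    ranked = [{"ip": ip, "messages": s["messages"], "auth": s["auth"], "helo": sorted(s["helo"])} for ip, s in stats.items()]
    return sorted(ranked, key=lambda s: s["messages"], reverse=True)


def suspicious(stat: Dict[str, object]) -> bool:
    """Look-first heuristic: authenticated submission from outside the LAN,
    or a bare 'User' EHLO name like the one in the thread's Received: header."""
    addr = ipaddress.ip_address(str(stat["ip"]))
    external = not any(addr in net for net in LAN)
    return (bool(stat["auth"]) and external) or "User" in stat["helo"]


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    print("submitted by:", find_message_client(recs, "<B7@mail01.corp.local>"))
    for s in summarize_clients(recs):
        print(s, "<-- look here first" if suspicious(s) else "")
```

Run it against a real log by replacing `SAMPLE_LOG` with the contents of the virtual server's log directory (SMTP protocol logging is off by default in Exchange 2003 and has to be switched on per virtual server, so the log only covers what happened after you enabled it). If the busiest client turns out to be an external address that sent `AUTH`, it is the authenticated-account case rather than an infected workstation, and the account named by message tracking is the one whose password needs changing.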


    • #3
      Re: Exchange 2003 - Virus Help!

      Also you want to make sure on your firewall that Exchange is the only machine that is allowed to send out on port 25.
      CCNA, CCNA-Security, CCNP
      CCIE Security (In Progress)


      • #4
        Re: Exchange 2003 - Virus Help!

        How many machines are you working with?

        I'd run Microsoft Security Scanner and Malwarebytes on random machines; it could be exhaustive, but it should work.


        • #5
          Re: Exchange 2003 - Virus Help!

          Hi all,

          Thanks for the replies.

          I've come in this morning to 10,000 emails in the mail queue trying to send out.

          Would it be a user's machine sending these, if the emails are all in the Exchange queue?!

          Also, if the emails are in the Exchange queue, would blocking port 25 to all other machines have any effect?

          If someone could confirm the above, I'll have to start going round each machine; I'm working with approx. 60 of them.

          Many thanks,


          • #6
            Re: Exchange 2003 - Virus Help!

            From one of the blacklists:

            06.01.2012 22:19 (CET) (date of processing):
            Return-Path: <[email protected]>
            X-Original-To: [email protected]
            Received: from ( [myipaddress])
            by (Spamtrap) with ESMTP
            for [email protected]; Fri, 06 Jan 2012 22:19:39 +0100 (CET)
            thread-index: AczMuOUlQ8S5LVHdRhWZU3mr6hRqCw==
            Received: from User ([]) by with Microsoft SMTPSVC(6.0.3790.4675); Fri, 6 Jan 2012 21:19:37 +0000
            Content-Class: urn:content-classes:message
            Importance: normal
            Priority: normal
            Reply-To: <[email protected]>
            From: "ECONOMICS AND FINANCIAL CRIMES COMMISSION." <[email protected]>
            Subject: HAPPY NEW YEAR..........RE: FRAUD ALERT!!
            Date: Fri, 6 Jan 2012 16:20:36 -0500
            MIME-Version: 1.0
            Content-Type: text/html;
            Content-Transfer-Encoding: 7bit
            X-Priority: 3
            X-MSMail-Priority: Normal
            X-Mailer: Microsoft Outlook Express 6.00.2600.0000
            X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4913
            Return-Path: <[email protected]>
            Message-ID: <[email protected]>
            X-OriginalArrivalTime: 06 Jan 2012 21:19:37.0721 (UTC) FILETIME=[E522BE90:01CCCCB8]
            X-NiX-Spam-Hash2: 476d369f6687470399bf6573d5a542b3
            X-NiX-Spam-Source-IP: myipaddress
            X-NiX-Spam-Listed: yes
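
How to read those headers, as an added example that is not code from any poster: `Received:` lines are prepended by each server, so the bottom-most one is the first hop, the point where the message entered your mail system. In the quoted headers that hop is `from User ([...]) by ... with Microsoft SMTPSVC`, i.e. a client announcing itself as `User` handed the message straight to the Exchange SMTP virtual server, and that is the HELO name and IP to match in the SMTP protocol log. The headers below are constructed to mirror the quoted ones, with hypothetical hostnames and documentation-range IPs standing in for the redacted values.

```python
"""Walk the Received: chain of a message to find where it entered the mail
system: the client IP, the HELO/EHLO name it gave, and the server that
accepted it.

Added example for this thread, not any poster's code. The headers are
constructed with hypothetical hostnames and IPs in place of the redacted ones.
"""
import re
from typing import Dict, List, Optional, Tuple

SAMPLE_HEADERS = """\
Return-Path: <efcc@example.com>
X-Original-To: spamtrap@example.net
Received: from mail01.corp.local ([203.0.113.10])
 by spamtrap.example.net (Spamtrap) with ESMTP
 for spamtrap@example.net; Fri, 06 Jan 2012 22:19:39 +0100 (CET)
Received: from User ([203.0.113.45]) by mail01.corp.local with Microsoft SMTPSVC(6.0.3790.4675); Fri, 6 Jan 2012 21:19:37 +0000
From: "ECONOMICS AND FINANCIAL CRIMES COMMISSION." <efcc@example.com>
Subject: HAPPY NEW YEAR..........RE: FRAUD ALERT!!
Message-ID: <B7@mail01.corp.local>
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
"""

# Common shape of a Received: clause: "from <helo> ([ip]) by <host> (comment)
# with <protocol or software> for <rcpt>; <date>". Real-world variants exist;
# anything this does not match is returned raw so nothing is silently dropped.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\(\[?(?P<ip>[0-9.]+)\]?\)"   # HELO name and client IP
    r"\s+by\s+(?P<by>\S+)(?:\s+\([^)]*\))?"               # receiving host, optional comment
    r"(?:\s+with\s+(?P<with>[^;]+?))?"                    # protocol / software, if stated
    r"\s*(?:for\s+\S+)?\s*;"                              # optional envelope recipient, then the date
)


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a header block into (name, value) pairs, unfolding continuation
    lines (those starting with whitespace) onto the previous header."""
    headers: List[Tuple[str, str]] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip(), value.strip()))
    return headers


def received_hops(headers: List[Tuple[str, str]]) -> List[Dict[str, str]]:
    """Received: lines in travel order: index 0 is the first hop, because each
    MTA prepends its line, so the bottom-most header is the earliest."""
    hops: List[Dict[str, str]] = []
    for name, value in reversed(headers):
        if name.lower() != "received":
            continue
        m = HOP_RE.search(value)
        if m:
            hops.append({"helo": m.group("helo"), "ip": m.group("ip"),
                         "by": m.group("by"), "with": m.group("with") or ""})
        else:
            hops.append({"raw": value})
    return hops


def injection_point(headers: List[Tuple[str, str]]) -> Optional[Dict[str, str]]:
    """The client that handed the message to the first MTA, and that MTA."""
    hops = received_hops(headers)
    return hops[0] if hops else None


def header(headers: List[Tuple[str, str]], name: str) -> Optional[str]:
    """First header with the given name (case-insensitive), or None."""
    for n, v in headers:
        if n.lower() == name.lower():
            return v
    return None


if __name__ == "__main__":
    h = parse_headers(SAMPLE_HEADERS)
    print("entered at:", injection_point(h))
    print("search message tracking / SMTP log for:", header(h, "Message-ID"))
```

The `X-Mailer: Microsoft Outlook Express` line is whatever the sending software chose to write and proves nothing on its own; the hop data and the Message-ID are what tie the message back to the server's own logs.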


            • #7
              Re: Exchange 2003 - Virus Help!

              Don't waste your time looking at workstations.
              This is as old as the hills...

              A blog posting of mine from almost four years ago:

              A two year old blog posting:

              Authenticated user and/or NDR attack.

              Simon Butler
              Exchange MVP
