[Dshield] Problems with email

Doug White doug at clickdoug.com
Fri Oct 3 23:28:03 GMT 2003

Your description sounds like the "customer" infected himself and then started
pumping out all the email cached on his local machine.  Also, apparently the ISP
does not have an anti-virus solution on the server, and perhaps it, too, is now
infected.  There could be multiple infections within their customer base, but it
looks more like the server itself or a machine networked to the server.

Alternatively, there is a corruption of program files in the Queue manager
portion of the server, where it is not deleting messages after they are sent,
but looping over them over and over again.  The cause may well be related to a
drive going bad.

If they have a backup recent enough to be from just before the problem showed up,
then perhaps shut down the mail server, restore the backup (just to restore
server program files that may have become corrupt) and then restart it.  If the
problem persists, then it is time to take it offline and rebuild the server.
Unfortunately either of these scenarios will cause not only the loss of
the repeated mail, but of any new mail which may be included in the queue.

Were I the administrator of that server, this is where I would go.

----- Original Message ----- 
From: "Deb Hale" <haled at pionet.net>
To: "'General DShield Discussion List'" <list at dshield.org>
Sent: Friday, October 03, 2003 4:27 PM
Subject: RE: [Dshield] Problems with email

| /SNIP/
| If the past two or three year's worth of email is suddenly being resent, or
| otherwise reappearing this sounds like something entirely internal to these
| two ISP's.
| This is only happening on one of the ISP's. I am asking them to explain to
| me how this is happening and why copies of email in and out is being held.
| They can't (or Won't) explain it to me. (As usual).   :(
| Anyway, the other one is just getting overloaded with emails that appear to
| be the same group of emails (from yesterday) being sent over and over again.
| They thought they had it cleaned up last night and it started happening
| again this morning. This one runs on a UNIX box. They are totally puzzled
| and ready to shut the whole thing down until they can get it to stop.
| They had a user click on the "Microsoft Update" attachment on Monday. Then
| most of their customers started getting the same email from that user as
| well as others. It started building up steam on Tuesday and Wednesday and
| the average number received per day was 20 to 25. Then yesterday all H...
| broke loose and it is still loose. It is like they are overwhelmed with
| spam????? But it is the same group of emails being sent over and over again.
| (I know it doesn't make sense).
| I can tell you this ISP is one of the best in the area. They are extremely
| security conscientious and apply patches to the OS's as soon as they know
| about them and have had an opportunity to ensure no negative impact (unlike
| the other ISP noted above who only patches after they get hit). While they
| are evaluating they are monitoring closely. They have closed down all of the
| open relays and the amount of spam dropped from several hundred a week to 3
| or 4 a week.  These guys have been in the business a long, long time so I
| have a lot of confidence and respect for their knowledge and ability. They
| have been very proactive rather than reactive.
| I am beginning to feel for them, they are about at their wits end.
| Any thoughts?

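The "queue looping" hypothesis above can be checked directly in the MTA's delivery log: a healthy queue removes a message after a successful delivery, so the same queue ID reporting a successful delivery to the same recipient more than once is the symptom to look for. The script below is an added example and is not from either poster; it assumes a sendmail-style log line format (`queue_id: to=<rcpt>, ..., stat=Sent`) and runs over a few constructed sample lines, not the ISP's real logs.

```python
import re
from collections import defaultdict

# Constructed sample log lines in a sendmail-like format (assumed format, not
# taken from the ISP described in the thread). Queue id h92C1Cxx001201 is
# reported "Sent" three times and h92C1Fxx001203 twice, which is the looping
# symptom; h93B1Axx001556 is delivered once, as a healthy queue would do.
SAMPLE_LOG = """\
Oct  2 08:01:12 mail sm-mta[1201]: h92C1Cxx001201: to=<a@example.net>, delay=00:00:01, stat=Sent
Oct  2 08:01:15 mail sm-mta[1203]: h92C1Fxx001203: to=<b@example.net>, delay=00:00:02, stat=Sent
Oct  2 09:30:44 mail sm-mta[1301]: h92C1Cxx001201: to=<a@example.net>, delay=01:29:33, stat=Sent
Oct  2 11:00:02 mail sm-mta[1402]: h92C1Cxx001201: to=<a@example.net>, delay=02:58:51, stat=Sent
Oct  3 07:15:09 mail sm-mta[1555]: h92C1Fxx001203: to=<b@example.net>, delay=23:14:56, stat=Sent
Oct  3 07:15:10 mail sm-mta[1556]: h93B1Axx001556: to=<c@example.net>, delay=00:00:01, stat=Sent
"""

# Matches the assumed "<timestamp> <host> <daemon[pid]>: <qid>: to=<rcpt>, ... stat=<status>" shape.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ \S+: "
    r"(?P<qid>[A-Za-z0-9]+): to=<(?P<rcpt>[^>]+)>, .*stat=(?P<stat>\w+)"
)


def parse_log(text):
    """Yield (timestamp, queue_id, recipient, status) for every parseable line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("qid"), m.group("rcpt"), m.group("stat")


def find_resent(text, threshold=2):
    """Return {(queue_id, recipient): [timestamps]} for deliveries that the MTA
    reported as successfully sent at least `threshold` times.  One queue id
    completing repeatedly to the same recipient means the message was not
    removed from the queue after delivery."""
    seen = defaultdict(list)
    for ts, qid, rcpt, stat in parse_log(text):
        if stat == "Sent":
            seen[(qid, rcpt)].append(ts)
    return {key: times for key, times in seen.items() if len(times) >= threshold}


def report(text):
    """Print one line per looping delivery and return the findings."""
    hits = find_resent(text)
    for (qid, rcpt), times in sorted(hits.items()):
        print(f"{qid} -> {rcpt}: sent {len(times)} times ({times[0]} .. {times[-1]})")
    return hits


if __name__ == "__main__":
    report(SAMPLE_LOG)
```

On a real system, feed the script the maillog for the affected days; if every flagged queue ID is one the ISP believes it already delivered, the queue manager (or the disk under it) is the place to look, whereas new queue IDs carrying the same message body point back at a re-sending client.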