Virus? Showing up in Exchange mailbox root folder



Courtenay
07-09-2005, 10:49 PM
I have a recurring problem with one user's mailbox. Every few weeks, messages
show up in his Exchange mailbox root folder. He can't see them, and I only
know they are there because they show up as an error on our nightly tape
backup. I have to use the MDBVU utility to delete the problem messages from
the root folder, then it's fine again for a few weeks until the messages come
back.

The problem files look like they contain viruses. (The subject lines are
always different, but along the lines of "FW:", "FW: Account Alert", etc.)
We've scanned the user's system & mailbox numerous times. Changing his PC
hasn't helped either. Any idea why this is happening?

Crouchie1998
07-09-2005, 10:49 PM
Courtenay,

How do you know it isn't someone who has his e-mail address in their address
book that has a mass mailing virus? That way, they would be oblivious to it.
It would explain the FW:, wouldn't it?

Why don't you scan the files when found for viruses? Another thing you could
do is get the originating IP address & do a reverse DNS on it. If you
recognise the ISP etc. that may also narrow the person down.

I hope this helps

Crouchie1998
BA (HONS) MCP MCSE
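
Added example (not part of any post in this thread): one way to carry out the "originating IP, then reverse DNS" check in Python, assuming the raw headers of a suspect message have been saved as text. The sample headers, the `OWN_NETS` ranges and the function names are constructed for illustration; only the hop recorded by your own border server is trustworthy, since earlier `Received:` lines can be forged by the sender.

```python
import email
import ipaddress
import re
import socket

# Constructed sample headers (documentation-range addresses, not from the thread).
SAMPLE = """\
Received: from exch01.corp.example (10.0.0.5) by exch02.corp.example (10.0.0.6);
 Sat, 9 Jul 2005 22:40:03 -0400
Received: from mail.sender.example (unknown [203.0.113.45])
 by mx.corp.example (192.0.2.10) with ESMTP; Sat, 9 Jul 2005 22:40:01 -0400
Received: from [198.51.100.7] (helo=pc) by mail.sender.example with SMTP;
 Sat, 9 Jul 2005 22:39:58 -0400
From: someone@sender.example
Subject: FW: Account Alert

body
"""

# Assumption: networks that belong to your own mail servers.
OWN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/28")]
IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")

def handoff_ip(raw_headers):
    """Return the first external IP that connected to one of our servers."""
    msg = email.message_from_string(raw_headers)
    # Received headers are newest-first; walk down until we leave our own hops.
    for hop in msg.get_all("Received", []):
        from_part = " ".join(hop.split()).split(" by ", 1)[0]
        for candidate in IP_RE.findall(from_part):
            try:
                ip = ipaddress.ip_address(candidate)
            except ValueError:
                continue  # e.g. 999.1.1.1 is not a valid address
            if not any(ip in net for net in OWN_NETS):
                return str(ip)
    return None

def reverse_dns(ip, lookup=socket.gethostbyaddr):
    """PTR lookup; returns None when no record exists or DNS is unreachable."""
    try:
        return lookup(ip)[0]
    except OSError:  # socket.herror and socket.gaierror are subclasses
        return None

if __name__ == "__main__":
    ip = handoff_ip(SAMPLE)
    print(ip, reverse_dns(ip))
```

The PTR name is set by whoever controls the address block, so treat it as a hint toward the ISP rather than proof of the sender's identity.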

Courtenay
07-09-2005, 10:49 PM
Thanks for the input!

Yes, it's quite possible the messages are coming from someone else with a
virus. The thing that puzzles me is why they go into the mailbox root folder.
I am not sure how I could scan or trace the file if I can only access it
through MDBVU. The only thing I seem to be able to do through that utility is
delete them. I've tried scanning the entire mailbox from our Exchange Server
using Symantec Mail Security for Exchange, but nothing comes up...


"Crouchie1998" wrote:

> Courtenay,
>
> How do you know it isn't someone who has his e-mail address in their address
> book that has a mass mailing virus? That way, they would be oblivious to it.
> It would explain the FW:, wouldn't it?
>
> Why don't you scan the files when found for viruses? Another thing you could
> do is get the originating IP address & do a reverse DNS on it. If you
> recognise the ISP etc. that may also narrow the person down.
>
> I hope this helps
>
> Crouchie1998
> BA (HONS) MCP MCSE
>
>
>

Courtenay
07-09-2005, 10:49 PM
Thanks for the input! I agree, these files could be coming from an outside
source. What puzzles me is, why/how are they ending up in this user's mailbox
root folder instead of his Inbox?

Because I can only access the files through MDBVU, I don't know how I could
scan them for viruses or trace the IP address. The only thing I seem to be
able to do is delete them...

"Crouchie1998" wrote:

> Courtenay,
>
> How do you know it isn't someone who has his e-mail address in their address
> book that has a mass mailing virus? That way, they would be oblivious to it.
> It would explain the FW:, wouldn't it?
>
> Why don't you scan the files when found for viruses? Another thing you could
> do is get the originating IP address & do a reverse DNS on it. If you
> recognise the ISP etc. that may also narrow the person down.
>
> I hope this helps
>
> Crouchie1998
> BA (HONS) MCP MCSE
>
>
>

David H. Lipman
07-09-2005, 10:49 PM
From: "Courtenay" <Courtenay@discussions.microsoft.com>

| Thanks for the input!
|
| Yes, it's quite possible the messages are coming from someone else with a
| virus. The thing that puzzles me is why they go into the mailbox root folder.
| I am not sure how I could scan or trace the file if I can only access it
| through MDBVU. The only thing I seem to be able to do through that utility is
| delete them. I've tried scanning the entire mailbox from our Exchange Server
| using Symantec Mail Security for Exchange, but nothing comes up...
|
| "Crouchie1998" wrote:
|

Since you indicate that you are using AV software specific to the use on an Exchange Server,
I suggest that you also post the problems in a MS Exchange Server News Group. Mention this
thread in that post.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

Courtenay
07-09-2005, 10:49 PM
Thanks for the input! I agree the messages could be coming from an external
source. What puzzles me is, why/how are they ending up in the Root Folder of
the user's mailbox?

I can only see these emails when I use MDBVU, so I don't know how I could
scan them for viruses or trace the IP. All I seem to be able to do through
MDBVU is delete them...

"Crouchie1998" wrote:

> Courtenay,
>
> How do you know it isn't someone who has his e-mail address in their address
> book that has a mass mailing virus? That way, they would be oblivious to it.
> It would explain the FW:, wouldn't it?
>
> Why don't you scan the files when found for viruses? Another thing you could
> do is get the originating IP address & do a reverse DNS on it. If you
> recognise the ISP etc. that may also narrow the person down.
>
> I hope this helps
>
> Crouchie1998
> BA (HONS) MCP MCSE
>
>
>

Courtenay
07-09-2005, 10:49 PM
Thanks for the input! I agree the messages could be coming from an external
source. What puzzles me is, why/how are they ending up in the Root Folder of
the user's mailbox, instead of the Inbox?

I can only see these messages when I use MDBVU, so I don't know how I could
scan them for viruses or trace the IP. All I seem to be able to do through
MDBVU is delete them...


"Crouchie1998" wrote:

> Courtenay,
>
> How do you know it isn't someone who has his e-mail address in their address
> book that has a mass mailing virus? That way, they would be oblivious to it.
> It would explain the FW:, wouldn't it?
>
> Why don't you scan the files when found for viruses? Another thing you could
> do is get the originating IP address & do a reverse DNS on it. If you
> recognise the ISP etc. that may also narrow the person down.
>
> I hope this helps
>
> Crouchie1998
> BA (HONS) MCP MCSE
>
>
>

Courtenay
07-09-2005, 10:49 PM
Thanks for the input! I agree the messages could be coming from an external
source. What puzzles me is, why / how are they ending up in the Root Folder
of the user's mailbox, instead of the Inbox?

I can only see these messages when I use MDBVU, so I don't know how I could
scan them for viruses or trace the IP. All I seem to be able to do through
MDBVU is delete them...


"Crouchie1998" wrote:

> Courtenay,
>
> How do you know it isn't someone who has his e-mail address in their address
> book that has a mass mailing virus? That way, they would be oblivious to it.
> It would explain the FW:, wouldn't it?
>
> Why don't you scan the files when found for viruses? Another thing you could
> do is get the originating IP address & do a reverse DNS on it. If you
> recognise the ISP etc. that may also narrow the person down.
>
> I hope this helps
>
> Crouchie1998
> BA (HONS) MCP MCSE
>
>
>

