Koozali.org: home of the SME Server

Virus on Client Workstations caused flood of spam

Smitro, October 24, 2012, 12:44:57 AM:
A number of my users send mail out using my server. They connect via SMTPS. I have had 2 users in the last week get a virus on their machine which has grabbed their username and password, and spread it across the world, causing other servers to connect in and send spam via my server. The first they knew about it was when they received thousands of return emails from the server to say the address was not found. The spam contained links for Viagra etc.

Is there a way at a server level I can prevent this? I have the spam and antivirus scanning on email enabled. Does this not pick up outgoing email?

I'm not sure how they get the virus, hopefully not through incoming email. I'd love to reduce the risk of this reoccurring.

janet, Reply #1, October 24, 2012, 02:39:05 AM:
Smitro

You do need to ascertain the viral source, was a virus found & removed from your users computers ? No point trying to lay blame where it does not belong.

Do they have a current release of an anti virus program installed on their computer? Is it (the virus definition) updated daily? Do they have the Resident Shield (or real time scanning) function enabled? Do they have web site links & page scanning enabled? Do they have removable media scanning enabled? Do they have email scanning (send & receive) enabled?
All the above are necessary to protect a computer from viruses apart from whatever happens on a server.

On the server the theory nowadays is to disable the smtp proxy (which used to be enabled on sme7), & configure all users for secure & authenticated access to your sme server. That way the virus mail engine is unable to send as it does not have authentication details.

You cannot stop correctly addressed return mail.
The source of the addresses may have been someone else's infected computer, and the virus harvested the address of your users from someone else's address book.

Do you have executable content blocking for attachments enabled (including zip files) on the server ?

To stop your users (who are on your LAN using your sme server as gateway) from visiting bad web sites that contain viruses etc, install Dansguardian & configure it to block appropriately by score and enable real time virus scanning of requested web sites.
« Last Edit: October 24, 2012, 02:41:55 AM by mary »
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Smitro, Reply #2, October 24, 2012, 03:27:41 AM:
Mary, I agree. But would be nice to block a lot of this at a server level as well.

The users were using free antivirus solutions. One was Avira, the other Avast. The programs found the virus, only after a full scan. From the way I read the logs I could see the user authenticating and sending these emails. But it looked like the connections were coming from different IP addresses each time. So my guess is the virus got a hold of their password and sent it out to other machines to carry on. They were coming in via SMTPS - Port 465.

To fix the problem I reset their passwords, and got them to clean their machines. Machines were cleaned, passwords changed. All fixed. I'm now on a couple of black lists which I'm trying to plead my case to get off of. So, all fixed, until the next user does it.

I have now added blocking of all executables, but don't want to block zip because I use them legitimately.

I understand that by doing anything like what I'm asking I could block legitimate outgoing emails, and I don't really want to do that. Is there some sort of flood control that I might be able to put in place, where we can detect bucket loads of outgoing emails?

janet, Reply #3, October 24, 2012, 04:19:10 AM:
Smitro

So there was a virus infection on each of their computers. You still have not discovered where that came from. It does not sound like the free scanners were doing their job well enough, or not configured correctly (ie real time resident shield not enabled) or virus was obtained from a website and there is no protection enabled for web site accesses. Get a better scanner or improve the functionality.

Do your users really have authentication enabled for the Outgoing Mail Server option in their email clients to allow access to the smtp server to send outgoing mail ?

If they do, then report a bug or ask for a NFR to improve this situation, if possible.

I would keep zip1 enabled (blocked) in server manager as many viruses use zip1, and only allow zip2 format (if you must). Use zip2 or rar format for file compression, rar is much safer alternative & commonly used nowadays.

I think you have to get your ISP to monitor traffic flow re flood control implementation, AFAIK sme does not have that feature.

You really need to investigate where your users got the virus from (ie email, web, USB ???), in order to better block that weakness.

Smitro, Reply #4, October 24, 2012, 05:14:58 AM:
To be honest, users are going to be users. We can't trust them to look after their own machines. I'd like protection at a server level. The users are not on the LAN, so I can't control everything.

My users do have to Authenticate to send mail. My guess is that the virus has spread this information to other infected machines. I'm not sure what I would be asking for in a bug report.

I will try blocking zip1 and see how that goes. RAR is not a format that everyone is familiar with, and you have to pay for winrar.

Something else weird: the logs say that emails are being checked for viruses, but then I run a full virus scan on the machine each Saturday, and it picks up viruses in people's junkmail folder. I'm wondering why it does not pick it up earlier. Is there a way I can prove it's working?

CharlieBrady, Reply #5, October 24, 2012, 05:37:06 AM:

Quote
I have had 2 users in the last week get a virus on their machine which has grabbed their username and password, and spread it across the world causing other servers to connect in send spam via my server.

What is your evidence that this is what occurred?

Smitro, Reply #6, October 24, 2012, 06:52:52 AM:

Quote
What is your evidence that this is what occurred?

I would be grateful for someone more knowledgeable than me to check this. Here is an excerpt from /var/log/sqpsmtpd.

Hopefully this is what you need. I have replaced personal details with name_of_user@mydomain.com

2012-10-22 11:40:00.741281500 30713 Accepted connection 2/10 from 62.149.130.58 / webs3048.aruba.it
2012-10-22 11:40:00.741416500 30713 Connection from webs3048.aruba.it [62.149.130.58]
2012-10-22 11:40:00.741896500 30713 in config(plugins)
2012-10-22 11:40:00.757695500 30713 in config(peers/0)
2012-10-22 11:40:00.757785500 30713 config(peers/0) returning (logging/logterse tls ssl/cert.pem ssl/cert.pem ssl/cert.pem auth/auth_cvm_unix_local cvm_socket /var/lib/cvm/cvm-unix-local.socket enable_smtp yes enable_ssmtp yes check_earlytalker count_unrecognized_commands 4 check_relay check_norelay require_resolvable_fromhost check_basicheaders check_badmailfrom check_badrcptto_patterns check_badrcptto check_spamhelo check_goodrcptto extn - rcpt_ok virus/pattern_filter check=patterns action=deny tnef2mime spamassassin reject_threshold 10 munge_subject_threshold 5 virus/clamav clamscan_path=/usr/bin/clamdscan action=reject max_size=25000000 queue/qmail-queue) from cache
2012-10-22 11:40:00.757844500 30713 in config(plugin_dirs)
2012-10-22 11:40:00.757871500 30713 config(plugin_dirs) returning (/usr/share/qpsmtpd/plugins) from cache
2012-10-22 11:40:00.757934500 30713 in config(peers/0)
2012-10-22 11:40:00.757980500 30713 config(peers/0) returning (logging/logterse tls ssl/cert.pem ssl/cert.pem ssl/cert.pem auth/auth_cvm_unix_local cvm_socket /var/lib/cvm/cvm-unix-local.socket enable_smtp yes enable_ssmtp yes check_earlytalker count_unrecognized_commands 4 check_relay check_norelay require_resolvable_fromhost check_basicheaders check_badmailfrom check_badrcptto_patterns check_badrcptto check_spamhelo check_goodrcptto extn - rcpt_ok virus/pattern_filter check=patterns action=deny tnef2mime spamassassin reject_threshold 10 munge_subject_threshold 5 virus/clamav clamscan_path=/usr/bin/clamdscan action=reject max_size=25000000 queue/qmail-queue) from cache

<SNIPPED>

2012-10-22 11:40:00.764776500 30713 running plugin (connect): tls
2012-10-22 11:40:02.150707500 30713 tls plugin (connect): Connected via SMTPS
2012-10-22 11:40:02.150785500 30713 Plugin tls, hook connect returned DECLINED,
2012-10-22 11:40:02.150853500 30713 running plugin (connect): check_earlytalker
2012-10-22 11:40:03.151376500 30713 check_earlytalker plugin (connect): remote host said nothing spontaneous, proceeding
2012-10-22 11:40:03.151470500 30713 Plugin check_earlytalker, hook connect returned DECLINED,
2012-10-22 11:40:03.151504500 30713 running plugin (connect): count_unrecognized_commands
2012-10-22 11:40:03.151609500 30713 Plugin count_unrecognized_commands, hook connect returned DECLINED,
2012-10-22 11:40:03.151636500 30713 running plugin (connect): check_relay
2012-10-22 11:40:03.151713500 30713 in config(relayclients)
2012-10-22 11:40:03.151744500 30713 config(relayclients): hook returned (0, )
2012-10-22 11:40:03.151788500 30713 trying to get config for relayclients
2012-10-22 11:40:03.175172500 30713 setting _config_cache for relayclients to [127.0.0. 192.168.1.254] from get_qmail_config and returning it
2012-10-22 11:40:03.175173500 30713 in config(morerelayclients)
2012-10-22 11:40:03.175174500 30713 config(morerelayclients): hook returned (0, )
2012-10-22 11:40:03.175175500 30713 trying to get config for morerelayclients
2012-10-22 11:40:03.175176500 30713 setting _config_cache for morerelayclients to [HASH(0x112e30a0)] from get_qmail_config and returning it
2012-10-22 11:40:03.175177500 30713 Plugin check_relay, hook connect returned DECLINED,
2012-10-22 11:40:03.175182500 30713 running plugin (connect): check_norelay
2012-10-22 11:40:03.175182500 30713 in config(norelayclients)
2012-10-22 11:40:03.175183500 30713 config(norelayclients): hook returned (0, )
2012-10-22 11:40:03.175184500 30713 trying to get config for norelayclients
2012-10-22 11:40:03.175185500 30713 setting _config_cache for norelayclients to [192.168.1.2] from get_qmail_config and returning it
2012-10-22 11:40:03.175187500 30713 Plugin check_norelay, hook connect returned DECLINED,
2012-10-22 11:40:03.175190500 30713 in config(smtpgreeting)
2012-10-22 11:40:03.175191500 30713 config(smtpgreeting): hook returned (0, )
2012-10-22 11:40:03.175192500 30713 trying to get config for smtpgreeting
2012-10-22 11:40:03.175192500 30713 setting _config_cache for smtpgreeting to [box1.mydomain.com] from get_qmail_config and returning it
2012-10-22 11:40:03.175194500 30713 220 box1.mydomain.com ESMTP
2012-10-22 11:40:03.175195500 30713 in config(timeoutsmtpd)
2012-10-22 11:40:03.175201500 30713 config(timeoutsmtpd): hook returned (0, )
2012-10-22 11:40:03.175202500 30713 trying to get config for timeoutsmtpd
2012-10-22 11:40:03.175203500 30713 setting _config_cache for timeoutsmtpd to [120] from get_qmail_config and returning it
2012-10-22 11:40:03.509421500 30713 dispatching EHLO [192.168.0.7]
2012-10-22 11:40:03.509739500 30713 running plugin (ehlo): tls
2012-10-22 11:40:03.509923500 30713 Plugin tls, hook ehlo returned DECLINED,
2012-10-22 11:40:03.509959500 30713 running plugin (ehlo): check_spamhelo
2012-10-22 11:40:03.510015500 30713 in config(badhelo)
2012-10-22 11:40:03.510045500 30713 config(badhelo): hook returned (0, )
2012-10-22 11:40:03.510073500 30713 trying to get config for badhelo
2012-10-22 11:40:03.510368500 30713 setting _config_cache for badhelo to [aol.com yahoo.com] from get_qmail_config and returning it
2012-10-22 11:40:03.510442500 30713 Plugin check_spamhelo, hook ehlo returned DECLINED,
2012-10-22 11:40:03.510605500 30713 in config(tls_before_auth)
2012-10-22 11:40:03.510632500 30713 config(tls_before_auth): hook returned (0, )
2012-10-22 11:40:03.510654500 30713 trying to get config for tls_before_auth
2012-10-22 11:40:03.510858500 30713 setting _config_cache for tls_before_auth to [1] from get_qmail_config and returning it
2012-10-22 11:40:03.510885500 30713 in config(tls_before_auth)
2012-10-22 11:40:03.510912500 30713 config(tls_before_auth) returning (1) from cache
2012-10-22 11:40:03.510962500 30713 in config(me)
2012-10-22 11:40:03.510987500 30713 config(me): hook returned (0, )
2012-10-22 11:40:03.511008500 30713 trying to get config for me
2012-10-22 11:40:03.511124500 30713 setting _config_cache for me to [mydomain.com] from get_qmail_config and returning it
2012-10-22 11:40:03.511165500 30713 in config(databytes)
2012-10-22 11:40:03.511190500 30713 config(databytes): hook returned (0, )
2012-10-22 11:40:03.511211500 30713 trying to get config for databytes
2012-10-22 11:40:03.511330500 30713 setting _config_cache for databytes to [30000000] from get_qmail_config and returning it
2012-10-22 11:40:03.511357500 30713 in config(databytes)
2012-10-22 11:40:03.511383500 30713 config(databytes) returning (30000000) from cache
2012-10-22 11:40:03.511451500 30713 250-mydomain.com Hi webs3048.aruba.it [62.149.130.58]
2012-10-22 11:40:03.511477500 30713 250-PIPELINING
2012-10-22 11:40:03.511501500 30713 250-8BITMIME
2012-10-22 11:40:03.511526500 30713 250-SIZE 30000000
2012-10-22 11:40:03.511550500 30713 250 AUTH PLAIN LOGIN
2012-10-22 11:40:03.868817500 30713 dispatching AUTH LOGIN
2012-10-22 11:40:03.869024500 30713 in config(tls_before_auth)
2012-10-22 11:40:03.869056500 30713 config(tls_before_auth) returning (1) from cache
2012-10-22 11:40:03.869201500 30713 334 VXNlcm5hbWU6
2012-10-22 11:40:04.224149500 30713 334 UGFzc3dvcmQ6
2012-10-22 11:40:04.579681500 30713 running plugin (auth-login): auth::auth_cvm_unix_local
2012-10-22 11:40:04.579780500 30713 auth::auth_cvm_unix_local plugin (auth-login): authcvm/login authentication attempt for: name_of_user
2012-10-22 11:40:04.580968500 30713 Plugin auth::auth_cvm_unix_local, hook auth-login returned OK, authcvm/login
2012-10-22 11:40:04.581095500 30713 235 Authentication successful for name_of_user - authcvm/login
2012-10-22 11:40:04.581294500 30713 Authentication successful for name_of_user - authcvm/login
2012-10-22 11:40:04.581385500 30713 running plugin (valid_auth): peers
2012-10-22 11:40:04.581529500 30713 in config(peers/local)
2012-10-22 11:40:04.581560500 30713 config(peers/local): hook returned (0, )
2012-10-22 11:40:04.581593500 30713 trying to get config for peers/local
2012-10-22 11:40:04.582120500 30713 setting _config_cache for peers/local to [logging/logterse tls ssl/cert.pem ssl/cert.pem ssl/cert.pem auth/auth_cvm_unix_local cvm_socket /var/lib/cvm/cvm-unix-local.socket enable_smtp yes enable_ssmtp yes check_relay check_norelay check_badmailfrom check_badrcptto_patterns check_badrcptto check_spamhelo check_goodrcptto extn - rcpt_ok virus/pattern_filter check=patterns action=deny tnef2mime virus/clamav clamscan_path=/usr/bin/clamdscan action=reject max_size=25000000 queue/qmail-queue] from get_qmail_config and returning it
2012-10-22 11:40:04.582183500 30713 in config(plugin_dirs)
2012-10-22 11:40:04.582212500 30713 config(plugin_dirs) returning (/usr/share/qpsmtpd/plugins) from cache
2012-10-22 11:40:04.582317500 30713 in config(peers/local)
2012-10-22 11:40:04.582356500 30713 config(peers/local) returning (logging/logterse tls ssl/cert.pem ssl/cert.pem ssl/cert.pem auth/auth_cvm_unix_local cvm_socket /var/lib/cvm/cvm-unix-local.socket enable_smtp yes enable_ssmtp yes check_relay check_norelay check_badmailfrom check_badrcptto_patterns check_badrcptto check_spamhelo check_goodrcptto extn - rcpt_ok virus/pattern_filter check=patterns action=deny tnef2mime virus/clamav clamscan_path=/usr/bin/clamdscan action=reject max_size=25000000 queue/qmail-queue) from cache
2012-10-22 11:40:04.582403500 30713 in config(plugin_dirs)
2012-10-22 11:40:04.582430500 30713 config(plugin_dirs) returning (/usr/share/qpsmtpd/plugins) from cache
2012-10-22 11:40:04.582782500 30713 peers hooking valid_auth
2012-10-22 11:40:04.582840500 30713 peers hooking set_hooks
2012-10-22 11:40:04.582987500 30713 in config(plugin_dirs)
2012-10-22 11:40:04.583014500 30713 config(plugin_dirs) returning (/usr/share/qpsmtpd/plugins) from cache
2012-10-22 11:40:04.583197500 30713 logging::logterse hooking queue
2012-10-22 11:40:04.583276500 30713 logging::logterse hooking deny
2012-10-22 11:40:04.583342500 30713 in config(plugin_dirs)
2012-10-22 11:40:04.583368500 30713 config(plugin_dirs) returning (/usr/share/qpsmtpd/plugins) from cache
2012-10-22 11:40:04.583497500 30713 in config(tls_ciphers)
2012-10-22 11:40:04.583525500 30713 config(tls_ciphers) returning (ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM) from cache
2012-10-22 11:40:04.583570500 30713 tls plugin (init): ciphers: ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

<SNIPPED>

2012-10-22 11:40:04.589036500 30713 Plugin peers, hook valid_auth returned DECLINED,
2012-10-22 11:40:04.936940500 30713 dispatching MAIL FROM:<name_of_user@mydomain.com> SIZE=487
2012-10-22 11:40:04.937160500 30713 full from_parameter: FROM:<name_of_user@mydomain.com> SIZE=487
2012-10-22 11:40:04.937420500 30713 from email address : [<name_of_user@mydomain.com>]
2012-10-22 11:40:04.937930500 30713 running plugin (mail): tls
2012-10-22 11:40:04.938024500 30713 Plugin tls, hook mail returned DECLINED,
2012-10-22 11:40:04.938054500 30713 running plugin (mail): check_badmailfrom
2012-10-22 11:40:04.938119500 30713 in config(badmailfrom)
2012-10-22 11:40:04.938149500 30713 config(badmailfrom): hook returned (0, )
2012-10-22 11:40:04.938175500 30713 trying to get config for badmailfrom
2012-10-22 11:40:04.938485500 30713 Plugin check_badmailfrom, hook mail returned DECLINED,
2012-10-22 11:40:04.938578500 30713 getting mail from <name_of_user@mydomain.com>
2012-10-22 11:40:04.938639500 30713 250 <name_of_user@mydomain.com>, sender OK - how exciting to get mail from you!
2012-10-22 11:40:05.294940500 30713 dispatching RCPT TO:<1szyszka@wp.pl>
2012-10-22 11:40:05.295219500 30713 to email address : [<1szyszka@wp.pl>]
2012-10-22 11:40:05.295373500 30713 running plugin (rcpt): tls
2012-10-22 11:40:05.295462500 30713 Plugin tls, hook rcpt returned DECLINED,
2012-10-22 11:40:05.295490500 30713 running plugin (rcpt): check_badmailfrom
2012-10-22 11:40:05.295567500 30713 Plugin check_badmailfrom, hook rcpt returned DECLINED,
2012-10-22 11:40:05.295593500 30713 running plugin (rcpt): check_badrcptto_patterns
2012-10-22 11:40:05.295658500 30713 Plugin check_badrcptto_patterns, hook rcpt returned DECLINED,
2012-10-22 11:40:05.295683500 30713 running plugin (rcpt): check_badrcptto
2012-10-22 11:40:05.295743500 30713 Plugin check_badrcptto, hook rcpt returned DECLINED,
2012-10-22 11:40:05.295769500 30713 running plugin (rcpt): check_goodrcptto
2012-10-22 11:40:05.295828500 30713 Plugin check_goodrcptto, hook rcpt returned DECLINED,
2012-10-22 11:40:05.295853500 30713 running plugin (rcpt): rcpt_ok
2012-10-22 11:40:05.295924500 30713 in config(me)
2012-10-22 11:40:05.295961500 30713 config(me) returning (mydomain.com) from cache
2012-10-22 11:40:05.295984500 30713 in config(rcpthosts)
2012-10-22 11:40:05.296012500 30713 config(rcpthosts): hook returned (0, )
2012-10-22 11:40:05.296038500 30713 trying to get config for rcpthosts
2012-10-22 11:40:05.296541500 30713 setting _config_cache for rcpthosts to [<REMOVED PERSONAL INFO HERE>] from get_qmail_config and returning it
2012-10-22 11:40:05.296741500 30713 in config(morercpthosts)
2012-10-22 11:40:05.296768500 30713 config(morercpthosts): hook returned (0, )
2012-10-22 11:40:05.296790500 30713 trying to get config for morercpthosts
2012-10-22 11:40:05.296864500 30713 setting _config_cache for morercpthosts to [HASH(0x11312710)] from get_qmail_config and returning it
2012-10-22 11:40:05.296947500 30713 Plugin rcpt_ok, hook rcpt returned OK,
2012-10-22 11:40:05.297061500 30713 250 <1szyszka@wp.pl>, recipient ok
2012-10-22 11:40:05.653166500 30713 dispatching DATA
2012-10-22 11:40:05.653310500 30713 running plugin (data): tls
2012-10-22 11:40:05.653430500 30713 Plugin tls, hook data returned DECLINED,
2012-10-22 11:40:05.653579500 30713 354 go ahead
2012-10-22 11:40:05.653726500 30713 in config(databytes)
2012-10-22 11:40:05.653761500 30713 config(databytes) returning (30000000) from cache
2012-10-22 11:40:05.653795500 30713 max_size: 30000000 / size: 0
2012-10-22 11:40:05.653965500 30713 in config(timeout)
2012-10-22 11:40:05.653996500 30713 config(timeout): hook returned (0, )
2012-10-22 11:40:05.654022500 30713 trying to get config for timeout
2012-10-22 11:40:05.654239500 30713 setting _config_cache for timeout to [120] from get_qmail_config and returning it
2012-10-22 11:40:06.009706500 30713 spooling message to disk
2012-10-22 11:40:06.012098500 30713 max_size: 30000000 / size: 477
2012-10-22 11:40:06.012293500 30713 in config(me)
2012-10-22 11:40:06.012325500 30713 config(me) returning (mydomain.com) from cache
2012-10-22 11:40:06.012680500 30713 running plugin (data_post): virus::pattern_filter
2012-10-22 11:40:06.012731500 30713 in config(pattern_filter)
2012-10-22 11:40:06.012761500 30713 config(pattern_filter): hook returned (0, )
2012-10-22 11:40:06.012789500 30713 trying to get config for pattern_filter
2012-10-22 11:40:06.012935500 30713 in config(signatures_patterns)
2012-10-22 11:40:06.012964500 30713 config(signatures_patterns): hook returned (0, )
2012-10-22 11:40:06.012987500 30713 trying to get config for signatures_patterns
2012-10-22 11:40:06.013282500 30713 setting _config_cache for signatures_patterns to [AHhIYW5k AHhUYXgg AMkgICAg AMlIbDk5Lm R0lGODlhaAA7APcAAP///+rp6puSp6GZrDUjUUc6Zn53mFJMdbGvvVtXh2xre8bF1x8cU4yLprOy] from get_qmail_config and returning it
2012-10-22 11:40:06.013567500 30713 Plugin virus::pattern_filter, hook data_post returned DECLINED,
2012-10-22 11:40:06.013597500 30713 running plugin (data_post): tnef2mime
2012-10-22 11:40:06.021902500 30713 Plugin tnef2mime, hook data_post returned DECLINED,
2012-10-22 11:40:06.021939500 30713 running plugin (data_post): virus::clamav
2012-10-22 11:40:06.022035500 30713 virus::clamav plugin (data_post): Changing permissions on file to permit scanner access
2012-10-22 11:40:06.022085500 30713 virus::clamav plugin (data_post): Running: /usr/bin/clamdscan --stdout  --config-file=/etc/clamd.conf --no-summary /var/spool/qpsmtpd/1350870006:30713:0 2>&1
2012-10-22 11:40:06.028139500 30713 virus::clamav plugin (data_post): clamscan results: /var/spool/qpsmtpd/1350870006:30713:0: OK
2012-10-22 11:40:06.028284500 30713 in config(me)
2012-10-22 11:40:06.028333500 30713 config(me) returning (mydomain.com) from cache
2012-10-22 11:40:06.028922500 30713 Plugin virus::clamav, hook data_post returned DECLINED,
2012-10-22 11:40:06.029279500 30713 running plugin (queue): logging::logterse
2012-10-22 11:40:06.029758500 30713 logging::logterse plugin (queue): ` 62.149.130.58 webs3048.aruba.it [192.168.0.7] <name_of_user@mydomain.com> <1szyszka@wp.pl> queued <513473402.20121022033011@mydomain.com>
2012-10-22 11:40:06.029814500 30713 Plugin logging::logterse, hook queue returned DECLINED,
2012-10-22 11:40:06.029841500 30713 running plugin (queue): queue::qmail_2dqueue
(I had to cut it short to post).
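Smitro asked in Reply #2 for some sort of flood control that would notice bucket loads of outgoing mail, and janet answered that SME Server has no such feature. The excerpt above contains enough to build that check outside the MTA. The script below is an added example written for this thread, not code from SME Server or qpsmtpd: it reads log lines in the shape shown above (tai64nlocal-style timestamp, child pid, message), links each "Authentication successful for USER" to the "Accepted connection ... from IP" line of the same pid, counts one submission per "logterse plugin (queue)" line, and flags any account that authenticates from too many distinct client IPs, or queues too many messages, inside a sliding one-hour window. The thresholds, the sample log, the user names and the addresses are all constructed assumptions; on a real server you would feed it the log lines as they appear in the excerpt and act on the result (lock the account, reset the password) yourself.

```python
"""Flag mail-submission accounts that look compromised, from qpsmtpd logs.

Added example for this forum thread; not part of SME Server or qpsmtpd.
Line format and plugin names are taken from the excerpt posted above.
Thresholds and the sample log below are constructed assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Line shape: "<date> <time>.<nanoseconds> <pid> <message>"
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.(\d+) (\d+) (.*)$")
CONNECT_RE = re.compile(r"^Accepted connection \d+/\d+ from (\S+) / ")
AUTH_RE = re.compile(r"^Authentication successful for (\S+) ")
QUEUED_RE = re.compile(r"logterse plugin \(queue\): ")


def parse_line(line):
    """Return (timestamp, pid, message), or None for lines that don't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    # the log carries nanoseconds; datetime only keeps microseconds
    ts += timedelta(microseconds=int(m.group(2)[:6].ljust(6, "0")))
    return ts, int(m.group(3)), m.group(4)


def submission_events(lines):
    """Yield (timestamp, user, client_ip) once per message queued by an
    authenticated session. Sessions are keyed by the qpsmtpd child pid;
    a new 'Accepted connection' for that pid starts a fresh session."""
    sessions = {}  # pid -> {"ip": str, "user": str or None}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, pid, msg = parsed
        m = CONNECT_RE.match(msg)
        if m:
            sessions[pid] = {"ip": m.group(1), "user": None}
            continue
        m = AUTH_RE.match(msg)
        if m and pid in sessions:
            sessions[pid]["user"] = m.group(1)
            continue
        if QUEUED_RE.search(msg) and pid in sessions and sessions[pid]["user"]:
            yield ts, sessions[pid]["user"], sessions[pid]["ip"]


def find_abuse(lines, window=timedelta(hours=1), max_ips=3, max_msgs=50):
    """Return {user: reason} for accounts that, within any span of length
    `window`, authenticate from >= max_ips distinct client addresses or
    queue >= max_msgs messages. Threshold values are assumptions."""
    history = defaultdict(deque)  # user -> deque of (ts, ip) inside window
    flagged = {}
    for ts, user, ip in submission_events(lines):
        q = history[user]
        q.append((ts, ip))
        while q and ts - q[0][0] > window:
            q.popleft()
        ips = {i for _, i in q}
        if len(ips) >= max_ips:
            flagged.setdefault(user, f"{len(ips)} distinct client IPs in {window}")
        elif len(q) >= max_msgs:
            flagged.setdefault(user, f"{len(q)} messages queued in {window}")
    return flagged


def _session(start, pid, ip, host, user, rcpt):
    """Constructed three-line session in the format of the excerpt above."""
    def stamp(offset):
        return (start + timedelta(seconds=offset)).strftime("%Y-%m-%d %H:%M:%S") + ".000000000"
    msgid = f"<{pid}.{start.strftime('%Y%m%d%H%M%S')}@mydomain.com>"
    return [
        f"{stamp(0)} {pid} Accepted connection 1/10 from {ip} / {host}",
        f"{stamp(1)} {pid} Authentication successful for {user} - authcvm/login",
        f"{stamp(2)} {pid} logging::logterse plugin (queue): ` {ip} {host} [192.168.0.7] "
        f"<{user}@mydomain.com> <{rcpt}> queued {msgid}",
    ]


# Constructed sample: 'bob' authenticates from three unrelated hosts within
# five minutes (the pattern described in Reply #2); 'alice' sends normally.
# Pid 30713 is reused later by alice, which exercises the session reset.
T0 = datetime(2012, 10, 22, 11, 40, 0)
SAMPLE_LOG = (
    _session(T0, 30713, "62.149.130.58", "webs3048.aruba.it", "bob", "a@example.net")
    + _session(T0 + timedelta(minutes=2), 30720, "198.51.100.7", "mail.example.org", "bob", "b@example.net")
    + _session(T0 + timedelta(minutes=5), 30731, "203.0.113.9", "host9.example.com", "bob", "c@example.net")
    + _session(T0 + timedelta(minutes=30), 30740, "192.0.2.44", "alice-pc.example", "alice", "d@example.net")
    + _session(T0 + timedelta(hours=3), 30713, "192.0.2.44", "alice-pc.example", "alice", "e@example.net")
)

if __name__ == "__main__":
    for user, reason in find_abuse(SAMPLE_LOG).items():
        print(f"{user}: {reason}")
```

The logterse queue line already repeats the client address, so the pid linking is not strictly needed to count queued mail; it is kept because it also lets you see sessions that authenticate and are then rejected before queueing, which is the earliest point at which a leaked password shows up. Run it from cron against the current log and treat a flagged account as a password reset, not just a report.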

CharlieBrady, Reply #7, October 25, 2012, 09:34:16 PM:

Quote
I have now added blocking of all executables, but don't want to block zip because I use them legitimately.

There's a good chance that the virus/malware didn't arrive via email, but instead was fetched by a browser from an infected or malicious website.

Your diagnosis looks good, BTW.

Smitro, Reply #8, October 27, 2012, 12:10:10 AM:
Thanks Charlie.

Looking back I should have got the name of the virus and done a bit of research, but at the time I just wanted it gone.

CharlieBrady, Reply #9, October 27, 2012, 03:49:35 AM:

Quote
Looking back I should have got the name of the virus and done a bit of research, but at the time I just wanted it gone.

I'm a great believer in doing diagnosis first, before making changes.

Smitro, Reply #10, November 02, 2012, 12:11:17 AM:

This is the part that has puzzled me. Why does my weekly virus scan pick up 8 viruses? All are in users' junk mail folders.

There were about 3 different types. Are they not being scanned when they came in?

janet, Reply #11, November 02, 2012, 01:21:46 AM:
Smitro

Quote
Why does my weekly virus scan pick up 8 viruses. All are in users junk mail folders.
There was about 3 different types. Are they not being scanned when they came in?

Read the headers of those messages to see why they were moved to the junkmail folder, then you will start understanding why.

Virus definition databases are not stagnant; they are being added to & updated externally all the time as new viruses or variants are released. It takes time for this process to happen, typically a day or two. Your server updates the virus definition database daily, so when a new virus is released & starts circulating the world you can receive infected email messages BEFORE the virus definition is updated with knowledge of the new virus. Therefore when your incoming emails are scanned, no virus is being found. A few days later, when the new virus has been added to the virus definitions & your server now knows about it, and a weekly system virus scan is done, infected email messages are found.

Probably the reason those email messages are in the junkmail folder is because the spam filter has identified them as having suspicious content, scored them appropriately, & moved them to the junkmail folder.

This is why GOOD virus protection is a multi layered approach, & updated & correctly functioning virus scanners on workstations are still an important part of virus protection. If the virus gets through one layer then there is another layer, or two or three layers, that the virus still has to get past & avoid being detected.

If viruses come from bad web sites or URL links, and your workstations DO NOT use sme server as their gateway (eg with Dansguardian installed), then you still need active & functional protection on each workstation, ie each gateway needs its own protection or layers of protection.

Smitro, Reply #12, November 02, 2012, 01:27:20 AM:

Yes, that's fair enough. I thought that would be the case. But it was 3 different viruses. Maybe they fit into the category of the many that are released each day.

janet, Reply #13, November 02, 2012, 01:42:37 AM:
Smitro

You deleted them (which is a reasonable approach to get rid of the problem quickly), but you did not record them or their names in order to further investigate, so we will never know.