Cleansing an infected mail server

Please let others know how useful this tip is via the rating scale at the end of it. Do you have a useful Exchange or Outlook tip, timesaver or workaround to share? Submit it to our tip contest and you could win a prize.

There are countless articles on how to prevent e-mail virus infections, but almost nobody talks about how to clean up a massive infection. Of course, you want to update your server's file-level and Exchange-level antivirus software, and make sure all users have up-to-date antivirus applications running on their desktops.

But sometimes these steps are not enough. If your server is heavily infected, the sheer volume of infected messages can overwhelm the machine and your antivirus software may not be able to keep pace with the server. If you find yourself in a situation like this, here are the steps you need to take.

Stop the flow of SMTP traffic

First, cut off communications between your mail server and the Internet. This will prevent your server from spewing infected messages to the outside world and stop any new messages from arriving until you've recovered from the infection.

One way of stopping the flow of SMTP traffic is to configure your organization's SMTP connector to not deliver mail:

1. Open Exchange System Manager and navigate through the console tree to Administrative Groups -> your administrative group -> Routing Groups -> First Routing Group -> Connectors -> your SMTP connector.

2. Right click on your SMTP connector and select Properties.

3. Now choose the Delivery Options tab.

4. Pick the Never Run option from the Connection time dropdown list.

While you are at it, you might also consider disabling the SMTP virtual server:

1. Navigate to Administrative Groups -> your administrative group -> Servers -> your server -> Protocols -> SMTP -> Default SMTP Virtual Server.

2. Right click on the Default SMTP Virtual Server object and select the Stop command.

Keep users out of Exchange

In some cases, you may also need to keep the users out of the Exchange server while you disinfect it. The easiest way to do this is to unplug the network cable from the server. This will guarantee that nobody can send or receive anything until you are ready for them to do so.

Freeze your message queues

Now it is time to begin cleaning out the message queues. To do so, you must freeze the queues and then delete the undesirable messages.

1. To freeze a queue, navigate through the Exchange System Manager console to Administrative Groups -> your administrative group -> Servers -> your server -> Queues.

2. The console's detail pane will display a list of the server's queues. Right click on the queue containing the offending messages and select the Freeze command. (Keep in mind that X.400 queues can't be frozen.)

If you want to freeze all the queues, simply click the Disable Outbound Mail button (click Enable Outbound Mail to re-enable mail flow).

Locate and remove infected messages

To locate infected messages and remove them from the queues:

1. Click the Find Messages button.

2. The easiest way to spot an infected message is usually by its subject line. Unfortunately, the Find Messages feature doesn't allow you to search by subject line. Instead, enter a large number (such as 100,000) into the Number of Messages to Be Listed In the Search field.

3. Set the Show Messages Whose State Is option to All Messages and click Find Now.

4. The result is that all of the messages in the queue will be displayed. You can then sort the results by subject line to make finding the infected messages easier.

5. Finally, select and right click on the infected messages and select Delete (No NDR).. The infected messages will be deleted from the queue.

6. Repeat the procedure on the remaining queues.

Even after all of the queues have been disinfected, there is a very good chance that some of the mailboxes on your server contain infected messages. Exchange doesn't offer any easy mechanism for manually disinfecting everyone's mailboxes. Your best option is to scan the mailboxes with an Exchange aware antivirus program. You should do this prior to allowing the users back onto the server.

Return Exchange to a functional state

The last step in the process is to bring the server back to a functional state:

1. Enable mail flow and unfreeze any frozen queues.

2. Enable the SMTP Virtual Server and set the connection time for your SMTP connector back to Always Run.

3. Plug the network cable back in to allow users access Exchange once again.

About the author: Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. Brien has served as the CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal Web site at http://www.brienposey.com.

Reference Center: Exchange virus protection

---

Rate this Tip To rate tips, you must be a member of SearchExchange.com. Register now to start rating these tips. Log in if you are already a member. Submit a Tip Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Exchange Security Tips How to install Forefront Security for Exchange Server Is full email encryption the solution to Exchange security? Lock down direct file access and protect OWA users Controlling spam in Exchange 2007 at the edge transport server level When to use a self-signed certificate with Exchange Server 2007 Obtaining and verifying SSL certificates in Exchange Server How file-level antivirus software can harm your Exchange Server Understanding Exchange Server 2007 SP1 mobile security settings Which ActiveSync authentication method is best for your mobile device? Why you should secure Exchange 2007 using administrative policies Spam and virus protection How to install Forefront Security for Exchange Server Block Web beacons and protect OWA users from spam Controlling spam in Exchange 2007 at the edge transport server level How file-level antivirus software can harm your Exchange Server Problems with email spoofing on SBS 2003 Exchange Insider e-zine Securing your Exchange Server 2007 journaling archives Troubleshooting Outlook Web Access issues on a 64-bit system Microsoft Exchange Server security dos and don'ts Troubleshooting Microsoft Exchange Server Event ID error 6009 Spam and virus protection Research RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary backscatter spam  (SearchExchange.com) greylist  (SearchExchange.com) image spam  (SearchExchange.com) KnujOn  (SearchExchange.com) Sender ID  (SearchExchange.com) spam confidence level  (SearchExchange.com) spamblock  (SearchExchange.com) spim  (SearchExchange.com) tarpitting  (SearchExchange.com) Vouch by Reference (VBR)  (SearchExchange.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.