Cleansing an infected mail server


Brien M. Posey
06.13.2005


There are countless articles on how to prevent e-mail virus infections, but almost nobody talks about how to clean up a massive infection. Of course, you want to update your server's file-level and Exchange-level antivirus software, and make sure all users have up-to-date antivirus applications running on their desktops.

But sometimes these steps are not enough. If your server is heavily infected, the sheer volume of infected messages can overwhelm the machine and your antivirus software may not be able to keep pace with the server. If you find yourself in a situation like this, here are the steps you need to take.

Stop the flow of SMTP traffic

First, cut off communications between your mail server and the Internet. This will prevent your server from spewing infected messages to the outside world and stop any new messages from arriving until you've recovered from the infection.

One way of stopping the flow of SMTP traffic is to configure your organization's SMTP connector to not deliver mail:

While you are at it, you might also consider disabling the SMTP virtual server:

Keep users out of Exchange

In some cases, you may also need to keep the users out of the Exchange server while you disinfect it. The easiest way to do this is to unplug the network cable from the server. This will guarantee that nobody can send or receive anything until you are ready for them to do so.

Freeze your message queues



Now it is time to begin cleaning out the message queues. To do so, you must freeze the queues and then delete the undesirable messages.

If you want to freeze all the queues, simply click the Disable Outbound Mail button (click Enable Outbound Mail to re-enable mail flow).

Locate and remove infected messages

To locate infected messages and remove them from the queues:

Even after all of the queues have been disinfected, there is a very good chance that some of the mailboxes on your server contain infected messages. Exchange doesn't offer any easy mechanism for manually disinfecting everyone's mailboxes. Your best option is to scan the mailboxes with an Exchange-aware antivirus program. You should do this before allowing the users back onto the server.
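When the queues hold thousands of messages, the first job in locating the infected ones is working out what they have in common. The following is an added example, not part of the original tip: it assumes the queued messages have been copied out as raw RFC 822 (.eml) bytes for offline inspection, and the function names, extension list and sample messages are all constructed for illustration. It groups messages that carry a risky attachment by subject and attachment name, so the repeated pattern can be used as the search criterion when removing messages from the queues.

```python
import email
from collections import Counter, defaultdict
from email import policy
from email.message import EmailMessage
# Assumption: extensions treated as risky; adjust to the outbreak at hand.
RISKY_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".vbs")

def describe(raw):
    """Return (sender, normalised subject, attachment names) for one message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = " ".join(str(msg["Subject"] or "").lower().split())
    names = tuple(sorted((p.get_filename() or "").lower()
                         for p in msg.iter_attachments()))
    return str(msg["From"] or "").lower(), subject, names

def outbreak_clusters(raw_messages, min_count=3):
    """Return [(key, message_count, distinct_senders)], largest group first."""
    counts, senders = Counter(), defaultdict(set)
    for raw in raw_messages:
        sender, subject, names = describe(raw)
        if any(n.endswith(RISKY_EXT) for n in names):
            counts[(subject, names)] += 1
            senders[(subject, names)].add(sender)
    return [(k, n, len(senders[k])) for k, n in counts.most_common() if n >= min_count]

def _sample(sender, subject, attachment=None):
    """Build one constructed test message (not real queue data)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "user@example.com", subject
    m.set_content("constructed body")
    if attachment:
        m.add_attachment(b"constructed", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_bytes()

# Constructed sample standing in for messages copied out of a queue.
SAMPLE_QUEUE = [
    _sample("a@example.com", "Re: Your document", "document.pif"),
    _sample("b@example.com", "RE:  Your Document", "Document.PIF"),
    _sample("c@example.com", "Re: Your document", "document.pif"),
    _sample("a@example.com", "Re: Your document", "document.pif"),
    _sample("d@example.com", "Quarterly report", "report.pdf"),
    _sample("e@example.com", "Lunch?"),
    _sample("f@example.com", "Installer", "setup.exe"),
]

if __name__ == "__main__":
    for (subject, names), n, who in outbreak_clusters(SAMPLE_QUEUE):
        print(f"{n} messages from {who} senders: {subject!r} {names}")
```

A cluster that repeats across several distinct senders is the signature to search for; a single message with an executable attachment stays below the threshold and is left for the antivirus scan.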

Return Exchange to a functional state

The last step in the process is to bring the server back to a functional state:

About the author: Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. Brien has served as the CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal Web site at http://www.brienposey.com.

