
I am at my wit's end... keep getting listed



If someone is sending mails through your exchange server using an SMTP Auth hack or something of that nature, they would show up in the log files.

Since the emails are not showing up in the log files, either someone has access directly to the server to modify the logs, or it is another machine on your network that is compromised.

What kind of firewall/router are you using?


Subject: Products that can improve you life!

I looked through the logs and found nothing on "products that can improve".

Did not see your edit before posting my previous reply.

I would run the search one more time in case the search is case sensitive, i.e. products not the same as Products? Or try the search on the key words in case there is something wrong with the entire string.

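The log search suggested above can be made mechanical. The following is an added example, not code posted by anyone in this thread: it runs three searches over a handful of constructed lines in the shape of an Exchange message tracking log (timestamp,sender,recipient,subject), namely the exact phrase, the same phrase case-insensitively, and a whole-word match on a chosen set of keywords in any order. The log lines, addresses and the 192-style field layout are assumptions made for the example.

```python
import re
from typing import Dict, List, Sequence

# Constructed sample lines shaped like an Exchange message tracking log
# (timestamp,sender,recipient,subject). Not taken from the thread; the
# addresses and subjects are made up for this example.
SAMPLE_LOG = [
    "2007-03-01 10:15:02,sender@example.com,user1@example.org,Weekly report",
    "2007-03-01 10:16:44,bounce@example.net,user2@example.org,PRODUCTS THAT CAN IMPROVE YOU LIFE!",
    "2007-03-01 10:17:09,alerts@example.com,user3@example.org,Server backup completed",
    "2007-03-01 10:18:31,promo@example.net,user4@example.org,Improve your life with these products",
]


def subject_of(line: str) -> str:
    """Return the subject field: everything after the third comma (subjects may contain commas)."""
    return line.split(",", 3)[3] if line.count(",") >= 3 else ""


def search_exact(lines: Sequence[str], phrase: str) -> List[int]:
    """1-based line numbers whose subject contains the phrase with matching case."""
    return [i for i, line in enumerate(lines, 1) if phrase in subject_of(line)]


def search_case_insensitive(lines: Sequence[str], phrase: str) -> List[int]:
    """Same search, but 'products' and 'PRODUCTS' compare equal."""
    needle = phrase.casefold()
    return [i for i, line in enumerate(lines, 1) if needle in subject_of(line).casefold()]


def search_keywords(lines: Sequence[str], keywords: Sequence[str]) -> List[int]:
    """Lines whose subject contains every keyword as a whole word, any order, any case."""
    patterns = [re.compile(r"\b" + re.escape(k) + r"\b", re.IGNORECASE) for k in keywords]
    return [i for i, line in enumerate(lines, 1)
            if all(p.search(subject_of(line)) for p in patterns)]


def search_subject(lines: Sequence[str], phrase: str, keywords: Sequence[str]) -> Dict[str, List[int]]:
    """Run all three searches so the reader can see which one actually finds the message."""
    return {
        "exact": search_exact(lines, phrase),
        "case_insensitive": search_case_insensitive(lines, phrase),
        "keywords": search_keywords(lines, keywords),
    }


if __name__ == "__main__":
    results = search_subject(SAMPLE_LOG, "products that can improve", ("products", "improve"))
    for method, hits in results.items():
        print(f"{method:17s}: lines {hits}")
```

On the constructed input the exact search finds nothing, the case-insensitive search finds the upper-cased copy, and the keyword search also picks up a reworded variant of the same pitch, which is the point of searching on key words rather than the full string.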

If someone is sending mails through your exchange server using an SMTP Auth hack or something of that nature, they would show up in the log files.

Since the emails are not showing up in the log files, either someone has access directly to the server to modify the logs, or it is another machine on your network that is compromised.

What kind of firewall/router are you using?

At this point I am starting to think the same way, however I did an exhaustive clean of the machines on our network a couple of weeks ago and nothing turned up.

As far as the router, I am uncertain as to what type it is as I can not easily access it. That is the last avenue of investigation I have and have put it off because it's a complete chore to get to. Maybe there is some software firewall I can download on a trial basis to catch this. I will look into it.


The problem with a software firewall is that it protects one machine, and if the machine is already compromised, it could possibly be circumventable. Since we are not 100% certain that the mail server is even the machine the spam is coming from, I think our next most logical course of action is to monitor port 25 traffic and make absolutely certain there is no port 25 traffic from any other computers on the network. If you can find out what make/model the firewall is, I will be happy to see what tools are available for traffic monitoring.


The problem with a software firewall is that it protects one machine, and if the machine is already compromised, it could possibly be circumventable. Since we are not 100% certain that the mail server is even the machine the spam is coming from, I think our next most logical course of action is to monitor port 25 traffic and make absolutely certain there is no port 25 traffic from any other computers on the network. If you can find out what make/model the firewall is, I will be happy to see what tools are available for traffic monitoring.

We have an ADTRAN total access 608, thanks for the help Telarin!


Just skimming over the manual briefly that seems to be a pretty full featured piece of equipment. I'm not personally familiar with it, so won't be able to tell you anything other than what can be seen from the manual. What you will want to do is configure it to block outgoing port 25 traffic from all internal IP addresses except the exchange server. If you need more help than that, I can try digging through the manual for specifics, but you or the guys in charge of the firewall should be able to do that without my assistance. Let me know how it goes.

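The two suggestions above (watch port 25 traffic, then allow outbound port 25 only from the Exchange server) amount to an egress policy that can be checked from the firewall's connection log. The following is an added example and not code from the thread or from ADTRAN: it parses a few constructed connection-log lines in a generic key=value format, picks out TCP/25 connections leaving the LAN, and counts them per internal host other than the mail server. The LAN range 192.168.1.0/24, the mail server address 192.168.1.10 and the log format are all assumptions for the example; a real device's log format will differ.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, Iterable, Optional

# Assumed addressing for this example (not from the thread): the Exchange
# server is 192.168.1.10 and the internal LAN is 192.168.1.0/24.
MAIL_SERVER = ipaddress.ip_address("192.168.1.10")
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")
SMTP_PORT = 25

# Constructed connection-log lines in a generic key=value layout; real
# firewall logs use their own format. Addresses are documentation ranges.
SAMPLE_FLOWS = [
    "2007-03-01T10:15:02 proto=tcp src=192.168.1.10 sport=3321 dst=203.0.113.25 dport=25 action=allow",
    "2007-03-01T10:15:05 proto=tcp src=192.168.1.57 sport=1045 dst=198.51.100.8 dport=25 action=allow",
    "2007-03-01T10:15:06 proto=tcp src=192.168.1.57 sport=1046 dst=198.51.100.9 dport=25 action=allow",
    "2007-03-01T10:15:09 proto=tcp src=192.168.1.23 sport=2201 dst=203.0.113.80 dport=80 action=allow",
    "2007-03-01T10:15:12 proto=tcp src=203.0.113.7 sport=4433 dst=192.168.1.10 dport=25 action=allow",
    "2007-03-01T10:15:15 proto=tcp src=192.168.1.88 sport=1500 dst=192.168.1.10 dport=25 action=allow",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_flow(line: str) -> Optional[Dict[str, str]]:
    """Turn one key=value log line into a dict; None if a required field is missing."""
    fields = dict(FIELD_RE.findall(line))
    if not {"proto", "src", "dst", "dport"}.issubset(fields):
        return None
    return fields


def is_outbound_smtp(flow: Dict[str, str]) -> bool:
    """True for TCP to port 25 from an internal host to an address outside the LAN.

    Inbound mail (external -> mail server) and LAN clients submitting to the
    Exchange server are both legitimate and are deliberately not flagged.
    """
    if flow["proto"].lower() != "tcp" or not flow["dport"].isdigit():
        return False
    if int(flow["dport"]) != SMTP_PORT:
        return False
    try:
        src = ipaddress.ip_address(flow["src"])
        dst = ipaddress.ip_address(flow["dst"])
    except ValueError:
        return False
    return src in INTERNAL_NET and dst not in INTERNAL_NET


def find_violations(lines: Iterable[str]) -> Dict[str, int]:
    """Count outbound SMTP connections per internal host that is not the mail server.

    Any host that appears here is either misconfigured or sending mail on its own,
    which on a network with one Exchange server is the spam-bot signature the
    thread is looking for.
    """
    counts: Counter = Counter()
    for line in lines:
        flow = parse_flow(line)
        if flow is None or not is_outbound_smtp(flow):
            continue
        if ipaddress.ip_address(flow["src"]) == MAIL_SERVER:
            continue
        counts[flow["src"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for host, n in find_violations(SAMPLE_FLOWS).items():
        print(f"{host}: {n} outbound SMTP connection(s) not from the mail server")
```

Run against a day's worth of logs, an empty result is the evidence that only the Exchange server talks to port 25 outside the LAN; any host listed is the one to pull off the network and rebuild. Once the firewall rule is in place, the same script over the log of blocked connections shows which machine is still trying.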

Another suggestion - re-check the previously compromised machines by booting them from known clean media (e.g. BartPE CD, Winternals Adminpak or a Linux CD) and running a scan. Many trojans now use rootkits to conceal themselves from antivirus scanners so only a clean boot (or a reformat/reinstall) can guarantee to pick them up.

Also AVG and Trend are not top-tier AVs - Kaspersky, McAfee, NOD32 or Symantec provide better detection than AVG according to AV Comparatives and Trend have not allowed their products to be tested, suggesting a lack of confidence in their performance.

The Castlecops Malware Removal and Prevention Guide provides more information on cleaning an infected system.
