Check the sent items folder to see if the user replied to a phishing
email.  You might have 1000s of emails to go through to find it, but it
might be there, unless they gave the user id and password to a web site.
We've seen very similar things here.  Massive spam in the sent folder
but just before all the spam was a reply with user id and password.
Also check for auto reply rules.  Saw those on one account.


-----Original Message-----
From: Osborne, Richard [mailto:[email protected]] 
Sent: Monday, August 02, 2010 1:47 PM
To: NT System Admin Issues
Subject: malware that creates Outlook rules

Has anyone seen malware that creates an Outlook rule that moves all new
mail to Deleted Items and then sends out a bunch of spam?  I have a few
users that have been hit with something I can't find.  I scanned the PCs
with VIPRE, MalwareBytes, & Symantec's online scanner and didn't find
anything.  Then I turned off the PCs and something is still accessing
their mailboxes.  I scanned the Exchange server also.  I am not seeing
anything in Exchange User Monitor or Windows Security logs and our
network guys say they don't see any unusual traffic to our Exchange
server.

Google finds a couple of people reporting the same thing but no
resolution.

Windows XP SP2 clients with Outlook 2002 & 2003; Exchange Server 2003
SP2 on Server 2003 SP1.

Thanks for any ideas.



Richard Osborne
Information Systems
Jackson-Madison County General Hospital

NOTICE:  (1) The foregoing is not intended to be a legally binding or
legally effective electronic signature. (2) This message may contain
legally privileged or confidential information.  If you are not the
intended recipient of this message, please so notify me, disregard the
foregoing message, and delete the message immediately.  I apologize for
any inconvenience this may have caused.



~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~
<http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
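
The two checks suggested in the reply at the top of this thread (mailbox rules that fire on all mail, and a reply sent just before the spam run started), as an added example that is not part of the original messages. The rule and sent-item records are constructed sample data with hypothetical field names, not a real Outlook or Exchange export format; the thresholds are assumptions.

```python
from datetime import datetime, timedelta

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

# Constructed sample data. The field names are hypothetical, not a real
# Outlook or Exchange export format.
RULES = [
    {"name": "Newsletters", "conditions": ["from contains news@"], "actions": ["move:Newsletters"]},
    {"name": "rule1", "conditions": [], "actions": ["move:Deleted Items"]},
    {"name": "rule2", "conditions": [], "actions": ["auto-reply"]},
]
SENT = [
    {"time": ts("2010-07-30 09:12"), "subject": "RE: lunch", "recipients": 1},
    {"time": ts("2010-08-01 16:40"), "subject": "RE: verify your mailbox", "recipients": 1},
] + [
    {"time": ts("2010-08-02 03:01") + timedelta(minutes=i), "subject": "Cheap meds", "recipients": 40}
    for i in range(5)
]

RISKY = ("move:deleted items", "delete", "forward", "redirect", "auto-reply")

def suspicious_rules(rules):
    """Rules with no conditions (they fire on all mail) and a risky action."""
    return [(r["name"], a) for r in rules if not r["conditions"]
            for a in r["actions"] if a.lower().startswith(RISKY)]

def burst_start(sent, window=timedelta(minutes=10), threshold=5):
    """Time of the first message that begins `threshold` sends within `window`."""
    times = sorted(m["time"] for m in sent)
    for i, start in enumerate(times):
        if sum(1 for x in times[i:] if x - start <= window) >= threshold:
            return start
    return None

def replies_before_burst(sent, lookback=timedelta(days=3)):
    """Single-recipient replies sent shortly before the burst, newest first."""
    start = burst_start(sent)
    if start is None:
        return []
    hits = [m for m in sent
            if m["subject"].upper().startswith("RE:") and m["recipients"] == 1
            and start - lookback <= m["time"] < start]
    return sorted(hits, key=lambda m: m["time"], reverse=True)

if __name__ == "__main__":
    print(suspicious_rules(RULES))
    for m in replies_before_burst(SENT):
        print(m["time"], m["subject"])
```

Sorting the candidate replies newest first puts the message closest to the start of the spam run at the top, which is where the reply above says the credential-bearing message was found.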

