The Simple Monitor that Caught a Virus Outbreak

From a user standpoint, the most noticeable and widely used system in any company is email.  Stop email flow and the productivity of most employees will grind to a halt.  Consequently, a simple email monitor is far and away the most common type of monitor that System Lifeline (SLL) is engaged to provide.

How does it work?

Mail Flow Monitor


Email generated from SLL to Company X (a probe message sent on a fixed schedule)

Automated response received from Company X within X minutes = All is well

No automated response within that window = Alert raised

It was just such a missed response that recently triggered an alert for a client, causing our technician to reach out to the company contact (waking them up, unfortunately) to report the issue.

After shaking out the cobwebs, the diagnostic process started:

  • Is the company SMTP banner reachable on port 25?  – Yes
  • Are the Exchange services running?  – Yes
  • Is the company MX record publicly resolvable?  – Yes
  • Is incoming mail being received by the organization?  – Yes
  • Are there errors when sending a new message?  – No, but the message is delayed by upwards of 10 minutes.
  • Check the Exchange queues… thousands of queued messages and non-delivery reports (NDRs)!

Our simple mail flow monitor alerted us to the symptom (delayed email).  We had found the reason (a huge backup in the mail queues), but what was the cause?

Opening a command prompt on the Exchange server, we listed the active SMTP connections and grouped them by remote address.  Hundreds of connections were coming from a single internal IP address.
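The diagnostic checklist above, plus the connection count that pinpointed the offending host, as a PowerShell runbook.  This is an added example, not System Lifeline's own tooling.  It assumes it is run on the Exchange server from the Exchange Management Shell (Get-Queue is an Exchange cmdlet), that Resolve-DnsName is available (Windows 8 / Server 2012 or later), and that the domain, host name, service names and threshold are placeholders to adjust for your environment.

```powershell
# Added example (not System Lifeline's code). Assumed placeholders: $Domain, $MailHost,
# $Threshold and the Exchange service names, which vary by Exchange version.
param(
    [string]$Domain    = 'companyx.example',        # assumed: the client's mail domain
    [string]$MailHost  = 'mail.companyx.example',   # assumed: the public SMTP host
    [int]   $Threshold = 50                         # assumed: connections from one IP we call suspicious
)

# 1. SMTP banner: open port 25 and read the 220 greeting line.
function Get-SmtpBanner([string]$Server, [int]$Port = 25, [int]$TimeoutMs = 5000) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        if (-not $client.ConnectAsync($Server, $Port).Wait($TimeoutMs)) { return $null }
        $stream = $client.GetStream()
        $stream.ReadTimeout = $TimeoutMs
        $reader = New-Object System.IO.StreamReader($stream)
        return $reader.ReadLine()
    } catch {
        return $null
    } finally {
        $client.Close()
    }
}
$banner = Get-SmtpBanner -Server $MailHost
if ($banner) { "SMTP banner: $banner" } else { Write-Warning "No SMTP banner from $MailHost" }

# 2. Exchange services (names shown are those used by Exchange 2013 and later).
Get-Service -Name 'MSExchangeTransport', 'MSExchangeFrontEndTransport', 'MSExchangeIS' -ErrorAction SilentlyContinue |
    Select-Object Name, Status

# 3. Public MX record for the domain.
Resolve-DnsName -Name $Domain -Type MX -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'MX' } |
    Select-Object NameExchange, Preference

# 4./5. Queue depth: thousands of queued messages was the symptom's reason.
Get-Queue |
    Select-Object Identity, DeliveryType, Status, MessageCount |
    Sort-Object MessageCount -Descending |
    Format-Table -AutoSize

# 6. Active SMTP connections grouped by remote address. An infected PC relaying
#    spam shows up as one internal IP holding hundreds of connections to port 25.
function Get-SmtpConnectionsByRemote([int]$Port = 25) {
    # netstat line shape: "  TCP    10.0.0.5:25    10.0.0.77:51234    ESTABLISHED    1234"
    $pattern = '^\s*TCP\s+\S+:' + $Port + '\s+(\S+):\d+\s+ESTABLISHED'
    netstat -ano -p TCP |
        ForEach-Object { if ($_ -match $pattern) { $Matches[1] } } |
        Group-Object |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'RemoteIP'; e = { $_.Name } }, Count
}
$byRemote = Get-SmtpConnectionsByRemote
$byRemote | Format-Table -AutoSize
$byRemote | Where-Object { $_.Count -ge $Threshold } | ForEach-Object {
    Write-Warning ("{0} holds {1} SMTP connections to this server; check that host for malware" -f $_.RemoteIP, $_.Count)
}
```

Steps 1 to 3 can also be run from outside the network (which is what a monitoring service sees); steps 4 to 6 need local access to the Exchange server.  The threshold is deliberately a parameter: legitimate multifunction printers and application servers do open multiple SMTP sessions, so compare the count against what is normal for that host before pulling its network cable.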

Armed with this new information, the company technician was able to shut down the offending PC and clear the Exchange queues.  Further analysis later revealed that the PC had been infected with a virus that was attempting to use the Exchange server as a relay for sending spam messages; the NDRs in the queue were the bounces for the spam that could not be delivered.

Thanks to the simple email monitor put in place by a network administrator overtaxed with day-to-day workload, the company email was ready for business the next morning AND a virus outbreak that had compromised a workstation was brought under control.  The monitor never saw the malware; it saw only the delay in delivery, and that symptom was enough to start the investigation.