Many unexpected pop-up messages from the client email plugin appear
|Article:TECH122425|||||Created: 2010-01-14|||||Updated: 2013-11-15|||||Article URL http://www.symantec.com/docs/TECH122425|
A Symantec Antivirus (SAV) or Symantec Endpoint Protection (SEP) client which has the optional Email tools installed suddenly begins to display many pop-up warnings or errors about messages that could not be sent. This occurs even when the user has not sent any mail from the email client (Outlook, Thunderbird, or similar).
Pop-up messages will be similar to:
- Your email message was unable to be sent because your mail server rejected the recipient:: 554 Too many recipients
- Your email message was unable to be sent because your mail server rejected the message: 554 5.7.1 Message rejected under the suspicion of SPAM (1003,11)
- Your email message was unable to be sent because your mail server rejected the message: 571 Message Refused
- Your email message was unable to be sent because your mail server rejected the message: 551 5.7.1
- "Your email message to [email address of recipient] with the subject [email subject] was unable to be sent . . ." (1003,9)
- Symantec Endpoint Protection 11.x or 12.1.x
- Symantec AntiVirus 10.x
Spam is often sent from botnets of compromised computers. If large numbers of the errors listed above are appearing, it is highly likely that the computer have been infected by an undetected threat and is being used to send unwanted commercial email (UCE).
- If subject lines and recipients are displayed, examine them to determine if mails were intentionally sent from the mail client.
- If not, isolate the computer from the network and follow best practice to determine if a currently undetected threat is operating on this computer. Checking what program is using common mail ports (performing a netstat -ao from the command line to learn what process is communicating on port 25) is often the best first step.
The articles cross-referenced below will help to identify and remove an undetected threat.
Article URL http://www.symantec.com/docs/TECH122425