Many unexpected pop-up messages from the client email plugin appear

Article:TECH122425  |  Created: 2010-01-14  |  Updated: 2013-11-15  |  Article URL http://www.symantec.com/docs/TECH122425
Article Type
Technical Solution


Issue



A Symantec Antivirus (SAV) or Symantec Endpoint Protection (SEP) client which has the optional Email tools installed suddenly begins to display many pop-up warnings or errors about messages that could not be sent. This occurs even when the user has not sent any mail from the email client (Outlook, Thunderbird, or similar).


Error



Symptoms

Pop-up messages will be similar to:

  • Your email message was unable to be sent because your mail server rejected the recipient:: 554 Too many recipients
  • Your email message was unable to be sent because your mail server rejected the message: 554 5.7.1 Message rejected under the suspicion of SPAM (1003,11)
  • Your email message was unable to be sent because your mail server rejected the message: 571 Message Refused
  • Your email message was unable to be sent because your mail server rejected the message: 551 5.7.1 
  • "Your email message to [email address of recipient] with the subject [email subject] was unable to be sent . . ." (1003,9) 

Environment



  • Symantec Endpoint Protection 11.x or 12.1.x
  • Symantec AntiVirus 10.x

Cause



Spam is often sent from botnets of compromised computers. If large numbers of the errors listed above are appearing, it is highly likely that the computer has been infected by an undetected threat and is being used to send unwanted commercial email (UCE).


Solution



  • If subject lines and recipients are displayed, examine them to determine if mails were intentionally sent from the mail client.
  • If not, isolate the computer from the network and follow best practices to determine whether a currently undetected threat is operating on this computer. Checking which program is using common mail ports (for example, running netstat -ao from the command line to learn which process is communicating on port 25) is often the best first step.
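
The netstat check above can be run over saved output to rank processes by how many distinct mail hosts they contact. This is an added example, not Symantec code; the sample output, the inclusion of ports 465 and 587, and the three-host threshold are assumptions made for illustration.

```python
from collections import defaultdict

# Foreign-port labels treated as mail traffic. "smtp" is how netstat prints
# port 25 without -n; 465 and 587 are this example's assumption about what
# "common mail ports" covers.
MAIL_PORTS = {"25": 25, "smtp": 25, "465": 465, "587": 587}

# Constructed sample mixing rows as printed by "netstat -ao" (names) and
# "netstat -ano" (numeric); all hosts and PIDs are made up.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address          State           PID
  TCP    0.0.0.0:135            WS-041:0                 LISTENING       716
  TCP    192.0.2.20:49201       mail.example.net:587     ESTABLISHED     3412
  TCP    192.0.2.20:49310       mx1.example.org:smtp     ESTABLISHED     5120
  TCP    192.0.2.20:49311       198.51.100.7:25          SYN_SENT        5120
  TCP    192.0.2.20:49312       203.0.113.9:25           ESTABLISHED     5120
  TCP    192.0.2.20:49313       203.0.113.9:25           TIME_WAIT       0
  TCP    [2001:db8::20]:49400   [2001:db8::19]:25        ESTABLISHED     5120
  UDP    0.0.0.0:500            *:*                                      4
"""

def mail_connections(netstat_text):
    """Map PID -> set of (remote host, port) for TCP rows with a mail foreign port."""
    by_pid = defaultdict(set)
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP rows have exactly five columns; UDP rows have no State column.
        if len(fields) != 5 or fields[0].upper() != "TCP":
            continue
        _proto, _local, foreign, state, pid = fields
        host, _, port = foreign.rpartition(":")  # keeps a bracketed IPv6 host whole
        port_no = MAIL_PORTS.get(port.lower())
        if port_no is None or state == "LISTENING" or not pid.isdigit():
            continue
        by_pid[int(pid)].add((host, port_no))
    return dict(by_pid)

def suspects(netstat_text, min_remotes=3):
    """PIDs reaching at least min_remotes distinct mail hosts, busiest first.
    PID 0 rows (e.g. TIME_WAIT, owner gone) are skipped; the threshold is a
    triage heuristic chosen for this example."""
    found = {pid: len({h for h, _ in conns})
             for pid, conns in mail_connections(netstat_text).items() if pid != 0}
    return sorted((p for p, n in found.items() if n >= min_remotes),
                  key=lambda p: -found[p])

if __name__ == "__main__":
    print("suspect PIDs:", suspects(SAMPLE))
```

A legitimate mail client normally talks to one or two configured servers, so a PID with connections to many different hosts on port 25 is the one to look up in Task Manager or tasklist first.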


References:
The articles cross-referenced below will help to identify and remove an undetected threat.




Legacy ID



2010011410001948

