tools to locate spam server

By Ken Wolf ·
OK, so you suspect that somewhere on your network there is a compromised PC that is acting as a spam server. What tools can you use to locate the rogue spammer? We are using MS Exchange 2003; all users are running Outlook as their e-mail client.
I have tried using packet capturing like Wireshark (Ethereal). I can identify outgoing SMTP mail, but it has a <> sender field. I have tried to find relevant packets going to the Exchange server to determine what PC sent the message. But it is impossible to read packets going to the server; obviously they are not plain text.

Has anyone else been successful in flushing out a rogue spam server, and what tools did you use?


All Answers


Down and dirty

by mjd420nova In reply to tools to locate spam serv ...

I've found one way that is pretty simple. Disable the internet servers connection to the web, then do a reset of each machine, one at a time. The offender will exhibit some very strange activity and eventually come up with a load of errors with some rather cryptic errors and numbers that don't make any sense.


re:Down and dirty

by Ken Wolf In reply to Down and dirty

mjd420nova:
Thanks for the suggestion. This may work if all workstations were located in one place and we were able to shut down all workstations and servers at one time. However, we have 16 remote sales offices plus our corporate location. Not that many workstations, only about 130 or so. The sales offices are open seven days a week.
What I need is a tool that would be able to either scan all machines or "watch" what is being transmitted to the Exchange server.


well...

by chris_atb In reply to tools to locate spam serv ...

there is the more harrowing task of checking system processes and services for unusual names running, and even this technique can be tricked if the offending program is bound to a common process (bloody trojans)

always worth running msconfig and looking for it, then you can find out where it is in the registry and delete the entry


open ports?

by mford66215 In reply to tools to locate spam serv ...

1. You've scanned for open ports on your workstations I take it?

2. Set your packet capture to monitor inbound/outbound traffic to the Exchange server only, then look for your offender. Do this after everyone's gone home to limit the traffic.

3. Lock the Exchange server down to only accept mail from authorized clients, and monitor its logs after hours for CPUs that keep trying anyway.


open ports?

by Ken Wolf In reply to open ports?

mford:
thanks for the reply! I have blocked port 25 outbound on the firewall for all except the Exchange server. No clients are able to communicate via SMTP (port 25) to the outside. I have verified that the port is blocked by using telnet to try to connect to other e-mail servers on the internet from my workstation. It fails.
I have not specifically scanned for open ports on the workstations (I am guessing you are referring to port 25?). The packet capturing I performed over this weekend pretty much confirmed I have no workstation communicating on port 25.
I have been able to actually catch the spam going out of the Exchange server on port 25, but the sender address only has < > and no name. I have tried to find the incoming (to the Exchange server) packets, but as I mentioned before, they are not readable, at least not by humans :-) As the clients do not communicate with Exchange via SMTP, I have found it impossible to pick out any clear text to locate the offending packets and trace them back to a workstation.


ohh this sounds like fun! Sam Spade?

by sgt_shultz In reply to open ports?

I have heard of a tool called Sam Spade for finding spammers, but I don't use it or understand it well enough yet to suggest it might work for what you want.
www.SamSpade.org


not easily read, that's true

by mford66215 In reply to open ports?

but the info's in there...most packet captures will at least give you a MAC address to chase down...

Here's a MS link on exchange that may also give you some ideas....

Is there a time of day that has more spam than not? Has there been a time since this started when there wasn't any spam (and what else was going on then?) - try to find some commonality.


Forgot the link!!

by mford66215 In reply to not easily read, that's t ...

http://support.microsoft.com/kb/823019/en-us

To Configure IP Address Restrictions

1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
2. Expand Administrative Groups (if appropriate), expand AdministrativeGroup (if appropriate), expand Servers, expand ServerName, and then expand Protocols.
3. Expand SMTP, right-click Default SMTP Virtual Server, and then click Properties.
4. Click the Access tab, and then click Connection.
5. In the Connection dialog box, click Only the list below.
   This indicates that only the IP addresses and the domains that are in the list are permitted to connect to the SMTP virtual server.
6. Click Add, and then do one of the following to add a single computer, a group of computers, or a domain, as appropriate to your situation:
   - To add a single computer, click Single Computer, type the IP address of the e-mail messaging server of your Internet service provider (ISP) in the IP address box, and then click OK.
     Alternatively, click DNS Lookup, type a host name, and then click OK.
   - To add a group of computers, click Group of computers, type the subnet address and the subnet mask of the group in the corresponding boxes, and then click OK.
     Microsoft recommends this option if your ISP has a tendency to change the IP address of their e-mail messaging server without warning.
   - To add a domain, click Domain, type the domain name that you want in the Name box, and then click OK.
     Note that this option requires a DNS reverse lookup on each incoming connection. This requirement may adversely affect the performance of the Exchange server. For more information, see the Troubleshoot section later in this article.
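The "lock it down and watch the logs" approach from the earlier reply, combined with the connection restrictions above, as an added example that is not from the thread or from Microsoft: it reads the Exchange SMTP virtual server's log (assumed to be W3C extended format, with column names taken from the `#Fields` header rather than hard-coded), ignores the hosts that are allowed to speak SMTP, and reports every other client that issued MAIL commands, counting the empty-sender `MAIL FROM:<>` submissions seen in the capture separately. The log lines, addresses and the `AUTHORIZED` set are constructed for the example.

```python
"""Hunt for the rogue SMTP client in Exchange 2003 SMTP virtual-server logs."""
import re
from collections import Counter, defaultdict

# Constructed sample (documentation addresses), not a real log. Assumed W3C
# extended layout; the #Fields header drives the parser, so real column order
# does not matter as long as c-ip, cs-method and cs-uri-query are present.
SAMPLE_LOG = """\
#Software: Microsoft Exchange Server
#Version: 1.0
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status
2007-03-10 02:14:05 198.51.100.5 - SMTPSVC1 EXCH01 192.0.2.10 25 MAIL - +FROM:<bob@example.com> 250
2007-03-10 02:14:07 192.0.2.77 - SMTPSVC1 EXCH01 192.0.2.10 25 EHLO - +workstation77 250
2007-03-10 02:14:07 192.0.2.77 - SMTPSVC1 EXCH01 192.0.2.10 25 MAIL - +FROM:<> 250
2007-03-10 02:14:08 192.0.2.77 - SMTPSVC1 EXCH01 192.0.2.10 25 RCPT - +TO:<someone@example.net> 250
2007-03-10 02:15:31 192.0.2.77 - SMTPSVC1 EXCH01 192.0.2.10 25 MAIL - +FROM:<> 250
2007-03-10 02:16:02 192.0.2.33 - SMTPSVC1 EXCH01 192.0.2.10 25 MAIL - +FROM:<alice@example.com> 250
"""
# Hosts that legitimately talk SMTP to the server: itself and the ISP relay.
AUTHORIZED = {"192.0.2.10", "198.51.100.5"}

def parse_w3c(text):
    """Yield one dict per data record, naming columns from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def suspicious_clients(text, authorized):
    """Map each unauthorized client IP that issued MAIL to its counts:
    {"mail": total MAIL commands, "null_sender": those with FROM:<>}."""
    stats = defaultdict(Counter)
    for rec in parse_w3c(text):
        ip = rec.get("c-ip")
        if ip in authorized or rec.get("cs-method") != "MAIL":
            continue
        stats[ip]["mail"] += 1
        stats[ip]["null_sender"] += bool(
            re.fullmatch(r"\+?FROM:<>", rec.get("cs-uri-query", ""), re.I))
    return {ip: dict(c) for ip, c in stats.items()}

if __name__ == "__main__":
    # Rank by empty-sender submissions first: that is the host to pull offline.
    ranked = sorted(suspicious_clients(SAMPLE_LOG, AUTHORIZED).items(),
                    key=lambda kv: (-kv[1]["null_sender"], -kv[1]["mail"]))
    for ip, c in ranked:
        print(f"{ip}: {c['mail']} MAIL commands, {c['null_sender']} with empty sender")
```

Logging is off by default on the SMTP virtual server and has to be enabled in its properties before there is anything to read. Outlook clients submit through MAPI rather than SMTP, so any workstation that shows up here as an SMTP client is worth a look on its own.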
