Question

  • #2260022

    tools to locate spam server


    by ken wolf ·

    OK, so you suspect that somewhere on your network there is a compromised PC that is acting as a spam server. What tools can you use to locate the rogue spammer? We are using MS Exchange 2003; all users are running Outlook as their e-mail client.
    I have tried using packet capturing like Wireshark (Ethereal). I can identify outgoing SMTP mail, but it has a <> sender field. I have tried to find relevant packets going to the Exchange server to determine what PC sent the message. But it is impossible to read packets going to the server; obviously they are not plain text.

    Has anyone else been successful in flushing out a rogue spam server, and what tools did you use?

All Answers

    • #2523679

      Clarifications

      by ken wolf ·

      In reply to tools to locate spam server

      Clarifications

    • #2523676

      Down and dirty

      by mjd420nova ·

      In reply to tools to locate spam server

      I’ve found one way that is pretty simple. Disable the internet server’s connection to the web, then do a reset of each machine, one at a time. The offender will exhibit some very strange activity and eventually come up with a load of rather cryptic errors and numbers that don’t make any sense.

      • #2522459

        re:Down and dirty

        by ken wolf ·

        In reply to Down and dirty

        mjd420nova:
        Thanks for the suggestion. This may work if all workstations were located in one place and we were able to shut down all workstations and servers at one time. However, we have 16 remote sales offices plus our corporate location. Not that many workstations, only about 130 or so. The sales offices are open seven days a week.
        What I need is a tool that would be able to either scan all machines or “watch” what is being transmitted to the Exchange server.

    • #2523568

      well…

      by chris_atb ·

      In reply to tools to locate spam server

      There is the more harrowing task of checking system processes and services for unusual names running, and even this technique can be tricked if the offending program is bound to a common process (bloody trojans).

      always worth running msconfig and looking for it, then you can find out where it is in the registry and delete the entry 😉

    • #2522445

      open ports?

      by mford66215 ·

      In reply to tools to locate spam server

      1. You’ve scanned for open ports on your workstations I take it?

      2. Set your packet capture to monitor inbound/outbound traffic to the Exchange server only, then look for your offender. Do this after everyone’s gone home to limit the traffic.

      3. Lock the Exchange server down to only accept mail from authorized clients, and monitor its logs after hours for PCs that keep trying anyway.

      • #2522224

        open ports?

        by ken wolf ·

        In reply to open ports?

        mford:
        Thanks for the reply! I have blocked port 25 outbound on the firewall for all except the Exchange server. No clients are able to communicate via SMTP (port 25) to the outside. I have verified that the port is blocked by using telnet to try to connect to other e-mail servers on the internet from my workstation. It fails.
        I have not specifically scanned for open ports on the workstations (I am guessing you are referring to port 25?). The packet capturing I performed over this weekend pretty much confirmed I have no workstation communicating on port 25.
        I have been able to actually catch the spam going out of the Exchange server on port 25, but the sender address only has < > but no name. I have tried to find the incoming (to the Exchange server) packets but, as I mentioned before, they are not readable, at least not by humans 🙂 As the clients do not communicate with Exchange via SMTP, I have found it impossible to pick out any clear text to locate the offending packets and trace it back to a workstation.

        • #2522149

          ohh this sounds like fun! Sam Spade?

          by sgt_shultz ·

          In reply to open ports?

          I have heard of a tool called Sam Spade for finding spammers, but I don’t use it or understand it well enough yet to suggest it might work for what you want.
          http://www.SamSpade.org

        • #2522581

          not easily read, that’s true

          by mford66215 ·

          In reply to open ports?

          but the info’s in there…most packet captures will at least give you a MAC address to chase down…

          Here’s a MS link on exchange that may also give you some ideas….

          Is there a time of day that has more spam than not? Has there been a time since this started when there wasn’t any spam (and what else was going on then?) – try to find some commonality.
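As an added example (not posted by anyone in this thread), a defender-side triage script that follows mford’s point that the capture still carries a source MAC: it reads a tshark CSV field export (the tshark invocation and field names are my assumptions) and lists every host other than the Exchange server that speaks SMTP to it, with null-sender and recipient fan-out counts. The sample rows are constructed, not from a real capture.

```python
"""Which internal hosts speak SMTP to the Exchange server, and does any use
the null sender <>?  Input is assumed to be a tshark field export
(tshark -r cap.pcap -Y smtp -T fields -E separator=, -e <each FIELDS entry>);
the rows in SAMPLE_CSV are constructed, not from a real capture."""
import csv
import io
from collections import defaultdict

FIELDS = ["frame.time_epoch", "eth.src", "ip.src", "ip.dst", "tcp.dstport",
          "smtp.req.command", "smtp.req.parameter"]

# Constructed sample: 10.0.0.5 is the Exchange server relaying mail out;
# 10.0.3.77 is a workstation talking SMTP straight to Exchange.
SAMPLE_CSV = """\
1180000000.1,00:11:22:33:44:55,10.0.0.5,203.0.113.10,25,MAIL,FROM:<>
1180000000.2,00:11:22:33:44:55,10.0.0.5,203.0.113.10,25,RCPT,TO:<victim@example.net>
1180000001.0,00:aa:bb:cc:dd:ee,10.0.3.77,10.0.0.5,25,MAIL,FROM:<>
1180000001.1,00:aa:bb:cc:dd:ee,10.0.3.77,10.0.0.5,25,RCPT,TO:<a@example.org>
1180000001.2,00:aa:bb:cc:dd:ee,10.0.3.77,10.0.0.5,25,RCPT,TO:<b@example.org>
1180000002.0,00:de:ad:be:ef:01,10.0.1.20,10.0.0.5,25,MAIL,FROM:<alice@example.com>
"""

def smtp_talkers(csv_text, exchange_ip, fields=FIELDS):
    """Per (source IP, source MAC): MAIL, RCPT and null-sender counts for
    hosts other than the server itself that send SMTP commands to it.
    Outlook/MAPI clients never speak SMTP to Exchange, so every host
    listed deserves a look (an app or printer relay, or the spammer)."""
    stats = defaultdict(lambda: {"mail_from": 0, "rcpt_to": 0, "null_sender": 0})
    for row in csv.DictReader(io.StringIO(csv_text), fieldnames=fields):
        if row["ip.dst"] != exchange_ip or row["ip.src"] == exchange_ip:
            continue
        key = (row["ip.src"], row["eth.src"])  # MAC survives a DHCP lease change
        cmd = row["smtp.req.command"].upper()
        if cmd == "MAIL":
            stats[key]["mail_from"] += 1
            if row["smtp.req.parameter"].replace(" ", "").upper() == "FROM:<>":
                stats[key]["null_sender"] += 1
        elif cmd == "RCPT":
            stats[key]["rcpt_to"] += 1
    return dict(stats)

def suspects(stats, min_rcpt_per_msg=2.0):
    """Hosts that used the null sender or fan out to many recipients."""
    flagged = []
    for key, s in stats.items():
        ratio = s["rcpt_to"] / s["mail_from"] if s["mail_from"] else 0.0
        if s["null_sender"] or ratio >= min_rcpt_per_msg:
            flagged.append(key)
    return sorted(flagged)
```

Run it against an after-hours capture taken on the Exchange server’s switch port, as suggested above; a flagged MAC can then be matched to a switch port or DHCP lease to find the physical machine.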

        • #2522578

          Forgot the link!!

          by mford66215 ·

          In reply to not easily read, that’s true

          http://support.microsoft.com/kb/823019/en-us

          To Configure IP Address Restrictions
          1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
          2. Expand Administrative Groups (if appropriate), expand AdministrativeGroup (if appropriate), expand Servers, expand ServerName, and then expand Protocols.
          3. Expand SMTP, right-click Default SMTP Virtual Server, and then click Properties.
          4. Click the Access tab, and then click Connection.
          5. In the Connection dialog box, click Only the list below. This indicates that only the IP addresses and the domains that are in the list are permitted to connect to the SMTP virtual server.
          6. Click Add, and then do one of the following to add a single computer, a group of computers, or a domain, as appropriate to your situation:
             • To add a single computer, click Single Computer, type the IP address of the e-mail messaging server of your Internet service provider (ISP) in the IP address box, and then click OK. Alternatively, click DNS Lookup, type a host name, and then click OK.
             • To add a group of computers, click Group of computers, type the subnet address and the subnet mask of the group in the corresponding boxes, and then click OK. Microsoft recommends this option if your ISP has a tendency to change the IP address of their e-mail messaging server without warning.
             • To add a domain, click Domain, type the domain name that you want in the Name box, and then click OK. Note that this option requires a DNS reverse lookup on each incoming connection. This requirement may adversely affect the performance of the Exchange server. For more information, see the Troubleshoot section later in this article.
