Question

Locked

Outbound Spam from My cleints IP

By bklan123 ·
So an ISP who's name will not be released has been breathing down my neck for months about spam messages being sent out from one of my clients buildings. The spam emails show an originating IP that matches the external IP of the clients building. So i did some network scanning and tracked it down to a particular computer on the LAN subnet, and ran all sorts of scans on that pc (Malwarebytes, Ad-aware, trendnet, AVG, Spybot, etc etc) and they all came up clean. The only thing I didn't like was a program that was downloading a new wallpaper from the internet every x amount of time. So i removed that.
3 weeks and no complaints.
Now, I receive a phone call from the ISP again saying I have until the 10th to resolve the problem or my clients internet will be shut off. They had another complaint on the 7th. What would you guys do at this point? I can't make an on-site visit, they are a 6 hour drive away and it's not possible with the amount of time I have. All I can do is remote sessions with logmeinrescue. What can I try?

This conversation is currently closed to new comments.

6 total posts (Page 1 of 1)  
| Thread display: Collapse - | Expand +

All Answers

Collapse -

OFF THE NETWORK

by shasca In reply to Outbound Spam from My cle ...

You need to get that PC shutdown/disconnected. You will more than likey need a total rebuild as you weren't successful at eliminating the culprit remotely. I would have them ship it to you for immediate scrubbing. If that Domain gets Blacklisted, your world will get a lot more complicated than it is now.

Collapse -

Well....

by bklan123 In reply to OFF THE NETWORK

It's not actually blacklisting a domain, just an IP. And they do not use any email IN the facility, they use RDP to get into my network here. Blacklisting wouldn't be a as bad, i'd take that over them shutting down the whole connection.
I need to know if there is some sort of network tests to run so i can actually be sure it's this PC as well. I'm thinking a software firewall.

Collapse -

How about something like Wireshark

by OH Smeg In reply to Well....

To see what that particular computer is doing.

http://www.wireshark.org/download.html

But I really think you'll need to delete the System and run Boot & Nuke over it before reloading it if it actually the problem.

Col

Collapse -

*HAD* same problem

by C F USA In reply to Outbound Spam from My cle ...

Take the machine offline till you can get on site. If you are sure that is the machine, that is what you should do.

We had a similiar issue, nothing came up with scans as well. When *that* machine was off the network, no problems, plug it in, there were problems.

I wiped it, installed, and rescanned it before and after updates. No problems since.

Good Luck

Collapse -

Got no choice

by bklan123 In reply to *HAD* same problem

I'm gonna have to do this it looks like. I'm showing a particular LAN IP with A LOT of outbound smtp connections and multiple MX record requests in a matter of 10 seconds. Thanks for this guys, I'll let you know how it goes.

Collapse -

I would

by Jacky Howe In reply to Outbound Spam from My cle ...

run this Rootkit Revealer GMer
http://www.gmer.net/index.php

FAQ
http://www.gmer.net/faq.php

Back to Hardware Forum
6 total posts (Page 1 of 1)  

Related Discussions

Related Forums