my IP is sending Spam

[SteadySystems]

I was recently notified from Spamcop that one of the computers on my network is sending spam. We have about 10 computers here and I emailed him back and asked how I find the problem PC and he said to use netstat -a but I have no clue what I am looking for when I use that cmd or how to detect it. Can anyone help?

Here is the pasted conversation from Spamcop:

Spamcop: "If you watch, you'll see a machine that is behaving anomalously; it'll be sending way more packets than it needs for what it's actually supposed to be doing."

Me: "I went to one of the machines, typed netstat -a and it just says listening, established. There is no visible activity (anything moving). How do I detect?"

Original email from SpamCop:

*****************************
This IP is sending spam. Please see the partial headers I have pasted
below.

If this is your IP/server, then there are several possible causes.

Your network may be infected by a virus, worm, trojan, spyware or
other malware. You need to find the compromised machine, disconnect it,
and disinfect it.
Your network may have an insecure server being used by spammers
(often called an open relay).
Your network may have a server exploit such as an insecure cgi or
PHP script.
Your network may have an open proxy, or an SMTP AUTH issue, where
the spammer has cracked a name/password pair.

Be aware that some exploits and infections may install their own SMTP
software and send spam without using the local mailserver. Because of
the variety of ways that spammers exploit vulnerable networks, you
cannot depend on your mailserver logs to determine the source of the spam.

If this IP/server belongs to your ISP/hosting company, then you must
contact them for help. The people responsible for the server are the
only people who can find the problem and make the spam stop.

Received: from unicomglobal.com ([71.103.246.136])
by [trap servername] with ESMTP; 06 Oct 2008 19:xx:xx -0700
Date: Mon, 6 Oct 2008 18:xx:xx -0800
From: =?koi8-r?B?IuzAxM3JzMEi?= <x@x>
Subject: =?koi8-r?B?7MDCz8UgwsXa1c3T1NfPIMnT0M/MzsXOzyDaxMXT2A==?=

 

[chipk]

Do you have any e-mail servers on site? If not, close port 25 on your router or firewall. If so, close port 25 for all but your e-mail server and make sure it is not an "open relay". Then proceed to look for the problem computer. If you have a firewall or router with any sophistication whatsoever, you should be able to find the source of the traffic. netstat -a is not a good tool for this problem.

 

[SteadySystems]

No we do not have any email servers on site. We just use pop3 email, etc.

Are you saying I need to block port 25? Isn't that a standard port for sending/recieving emails? Won't that affect internal computers trying to use email?

where do I look for this activity on my router? I have a standard linksys router.

 

[chipk]

If you are POPing mail, you are probably using POP3 and IMAP. If your mail is hosted with an ISP, then you should talk to them about your spam problem. Port 25 (SMTP) is probably not necessary, but you can verify that by checking in your Outlook Profile properties for your Incoming and Outgoing servers.

It's going to depend on your router model, but if you go to your Linksys web interface (probably the IP of your default gateway from "ipconfig"), there should be a tab there where you can allow/disallow certain ports and it may have a simple firewall built in as well.

 

[SteadySystems]

Yes it is hosted with Verizon.

All our computers use outlook, thunderbird and have smtp set to port 25

 

[SteadySystems]

oops, sorry.. our ISP is with Verizon.

We have several different email accounts here, each with different hosts. And they all use port 25 to send smtp.

Not sure how to locate the problem PC that is sending out spam

 

[Lemon13]

start perfmon.msc, press strg E, that will create a new collection set, right click the lower right windowpart, choose add indikators, under objekt choose network, choose all bytes/s in the left and ur nic in the right and select add. do that for each pc in question, close that window and run it for the day.
check wich pc has the highest max average, that should be the one spamming

 

[SteadySystems]

That's pretty sweet! Think this will work?

 

[chipk]

This could give false positives and ultimately leave a trojan/virus on your network. You need to be looking at the ports from a firewall/router or sniffer. You could have multiple infected computers. You may think you've found it on one computer only to have the virus/trojan still active on your network.

What model Linksys router do you have?

 

[SteadySystems]

Linksys BEFSR41 ver 2

We have AVG on all computers and have used CCleaner.com to clean all registries and temps, etc


One question I have is how to run perfmon on Windows 98?

 

[linney]

See if this program is of any use to you for both 98 and XP, and to a certain extent Vista?

Port Explorer

http://www.diamondcs.com.au/portexplorer/

 

[SteadySystems]

installed, now what? no clue what I am looking for.

 

[linney]

The Help menu might be a place to start.

Load the program and start some network activity (surfing, downloading or uploading) and click on the tabs at the top of the window. Look under "Established" as well as the other tabs.

See how it goes on the other machines or the machine you suspect the most.

Play with it for a while.

If it doesn't help you, uninstall it.

 

[SteadySystems]

Thats all fine and dandy but I still have no clue what suspicious activity looks like or how to detect if spam is being sent.

 

[linney]

Suspicious activity is Network activity that can not be explained. For example, the sending of information not generated by user action. It helps to bring up the Status window available when you right-click on your usual Connection icon (near the clock, not the Port Explorer one). From there you can see "action" under the Activity section and watch the bytes or packets moving.

Port Explorer FAQ

http://www.diamondcs.com.au/help/faq-pe.php

Have you thoroughly checked your machine for malware, including running some of the online virus scanners?

http://www.google.com/search?q=online+virus+scanners&rls=com.microsoft:

Try downloading SpyBot Search and destroy
and run that.

http://www.safer-networking.org/index2.html

SUPERAntiSpyware

http://www.superantispyware.com/

Do the same with Hijack This, you can post the log here if you like.

http://www.download.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html

 

[SteadySystems]

We use AVG antivirus and they are all updated. In addition we are using Windows Firewall and Security Updates. Ccleaner for cleaning up registry and temp files. And yes, have used spybot search and destroy. Along with Lavasoft.

 

[linney]

It seems to be you are either clean, and it is a false warning, or you have missed something along the malware path?

Have you fathomed out how to use the available logging in Port Explorer?

Not picking on 98, but how about running Hijack This on 98 and posting the log. Better still, run it on all your machines, but don't post all the logs here (not at once anyway) and use the self analysis site, as a guide, and only a rough guide at that, to see what it has to say.

HijackThis log file analysis

http://www.hijackthis.de/index.php

 

[SteadySystems]

here are the results from the computers, let me know if I should be using hijackthis program to fix or do it manually, etc

I have attached the text files, zipped. Please review.

 

[linney]

I am no expert on interpreting Hijack This logs, I have read the logs (via the analysis), and I notice several complain of no antivirus software running, you may like to look into this.

The good thing about Hijack This is that it saves a backup of whatever you allow it to remove, so you can always restore it if you remove something that you shouldn't.

All I can advise is that you double check the items flagged, make sure they are unnecessary (via Google etc., and your own knowledge of the systems) and then, if you are sure, proceed with the removal. You do have some Trojans listed on some machines.

These seem to be the worst machines from a malware point of view.

espie, evelyn, michelle, sionie, cecile, nelia, with minor hits on some of the others.

If your time allows you this malware removal course comes highly recommended.

Malware Removal University

http://www.malwareremoval.com/university.php

 

[SteadySystems]

Thanks.