Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

my IP is sending Spam

Status
Not open for further replies.

SteadySystems

IS-IT--Management
Feb 14, 2003
169
US

I was recently notified from Spamcop that one of the computers on my network is sending spam. We have about 10 computers here and I emailed him back and asked how I find the problem PC and he said to use netstat -a but I have no clue what I am looking for when I use that cmd or how to detect it. Can anyone help?

Here is the pasted conversation from Spamcop:

Spamcop: "If you watch, you'll see a machine that is behaving anomalously; it'll be sending way more packets than it needs for what it's actually supposed to be doing."

Me: "I went to one of the machines, typed netstat -a and it just says listening, established. There is no visible activity (anything moving). How do I detect?"

Original email from SpamCop:

*****************************
This IP is sending spam. Please see the partial headers I have pasted
below.

If this is your IP/server, then there are several possible causes.

Your network may be infected by a virus, worm, trojan, spyware or
other malware. You need to find the compromised machine, disconnect it,
and disinfect it.
Your network may have an insecure server being used by spammers
(often called an open relay).
Your network may have a server exploit such as an insecure cgi or
PHP script.
Your network may have an open proxy, or an SMTP AUTH issue, where
the spammer has cracked a name/password pair.

Be aware that some exploits and infections may install their own SMTP
software and send spam without using the local mailserver. Because of
the variety of ways that spammers exploit vulnerable networks, you
cannot depend on your mailserver logs to determine the source of the spam.

If this IP/server belongs to your ISP/hosting company, then you must
contact them for help. The people responsible for the server are the
only people who can find the problem and make the spam stop.

Received: from unicomglobal.com ([71.103.246.136])
by [trap servername] with ESMTP; 06 Oct 2008 19:xx:xx -0700
Date: Mon, 6 Oct 2008 18:xx:xx -0800
From: =?koi8-r?B?IuzAxM3JzMEi?= <x@x>
Subject: =?koi8-r?B?7MDCz8UgwsXa1c3T1NfPIMnT0M/MzsXOzyDaxMXT2A==?=

 
Do you have any e-mail servers on site? If not, close port 25 on your router or firewall. If so, close port 25 for all but your e-mail server and make sure it is not an "open relay". Then proceed to look for the problem computer. If you have a firewall or router with any sophistication whatsoever, you should be able to find the source of the traffic. netstat -a is not a good tool for this problem.
 

No we do not have any email servers on site. We just use pop3 email, etc.

Are you saying I need to block port 25? Isn't that a standard port for sending/recieving emails? Won't that affect internal computers trying to use email?

where do I look for this activity on my router? I have a standard linksys router.
 
If you are POPing mail, you are probably using POP3 and IMAP. If your mail is hosted with an ISP, then you should talk to them about your spam problem. Port 25 (SMTP) is probably not necessary, but you can verify that by checking in your Outlook Profile properties for your Incoming and Outgoing servers.

It's going to depend on your router model, but if you go to your Linksys web interface (probably the IP of your default gateway from "ipconfig"), there should be a tab there where you can allow/disallow certain ports and it may have a simple firewall built in as well.
 

Yes it is hosted with Verizon.

All our computers use outlook, thunderbird and have smtp set to port 25
 


oops, sorry.. our ISP is with Verizon.

We have several different email accounts here, each with different hosts. And they all use port 25 to send smtp.

Not sure how to locate the problem PC that is sending out spam

 
start perfmon.msc, press strg E, that will create a new collection set, right click the lower right windowpart, choose add indikators, under objekt choose network, choose all bytes/s in the left and ur nic in the right and select add. do that for each pc in question, close that window and run it for the day.
check wich pc has the highest max average, that should be the one spamming
 
This could give false positives and ultimately leave a trojan/virus on your network. You need to be looking at the ports from a firewall/router or sniffer. You could have multiple infected computers. You may think you've found it on one computer only to have the virus/trojan still active on your network.

What model Linksys router do you have?
 


Linksys BEFSR41 ver 2

We have AVG on all computers and have used CCleaner.com to clean all registries and temps, etc


One question I have is how to run perfmon on Windows 98?
 
The Help menu might be a place to start.

Load the program and start some network activity (surfing, downloading or uploading) and click on the tabs at the top of the window. Look under "Established" as well as the other tabs.

See how it goes on the other machines or the machine you suspect the most.

Play with it for a while.

If it doesn't help you, uninstall it.
 

Thats all fine and dandy but I still have no clue what suspicious activity looks like or how to detect if spam is being sent.
 
Suspicious activity is Network activity that can not be explained. For example, the sending of information not generated by user action. It helps to bring up the Status window available when you right-click on your usual Connection icon (near the clock, not the Port Explorer one). From there you can see "action" under the Activity section and watch the bytes or packets moving.

Port Explorer FAQ


Have you thoroughly checked your machine for malware, including running some of the online virus scanners?

Try downloading SpyBot Search and destroy
and run that.

SUPERAntiSpyware

Do the same with Hijack This, you can post the log here if you like.
 


We use AVG antivirus and they are all updated. In addition we are using Windows Firewall and Security Updates. Ccleaner for cleaning up registry and temp files. And yes, have used spybot search and destroy. Along with Lavasoft.
 
It seems to be you are either clean, and it is a false warning, or you have missed something along the malware path?

Have you fathomed out how to use the available logging in Port Explorer?

Not picking on 98, but how about running Hijack This on 98 and posting the log. Better still, run it on all your machines, but don't post all the logs here (not at once anyway) and use the self analysis site, as a guide, and only a rough guide at that, to see what it has to say.

HijackThis log file analysis
 
I am no expert on interpreting Hijack This logs, I have read the logs (via the analysis), and I notice several complain of no antivirus software running, you may like to look into this.

The good thing about Hijack This is that it saves a backup of whatever you allow it to remove, so you can always restore it if you remove something that you shouldn't.

All I can advise is that you double check the items flagged, make sure they are unnecessary (via Google etc., and your own knowledge of the systems) and then, if you are sure, proceed with the removal. You do have some Trojans listed on some machines.

These seem to be the worst machines from a malware point of view.

espie, evelyn, michelle, sionie, cecile, nelia, with minor hits on some of the others.

If your time allows you this malware removal course comes highly recommended.

Malware Removal University
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top