Our router keeps sending spam 2


msworld (MIS), Jun 28, 2005
One of our clients has a spam issue. Their ISP told them that their router keeps sending spam to the Internet. If they don't stop it, the ISP will stop the services. Where should we start to troubleshoot it?

Bob Lin, MS-MVP, MCSE & CNE
How to Setup Windows, Network, VPN & Remote Access on
 
I sincerely doubt it's their router. I'd guess that your client's router is performing NAT for a non-routable address space on your client's network. Your client probably has virus-infected or zombified machines that are sending out email, and after the NAT operation going through the router to the internet every one of those packets looks like it's coming from an IP address at the router.

I would block all SMTP outgoing except from your mail server. I would also start sniffing the network to see which machines are sending out the SMTP traffic.

Want the best answers? Ask the best questions!

TANSTAAFL!!
 
Hello,

Forgot to give more details. There is only one Windows 2000 server as DC and two other workstations. The server is running TS for 20 users to access. The server also runs FT and IIS. No Exchange or any mail server running.

1. If the server is not a mail server, can it be used as an open relay?
2. Should they block SMTP outgoing even if they don't have a mail server?
3. I can have them turn off the workstations to test it.

Thank you.

Bob Lin, MS-MVP, MCSE & CNE
 
Hi Bob - I agree w/sleipnir214, I doubt it is the router. For an ISP to contact a client, they must be seeing a ton of traffic. More than likely your client is running some form of NAT so all outbound (including SMTP) traffic will appear to be from the router vs an individual computer. IMHO sounds like one of the PCs has been compromised. A couple of suggestions:

Sniffer
If you can get on their network w/a sniffer you'd be able to capture data packets pretty quick to see which machine is sending SMTP traffic.

Visually - confirm at the switch
I know this sounds ol'school, but it can help sometimes. If you have access to their switch, and they have LEDs that show activity, usually any PC that is sending tons of traffic will show their LED with almost a continuous blink/on status. Could help you track down the PC.

OpenRelay - SMTP engines
Many viruses/malware come with their very own built-in SMTP engines. If one of those PCs is infected (including the server), the first thing those viruses do is attempt to propagate to the internet - it may have its own address book or try to copy the PC's address book.

5 by 5
You could turn 5 PC off at a time, and see if the SMTP traffic stops. However, without a monitor it would kinda be hard to tell if the SMTP traffic has actually stopped.

At the PC -
While at the PC, I would ensure each has the latest AV definitions and AntiSPAM/Adware definitions and do a full sweep/scan. Also Ctrl+Alt+Del to see if there's anything odd running in the processes. Usually SMTP engines will load here and can be identified.

Disable outbound SMTP
As sleipnir214 suggested you could turn this port off at the router. This could be helpful and may suffice to keep the ISP happy while you discover exactly where the issue is originating inside that network.

Good luck.
 
1. Which sniffer do you recommend?
2. There are only two computers, one is server for TS access and another is workstation.
3. They use Symantec anti-virus. So far no virus found.
4. They have a Netgear TR314 router. I am not sure we can close the port. If we do close the outbound SMTP, can the users send email using Outlook Express?
Thank you.

Bob Lin, MS-MVP, MCSE & CNE
 
If there are only 2 machines & there's enough traffic for the ISP to be concerned, you should be able to easily 'see' which machine it is by looking at the lights on the router.
 
Which sniffer do you recommend?
Ethereal is good, and is free under the GPL.

You'd just tell it to capture traffic, and any SMTP packets that aren't from your email server are a sure sign.

Chip H.


____________________________________________________________________
If you want to get the best response to a question, please read FAQ222-2244 first
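To make the sniffer step above concrete: once a capture has been taken on the LAN side of the router (Ethereal or tcpdump -w), the question is simply which inside address is opening connections to TCP port 25, ignoring the one host that is supposed to send mail. The script below is an added example, not code from this thread or from the Ethereal project; it parses a classic libpcap file directly and tallies new TCP/25 connections (SYN without ACK) per source. The capture it analyses is constructed in-line with documentation IP ranges (192.168.0.x inside, 203.0.113.x / 198.51.100.x outside) so it runs offline; the addresses and the idea that 192.168.0.2 is the legitimate mail sender are assumptions for the example.

```python
"""Find which LAN host is opening SMTP (TCP/25) connections in a packet capture.

Added example, not code from the thread. Behind NAT every outbound SMTP
connection reaches the ISP with the router's address, so capture on the LAN
side and count new TCP connections to port 25 per inside source address.
Any source other than the site's mail server is a spam-bot candidate.
"""
import struct
from collections import defaultdict

SMTP_PORT = 25
TCP_SYN, TCP_ACK = 0x02, 0x10


def smtp_senders(pcap, mail_server=None):
    """Return {src_ip: set(dst_ip)} for every new TCP/25 connection (SYN, no ACK).

    `pcap` is the raw bytes of a classic libpcap file (what Ethereal/tcpdump -w
    write). `mail_server` is the one inside address allowed to send mail; its
    connections are skipped so only unexpected senders remain.
    """
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a libpcap capture")
    linktype, = struct.unpack_from(endian + "I", pcap, 20)
    if linktype != 1:  # DLT_EN10MB: only Ethernet captures are handled here
        raise ValueError("only Ethernet captures are handled here")

    senders = defaultdict(set)
    offset = 24  # first record header follows the 24-byte global header
    while offset + 16 <= len(pcap):
        _, _, caplen, _ = struct.unpack_from(endian + "IIII", pcap, offset)
        frame = pcap[offset + 16:offset + 16 + caplen]
        offset += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4, or too short to hold an IP header
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6 or len(ip) < ihl + 20:
            continue  # not TCP, or TCP header truncated
        src = ".".join(str(b) for b in ip[12:16])
        dst = ".".join(str(b) for b in ip[16:20])
        tcp = ip[ihl:]
        dport, = struct.unpack_from("!H", tcp, 2)
        flags = tcp[13]
        if dport == SMTP_PORT and flags & TCP_SYN and not flags & TCP_ACK:
            if src != mail_server:
                senders[src].add(dst)
    return dict(senders)


def _syn_frame(src, dst, sport, dport):
    """Build a minimal Ethernet/IPv4/TCP SYN frame (constructed sample data)."""
    ip_src = bytes(int(o) for o in src.split("."))
    ip_dst = bytes(int(o) for o in dst.split("."))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, TCP_SYN, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     ip_src, ip_dst)
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    return eth + ip + tcp


def sample_capture():
    """Constructed capture (assumed addresses): the workstation 192.168.0.10
    sprays SYNs at several outside mail hosts, the server 192.168.0.2 makes one
    connection to its provider's relay, plus one ordinary web request."""
    frames = [
        _syn_frame("192.168.0.10", "203.0.113.5", 3001, 25),
        _syn_frame("192.168.0.10", "203.0.113.17", 3002, 25),
        _syn_frame("192.168.0.10", "203.0.113.42", 3003, 25),
        _syn_frame("192.168.0.2", "198.51.100.25", 4001, 25),  # server -> ISP relay
        _syn_frame("192.168.0.10", "203.0.113.80", 3004, 80),  # web traffic, ignored
    ]
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    body = b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
    return header + body


if __name__ == "__main__":
    hits = smtp_senders(sample_capture(), mail_server="192.168.0.2")
    for src, dsts in sorted(hits.items()):
        print(f"{src} opened SMTP connections to {len(dsts)} hosts: {sorted(dsts)}")
```

On a real capture, replace `sample_capture()` with `open("lan.pcap", "rb").read()`. A host that touches many different port-25 destinations in a short time is the typical signature of a built-in spam engine; a legitimate mail server or desktop client normally talks to one relay.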
 
Hi again Bob - I'm sorry, when I saw 20 users I assumed 20 PCs. In answer to your questions:
1 - I agree w/Chip. Grab Ethereal for your sniffer.
2 - Unplug one and watch the lights. If one is still blinking like crazy, there's the culprit.
3 - Good.
4 - Here's a quick link that details how ports/rules are created and edited w/that NetGear 4 port router: (look towards the bottom of the page) >> HERE <<
-- and yes, if outbound SMTP is blocked at the router, no email will exit their system.

Good Luck.
 
The ability to selectively block traffic based on the machine sending it is one reason to buy commercial-grade routers. The consumer-grade ones typically are all-or-nothing (if even that!)

Chip H.
 
I work at an ISP and we shut down one user who then sent his two computers, router and cable modem to us to check. Turned out his router was multicasting. We plugged it into the network with no computers connected to it and within 10 minutes the traffic out of it was causing major issues again.
It was a no-name brand router (I did not get to see exactly what make or model, but it was not one of the bigger names). The computers had trojans which we cleaned off, but a router can cause some major traffic if something goes wrong with it.
 
If you're running IIS then you have SMTP installed on the server! It's part of the install process, at least in Win2000. It's also possible that your website has been hijacked for sending spam, if you have an unsecured e-mail feedback form that users fill out. Did you make sure the entire IIS server isn't in the router's DMZ? If so then it might be an open relay.

If the ISP truly said spam, then that means e-mail. Routers don't do that. Multicasting or something could certainly cause problems for the ISP, but that wouldn't get out to the internet, just to the ISP.
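The open relay question raised above (the IIS SMTP service sitting in the router's DMZ) can be settled directly rather than guessed at. The script below is an added example, not code from this thread or from any vendor; it performs the same check a relay scanner does: connect, claim a sender at an outside domain, ask to deliver to a recipient at another outside domain, and see whether RCPT TO is accepted. No message is sent, since the session is reset and closed before DATA. So that it runs offline, it starts a toy SMTP listener in-process (constructed, not a real mail server) in both an open-relay configuration and a restricted one; the domain names, addresses and `LOCAL_DOMAINS` value are assumptions for the example.

```python
"""Check whether an SMTP service relays mail for third parties (open relay).

Added example, not code from the thread. A properly configured server accepts
RCPT TO only for its own domains (or from authenticated/allowed clients); an
open relay accepts any recipient and spammers will find and use it.
"""
import smtplib
import socket
import threading

LOCAL_DOMAINS = {"example.com"}  # domains the toy server delivers for (assumed)


def toy_smtp_server(open_relay):
    """Start a minimal SMTP listener on 127.0.0.1 and return its port.

    With open_relay=False it accepts RCPT TO only for LOCAL_DOMAINS, which is
    what a correctly restricted mail service does; with True it takes anything.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def session(conn):
        with conn, conn.makefile("rb") as rfile:
            conn.sendall(b"220 toy.example.com ESMTP\r\n")
            for raw in rfile:
                line = raw.decode("ascii", "replace").strip()
                verb = line.split(" ", 1)[0].upper()
                if verb in ("HELO", "EHLO"):
                    conn.sendall(b"250 toy.example.com\r\n")
                elif verb == "MAIL":
                    conn.sendall(b"250 OK\r\n")
                elif verb == "RCPT":
                    domain = line.rsplit("@", 1)[-1].rstrip(">").lower()
                    if open_relay or domain in LOCAL_DOMAINS:
                        conn.sendall(b"250 OK\r\n")
                    else:
                        conn.sendall(b"550 5.7.1 Unable to relay\r\n")
                elif verb == "QUIT":
                    conn.sendall(b"221 Bye\r\n")
                    return
                else:  # RSET, NOOP and anything else the probe might send
                    conn.sendall(b"250 OK\r\n")

    def accept_loop():
        while True:
            conn, _ = srv.accept()
            session(conn)

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]


def accepts_recipient(host, port, sender, rcpt):
    """True if the server at host:port accepts RCPT TO for `rcpt` from `sender`.

    The envelope is reset before the connection is closed, so nothing is queued.
    """
    with smtplib.SMTP(host, port, local_hostname="relaytest", timeout=5) as s:
        s.helo("relaytest")
        code, _ = s.mail(sender)
        if code != 250:
            return False
        code, _ = s.rcpt(rcpt)
        s.rset()
        return 200 <= code < 300


def is_open_relay(host, port):
    """Relay probe: sender and recipient are both at domains the server does
    not host (assumed .test addresses). Acceptance means it relays for anyone."""
    return accepts_recipient(host, port, "probe@attacker.test", "victim@other.test")


if __name__ == "__main__":
    for mode in (True, False):
        port = toy_smtp_server(open_relay=mode)
        print(f"toy server (open_relay={mode}) on port {port}: "
              f"relays for strangers = {is_open_relay('127.0.0.1', port)}")
```

Against a real server, call `is_open_relay` with the DMZ host's address and port 25 from outside the LAN; a 250 to the outside recipient is the finding the ISP would also see. Run it from inside as well, because a server that relays for any LAN address is exactly what a compromised workstation behind the same NAT needs.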
 