Problems with Spam, possible virus infestation.

[Albion]

I think I am having problems with a virus or some sort of malware sending out Spam. The reason I know something is sending something is because spamcop.net and a few others have added my companies IP to their database. My corporate anti-virus (TrendMicro OfficeScan) says that my workstations (WinXPsp2) are good, but something seems to be amiss. Is there some software I can use to find out which workstation the problem is coming from?

Any help would be appreciated.

Thanks

-Al

 

[trollacious]

There's a good chance that the spam isn't coming from your servers, but that your domain name is being spoofed by the spammers. There's not an awful lot you can do about that, though you could set up your email server with an account to catch all email with invalid email addresses for your domain (which is a typical trick used by spammers) and then look at the message to see if you can find out the real originating IP. I'm not sure what you could do with that info after that, though.

Lee

 

[Grenage]

Are you sure that your server is not an open relay?


Carlsberg don't run I.T departments, but if they did they'd probably be more fun.

 

[Albion]

I am sure the spam is coming from my network cause spamcop is showing my IP as the sources. And I am sure my server isn't an open relay.

-Al

 

[segment]

Snoop your network and see what is happening. Do you have any wireless access points unguarded? Workers bringing in their own laptops?

perl -e 'print $i=pack(c5,(40*2),sqrt(7600),(unpack(c,Q)-3+1+3+3-7),oct(104),10,oct(101));'

 

[Albion]

I am pretty sure it's one of my workstations infested with some malware that's using it as a spam gateway. I think I have found the workstation, but I am afraid that the worm may have migrated to some of my other machines. Since my anti-virus and anti-malware software didn't find it I am afraid it might be other places on my network.

Unfortunatly I know nothing about sniffers or packets or that kinda data, so any type of sniffer or snooper I might get would have to be pretty user friendly, like telling me "Workstation XXX is sending buko traffic to server YYY over port 25." Anything other then that and I'd be completely lost.

Thanks.

-Al

 

[segment]

Wireshark is as user friendly as it gets

http://www.wireshark.org/

perl -e 'print $i=pack(c5,(40*2),sqrt(7600),(unpack(c,Q)-3+1+3+3-7),oct(104),10,oct(101));'

 

[GVN]

spamcop.net wouldn't have you listed unless there is spam coming from your domain. Try this:


C:\>telnet your_mail_server.your_domain.com 25

HELO your_domain.com

MAIL FROM: fake_address@example.com

RCPT TO: MyEmailAddress@your_domain.com

DATA

Subject:Test!!!

This is a test e-mail.

QUIT

If the e-mail is accepted and goes through without errors, then your e-mail server is indeed an open relay.

GVN

 

[segment]

GVN: Depending on his network setup, if he is using NAT with one outbound address (whether internally is dynamic, PAT, etc.) Spamcop will only see his one address.

perl -e 'print $i=pack(c5,(40*2),sqrt(7600),(unpack(c,Q)-3+1+3+3-7),oct(104),10,oct(101));'

 

[GVN]

Sorry Albion, just read the updated thread. I had started writing my response at around 10 am CST, but have been away from my desk most of the day and just finished it and sent it. These guys are right on this thread, probably one of your workstations is sending spam out via the SMTP server service built into Windows 2000 and newer OS's. You could go around and disable all SMTP services on all the workstations, as none of them need it on except a dedicated e-mail server.

GVN

 

[GVN]

Or, if you have a virus on any of them it may have it's own built-in smtp server as part of the virus, which is sending out the stuff. You could block all outbound port 25 traffic on your corporate firewall from everything except the dedicated e-mail server too. The workstations do not need to use port 25 (SMTP) for anything legitimate.

GVN

 

[Albion]

I think that one machine was my problem as Spamcop is showing no activity in the last 24 hours and that machine has been off the network.

So now that leaves me questions. I am pretty diligent in keeping up to date with my security software (Trend Micro - Scanmail and Officescan). How did this malware get through and go unnoticed? How can I trust my AV/AS software if the only way I can detect this stuff is when my guys start geting e-mail bounces from their important customers?

Maybe it's time to start looking for a replacement for TrendMicro. Anyone have any suggestions?

-Al

 

[GVN]

TrendMicro is good for AV. Spyware/malware is super-hard to keep off computers and I know of no solution that is keeping it off computers 100%.

 

[segment]

I hate making recommendations, but I've been fortunate (or unfortunate depending on how one view's the dot com boom/bust) to have worked with some of the top products, CA, McAfee, TrendMicro, Norton, etc., and one product I swear by is Kaspersky's product lines (

http://www.kaspersky.com/).

They're quick with updates. Other products' companies have become too enflamed with "security" as a whole, they've seemed to lose sight of what their core focus was.

perl -e 'print $i=pack(c5,(40*2),sqrt(7600),(unpack(c,Q)-3+1+3+3-7),oct(104),10,oct(101));'

 

[RCorrigan]

I will echo Grenage et al ..... CHECK and CHECK AGAIN for an open relay ...... happened to a client of mine just last week ..... it was a legit forward at the time and not taken off when no longer needed !!!!!!!!

<Do I need A Signature or will an X do?>

 

[cmeagan656]

Use this site to test for an open relay on your mail server:

http://www.rbl.jp/svcheck.php.

Cheers.

 

[Albion]

According to that site, I do not have an open relay.

-Al