Stuff Posing As Meat problem 1

acent

Technical User
Feb 17, 2006
247
US
Hello,

I got a Stuff Posing As Meat (SPAM) problem. Our domain has been reported by Spam blacklists as one that sends out spam email and I have been tasked with finding out who is sending it out.

Is there a way to find out the total messages sent by user over the course of a 24 hour period? We do have both TrendMicro and Spybot S&D on our computers.

Thanks in advance.


"If it's stupid but works, it isn't stupid."
-Murphy's Military Laws
 
Check the engines that have reported you as spammers. Often they will have some "proof" that will help you isolate the offender.

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at
Work SMARTER not HARDER. The Spider's Parlor's Admin Script Pack is a collection of Administrative scripts designed to make IT Administration easier! Save time, get more work done, get the Admin Script Pack.
 
Will take a look. Thanks.

"If it's stupid but works, it isn't stupid."
-Murphy's Military Laws
 
It is usually a client that has been compromised (deny outbound port 25 except from Exchange servers) or a server sending SMTP alerts (reconfigure to smarthost out).
 
Zelandakh said:
It is usually a client that has been compromised (deny outbound port 25 except from Exchange servers)

If a client has been compromised, would it not be using the Exchange server (and port 25) to send out the toxic mail? I'm not challenging you, Zelandakh, just trying to learn your reasoning.

Tony

Users helping Users...
 
A client also does not require using Outlook to send out email. Using CDO you can send out email without a mail client. Most companies have not locked down their SMTP servers as well as they should. If you check yours you will likely find that it is configured to allow any authenticated client to relay.

I hope you find this post helpful.

Regards,

Mark

 
Thanks for the comments! I did check the relaying and, yes, any authenticated client can relay off the Exchange. I figured that the malware would be coded to use CDO, VB, Java, etc., to send the email out.

However, if a client is relaying, would I not see a number of sent messages for a specific user in the Exchange System Manager? One of the beauties of working at a small company is that there isn't an infinite number of mailboxes. I checked every user and did not find thousands of emails being sent....

Thanks for the input.

"If it's stupid but works, it isn't stupid."
-Murphy's Military Laws
 
Zelandakh said:
Outlook can send out via other places than Exchange.

Thanks for the clarification!

Tony

Users helping Users...
 
Using CDO to relay via the Exchange server won't put emails through the system manager as it will route them straight to the SMTP relay.
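
Since relayed mail bypasses the per-mailbox counts, the 24-hour tally the original question asks for has to come from the SMTP protocol log instead. The following is an added example, not part of any post in this thread: it assumes W3C extended logging is enabled on the SMTP service, and the field layout, sample log lines and function names are all constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log. The field layout is an assumption; a real log
# declares its own layout on its "#Fields:" line, which parse() honours.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-query sc-status
2006-03-01 08:14:02 192.0.2.21 alice RCPT +TO:<bob@example.net> 250
2006-03-02 02:10:11 192.0.2.37 carol MAIL +FROM:<x1@example.org> 250
2006-03-02 02:10:11 192.0.2.37 carol RCPT +TO:<a@example.net> 250
2006-03-02 02:10:12 192.0.2.37 carol RCPT +TO:<b@example.net> 250
2006-03-02 02:10:12 192.0.2.37 carol RCPT +TO:<c@example.net> 250
2006-03-02 02:10:13 192.0.2.37 carol RCPT +TO:<d@example.net> 550
2006-03-02 08:30:00 192.0.2.21 alice RCPT +TO:<bob@example.net> 250
2006-03-02 08:31:00 192.0.2.21
"""

def parse(log_text):
    """Yield one dict per record, keyed by the names on the #Fields line."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated records
                yield dict(zip(fields, values))

def accepted_recipients(log_text, window_end, hours=24):
    """Count accepted RCPT commands per (client IP, auth user) in the window."""
    start = window_end - timedelta(hours=hours)
    counts = Counter()
    for rec in parse(log_text):
        when = datetime.strptime(rec["date"] + " " + rec["time"],
                                 "%Y-%m-%d %H:%M:%S")
        in_window = start < when <= window_end
        accepted = rec["sc-status"].startswith("250")
        if in_window and accepted and rec["cs-method"].upper() == "RCPT":
            counts[(rec["c-ip"], rec["cs-username"])] += 1
    return counts

def suspects(counts, threshold):
    """Sources at or above the threshold, busiest first."""
    return [(src, n) for src, n in counts.most_common() if n >= threshold]

if __name__ == "__main__":
    tally = accepted_recipients(SAMPLE_LOG, datetime(2006, 3, 2, 9, 0, 0))
    for (ip, user), n in suspects(tally, threshold=3):
        print(ip, user, n)
```

Counting accepted recipients rather than messages keeps a single message with a long recipient list from hiding in the totals; the threshold is site-specific and should be set from a normal day's log.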
 
Check your reverse DNS entries as well. If it doesn't check out, that can also get you blacklisted.
