[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 594
  • Last Modified:

Tracking SPAM on network

Hey fellahs,

We're having a small spamming issue here.  I tried seeing if we could do SMTP filtering through our ISP, but it's a service they no longer do because of legal issues.  Is there a way of tracking spam.  I'm trying to find out which workstation it is coming from.

Also, what software do you all recommend for spam blocking.
0
warriorfan808
Asked:
warriorfan808
  • 6
  • 6
  • 4
  • +1
3 Solutions
 
ECNSSMTCommented:
if you are implying that the spam is coming from a workstation interna to your network, you've got a little bit more in problems than just spam.  You may have the added issue of compromised PCs, virus, trojans, etc.

If you are looking at external sources as I assume from your post; you are better off investing the time and effort getting a good anti-spam product.  I recommend looking at www.gfi.com.  

The tracking is easy enough.  Just take a look at the internet headers associated with each email (not the display name seen on the top of every email ).

However, finding out where they come from; Russia, Korea, known associates (victims of malicious intent themselves), or well known spam sites  does not entirely solve your problem.  Knowing the immediate source will at least enable you to notify the immediate source that they are a source of spam.  Leaving the rest to the source email admins to solve this issue.

Just in case; www.dnstuff.com has a utility that may help "Spam Database lookup" to see if you are being spam from an identified site.

Note that many anti-spam apps uses blacklist sites to block spam with an updated list of known spam sites.

Regards,
0
 
warriorfan808Author Commented:
I believe it's an internal thing.  I have antivirus running on all the workstations and configured them to update and run once a day.  I probably need to get some type of program that can monitor the AV so I know if it has found anything.  I'm using AVG Network Edition.
0
 
aseusaincCommented:
My suggestion would be to monitor your network for port 25 traffic and see where it's coming from that way.
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
aseusaincCommented:
Oh yeah, something to accomplish said task might be helpful as well:  http://www.ethereal.com

If your entire network is switched, the easiest thing to do would be to hub a PC along with your router.


    Internet
         |
         |
     Router
         |
         |
       HUB
    |-------|
  LAN      PC running Ethereal
0
 
warriorfan808Author Commented:
Thanks man.  I actually have a copy of Knoppix STD that I can use.  I also contacted Grisfoft (they own AVG ) to see what I can do about SPAM.

Truthfully, I don't get any SPAM at all.  In fact, I don't know anyone here that does.  The owner gets a crap load of Spam and thinks that we're transmitting the stuff.  He's a really smart guy, so I'll look into something if he says to.  Personally, I think he might have some viruses on his laptop.  I guess I'll find out for sure after running ethereal.

0
 
ECNSSMTCommented:
so what are the symptoms?  

sadly the quickest way to stop the spread of the this malware; it may be best to quarantine the suspect PCs and try to isolate the program that is sending out email.  

I'm surprised that the local Anti-virus didn't catch it, but try this online anti-virus http://housecall.trendmicro.com/

(The ethereal product is a pretty good sniffer; if your switches can do port mirroring; it can save you from putting in a hub)

Regards,
0
 
ECNSSMTCommented:
actually reading your last post; I am beginning to suspect that it may be external after all.  

If only one person is getting the these emails and no one else is; its counter to the idea of a site being infected.  Instead, there is the possibility that your boss may have (in the best case scenario) left his email address at legitimate businesses and those businesses may have farmed out his email address to "everyone and their relatives".    In the worse case scenario, your boss could have gone to one questionable website and/or download something that is just subjecting your boss's PC to many unsolicited emails.

I am now suspecting that this is a small enough operation that may have its email hosted by an ISP.  If this is so, I'm surprised by the above comment that the ISP doesn't at least block SPAM by blacklists; many of the residential ISPs are doing so.  If this is the case, after you isolate the issue; you may want your boss to change email address as it may be on some list somewhere in the world.  Something like johndoe@yahoo.com to johnbdoe@yahoo.com.

(oh, if its only one computer that's infected and you still want to play around with ethereal; I'd say just install it on the suspect computer provided your boss gives his consent to do so)

Of I'm wrong and you are supporting your own email server, you may want to look at an anti-spam product.

Regards
0
 
warriorfan808Author Commented:
We're getting our email server hosted by Media Temple.  I called up Road Runner to see if I they did do any SMTP filtering and they said that it was a service they offered but due to legal issues, they stopped doing it.  I do know that there are ISPs that still do it though.  In our office in Washington, I had to configure their clients to use the ISPs SMTP instead of Media Temples.  Wasn't a big deal.  How many people are actually going to read the header anyway?  I was hoping to do the same with Road Runner, but I guess it's not an option.

I doubt I'll get a shot at installing ethereal on his laptop.  I mean, I hardly ever go on that thing.  It's the only workstation on the network that I don't work on.  He's a really smart guy and I think he'd rather do it himself.  He's got an EE and an MBA, along with a whole bunch of other stuff that I wish I had.  Good thing I'm on the same Switch as him.  I should be able to do this on a switch right?  

I'm glad we don't host an Exchange Server.  I took some classes in Exchange Server 2003 and even ran my own server from home, but that's a little too much responsibility to put on my plate.  Well, until I finally graduate from college, then who knows.

Glad I ran into this site.  Good to see so many knowledgeble people helping each other.  I originally came on here to get help with my programming assignments, but now I get to use it to help me with work too.
0
 
ECNSSMTCommented:
if its a managed switch, there's a good chance it has port mirroring capabilities.  You'll just have to find the docs on it (and if you don't mind posting the brand and model number; I like to see myself)

But now knowing that its all being done offsite; I doubt you will find malicious traffic on your network related to this issue.  It sounds like he is the only user on the Media Temple hosting service per your domain name that is having this issue...  

Can I doublely verify that YOU and your associates (with the exception of your boss) are not recieving spam on your hosted email service?

(But just in case I'm wrong, and ethereal is fun to play with, you can set up ethereal and see the traffic flow)

Next biggest thing will be working with Media Temple to see what kind of fix can be put in place.  If your boss's email address is on some list out there in the world and talking to Temple Media doesn't pan out; it may just be easier to change his email address like I stated above; if you boss has not objections to that.

Regards
0
 
NetAdmin2436Commented:
Is his email posted ANYWHERE on a website? possibly a forum/blog...ect....

A LARGE (mindblowing)  percentage of spam comes from an email address posted to a website. If it is....remove it quickly and/or encode the email address  in the web page.

Spammers have automated programs that will search the internet for email addresses and add it to there database. If so, it is next to impossible to stop the spam (without a good antispam program like GFI or UTM device like watchgaurd or sonic gaurd with antispam).

Hope this helps
0
 
NetAdmin2436Commented:
BTW-
I have both GFI and watchgaurds X500. We get probably 4K spam emails a day.....99 percent or better (haven't really had the need to verify the absolute number) are blocked by the X500 or GFI.

we USED to have a few email addresses posted on our website (uncoded).....the emails we DID have posted recieve BY FAR recieve the most spam that I see in the log files, which is now automatically deleted.
0
 
warriorfan808Author Commented:

Thanks for all the help guys.  I want to distribute the points now, but I really want to work on this with you guys some more.  It's not everyday I got guys that know their stuff to get advise from.

Could you give me an example of an automated program?  I really want to show the owners, which all have spam problems but none as much as the owner, exactly why and how they are being spammed.

Also, how do I know whether or not the email address is encoded?  Is this sort of like href in HTML?

To answer ECN, it seems all the guys that would post their email online have problems.  Namely our four top guys.  I do know that a few of them have written articles in many newspapers and their email address was there in plain site.  No one else seems to get SPAM.

As for ethereal, yeah I love using that thing.  First started using it in my TCP/IP class.  We had to go through the packet: read the frame; header; etc...  Later we started using ethereal and were like, "why in the hell did we go through all this when this was out there for us?".  I guess it's a good thing we went through it because it gave me a strong idea on how a packet travels through a network.

0
 
aseusaincCommented:
Warriorfan:

Just making sure I understand the scenario properly...

Boss man who uses a laptop complains to you that he is getting a lot of spam.  He also notes to you that HE believes it's coming from INSIDE your own network?

You are currently using an ISP that does not allow port 25 traffic in or out other than via their own SMTP server?

If this is the correct scenario, the odds are that the spam is not coming from inside.  The reason being is that

A) Even if you had an open relay, noone could get to it as the ISP is locking down port 25.
B) If it were a virus of sort, they primarily use their own SMTP engine to send mail directly.

The first thing you want to do is take a look at a handful of these mails and check the headers and truely see where it is coming from.  I'm guessing this guy just got his address put on a bunch of sold lists.  As for being able to sniff across a switch, only if it's a managed switch.  For me, my infrastructure was built before I was hired, and thus we dont have managed switches, therefore, I just use a cheapo netgear hub and tie things together where I need to do some sniffing, do what I need to, then put it back on the switch.  If you have a firewall, you MAY be able to see what you need to see in it's logs.


If this is really the case, and it's just a bunch of spam from internet spammers, you may be stuck in your current configuration.  Your ISP is handling your mail, and they dont do any sort of filtering.  There are products that will filter mail for POP3 clients, and it may be your only choice.

The other avenue is to see if the ISP offers upgrade to business class, which will allow port 25 traffic.  Get an intermediary like GFI and run an Exchange server.  It's not nearly as daunting as you think.

As for spam filters, I've used the plugin for WatchGuard firewalls AND GFI both at the same time and it still doesn't hold a candle to what I'm using now...SonicWall (formerly sold as Mail Frontier).

To put spam in perspective for you, my top 3 recipients who have more than likely used their work email address all over the internet, have had over 3 MILLION spams stopped since 1/1/06.
0
 
ECNSSMTCommented:
There are many ways to harvest email addresses; the easiest is just taking it off of websites that freely give it out; so these guys are victims of there own willingness to give out their email addresses.  In light of how public these addresses are; these users may consider obtaining a 2nd "private" account which will be given to specifc individuals instead of the world.

(Note Yahoo in light of many more involved email harvesting techniques have reconciled to partially hide any correspondence's address; instead of johndoe@yahoo.com it may be j...@yahoo.com.  And that is just the visible precaution)

email address encoding??  Could you clarify that?  The standard is to have a fqdn email (fully qualified domain name email e.g. johnd1234@yahoo.com) and a display name (e.g. Doe, Johnnie ) that can be used by the mail clients to personalize the address to something that this more understandable by people.

Regards
 
0
 
NetAdmin2436Commented:
Here's a little basic chart about spam and where it comes from.
http://www.cdt.org/speech/spam/figure1.gif

As far as the encoding... here is what i'm talking about http://www.wbwip.com/wbw/emailencoder.html
Advanced automated programs have probably cracked stuff like this, but it helps to do this if you must have an email address online.
Here's another...
http://w2.syronex.com/jmr/safemailto/

For the automated programs spammers use, I don't know of the names of any of them personally; however they do exist. I'm sure if you google for them you'll come across a few of them, be very careful searching for stuff like this, viruses may await. These programs are basically "spider" program that searches websites and looks for 'mailto:' or *@*.com.

http://www.private.org.il/harvest.html.

Some more good sites about spam
http://www.mindworkshop.com/alchemy/nospam.html
http://www.stentorian.com/antispam/
http://spamlinks.net/prevent.htm
0
 
warriorfan808Author Commented:
aseu:  Thanks for joining in with the help.  Almost got the whole story, but we don't use our ISPs email server.  We have another company handling this for us.  As for our connection, Road Runner Business Class.  I'm not too worried about running an Exchange Server.  I actually had one running from home for a while.  However, I'm just one guy getting paid peanuts.  Trust me man.  If I told you how much I get paid, you'd laugh your ass off.  Kinda wish I got a job working with someone more experienced so I could learn the tricks of the trade.  Oh well, good thing I hooked up with this site.

ECN and NetAdmin:

Thanks for the help and links, I'm going to try them out now.  Before I make this go longer, maybe I should just make another thread asking someone for those type of programs.  I feel pretty bad, I wish I could give both of you the full 500 points.



0
 
NetAdmin2436Commented:
Glad we could help!

I was in your shoes a few years ago...just out of college and started working for a small company maintaining the network with virtually NO direction and little pay. As long as you are intrigued with computers and are willing to continually learn and research, you'll do just fine.

Don't feel bad about who to give points to on Experts-exchange (EE). I can't speak for everyone, but i just throughly enjoy helping others with what i learned along the way. Your in a community of people that are passionate at what they do on the computer and choose to help others for their personal reasons. Points are just numbers.
0
 
ECNSSMTCommented:
life is cool, I'm having fun...

Regards,
0
 
aseusaincCommented:
Don't sweat it, you know what they say, "experience is the best teacher!"
0
 
warriorfan808Author Commented:
Don't sweat it, you know what they say, "experience is the best teacher!"

Haha... after reading that, I couldn't help but to think of, "Mrs. Robinson"
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

  • 6
  • 6
  • 4
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now