
Help! Sending spam from network!

nextdigital asked
5,585 Views
Last Modified: 2013-12-09
I have a client who continues to get blacklisted. Their ISP is getting complaints that spam is originating from their IP. I have scanned all computers on the network and the server with multiple AV and spyware scanners to no avail. I have followed all suggestions in the excellent article at http://www.amset.info/exchange/spam-cleanup.asp by Sembee. There is nothing in the queues when I delay delivery. The only thing I am seeing is firewall logs that tell me there is outgoing TCP traffic from the internal IP of my server on random ports to WAN IPs on port 80. Is it possible this spam is coming from my server to port 80? If so, how do I find what is doing it and how do I stop it?

Expert of the Year 2007
Expert of the Year 2006

Commented:
Do you send email out via a smart host? If so then you will not see the messages in the queues. You will have to turn that off to see if the server is being abused. The most common reason though is a workstation is being abused and blocking port 25 on the firewall will show which client that is.

Simon.

--
If your question has been answered, please remember to accept the answer and close the question.

Commented:
I know this is crazy, but it is common for ISPs to not read the headers of a message right. First, have the ISP send you the headers of one of the messages they are having problems with; this will give us some more info on timestamps and other valuable info that we can use to track it down. Please post the headers, or look them over and see if it is actually an IP of one of your locations, before you stress yourself out. We can find it; it just takes a little info first.

Author

Commented:
Thanks for the suggestions guys. The email is not coming out of port 25. It's definitely coming from the server and destined for port 80. The headers from the ISP show my WAN IP and reverse DNS entry.

Commented:
You might stop IIS and see if it continues. IIS is known for problems; make sure you update your system...

Commented:
If the traffic is going to port 80 then that would tend to indicate the machine has been compromised. If you have port 80 open to the internet then that was probably the start of the problem.
As already suggested, stop IIS and see if something is still responding on port 80, but I am afraid that the only sure fire way to remove any compromise is to wipe the system. Updating the server, scanning for viruses etc is useless - like changing the locks after the thief is inside. You have to wipe the machine to get rid of it.

Simon.


Author

Commented:
On further examination, the traffic coming from the server on port 80 was legitimate. However it appears that there is a computer on the network that is sending traffic from a random port to WAN IPs on port 110. There should be no POP whatsoever on the network. Could this be my spammer?

Commented:
Port 110 is the POP3 server port, so that could be something looking for a POP3 server to attack. It wouldn't be sending the messages out. The only way messages can go out and be delivered is on port 25, as that is what SMTP uses.

Simon.

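The thread's recurring advice is to read the egress firewall log by internal source address and destination port: the mail server is the only host that should originate SMTP (25) connections to the WAN, nothing on the LAN should be talking POP3 (110) outward, and the server's port 80 traffic turned out to be legitimate. The script below is an added example, not code from the thread or from Experts Exchange; it parses a constructed log in a generic `timestamp src:port -> dst:port proto action` layout (not any real firewall's format), the addresses and the `MAIL_SERVER` value are hypothetical, and `suspicious_hosts` reports every internal host other than the mail server that reaches WAN addresses on 25 or 110, with a count of distinct destinations so a single workstation fanning out to many mail servers stands out from one ordinary connection.

```python
"""Triage an egress firewall log for hosts that originate SMTP/POP3 traffic.

Added example for this thread. The log lines and addresses are constructed;
the line layout is a generic one chosen for the example, not a vendor format.
"""
import re
from collections import defaultdict

# Hypothetical addressing: only the mail server may originate SMTP or POP3
# connections to the WAN. Every other internal host doing so is a finding.
MAIL_SERVER = "192.168.1.10"
WATCHED_PORTS = {25: "SMTP", 110: "POP3"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+) (?P<action>\w+)$"
)

# Constructed sample: the server (.10) browsing on 80 and relaying on 25,
# a workstation (.57) probing several POP3 servers and one SMTP server,
# a normal HTTPS client (.23), and one malformed line.
SAMPLE_LOG = """\
2013-12-01 08:00:01 192.168.1.10:49152 -> 203.0.113.5:80 TCP allow
2013-12-01 08:00:02 192.168.1.10:49153 -> 203.0.113.6:80 TCP allow
2013-12-01 08:00:03 192.168.1.10:49154 -> 198.51.100.20:25 TCP allow
2013-12-01 08:00:05 192.168.1.57:51001 -> 198.51.100.7:110 TCP allow
2013-12-01 08:00:05 192.168.1.57:51002 -> 198.51.100.8:110 TCP allow
2013-12-01 08:00:06 192.168.1.57:51003 -> 198.51.100.9:110 TCP allow
2013-12-01 08:00:07 192.168.1.57:51004 -> 198.51.100.10:25 TCP allow
2013-12-01 08:00:08 192.168.1.23:52000 -> 203.0.113.44:443 TCP allow
this line is not a connection record
"""


def parse(log_text):
    """Yield one dict per well-formed record; lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["sport"] = int(rec["sport"])
            rec["dport"] = int(rec["dport"])
            yield rec


def summarize(log_text):
    """Per (src, dport): number of allowed TCP connections and distinct destinations."""
    conns = defaultdict(int)
    dsts = defaultdict(set)
    for r in parse(log_text):
        if r["proto"] != "TCP" or r["action"] != "allow":
            continue
        key = (r["src"], r["dport"])
        conns[key] += 1
        dsts[key].add(r["dst"])
    return {k: {"connections": conns[k], "destinations": len(dsts[k])} for k in conns}


def suspicious_hosts(log_text, mail_server=MAIL_SERVER):
    """Internal hosts other than the mail server reaching the WAN on SMTP or POP3.

    Returns {src: {"SMTP"|"POP3": {"connections": n, "destinations": k}}}.
    """
    findings = defaultdict(dict)
    for (src, dport), stats in summarize(log_text).items():
        if dport in WATCHED_PORTS and src != mail_server:
            findings[src][WATCHED_PORTS[dport]] = stats
    return dict(findings)


if __name__ == "__main__":
    for src, ports in suspicious_hosts(SAMPLE_LOG).items():
        for name, stats in ports.items():
            print(f"{src}: {stats['connections']} {name} connection(s) "
                  f"to {stats['destinations']} distinct WAN host(s)")
```

Run against a real export, the same summary makes Simon's firewall test concrete: before blocking port 25 outright, the host that shows up here with many SMTP destinations is the one to isolate first, and a host with many POP3 destinations and no legitimate mail client is worth the same look even though it is not itself delivering mail.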