Mass mailing trojan behind NAT firewall: how do I find the infected system?

Posted on 2009-04-23
Last Modified: 2013-11-22
I have a mass mailing trojan on one of my network's workstations.
Is there something I can use to scan for SMTP or port 25 usage by IP?

Question by: criket08
    LVL 3

    Assisted Solution

    Try Nmap or Zenmap (the GUI).

    Or Nessus; you need to buy the professional version for work use.

    If you have access to the firewall, you may be able to write a rule that says: drop all SMTP traffic EXCEPT for your mail servers. Then log all the dropped entries and hopefully find the IP it is coming from.

    LVL 1

    Expert Comment

    Give Trojan Remover or Spyware Doctor a try... these tools are a professional's choice for hunting backdoor trojans.
    LVL 15

    Accepted Solution


    The following checklist is your best friend to fight spam-bots and keep your MX record away from blacklists:

    1) Authorized servers only: Allow your authorized mail server or anti-spam solution (e.g. IronMail/IronPort/Barracuda, etc.) to send SMTP (tcp/25) traffic outside your network. Otherwise, you'll face the blacklisting penalty and it will take a while to clear your IP.

    2) Don't leave the Wifi LAN un-firewalled: I found many customers who got blacklisted because they forgot to secure the Wifi LAN and allowed any traffic to leave. They didn't calculate the risk of infected laptops. Start with allowing common protocols such as HTTP/HTTPS/POP3, turn on AV scanning, DPI (Deep Packet Inspection) and Web Filtering (e.g. SurfControl).

    3) Know your traffic: You should be aware of every inbound/outbound bit in your network. There are a lot of solutions which will sniff and study the type of traffic generated on the wire, so you can get a full picture of what's going on at the moment. Check the following vendors and their solutions:

    4) MX reputation monitoring: This is a very nice way to get an early warning before they blacklist your IP. These monitoring services will evaluate the "reputation" level and warn you. For instance,

    5) Antivirus & HIPS: I don't need to discuss this point too much. Many MX blacklisting incidents happened due to a computer left without an antivirus scanner installed. So, always scan your network and push the AV client. Don't allow untrusted laptops to use your network unless they are protected and clean. Some companies follow the rule of: keep your laptop off, we will give you ours! HIPS is an excellent layer of defense that complements the AV scanner.

    6) FW/Router Logs: You need to enable logging on any rule that allows outbound SMTP traffic, so you can later check the source of any suspicious spam traffic from inside to outside.

    A Symantec Certified Specialist @ your service
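    Items 1 and 6 of the checklist above, together with the firewall-rule idea from the assisted solution, as one worked example. This is an added example, not code from anyone in the thread; it assumes a Linux iptables firewall forwarding between the LAN on eth1 and the Internet on eth0, a single authorized mail server at 10.0.0.25 (all placeholders), and the log lines it parses are constructed to follow the iptables LOG format.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes a Linux/iptables
# firewall forwarding between the LAN (eth1) and the Internet (eth0), and
# that 10.0.0.25 is the only authorized mail server; both are placeholders.
MAIL_SERVER="10.0.0.25"
LAN_IF="eth1"

# Checklist items 1 and 6: permit outbound SMTP only from the mail server,
# log everything else (rate-limited so a bot cannot flood syslog), then
# drop it. Needs root; nothing below calls this function automatically.
apply_smtp_egress_rules() {
    iptables -A FORWARD -i "$LAN_IF" -p tcp --dport 25 -s "$MAIL_SERVER" -j ACCEPT
    iptables -A FORWARD -i "$LAN_IF" -p tcp --dport 25 \
        -m limit --limit 10/min --limit-burst 20 \
        -j LOG --log-prefix "SMTP-EGRESS-DROP "
    iptables -A FORWARD -i "$LAN_IF" -p tcp --dport 25 -j DROP
}

# Finding the infected host: read kernel LOG lines on stdin, keep the
# SMTP-EGRESS-DROP ones, and count dropped connection attempts per internal
# source address, busiest first. Output lines: "<count> <src>".
top_smtp_talkers() {
    grep 'SMTP-EGRESS-DROP' \
    | sed -n 's/.*SRC=\([0-9.]*\).*DPT=25 .*/\1/p' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2 }'
}

# Constructed sample log lines in the shape iptables LOG produces (real
# lines carry more fields; the parser only relies on SRC= and DPT=).
SAMPLE_LOG='Apr 23 10:01:02 fw kernel: SMTP-EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.0.0.57 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=49152 DPT=25 SYN
Apr 23 10:01:02 fw kernel: SMTP-EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.0.0.57 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=49153 DPT=25 SYN
Apr 23 10:01:03 fw kernel: SMTP-EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.0.0.57 DST=192.0.2.44 LEN=60 PROTO=TCP SPT=49154 DPT=25 SYN
Apr 23 10:01:05 fw kernel: SMTP-EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.0.0.112 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=51000 DPT=25 SYN
Apr 23 10:01:06 fw kernel: OTHER-RULE IN=eth1 OUT=eth0 SRC=10.0.0.99 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=51001 DPT=80 SYN'

# Usage against a real firewall log instead of the sample:
#   grep SMTP-EGRESS-DROP /var/log/kern.log | top_smtp_talkers
printf '%s\n' "$SAMPLE_LOG" | top_smtp_talkers
```

    The top line of the output is the workstation to pull off the network first; the rate limit on the LOG rule matters because an active bot can generate thousands of SYNs per minute and would otherwise bury every other log entry.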
    LVL 15

    Expert Comment

    First of all, I would recommend blocking all outbound traffic to port 25 except from your mail/antispam servers. Because there is no need to leave this big threat open.

    You should use a combination of sniffers and port scanners to detect spam bots. Check the following:

    1) Wireshark.

    You need to connect it to a managed switch that supports a monitoring port (Cisco calls it SPAN), or use a hub. The last option is to use a network TAP from a vendor like NetOptics.

    2) Another sniffing tool is tcpick (Linux based).

    Here is how to sniff port 25 (run as root; eth0 is the interface to listen on, -C colours the output and -b displays the captured payload):

        tcpick -i eth0 -C -bCU -T1 "port 25"

    3) Nmap is the best port scanning tool.

    Here is how to scan for port 25 (replace <network range> with your own network range; -sS is a SYN scan and needs root):

        nmap -sS -p 25 <network range>

    4) TCPDump is another good sniffer.

    Here is how to sniff port 25 (run as root):

        tcpdump -i eth0 port 25

    A Symantec Certified Specialist @ your service
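    The sniffer approach above, as an added example rather than code from the comment: a tcpdump filter that keeps only the first packet of each outbound SMTP connection from anything other than the mail server, and an awk pass that ranks internal hosts by how many distinct destinations they tried to reach on port 25. That fan-out is the pattern a spam bot shows (dozens of MX hosts) and a normal mail client does not (one or two relays). The mail server address 10.0.0.25, the capture interface eth0 and the sample capture lines are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original thread). Passive approach for when
# the firewall cannot be changed: capture on a SPAN/mirror port or the
# inside interface and look for one internal host opening SMTP connections
# to many different destinations. 10.0.0.25 (legitimate mail server) and
# eth0 (capture interface) are placeholders.
MAIL_SERVER="10.0.0.25"
CAP_IF="eth0"

# Capture only the first packet of each outbound SMTP connection (SYN set,
# ACK clear) from anything that is not the mail server. -n avoids reverse
# DNS lookups, -l line-buffers so the output can be piped, -c stops after
# 1000 matching packets so the awk END block gets to run. Needs root.
capture_smtp_syns() {
    tcpdump -n -l -c 1000 -i "$CAP_IF" \
        "tcp dst port 25 and tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn and not src host $MAIL_SERVER"
}

# Read tcpdump -n output on stdin and print, per internal source, how many
# distinct destination hosts it tried to reach on port 25, largest first.
# Output lines: "<distinct_destinations> <src>".
smtp_fanout() {
    awk '
        # tcpdump -n line: <time> IP <src>.<sport> > <dst>.<dport>: Flags [S], ...
        $2 == "IP" && $4 == ">" {
            src = $3; sub(/\.[0-9]+$/, "", src)                       # drop source port
            dst = $5; sub(/:$/, "", dst); sub(/\.[0-9]+$/, "", dst)   # drop ":" and dest port
            if (!((src, dst) in seen)) { seen[src, dst] = 1; fanout[src]++ }
        }
        END { for (s in fanout) print fanout[s], s }
    ' | sort -rn
}

# Constructed sample in tcpdump -n output format: 10.0.0.57 hits three
# different servers (one of them twice), 10.0.0.112 hits one.
SAMPLE_CAP='10:01:02.000001 IP 10.0.0.57.49152 > 203.0.113.10.25: Flags [S], seq 1, win 29200, length 0
10:01:02.000900 IP 10.0.0.57.49153 > 198.51.100.7.25: Flags [S], seq 2, win 29200, length 0
10:01:03.000100 IP 10.0.0.57.49154 > 192.0.2.44.25: Flags [S], seq 3, win 29200, length 0
10:01:03.500000 IP 10.0.0.57.49155 > 192.0.2.44.25: Flags [S], seq 4, win 29200, length 0
10:01:05.000000 IP 10.0.0.112.51000 > 203.0.113.10.25: Flags [S], seq 5, win 29200, length 0'

# Live usage:  capture_smtp_syns | smtp_fanout
# Or save with "tcpdump -w smtp.pcap ..." and replay: tcpdump -n -r smtp.pcap | smtp_fanout
printf '%s\n' "$SAMPLE_CAP" | smtp_fanout
```

    Counting distinct destinations rather than raw packets keeps a legitimate host that retries one relay many times from outranking the bot; retransmitted SYNs to the same server collapse to a single entry.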


    Author Closing Comment

    Thanks for all the help....
