I'm sending spam, help me!

rettiseert
Hello

I have a Windows 2003 server running hMailServer, and about 120 Windows XP/Vista/7 users are sending email through it using SMTP. It seems that in the past few days we have been infected with something, 'cos now we are in spam blacklists and the hMailServer logs indicate that we are sending messages with typical spam subjects from non-existent accounts.

This is a very serious problem for us, so I'm thinking of two possibilities:

1- Install some kind of sniffer on all the 120 desktop clients in order to detect (and fix) which of them are using SMTP protocols intensively.

or

2- Get some kind of antispam software for the server (hMailServer on Windows 2003), one that not only filters incoming messages, but most importantly, one that may prevent our server from sending messages that seem to be spam.

I think that the best would be to do both things, but I do not know what programs to use. It would be great if you could suggest some software capable of doing this (I mean, generate log files about desktop SMTP protocol use, and also prevent the server from processing outgoing spam messages). It would be even better if you can suggest something free.

Also, do you know what else I can do to solve this problem?

Thank you!!!

Hello,

Does your server allow relaying without authentication? If so, turn authentication on and configure your clients to use authentication.

JJ
Hi,

Do you have a copy of a spam that was sent out? It might be worth looking at the full headers to see if the 'from' address is just being impersonated. The spam sending script will be authenticating with your server in some way, and so will have hijacked someone's (or more?) machines and be using their credentials. Might be worth seeing if there is a pattern in the times of the emails as well, always out of hours for example.

I'd recommend sending out a SpamAssassin and Malwarebytes install to all clients to try and stem the flow for now though...

Thanks
AdministratorTools_Net
Just looked at a few more options from http://www.hmailserver.com/index.php?page=functionality. Looks like by default it's preconfigured to accept authentication and no relay settings. I'd follow the guide to re-enable these settings and thus stop the issues.

Then install Malwarebytes and SpamAssassin as per my first comment.

Thanks
AdministratorTools_Net

Author

Commented:
Hello jjmck, what do you mean by authentication? My server asks for a user name and password. Do you mean SSL authentication? If so, I do not know how to do it. Do I need to buy some kind of certificate?

Author

Commented:
Hi AdministratorTools_Net, the spam our server is sending is from many random/unknown/non-existent accounts/names; the problem is not the email address but the IP of our server.
Alan Hardisty (Co-Owner)

Commented:
Please have a read through my FAQ for this sort of problem - it might be of some use:
http://www.it-eye.co.uk/faqs/readQuestion.php?qid=4 

Author

Commented:
Thanks alanhardisty, but we do not use MS Exchange.
Alan Hardisty (Co-Owner)
Commented:
Ah - sorry. Small oversight!
You should be able to install and use Wireshark to identify the rogue machines and then use Malwarebytes (as previously recommended) to clean up.
www.wireshark.org
www.malwarebytes.com

Small point to note with Wireshark: it will crash after 2 GB log files! It will still monitor, but it will not output to a log file any more.
Commented:
After you clean your infected computers, rescan your MX record (http://www.mxtoolbox.com/blacklists.aspx) and if it's still listed, you may need to fill in a de-listing form and wait for some time.

1) You need to review the FW's policies and deny any outbound connection to port 25 from all clients except mail server(s) / antispam appliance.

2) AV products are not perfect, and any zero-day worm/virus can bypass them easily without any problem.

3) You need to submit any suspicious samples to your antivirus vendor for analysis and build new definitions if they are needed.

4) The following checklist is your best friend to fight spam-bots and keep your MX record away from blacklists:

1) Authorized servers only: Allow only your authorized mail server or anti-spam solution (e.g. IronMail/IronPort/Barracuda, etc.) to send SMTP (tcp/25) traffic outside your network. Otherwise, you'll face the blacklisting penalty and it will take a while to clear your IP.

2) Don't leave the Wi-Fi LAN un-firewalled: I found many customers who got blacklisted because they forgot to secure the Wi-Fi LAN and allowed any traffic to leave. They didn't calculate the risk of infected laptops. Start with allowing common protocols such as HTTP/HTTPS/POP3, turn on AV scanning, DPI (Deep Packet Inspection), Web Filtering (e.g. SurfControl).

3) Know your traffic: You should be aware of every inbound/outbound bit in your network. There are a lot of solutions which will sniff and study the type of generated traffic on the wire, so you can get a full picture of what's going on at the moment. Check the following vendors and their solutions:

http://www.arbornetworks.com/
http://www.genienrm.com/
http://www.narus.com/
http://www.lancope.com/
http://www.flukenetworks.com/

4) MX reputation monitoring: This is a very nice way for early warning before they blacklist your IP. These monitoring services will evaluate the "reputation" level and warn you. For instance, http://www.mxtoolbox.com/services_servermonitoring.aspx

5) Antivirus & HIPS: I don't need to discuss this point too much. Many MX blacklisting incidents happened due to a computer left without an antivirus scanner installed. So, always scan your network and push the AV client. Don't allow untrusted laptops to use your network unless they are protected and clean. Some companies follow the rule of: keep your laptop off, we will give you ours! HIPS is an excellent layer of defense that complements the AV scanner.

6) FW/Router Logs: You need to enable logging of any rule that allows outbound SMTP traffic, so you can later check the source of any suspicious spam traffic from inside-to-outside.

You should use a combination of sniffers and port scanners to detect spam bots. Check the following:

1) Wireshark, download it from (http://www.wireshark.org/download.html)

You need to connect it to a managed switch with the support of monitoring port (Cisco calls it SPAN). Or use a Hub. The last option is to use a network TAP (http://en.wikipedia.org/wiki/Network_tap) from some vendor like NetOptics (http://www.netoptics.com/products/product_family.asp?cid=1).


2) Another sniffing tool is Tcpick (linux based), download it from (https://sourceforge.net/projects/tcpick/).

Here is how to sniff port 25:

#tcpick -i eth0 -C -bCU -T1 "port 25"

3) Nmap is the best port scanning tool, download it from (http://nmap.org/download.html)

Here is how to scan for port 25 (replace 202.21.192.1/24 with your network range):

#nmap -sS 202.21.192.1/24 -p 25

4) TCPDump is another good sniffer, download it from (http://www.tcpdump.org/)

Here is how to sniff port 25:

#tcpdump -i eth0 port 25
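
As an added example (not code from any poster in this thread), here is a small Python script in the spirit of the "FW/Router Logs" and "Know your traffic" points above: it parses firewall accept-log lines for tcp/25 connections, ignores traffic from the authorized mail server and from clients submitting mail to it, and reports internal hosts talking directly to outside mail servers, with a count of out-of-hours connections (the "pattern in the times" idea from earlier in the thread). The log line format, the mail server address 192.168.1.10 and the office hours are assumptions; the sample log lines are constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in an assumed generic firewall "accept" log format;
# adjust LINE_RE to your firewall's real format.
SAMPLE_LOG = """\
2010-05-03 02:14:07 ACCEPT TCP 192.168.1.57:49152 -> 203.0.113.5:25
2010-05-03 02:14:09 ACCEPT TCP 192.168.1.57:49153 -> 198.51.100.7:25
2010-05-03 02:14:12 ACCEPT TCP 192.168.1.57:49154 -> 192.0.2.9:25
2010-05-03 02:14:15 ACCEPT TCP 192.168.1.57:49155 -> 203.0.113.5:25
2010-05-03 09:02:31 ACCEPT TCP 192.168.1.23:50021 -> 192.168.1.10:25
2010-05-03 09:03:02 ACCEPT TCP 192.168.1.10:51234 -> 203.0.113.5:25
2010-05-03 09:10:44 ACCEPT TCP 192.168.1.31:50112 -> 203.0.113.5:25
"""
# Assumption: 192.168.1.10 is the hMailServer box, the only host allowed to reach outside MXs.
AUTHORIZED_MAIL_SERVERS = {"192.168.1.10"}
OFFICE_HOURS = range(7, 19)  # assumption: 07:00-18:59 is normal working time
LINE_RE = re.compile(r"^(\S+ \S+) ACCEPT TCP (\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):25$")

def parse_smtp_connections(log_text):
    """Yield (timestamp, src_ip, dst_ip) for every accepted tcp/25 connection in the log."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2), m.group(3)

def find_direct_senders(log_text, authorized=AUTHORIZED_MAIL_SERVERS, min_connections=3):
    """Report internal hosts that connect straight to outside mail servers (a spam-bot trait).

    Traffic from an authorized server, or to one (clients submitting mail), is legitimate and
    skipped. Returns {src: {"connections", "distinct_destinations", "out_of_hours"}}.
    """
    conns, out_of_hours, dests = Counter(), Counter(), defaultdict(set)
    for ts, src, dst in parse_smtp_connections(log_text):
        if src in authorized or dst in authorized:
            continue
        conns[src] += 1
        dests[src].add(dst)
        if ts.hour not in OFFICE_HOURS:
            out_of_hours[src] += 1
    return {
        src: {"connections": n, "distinct_destinations": len(dests[src]),
              "out_of_hours": out_of_hours[src]}
        for src, n in conns.items() if n >= min_connections
    }

if __name__ == "__main__":
    for host, stats in sorted(find_direct_senders(SAMPLE_LOG).items()):
        print(f"{host}: {stats}")
```

On the constructed sample only 192.168.1.57 is reported: four direct connections to three different outside mail servers, all at 02:14, which is exactly the pattern a bot on a desktop leaves and a normal client never does.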

Author

Commented:
Hello

My spam issue is solved; the main problem was in a PHP mail script on our website that was being used by spammers to send email using our server.

However, I learned from your suggestions.

Thanks

Author

Commented:
I didn't know that spammers could use a PHP page to send email through our server. I hope somebody would mention that in order to figure out the reason sooner.

Commented:
Great news and thanks for the points :)
