James Parsons (Canada) asked:
How do I identify which computer on my network is sending spam?

Hi. Recently my client has been unable to send email to certain recipients. I found out they are on several blacklists. I'm having a heck of a time trying to identify what is causing this, though. There are 12 computers on the network. They all send mail through their ISP's SMTP server. I need to know what the best practice is to locate the computer sending out spam. All computers are running AVG 9.0 Internet Security and I've scanned using ESET online scanner and Spybot. All scans brought up a few spyware items, which I've removed, but this problem seems to be hanging around. HELP!!
darrellpcfixit:

Are you sure the SPAM is not coming from the ISP? The email could be coming from another web site hosted by the ISP. Does the block contain a range of IP addresses?
ASKER CERTIFIED SOLUTION
tkasunic81: [answer available to Experts Exchange members only]
James Parsons (asker):
I'm not sure how to check that. The process I took to establish I was on a blacklist was to:
1) Went to www.ipchicken.com from within the network and got my external IP
2) Went to http://www.mxtoolbox.com/blacklists.aspx and plugged that IP address in. I came up on 6 blacklists.

How would I know if an IP range is listed?

Thanks for your quick response.

Hi tkasunic81. I took a look at pfSense. I've seen other sorts of products like this before. Is it difficult to configure? The existing network has 12 computers, an SBS server and a Linksys router. I'm sure this solution would allow me to locate the culprit machine, but can I do that relatively simply? I don't really want to add any unnecessary complexity to the network. Thanks

Hi.
For a one-time solution you may ask for logs from the ISP's server and easily see the infected box ;)
Hi Sage444. I tried that already and they said they couldn't give me that information.
One easy way, but one that takes more time, is to run a sniffer on all boxes. I like Wireshark.org. But you may use some other and look at connections on port 25.
And the right way is to use a firewall and save logs of all network activity for some time.
Can the ISP verify the SPAM is coming from inside the site? That may save you some time.
partekitsolutions,

You are correct. pfSense can be cumbersome for new users, and it does add some "complexity" to the network. I have found that it also adds a layer of security and an ability to troubleshoot that over time will save you time and money in the long run. If you want to have control over that network, install some type of firewall with logging / port blocking capabilities.
Sudeep Sharma:
Hello partekitsolutions,
If you have a Linksys router in place and all the clients use their ISP to send the email out, I believe they are using some kind of web interface to send the email out, just like Gmail, Hotmail, Yahoo etc. So you could block access to port 25 on your router.

Also, you mentioned that you use the ISP's server to send the email out; then also check whether your router is acting as an open relay and anyone can come in and send email out using your router. I think that's the major issue which should be tackled first. Use the following websites to see if your server or router is acting as an open relay:
http://www.abuse.net/relay.html
http://www.mxtoolbox.com/diagnostic.aspx
http://www.spamhelp.org/shopenrelay/
http://www.checkor.com/

Hope that would help

Regards,
Sudeep
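What the open-relay checkers linked above actually do is a short SMTP conversation, and it helps to see it spelled out, both to understand the verdict and to read the asker's "timed out / refused" result correctly. The following is an added example, not code from the thread or from any of those sites: it connects to the WAN address on port 25, says EHLO, then offers a sender and a recipient that are both foreign to the server. A 250 in reply to that RCPT TO means the server would relay for anyone; no DATA is ever sent. The peer is injected so the exchange can be replayed offline, and the example.net / example.org addresses and the hostname are assumed placeholders.

```python
"""Probe whether an SMTP listener relays mail for third parties.

Added example (not code from the original thread; the web checkers the
thread lists do essentially this). The test is the exchange itself: after
EHLO, offer a sender and a recipient that are both foreign to the server.
A server that answers 250 to that RCPT TO will relay for anyone. The peer
is injected so the conversation can be replayed offline.
"""
import socket

# Assumption: example.net / example.org are not domains the target hosts.
PROBE_SENDER = "relaytest@example.net"
PROBE_RECIPIENT = "relaytest@example.org"
PROBE_HELO = "relaytest.example.net"


class Transcript:
    """Scripted peer for offline use: canned server replies, recorded client lines."""

    def __init__(self, replies):
        self._replies = list(replies)
        self.sent = []

    def readline(self):
        return self._replies.pop(0) if self._replies else ""

    def write(self, line):
        self.sent.append(line)


class SocketPeer:
    """Real peer over TCP with the same readline/write interface as Transcript."""

    def __init__(self, host, port=25, timeout=10):
        self._sock = socket.create_connection((host, port), timeout=timeout)
        self._file = self._sock.makefile("rw", encoding="ascii", newline="")

    def readline(self):
        return self._file.readline()

    def write(self, line):
        self._file.write(line)
        self._file.flush()

    def close(self):
        self._file.close()
        self._sock.close()


def read_reply(peer):
    """Read one (possibly multi-line) SMTP reply; return (code, last line).

    Code 0 means the peer closed the connection or did not speak SMTP.
    """
    while True:
        line = peer.readline()
        if not line:
            return 0, ""
        line = line.rstrip("\r\n")
        if not line[:3].isdigit():
            return 0, line
        if len(line) < 4 or line[3] != "-":   # "250-" continues, "250 " ends
            return int(line[:3]), line


def probe_relay(peer):
    """Return one of: no-smtp, helo-rejected, sender-rejected, relay-denied, open-relay."""
    code, _ = read_reply(peer)
    if code != 220:
        return "no-smtp"
    peer.write(f"EHLO {PROBE_HELO}\r\n")
    code, _ = read_reply(peer)
    if code != 250:
        peer.write(f"HELO {PROBE_HELO}\r\n")      # pre-ESMTP servers
        code, _ = read_reply(peer)
        if code != 250:
            return "helo-rejected"
    peer.write(f"MAIL FROM:<{PROBE_SENDER}>\r\n")
    code, _ = read_reply(peer)
    if code != 250:
        return "sender-rejected"
    peer.write(f"RCPT TO:<{PROBE_RECIPIENT}>\r\n")
    code, _ = read_reply(peer)
    peer.write("QUIT\r\n")          # never send DATA: we only want the verdict
    read_reply(peer)
    return "open-relay" if code == 250 else "relay-denied"


def probe_host(host, port=25, timeout=10):
    """Connect and run the probe. 'unreachable' (timeout or refused, which is
    what the asker saw) means nothing answers on that port from the outside,
    so the router is not relaying; it is not an SMTP server at all."""
    try:
        peer = SocketPeer(host, port, timeout)
    except OSError as exc:
        return f"unreachable ({exc})"
    try:
        return probe_relay(peer)
    finally:
        peer.close()


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe_host(sys.argv[1]))
    else:   # offline demonstration against a scripted open relay
        demo = Transcript(["220 mail ESMTP\r\n", "250 mail\r\n", "250 Ok\r\n", "250 Ok\r\n", "221 Bye\r\n"])
        print(probe_relay(demo), demo.sent)
```

Run `probe_host("<wan-ip>")` from a machine outside the network (a VPS or a home connection), not from inside the LAN: consumer routers often do not loop a connection to their own WAN address back, so an inside-out probe fails for reasons unrelated to relaying.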
Hi SSharma. Thanks for your reply. They are using Outlook to send email out, not a web interface, so I can't block port 25 on the router, or no one would be able to send normal email. We have an SBS box but are not yet using Exchange on it, so we don't have a mail server onsite. I'm not sure if I can test whether the router acts as an open relay, as when I test with the IP address on those tools they all tell me the connection timed out or was refused.

Tkasunic81: In response to your comment, would pfSense have to replace my Linksys router, or can I set it up in a way that just logs outgoing traffic to monitor that port (25)?
partekitsolutions:

I would set your router to block port 25 until you can track down whether it's an internal problem or not. If it's possible to log port 25 traffic I would do that also. You can also use a 'sniffer' loaded onto each PC to log port 25 traffic. This can be very useful in identifying which one of the PCs is sending the SPAM. This can be challenging as the RuStock (?) malware may infect several machines, generating the messages on one and using another to do the actual transmission.

Here's something that can often go undetected with the ISP. Unless you have a static IP, the ISP may change your assigned IP from time to time. You may be assigned an IP from a prior lessee of the IP that truly had the issue. When the prior lessee complains, they are just issued a new IP and their old one goes into the pool of available IPs to be assigned. I've had this happen at 2 client sites over the last year or so.
Hi Aiello. I will be applying a variety of the solutions listed above, including installing a sniffer on each machine to log port 25 traffic. I can't block port 25 traffic at this point on the router as the client still needs to be able to send mail, and currently they are able to to some addresses. The client has a static IP address.
If you have a static WAN IP address and the ISP tells you that you have a SPAM issue, then you'll have to monitor the traffic to determine which computer is sending SPAM.
SOLUTION: [answer available to Experts Exchange members only]
SOLUTION: [answer available to Experts Exchange members only]
I've chosen several solutions here. Thanks to everyone for their help. I've gone ahead and blocked port 25 on the Linksys router for outgoing traffic, and then set up Outlook to send through port 587. Thanks to Barrulus for that suggestion. I've also used NETSTAT on each machine to locate the offender. For future use I've gone ahead and downloaded pfSense to monitor outgoing traffic. Thanks for the tip on that, tkasunic81.
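The per-machine NETSTAT approach the asker settled on, and the port-25 sniffing suggested earlier in the thread, both come down to the same check: which process on which PC is opening connections to port 25, and to how many different hosts. Outlook sending through the ISP talks to exactly one host, the ISP's relay; a spam bot delivers straight to recipients' MX hosts, so it fans out to many addresses, usually from a PID that is not Outlook. The following is an added example, not code from the thread: it parses `netstat -ano` output (the Windows form, with the PID column) and reports the PIDs that reached more than one SMTP server other than the ISP's relay. The sample output and the relay address 203.0.113.10 are constructed placeholders.

```python
"""Find the process talking SMTP to many hosts from `netstat -ano` output.

Added example (not code from the original thread). Run `netstat -ano` on
each PC (or collect the output centrally), feed it in, and look at the PIDs
this flags; `tasklist /FI "PID eq <pid>"` then names the process.
"""
import os
import subprocess
from collections import defaultdict

SMTP_PORTS = {25, 465, 587}

# Assumption: the ISP's relay address. Connections to it are expected.
ALLOWED_SMTP_HOSTS = {"203.0.113.10"}

# Constructed sample of `netstat -ano` on a Windows client (documentation IPs).
# PID 2200 is the mail client on the ISP's submission port, PID 3100 the same
# relay on port 25, PID 1412 fans out to three unrelated hosts on port 25.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       796
  TCP    192.168.1.23:49160     203.0.113.10:587       ESTABLISHED     2200
  TCP    192.168.1.23:49171     198.51.100.25:25       ESTABLISHED     1412
  TCP    192.168.1.23:49172     198.51.100.88:25       SYN_SENT        1412
  TCP    192.168.1.23:49173     203.0.113.77:25        TIME_WAIT       0
  TCP    192.168.1.23:49174     192.0.2.61:25          ESTABLISHED     1412
  TCP    192.168.1.23:49180     203.0.113.10:25        ESTABLISHED     3100
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:123            *:*                                    1080
"""


def split_endpoint(ep):
    """'192.168.1.23:49171' -> ('192.168.1.23', 49171); '[::]:445' -> ('::', 445);
    '*:*' -> ('*', None). Splitting on the last colon keeps IPv6 intact."""
    host, _, port = ep.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Turn netstat -ano text into rows; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        state = parts[3] if proto == "TCP" and len(parts) >= 5 else ""  # UDP has no State
        rows.append({"proto": proto, "local": split_endpoint(local),
                     "foreign": split_endpoint(foreign), "state": state,
                     "pid": int(parts[-1])})
    return rows


def smtp_peers_by_pid(rows, allowed=ALLOWED_SMTP_HOSTS):
    """Map PID -> sorted distinct foreign hosts reached on an SMTP port,
    excluding the ISP relay. Listening sockets drop out because their
    foreign port (0) is not an SMTP port. Windows reports PID 0 for
    TIME_WAIT sockets, so those cannot be attributed to a process."""
    peers = defaultdict(set)
    for r in rows:
        host, port = r["foreign"]
        if r["proto"] != "TCP" or port not in SMTP_PORTS or host in allowed:
            continue
        peers[r["pid"]].add(host)
    return {pid: sorted(hosts) for pid, hosts in peers.items()}


def suspects(rows, allowed=ALLOWED_SMTP_HOSTS, min_hosts=2):
    """PIDs that reached at least `min_hosts` different SMTP servers: a mail
    client talks to one relay; direct-to-MX delivery talks to many."""
    return {pid: hosts for pid, hosts in smtp_peers_by_pid(rows, allowed).items()
            if len(hosts) >= min_hosts}


def local_netstat():
    """Live `netstat -ano` on Windows; the constructed sample elsewhere."""
    if os.name == "nt":
        return subprocess.run(["netstat", "-ano"], capture_output=True,
                              text=True, check=True).stdout
    return SAMPLE_NETSTAT


if __name__ == "__main__":
    for pid, hosts in suspects(parse_netstat(local_netstat())).items():
        print(f"PID {pid}: {len(hosts)} SMTP peers -> {', '.join(hosts)}")
```

A single snapshot can miss a bot that sends in bursts, so run it a few times over an hour, or loop `netstat -ano` into a file and parse the whole file. Once the router blocks outbound 25 and Outlook submits on 587, as the asker did, the picture gets simpler still: any process still trying port 25 is a suspect, and the router's own log (or pfSense's) shows which LAN address is making those attempts.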
No problem, glad I and the other people on here could help.
Based on this (and I cannot remember myself) http://exchangepedia.com/blog/2007/01/exchange-2007-content-filter-whitelist.html I think you may not be able to whitelist a domain.
You can however try to whitelist the IP addresses of their MX entries.

Use nslookup to find the MX hosts.
nslookup
set q=mx
domainname.com

You can then get their IPs with a normal lookup.

As this is not particularly reliable, I would get the message into the users mailbox and view the headers from there and add the correct IP's into the IP whitelist.
my apologies - wrong window :)