Spam Bot on network

polizei11
So recently my client has been listed on a couple of Blacklists including Spamhaus and CBL.

CBL informs us that it looks like we have the Storm Spam Bot on our network.

I've done some searching and have taken a couple of initial steps. My firewall/router is set to block all outbound SMTP traffic not coming from our Exchange Server's IP. (My router is a Netgear UTM10.)

The logs do not show any firewall activity that is being blocked by the firewall (making me think the SpamBot is on the Exchange server).

What other software can I use to find this bot and remove it (or the machine)?

Thanks!
Commented:
Do a netstat -n on your Exchange server and see if there are a lot of connections from one particular host.
Alan Hardisty, Co-Owner
Top Expert 2011
Commented:
Please have a read of my article about messages in your queues that you did not send. You could be an authenticated relay and my article will help you identify the account(s) that have been abused:
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2556-Why-are-my-outbound-queues-filling-up-with-mail-I-didn't-send.html 

Author

Commented:
Did netstat -n

all of the connections that are on our local subnet are showing the internal IP of the exchange server (there are a couple from other IP mostly servers)

The rest are external IPs but none that show up all over the place

Commented:
Run a thorough virus scan on your Exchange server.

Author

Commented:
I have run a LOT of virus scans on ALL machines over the weekend, did find some viruses (pulling the machines today) but nothing on the Exchange server.

Author

Commented:
OK, did netstat again (without the -n so I could use interval) and I saw more results; one computer has about 7 connections to the Exchange server. Is this abnormal?
Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
Have you read my comment or are you just conversing with mattvmotas?

Author

Commented:
Yes, I read your comment. You are the only one who has mentioned netstat, so my last post was a question to you.

Author

Commented:
alanhardisty, just following up on the netstat question: is 7-8 connections abnormal?

Also, I read the article you posted. Looking in my queue, it does look like we are suffering from an Authenticated Relay attack; however, I am using Exchange 2010 and cannot find the Diagnostics Logging tab.

Could you please assist?
Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
I have not mentioned netstat. I mentioned being an authenticated relay and pointed you to my article to see if that is the problem.
Have you got messages in your queues that your users did not send and are not from Postmaster?

Author

Commented:
Sorry Alan, long day got confused!

Yes, there are messages my users did not send and/or are not from Postmaster, but from addresses such as 784510267@(mydomain).org.
Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
Okay - missed the Exchange 2010 part. Sorry. Diagnostic logging won't be as per my article.
MalwareBytes - www.malwarebytes.org - is a good tool and should detect the Storm Bot, but Microsoft suggest using the Malicious Software Removal Tool:
http://www.microsoft.com/security/malwareremove/default.aspx
Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
Long day - tell me about it ; )
Ah! In that case, please install a trial of Vamsoft ORF - www.vamsoft.com and when configuring, set the logs to record all details.
Once active, it should show the inbound mail-flow from authenticated users. You can use the date / time of the logon to cross-reference the Security Logs and identify the abused email account that is being used to send out spam.
Change the password for that account and then restart the Transport Service.

Author

Commented:
I ran MalwareBytes on the Exchange server; it did not find anything.

Is there a way in Exchange 2010 that I can find the account that this attack is abusing?
Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
Your last question was answered by my last post - we are crossing posts : )

Author

Commented:
Hate it when that happens :)

Installing ORF now, will post results.

Author

Commented:
So ORF is installed and recording now, but one thing you said confused me a little:

 "it should show the inbound mail-flow"

Is this only going to check the inbound mail?
Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
Nope - it records everything in and out.
The logs are brilliant and easy to filter / sort.

Author

Commented:
I must have done something wrong then, because I just sent mail from here to somewhere else and it did not show up in the log, only the stuff coming in.
Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
Have you refreshed the logs (Press F5)?

Author

Commented:
Yes sir

Author

Commented:
The number of messages is increasing; it is showing in real time, just only showing inbound.
Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
If you filter the logs on the "Filtering Point = Non-Filtering" (View, Filter, Add Rule), then you should see the outbound emails.

Author

Commented:
The only filtering options I see are for Before Arrival and Upon Arrival. I just cannot seem to find what you are having me look for! :)
Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
Here is what I see on my copy of Vamsoft:
[Screenshot attached: Filtering-Point.jpg]

Author

Commented:
Thanks for the screenshot. From that I found out that I needed to filter AFTER I ran the log.

Thanks I'll use this to monitor over the next day and I'll post my findings.

Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
Ah, good. Keep an eye on the Sender column and, if you have Non-Filtering mail with senders not on your domain, that will be the spammer.
Look for the first entry in the log and then see if the account is listed. If not, check your Security logs for the same date/time and see which AD account is being abused.
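The cross-reference Alan describes (implausible senders in the submission log, then the Security log to find which AD account authenticated at that time) can be scripted in the Exchange 2010 Management Shell. This is an added example, not from the thread or from Vamsoft; it assumes the Hub Transport role is on the local server, that the domain is the placeholder `example.org`, and it relies on the fact that SMTP AUTH logons land in the Security log as event 4624 with Logon Type 8 (NetworkCleartext).

```powershell
# Added example (not from the thread). Exchange 2010 Management Shell, run on the
# Hub Transport server. "example.org" is a placeholder for the real domain.
$domain = "example.org"
$since  = (Get-Date).AddHours(-24)

# 1. Messages accepted over SMTP in the last 24 h, counted per sender address.
#    An abused authenticated relay shows up as many submissions "from" addresses
#    like 784510267@example.org that belong to no real mailbox.
$bySender = Get-MessageTrackingLog -EventId RECEIVE -Start $since -ResultSize Unlimited |
    Where-Object { $_.Source -eq "SMTP" -and $_.Sender -like ("*@" + $domain) } |
    Group-Object Sender |
    Sort-Object Count -Descending

"Top submitting sender addresses (constructed thresholds, tune to your volume):"
$bySender | Select-Object -First 10 Count, Name | Format-Table -AutoSize

# 2. The tracking log does not record which AD account authenticated, so look at
#    the Security log: 4624 / Logon Type 8 events in the same window, grouped by
#    account and source IP. One account with thousands of logons from an IP you
#    do not recognise is the abused credential.
$xpath = "*[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= 86400000]]" +
         " and EventData[Data[@Name='LogonType']='8']]"
$logons = Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ([xml]$_.ToXml()).Event.EventData.Data
        New-Object PSObject -Property @{
            Account  = ($d | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
            SourceIp = ($d | Where-Object { $_.Name -eq 'IpAddress' }).'#text'
            When     = $_.TimeCreated
        }
    }

"SMTP-style (Logon Type 8) logons by account and source IP:"
$logons | Group-Object Account, SourceIp |
    Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize

# 3. Remediation as in the thread: reset the abused account's password, then restart
#    transport so sessions already authenticated with the old password are dropped.
# Set-ADAccountPassword -Identity <abused-account> -Reset
# Restart-Service MSExchangeTransport
```

The first logon for the abused account in step 2 should line up with the first bogus sender entry in step 1; if the two windows do not overlap, widen `$since` and the XPath timediff together.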

Author

Commented:
Found the account and subsequent computer!
I was able to suspend all suspicious email in the queue, and overnight no suspicious mail was sent or stuck in the queue! We have also been delisted from the major blacklist as well.

Thank you for all your help!

One other question before I award you the solution (only because then no one can respond!): I have suspended the bad email in the queue, but it will not let me delete the messages from the queue. Any suggestions?
Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
There should not be a reason for not being able to delete the bad mail. You should be able to easily get rid of it, but you may see more come in before it all goes.
You can add a smarthost to your default SMTP Connector and put the smart-host as [99.99.99.99], which means the mail will go nowhere, then change the SMTP Virtual Server retry intervals (all of them) to 1 minute, which should time out the emails fairly quickly.
If you can tell everyone to stop sending mail for a while until the queues empty, then put back the retry intervals to default settings, remove the smart-host and let your users loose on email again.
If you have frozen the queue, you will have to unfreeze it to be able to delete it.
Any problems - please shout.
Alan
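The queue clean-up Alan outlines (unfreeze a suspended queue, then remove the suspended spam without generating NDRs) maps onto standard Exchange 2010 queue cmdlets. Added example, not from the thread; it assumes the spam was submitted "from" addresses on the placeholder domain `example.org` and that the commands run on the Hub Transport server holding the queues.

```powershell
# Added example (not from the thread). Exchange 2010 Management Shell on the Hub
# Transport server. "example.org" is a placeholder for the real domain.
$domain = "example.org"

# 1. Freeze anything still queued that matches the bogus-sender pattern so no more
#    of it leaves while the rest is inspected. Suspending messages is reversible.
Get-Message -ResultSize Unlimited -Filter { FromAddress -like "*@$domain" } |
    Suspend-Message -Confirm:$false

# 2. A queue that was frozen as a whole blocks Remove-Message on its contents, which
#    is the symptom in the thread. Resume the queue (its messages stay suspended).
Get-Queue | Where-Object { $_.Status -eq "Suspended" } | Resume-Queue -Confirm:$false

# 3. Delete the suspended messages WITHOUT NDRs: an NDR per spam message would itself
#    be a burst of outbound mail to forged addresses and could prolong the listing.
Get-Message -ResultSize Unlimited -Filter { Status -eq "Suspended" } |
    Remove-Message -WithNDR $false -Confirm:$false

# 4. Check what is left. Remote delivery queues that still hold mail to domains you
#    do not recognise mean the abused account is still submitting (see the thread's
#    note that more may arrive until the password reset and transport restart land).
Get-Queue | Where-Object { $_.MessageCount -gt 0 } |
    Format-Table Identity, DeliveryType, Status, MessageCount -AutoSize
```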

Author

Commented:
Thanks, I got the queue clean (I think it still shows some of the domains but no messages), so I think we're OK. I did see some that showed bad mail from this morning (which worries me that I did not get rid of the bot), but we'll see.

Thanks for all your help!
