Solved

Spyware VS Spambots

Posted on 2011-02-13
Last Modified: 2013-11-22
Hi All,

Our company's network seems to have been hit by a spambot; in other words, something is using our mail server as an SMTP relay and spoofing mail, which is clogging our mail server.

We are able to resolve the issue but it seems to reoccur.

We run Eset Nod32 Antivirus 4 and it has not been able to pick up the offending PC/server (yes, it has the latest definitions). In the user manual, it says it detects and treats viruses and spyware.... Are spambots spyware or viruses, or are they classified as their own threat? In other words, do I need software that specialises in spambots?

I called Eset tech support and the guy was clueless, so I am hoping someone here can lend some assistance.

Regards
0
Question by:Network_Padawan
19 Comments
 
LVL 9

Assisted Solution

by:dauman
dauman earned 60 total points
ID: 34885215
I hope you have a small network instead of a large one.
Either your problem is coming from 1 or 2 computers inside your network (probably) or it is someone from the outside using your SMTP server as a relay.

Step 1) On your (I'm assuming Exchange) Exchange server, enable logging.
http://www.msexchange.org/tutorials/Exchange-2003-Message-Tracking-Logging.html
Keep in mind, logging can take up some space, so make sure you have 10-20 GB available for that.

Step 2) Disable SMTP relay.
http://www.petri.co.il/preventing_exchange_2000_2003_from_relaying.htm


Step 3) Examine the logs to find out what IP/CPU is doing the spamming (unless you already know).

Once you identify the problem computer or computers, I would run ComboFix and TDSSKiller on them until they read clean.
Also, I would run SUPERAntiSpyware on them just to be on the safe side.

0
 

Author Comment

by:Network_Padawan
ID: 34885319
hi dauman,

Do you have the Exchange 2007 version of this?

Also, do I really want to stop relaying? Don't I want the local LAN and 127.0.0.1 to be able to relay mail?
0
 

Author Comment

by:Network_Padawan
ID: 34885330
Also, in the receive connector, which is (from what I've read) where the relay happens....

This is the configuration....

Use these local IP to receive mail

All available IPV4 address 587

Receive mail from remote servers that have these IP addresses

0.0.0.0 - 255.255.255.255

Should I lock this down to the local LAN only and 127.0.0.1?
0
 

Author Comment

by:Network_Padawan
ID: 34885377
Also, I've enabled verbose logging for both send and receive connectors... will this show me which IP SMTP mail is being routed from? I would like to see the source IPs of who's connecting, to see which has the most connections (in this way, during attacks, I can see which IP is doing this).
0
 
LVL 2

Expert Comment

by:AmbientIT
ID: 34885543
Depending on your network and what firewall you have, I like to disable outbound port 25 for all IPs except for the mail server and any other servers/devices that are supposed to send mail outside the network. Your firewall logs may help as well.
0
 
LVL 29

Expert Comment

by:Sudeep Sharma
ID: 34892459
Check if the IP of your Exchange server is an open relay:

http://www.checkor.com/

Sudeep
0
 

Author Comment

by:Network_Padawan
ID: 34892509
Hi Ambient, but what if some spambot is using the mail server as a relay to send mail.... Surely that means the rule you just suggested on the firewall would be void.
0
 
LVL 2

Expert Comment

by:AmbientIT
ID: 34892582
Correct. It would only help if another server/computer was being used as the relay or spambot.
0
 

Author Comment

by:Network_Padawan
ID: 34892728
Well, I'm really stuck... I've checked the firewall logs and I see outside IPs connecting into our mail server, obviously using it as a relay.

The SMTP server is configured to only allow the LOCAL LAN and 127.0.0.1 to relay mail.... so how are these people able to route mail?

I'm confused....
0
 
LVL 29

Expert Comment

by:Sudeep Sharma
ID: 34892757
So did you check for the open relay?

Sudeep
0
 

Author Comment

by:Network_Padawan
ID: 34892931
Hi Ssharma,

Did you read my post above yours? We use MDaemon, not Exchange. On MDaemon, we only allow local LAN IPs and 127.0.0.1 to relay. That's it.
0
 
LVL 2

Accepted Solution

by:AmbientIT
AmbientIT earned 190 total points
ID: 34892964
Like SSharma said, have you verified that you are an open relay using:
MXToolbox
http://mxtoolbox.com/diagnostic.aspx

Manually, with some instructions on how to deal with it if you are:
http://www.amset.info/exchange/smtp-openrelay.asp

Here are instructions on how to set your server up to relay; this might help you understand the process a little better and verify what settings ALLOW relaying.
http://www.petri.co.il/authenticated-or-anonymous-smtp-relay-with-exchange-2007.htm
0
 

Author Comment

by:Network_Padawan
ID: 34893385
These are the results:


smtp:mail.nepeangroup.com     smtp    
220 nepeaneng.com.au ESMTP MDaemon 7.1.2; Tue, 15 Feb 2011 12:32:30 +1100


 OK - 165.228.143.254 resolves to nepean19.lnk.telstra.net
 Warning - Reverse DNS does not match SMTP Banner
 0 seconds - Good on Connection time
Not an open relay.
1.154 seconds - Good on Transaction time

Session Transcript:
HELO please-read-policy.mxtoolbox.com
250 nepeaneng.com.au Hello please-read-policy.mxtoolbox.com, pleased to meet you [187 ms]
MAIL FROM: <supertool@mxtoolbox.com>
250 <supertool@mxtoolbox.com>, Sender ok [187 ms]
RCPT TO: <test@example.com>
550 <test@example.com>, Recipient unknown [203 ms]


See, it says NOT an open relay....
0
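The MXToolbox transcript above is a three-step relay probe: HELO, MAIL FROM, then RCPT TO for a recipient the server does not host; a 2xx reply to that RCPT TO means the server will relay for anyone, a 5xx means it refused. The following Python is an added example, not part of the thread and not MXToolbox's or MDaemon's code. It parses a transcript of that shape and classifies it, and it can run the same exchange live with smtplib against a mail server you administer. The transcript text, hostnames and addresses (probe.example.org, example.com, example.net) are constructed stand-ins. One caveat the verdict cannot express: a refusal of this anonymous probe says nothing about a sender who presents valid credentials with AUTH, which is a separate thing to check in the server's logs.

```python
"""Classify an SMTP relay probe, offline from a transcript or live via smtplib.

Example-only code. The sample transcript, hosts and addresses are constructed.
"""
import re
import smtplib

# Constructed transcript, shaped like an MXToolbox "Session Transcript" but
# with example names. The 550 on RCPT TO is the refusal we want to see.
SAMPLE_TRANSCRIPT = """\
HELO probe.example.org
250 mail.example.com Hello probe.example.org, pleased to meet you [187 ms]
MAIL FROM: <probe@example.org>
250 <probe@example.org>, Sender ok [187 ms]
RCPT TO: <test@example.net>
550 <test@example.net>, Recipient unknown [203 ms]
"""

# A server reply starts with a three-digit code followed by a space or '-'.
REPLY_RE = re.compile(r"^(\d{3})[ -]")


def parse_transcript(text):
    """Return [(client_command, reply_code, reply_line), ...].

    Client lines do not start with a reply code; the next reply line is paired
    with the most recent client line. Replies with no preceding command (the
    220 banner, for instance) are ignored.
    """
    steps = []
    pending = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = REPLY_RE.match(line)
        if m and pending is not None:
            steps.append((pending, int(m.group(1)), line))
            pending = None
        elif not m:
            pending = line
    return steps


def relay_verdict(steps, local_domains):
    """'open' if a RCPT TO for a non-local domain got a 2xx reply, 'closed' if
    it was refused, 'inconclusive' if the transcript never tried an external
    recipient (accepting mail for your own users is delivery, not relaying)."""
    for cmd, code, _ in steps:
        if not cmd.upper().startswith("RCPT TO"):
            continue
        addr = cmd.split("<", 1)[-1].rstrip(">").strip()
        domain = addr.rsplit("@", 1)[-1].lower()
        if domain in local_domains:
            continue
        return "open" if 200 <= code < 300 else "closed"
    return "inconclusive"


def probe_relay(host, local_domains, port=25, helo="probe.example.org",
                sender="probe@example.org", recipient="test@example.net",
                timeout=15):
    """Run the same HELO / MAIL FROM / RCPT TO exchange against `host` (a
    server you administer) and return (verdict, steps). RSET is sent at the
    end so no message is ever queued."""
    steps = []
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        code, msg = s.helo(helo)
        steps.append((f"HELO {helo}", code, msg.decode(errors="replace")))
        code, msg = s.mail(sender)
        steps.append((f"MAIL FROM: <{sender}>", code, msg.decode(errors="replace")))
        code, msg = s.rcpt(recipient)
        steps.append((f"RCPT TO: <{recipient}>", code, msg.decode(errors="replace")))
        s.rset()
    return relay_verdict(steps, local_domains), steps


if __name__ == "__main__":
    parsed = parse_transcript(SAMPLE_TRANSCRIPT)
    print(relay_verdict(parsed, {"example.com"}))  # closed
```

`probe_relay("mail.example.com", {"example.com"})` performs the live check; the offline functions are what the transcript-only path uses. A server that accepts RCPT TO and only rejects at DATA would still read as "open" here, which is the conservative direction for a defender.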
 

Author Comment

by:Network_Padawan
ID: 34901986
Any update guys?
0
 
LVL 2

Expert Comment

by:AmbientIT
ID: 34902059
"We are able to resolve the issue but it seems to reoccur." Tell me what you do to stop it, at least temporarily.

Are you using Exchange 2007 in conjunction with MDaemon?

I don't have a clear picture of what server software you are using and how you have come to the conclusion that your server is indeed being used to send out spam.
0
 

Author Comment

by:Network_Padawan
ID: 34903687
Hi Ambient,

OK, mail comes into MDaemon; that email is then forwarded to Exchange 2007. People connect via IMAP to Exchange for their mail.

This was a legacy setup. We are soon going to get rid of MDaemon, but for now I need to fix this.

What I am seeing is the following:

Spoofed email addresses clogging the mail queue in MDaemon, sending emails to external unknown email accounts. I see remote connections from foreign IPs; I go into the router and see that EXACT IP making connections to our mail server on port 25.

When I block these IPs in the MDaemon software, the problem goes away for a few hours, then we are attacked from different IPs. So I am constantly managing mail, and in the morning I find over 90,000 non-legitimate mails which I need to clean up, weeding out legit from non-legit mail.

I thought it might be an internal spambot on some device; however, seeing these external IPs tells me differently. This is the 7th day of this crap and I just want it to end. I have tried everything I know, even cleaning every PC on the domain.

Any advice on something I am missing would be appreciated.

Regards



0
 

Author Closing Comment

by:Network_Padawan
ID: 34939253
I was able to stop the spamming by blocking over 50 specific IPs. I still don't understand how anyone was able to relay off the mail server, considering only internal IPs were allowed to use the server to send mail.

Either way I am allocating points, but if Ambient IT is able to comment one last time on my last post, I would be grateful.

Thanks
0
 
LVL 2

Expert Comment

by:AmbientIT
ID: 34939348
Sorry, my wife had a baby this week so things got a little hectic.

If you aren't an open relay, the only other option that I can think of is that they have a username and password that allows them to send mail. I am not sure what tools you have or log files you could look through to determine this. Not sure if all your users can authenticate to use MDaemon in some way, but if they are, one of them might have a weak password that has been cracked, or possibly a system account?
0
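Two questions in this thread come down to reading the SMTP logs: the asker wanted to see which source IPs open the most connections (dauman's step 3), and AmbientIT's closing theory is that a cracked account is being used to authenticate and relay. The Python below is an added example, not the poster's or MDaemon's code, that answers both from a connector log. The log format is constructed for the example and is not MDaemon's or Exchange's real format; adapt LOG_RE to whatever your verbose connector log actually emits. The LAN ranges and the local mail domain are assumptions. The telltale pattern for a compromised credential is one account authenticating successfully from several unrelated external addresses in quick succession, while sessions from those addresses get external recipients accepted.

```python
"""Triage SMTP connector logs for relay abuse.

Answers three questions:
  1. Which source IPs open the most SMTP sessions?
  2. Which accounts authenticate from many distinct external IPs
     (the cracked-password pattern)?
  3. Which sessions from outside the LAN had external recipients accepted?

Example-only code. The log format, LAN ranges and local domain below are
constructed assumptions, not MDaemon's or Exchange's real format.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample log (not from a real server). One event per line:
#   <date> <time> <source ip> CONNECT
#   <date> <time> <source ip> AUTH <account> OK|FAIL
#   <date> <time> <source ip> RCPT <recipient> <reply code>
SAMPLE_LOG = """\
2011-02-15 02:10:01 203.0.113.7 CONNECT
2011-02-15 02:10:02 203.0.113.7 AUTH jsmith OK
2011-02-15 02:10:03 203.0.113.7 RCPT victim1@example.net 250
2011-02-15 02:10:03 203.0.113.7 RCPT victim2@example.org 250
2011-02-15 02:11:40 198.51.100.23 CONNECT
2011-02-15 02:11:41 198.51.100.23 AUTH jsmith OK
2011-02-15 02:11:42 198.51.100.23 RCPT victim3@example.net 250
2011-02-15 02:12:10 203.0.113.7 CONNECT
2011-02-15 02:12:11 203.0.113.7 AUTH jsmith OK
2011-02-15 02:12:12 203.0.113.7 RCPT victim4@example.net 250
2011-02-15 08:30:00 192.168.1.55 CONNECT
2011-02-15 08:30:01 192.168.1.55 RCPT partner@example.org 250
2011-02-15 08:31:00 198.51.100.99 CONNECT
2011-02-15 08:31:01 198.51.100.99 RCPT test@example.com 550
2011-02-15 08:32:00 198.51.100.99 CONNECT
2011-02-15 08:32:01 198.51.100.99 AUTH jsmith FAIL
"""

LOCAL_DOMAINS = {"example.com"}  # assumed: domains this server hosts
LAN_NETS = [ipaddress.ip_network("192.168.0.0/16"),
            ipaddress.ip_network("127.0.0.0/8")]  # assumed: ranges allowed to relay

LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<ip>\S+) (?P<event>CONNECT|AUTH|RCPT)"
    r"(?: (?P<arg>\S+))?(?: (?P<result>\S+))?$"
)


def parse_log(text):
    """Yield one dict per parsable line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()


def is_lan(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)


def connections_by_ip(events):
    """Top talkers: number of sessions opened per source IP."""
    return Counter(e["ip"] for e in events if e["event"] == "CONNECT")


def auth_sources(events):
    """account -> set of IPs that authenticated successfully as it."""
    sources = defaultdict(set)
    for e in events:
        if e["event"] == "AUTH" and e["result"] == "OK":
            sources[e["arg"]].add(e["ip"])
    return sources


def suspicious_accounts(events, max_external_ips=1):
    """Accounts seen authenticating from more than max_external_ips non-LAN IPs."""
    return sorted(
        acct for acct, ips in auth_sources(events).items()
        if len({ip for ip in ips if not is_lan(ip)}) > max_external_ips
    )


def external_relays_from_outside(events):
    """(ip, recipient) for accepted RCPTs to non-local domains from non-LAN IPs."""
    hits = []
    for e in events:
        if e["event"] != "RCPT" or e["result"] != "250":
            continue
        domain = e["arg"].rsplit("@", 1)[-1].lower()
        if domain not in LOCAL_DOMAINS and not is_lan(e["ip"]):
            hits.append((e["ip"], e["arg"]))
    return hits


def triage(text):
    events = list(parse_log(text))
    return {
        "top_ips": connections_by_ip(events).most_common(5),
        "suspicious_accounts": suspicious_accounts(events),
        "outside_relays": external_relays_from_outside(events),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed log the script flags `jsmith`, authenticated from two different external addresses, and lists the four external recipients accepted from those sessions; the LAN host's message to a partner domain is legitimate relaying and is not reported. Disabling or re-passwording the flagged account addresses the cause, where blocking source IPs one by one only addresses the symptom.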
 

Author Comment

by:Network_Padawan
ID: 34939537
Congratulations! Sorry, I didn't know.

Thanks anyway; it's working, that's the main thing.
0
