EnjoyNet asked:
How to determine the source of spam or virus email

Hi Experts,

We have an Exchange 2003 server and a Barracuda email filtering system internally.  One of our IP addresses has been listed in the CBL list.  We got a message from the CBL organization, attached below.  How can we find out the source of the spam email?

Your help is very appreciated.

EN

CBL Lookup Utility
________________________________________
IP Address 50.193.X.X is listed in the CBL. It appears to be infected with a spam sending trojan, proxy or some other form of botnet.
It was last detected at 2013-10-07 18:00 GMT (+/- 30 minutes), approximately 23 hours ago.
This IP address is infected with, or is NATting for a machine infected with the ZeroAccess botnet, also known as Sirefef. More information can be found from Wikipedia. It is most often used for bitcoin mining or click fraud, but as it contains a downloader portion, it can do anything.
REMEMBER: ZeroAccess is NOT primarily an Email spamming tool.
Norton Power Eraser is known to be able to remove ZeroAccess.
________________________________________
WARNING: If you continually delist 50.193.X.X without fixing the problem, the CBL will eventually stop allowing the delisting of 50.193.X.X.
If you have resolved the problem shown above and delisted the IP yourself, there is no need to contact us.
Click on this link to delist 50.193.X.X
SOLUTION (by R--R; members-only content, not available on this page)

ASKER CERTIFIED SOLUTION (members-only content, not available on this page)

EnjoyNet (asker):
Thank you for quick responses.

We did block 25 and 53.  However, it looks like the email with the virus or click fraud uses the email server as a relay.  We don't know which email contains the virus or click fraud.  Actually, our Barracuda scans each email sent out, but it didn't catch the bad one.  We cannot trace the email source by header since we don't know which email is bad.

Does anyone know how to use Wireshark to trace it?

Thank you again.
One of the primary advantages to using OpenDNS is the ability to identify malicious host resolution requests (i.e. malware requests name resolution of relay server, etc.); by forcing all internal hosts to use internal DNS servers, you can enable debug logging on those servers to identify which internal host(s) are infected.

In other words, an infected host (exposed.domain.local) is infected with the malware; the malware requests name resolution for a relay server (badhost.example.com), which is forwarded to your internal DNS server; your internal DNS server forwards this request to OpenDNS, which then flags and identifies your DNS server as attempting to resolve a malicious host (badhost.example.com). Once you receive this notice from them, you have the malicious host name, which you can scan against your DNS server logs to determine that the original request came from exposed.domain.local; this machine can then be isolated and disinfected, etc.
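As an added illustration of the log-tracing step described above (this is not code from the original thread), here is a small Python script that scans DNS server debug-log lines for lookups of a flagged hostname and reports which internal clients asked for it. The log layout, the sample lines, the timestamps, the hostnames and the IP addresses (208.67.222.222 standing in for the upstream forwarder, 192.168.10.x for internal clients) are all constructed assumptions modelled on the Windows DNS debug-log packet format; check a few real lines against the regex before relying on it.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of a Windows DNS server debug log
# (assumed layout: date time thread context packet-id proto Rcv|Snd remote-ip
# xid [R] Q [flags] qtype qname). Not real traffic: 208.67.222.222 plays the
# upstream forwarder, 192.168.10.x are internal clients.
SAMPLE_LOG = """\
10/7/2013 1:58:23 PM 0ABC PACKET  000000000012A3C0 UDP Rcv 192.168.10.55   4f21   Q [0001   D   NOERROR] A      (7)badhost(7)example(3)com(0)
10/7/2013 1:58:23 PM 0ABC PACKET  000000000012A3C0 UDP Snd 208.67.222.222  4f21   Q [0001   D   NOERROR] A      (7)badhost(7)example(3)com(0)
10/7/2013 1:58:23 PM 0ABC PACKET  000000000012B1F0 UDP Rcv 208.67.222.222  4f21 R Q [8081   DR  NOERROR] A      (7)badhost(7)example(3)com(0)
10/7/2013 1:58:23 PM 0ABC PACKET  000000000012B1F0 UDP Snd 192.168.10.55   4f21 R Q [8081   DR  NOERROR] A      (7)badhost(7)example(3)com(0)
10/7/2013 1:59:02 PM 0ABC PACKET  000000000012C4A8 UDP Rcv 192.168.10.21   7a90   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
10/7/2013 2:03:41 PM 0ABC PACKET  000000000012D9E4 UDP Rcv 192.168.10.55   5c02   Q [0001   D   NOERROR] A      (3)cdn(7)badhost(7)example(3)com(0)
"""

# One packet line: the optional "R" before "Q" marks a response rather than a query.
LINE_RE = re.compile(
    r"^(?P<when>\S+ \S+ (?:AM|PM))\s+\S+\s+PACKET\s+\S+\s+(?P<proto>UDP|TCP)\s+"
    r"(?P<dir>Rcv|Snd)\s+(?P<ip>\S+)\s+[0-9a-fA-F]{4}\s+(?P<resp>R)?\s*Q\s+"
    r"\[[^\]]*\]\s+(?P<qtype>\S+)\s+(?P<qname>\S+)"
)


def decode_name(raw):
    """Turn the label form '(7)badhost(7)example(3)com(0)' into 'badhost.example.com'."""
    return re.sub(r"\(\d+\)", ".", raw).strip(".").lower()


def parse_line(line):
    """Parse one debug-log packet line; return a dict, or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["qname"] = decode_name(rec["qname"])
    rec["is_response"] = rec.pop("resp") == "R"
    return rec


def find_clients(log_text, flagged_host):
    """Map client IP -> list of (timestamp, queried name) for every query the
    server RECEIVED for flagged_host or any name beneath it.

    Responses (the forwarder answering us) and the server's own outbound
    forwarded queries are skipped, so the upstream resolver never shows up as a
    suspect; only hosts that asked our server for the name remain."""
    flagged = flagged_host.lower().rstrip(".")
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dir"] != "Rcv" or rec["is_response"]:
            continue
        qname = rec["qname"]
        if qname == flagged or qname.endswith("." + flagged):
            hits[rec["ip"]].append((rec["when"], qname))
    return dict(hits)


if __name__ == "__main__":
    # Constructed indicator: the name the upstream resolver reported as malicious.
    for ip, queries in find_clients(SAMPLE_LOG, "badhost.example.com").items():
        print(f"{ip}: {len(queries)} lookup(s), first at {queries[0][0]}")
```

Feed the script the debug log produced with packet logging of incoming queries enabled on the DNS server, and pass the hostname the resolver flagged. Matching on the domain suffix as well as the exact name catches malware that rotates subdomains; the direction and response filters are what keep the forwarder's own address out of the suspect list.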
This is a very hot topic right now - that is three questions I have seen about this.
The BOT is sending out HTTP traffic - you need to watch the logs for hits to odd IP addresses.
It looks like CBL are blocking hosts that have the bot and it is being detected in other ways.

Simon.
Regarding Wireshark, you're going to need additional information for a packet capture to be effective, such as the internal infected host IP or the external malicious destination IP, or some type of signature to check for.  Being ZeroAccess, you really have more to worry about than sending spam.  Your infected machine(s) could be initiating reverse shells (for example) to an external attacker, thereby giving them access to your entire internal network.

This is why extrusion/egress detection/prevention is so important.
Have you used Norton Power Eraser to remove ZeroAccess?  I scanned a server and found three risks, but the Fix button is greyed out.

How can we deal with this hot issue? Do we need to hire a security consultant to do the job?

We have SEP, but we don't know if it can help protect our network.

Thanks
SOLUTION (members-only content, not available on this page)