EnjoyNet (United States of America) asked:

How to determine the source of spam or virus email

Hi Experts,

We have an Exchange 2003 server and Barracuda email filtering system internally.  One of our IP addresses has been listed in CBL list.  We got a message from CBL organization as attached below.  How can we find out the source of spam email?

Your help is very appreciated.

EN

CBL Lookup Utility
________________________________________
IP Address 50.193.X.X is listed in the CBL. It appears to be infected with a spam sending trojan, proxy or some other form of botnet.
It was last detected at 2013-10-07 18:00 GMT (+/- 30 minutes), approximately 23 hours ago.
This IP address is infected with, or is NATting for a machine infected with the ZeroAccess botnet, also known as Sirefef. More information can be found from Wikipedia. It is most often used for bitcoin mining or click fraud, but as it contains a downloader portion, it can do anything.
REMEMBER: ZeroAccess is NOT primarily an Email spamming tool.
Norton Power Eraser is known to be able to remove ZeroAccess.
________________________________________
WARNING: If you continually delist 50.193.X.X without fixing the problem, the CBL will eventually stop allowing the delisting of 50.193.X.X.
If you have resolved the problem shown above and delisted the IP yourself, there is no need to contact us.
Click on this link to delist 50.193.X.X
Tags: Anti-Virus Apps, Exchange, AntiSpam

SOLUTION
R--R

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
See how we're fighting big data
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
ASKER CERTIFIED SOLUTION
Giovanni

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
See how we're fighting big data
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
ASKER
EnjoyNet

Thank you for quick responses.

We did block 25 and 53. However, it looks like the email with the virus or click fraud uses the email server as a relay. We don't know which email contains the virus or click fraud. Actually, our Barracuda scans each email sent out, but it didn't catch the bad one. We cannot trace the email source by header since we don't know which email is bad.

Does anyone know how to use Wireshark to trace it?  

Thank you again.
Giovanni

One of the primary advantages to using OpenDNS is the ability to identify malicious host resolution requests (i.e. malware requests name resolution of relay server, etc.); by forcing all internal hosts to use internal DNS servers, you can enable debug logging on those servers to identify which internal host(s) are infected.

In other words, an infected host (exposed.domain.local) is infected with the malware, the malware requests name resolution for a relay server (badhost.example.com) which is forwarded to your internal DNS server, your internal DNS server forwards this request to OpenDNS which then flags and identifies your DNS server as attempting to resolve a malicious host (badhost.example.com); once you receive this notice from them, you now have the malicious host name which you can scan against your DNS server logs to determine that the original request came from exposed.domain.local; this machine can then be isolated and disinfected, etc.
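A worked version of the log-scanning step Giovanni describes, added here as an example and not code from the answer or from OpenDNS. It parses lines in the style of the Windows DNS Server debug log ("Log packets for debugging"), keeps only queries the server received from clients, and reports which internal IPs asked for the flagged name. The sample log, the host names exposed.domain.local / badhost.example.com from the answer, and the use of 208.67.222.222 as the OpenDNS forwarder are all constructed for the example. The contrast function shows why a plain text search for the name is misleading: it also returns the forwarder and the DNS server's own outbound packets, so you would chase the wrong machine.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of a Windows DNS Server debug log.
# Not taken from the question or from a real server. "Rcv"/"Snd" is the
# packet direction as seen by the DNS server, an "R" before "Q" marks a
# response, and names are written with each label prefixed by its length,
# e.g. (7)badhost(7)example(3)com(0). 208.67.222.222 plays the OpenDNS
# forwarder; 192.168.1.x are the internal clients.
SAMPLE_LOG = """\
10/7/2013 5:58:12 PM 0ED8 PACKET  00000000025C9A10 UDP Rcv 192.168.1.57    0002   Q [0001   D   NOERROR] A      (7)badhost(7)example(3)com(0)
10/7/2013 5:58:12 PM 0ED8 PACKET  00000000025C9A10 UDP Snd 208.67.222.222  0002   Q [0001   D   NOERROR] A      (7)badhost(7)example(3)com(0)
10/7/2013 5:58:12 PM 0ED8 PACKET  00000000025C9A10 UDP Rcv 208.67.222.222  0002 R Q [8081   DR  NOERROR] A      (7)badhost(7)example(3)com(0)
10/7/2013 5:58:12 PM 0ED8 PACKET  00000000025C9A10 UDP Snd 192.168.1.57    0002 R Q [8081   DR  NOERROR] A      (7)badhost(7)example(3)com(0)
10/7/2013 5:58:40 PM 0ED8 PACKET  00000000025C9B20 UDP Rcv 192.168.1.20    0003   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
10/7/2013 5:59:03 PM 0ED8 PACKET  00000000025C9C30 UDP Rcv 192.168.1.57    0004   Q [0001   D   NOERROR] A      (7)badhost(7)example(3)com(0)
10/7/2013 5:59:15 PM 0ED8 PACKET  00000000025C9D40 UDP Rcv 192.168.1.88    0005   Q [0001   D   NOERROR] A      (7)badhost(7)example(3)com(0)
"""

# One packet line of the debug log. Fields that do not matter for attribution
# (thread id, packet address, XID, flag block) are matched but not captured.
LINE_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+\s+[AP]M)\s+\S+\s+PACKET\s+\S+\s+"
    r"(?P<proto>UDP|TCP)\s+(?P<dir>Rcv|Snd)\s+(?P<ip>[\d.]+)\s+\S+\s+"
    r"(?P<resp>R)?\s*Q\s+\[[^\]]*\]\s+(?P<rtype>\S+)\s+(?P<name>\S+)\s*$"
)


def decode_name(encoded: str) -> str:
    """Turn '(7)badhost(7)example(3)com(0)' into 'badhost.example.com'."""
    labels = re.findall(r"\((\d+)\)([^()]*)", encoded)
    return ".".join(label for length, label in labels if int(length) > 0)


def find_querying_clients(log_text: str, suspect_name: str) -> dict:
    """Map client IP -> timestamps of inbound queries for suspect_name.

    Only packets the DNS server *received* (Rcv) that are queries (no "R")
    are counted. Packets it sent to the forwarder and the forwarder's replies
    are skipped, so the server's own recursion never shows up as a client.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # non-packet line (headers, blank lines)
        if m.group("dir") != "Rcv" or m.group("resp"):
            continue  # outbound packet or a response, not a client query
        if decode_name(m.group("name")).lower() != suspect_name.lower():
            continue
        hits[m.group("ip")].append(f"{m.group('date')} {m.group('time')}")
    return dict(hits)


def rank_suspects(hits: dict) -> list:
    """Order clients by number of queries, busiest first."""
    return sorted(((ip, len(ts)) for ip, ts in hits.items()),
                  key=lambda t: (-t[1], t[0]))


def naive_grep_ips(log_text: str, suspect_name: str) -> set:
    """What a plain text search returns: every IP on any line naming the host.

    Shown for contrast only; it includes the forwarder and the DNS server's
    own outbound packets, which is why direction must be checked.
    """
    needle = "".join(f"({len(l)}){l}" for l in suspect_name.split(".")) + "(0)"
    found = set()
    for line in log_text.splitlines():
        if needle in line:
            ip = re.search(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", line)
            if ip:
                found.add(ip.group())
    return found


if __name__ == "__main__":
    hits = find_querying_clients(SAMPLE_LOG, "badhost.example.com")
    for ip, count in rank_suspects(hits):
        print(f"{ip}: {count} query(ies), first seen {hits[ip][0]}")
    print("naive grep would have blamed:", sorted(naive_grep_ips(SAMPLE_LOG, "badhost.example.com")))
```

Run against the real debug log (dns.log on the server after packet logging is enabled), the top-ranked internal IPs are the machines to isolate and clean; the forwarder address will only appear in the naive search. The timestamps are kept so a hit can be correlated with DHCP leases if clients get dynamic addresses.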
Simon Butler (Sembee)

This is a very hot topic right now - that is three questions I have seen about this.
The BOT is sending out HTTP traffic - you need to watch the logs for hits to odd IP addresses.
It looks like CBL are blocking hosts that have the bot and it is being detected in other ways.

Simon.
Giovanni

Regarding Wireshark, you're going to need additional information for a packet capture to be effective, such as the internal infected host IP or external malicious destination IP, or some type of signature to check for. Being Zero Access, you really have more to worry about than sending spam. Your infected machine(s) could be initiating reverse shells (for example) to an external attacker, thereby giving them access to your entire internal network.

This is why extrusion/egress detection/prevention is so important.
ASKER
EnjoyNet

Have you used Norton Power Eraser to remove Zero Access? I scanned a server and found three risks, but the Fix button is greyed out.

How can we deal with this hot issue? Do we need to hire a security consultant to do the job?

We have SEP but we don't know if it can help to protect our network.  

Thanks