How to determine the source of spam or virus email

Hi Experts,

We have an Exchange 2003 server and a Barracuda email filtering system internally. One of our IP addresses has been listed in the CBL list. We got a message from the CBL organization, attached below. How can we find out the source of the spam email?

Your help is very much appreciated.

EN

CBL Lookup Utility
________________________________________
IP Address 50.193.X.X is listed in the CBL. It appears to be infected with a spam sending trojan, proxy or some other form of botnet.
It was last detected at 2013-10-07 18:00 GMT (+/- 30 minutes), approximately 23 hours ago.
This IP address is infected with, or is NATting for a machine infected with the ZeroAccess botnet, also known as Sirefef. More information can be found from Wikipedia. It is most often used for bitcoin mining or click fraud, but as it contains a downloader portion, it can do anything.
REMEMBER: ZeroAccess is NOT primarily an Email spamming tool.
Norton Power Eraser is known to be able to remove ZeroAccess.
________________________________________
WARNING: If you continually delist 50.193.X.X without fixing the problem, the CBL will eventually stop allowing the delisting of 50.193.X.X.
If you have resolved the problem shown above and delisted the IP yourself, there is no need to contact us.
Click on this link to delist 50.193.X.X
EnjoyNet Asked:

R--R Commented:
Enable the SMTP log and check the IP which is consistently hitting the server.
Block port 25 for the machines/servers except the Exchange server. Only the Exchange server should have access to port 25 on the firewall.
0
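As an added example of the SMTP log review suggested above (not part of the original answer), this Python script reads the W3C extended-format log the Exchange 2003 SMTP virtual server writes and ranks the clients that submit mail directly to Exchange, so a workstation relaying through it instead of through the filter stands out. The log lines, the field list and the addresses of the Exchange server and Barracuda appliance are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample in the W3C extended format the Exchange 2003 SMTP virtual
# server logs to (field list trimmed for the example). Assumed addresses:
# 192.168.1.10 is the Exchange server, 192.168.1.20 the Barracuda appliance.
SMTP_LOG = """\
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-query sc-status
2013-10-07 17:30:01 192.168.1.20 - 192.168.1.10 25 MAIL +FROM:<alice@example.local> 250
2013-10-07 17:30:01 192.168.1.20 - 192.168.1.10 25 RCPT +TO:<bob@example.local> 250
2013-10-07 17:30:05 192.168.1.57 - 192.168.1.10 25 HELO +WORKSTATION 250
2013-10-07 17:30:05 192.168.1.57 - 192.168.1.10 25 MAIL +FROM:<qzx@example.local> 250
2013-10-07 17:30:05 192.168.1.57 - 192.168.1.10 25 RCPT +TO:<a@example.net> 250
2013-10-07 17:30:05 192.168.1.57 - 192.168.1.10 25 RCPT +TO:<b@example.org> 250
2013-10-07 17:30:06 192.168.1.57 - 192.168.1.10 25 MAIL +FROM:<wpl@example.local> 250
2013-10-07 17:30:06 192.168.1.57 - 192.168.1.10 25 RCPT +TO:<c@example.com> 250
"""
TRUSTED = {"192.168.1.20"}  # hosts allowed to hand mail to Exchange directly

def parse_w3c(text):
    """Yield one dict per record; column names come from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def submitters(text, trusted=frozenset()):
    """Map client IP -> (MAIL commands seen, distinct RCPT addresses)."""
    mails, rcpts = Counter(), defaultdict(set)
    for rec in parse_w3c(text):
        ip = rec["c-ip"]
        if ip in trusted:
            continue
        if rec["cs-method"] == "MAIL":
            mails[ip] += 1
        elif rec["cs-method"] == "RCPT":
            rcpts[ip].add(rec["cs-uri-query"].lower())
    return {ip: (mails[ip], len(rcpts[ip])) for ip in set(mails) | set(rcpts)}

def suspects(text, trusted=frozenset(), min_messages=2):
    """Clients that bypass the filter and submit at least min_messages messages."""
    return sorted(ip for ip, (n, _) in submitters(text, trusted).items()
                  if n >= min_messages)

if __name__ == "__main__":
    print("suspects:", suspects(SMTP_LOG, TRUSTED))  # suspects: ['192.168.1.57']
```

On a live server, point the script at the daily log files under the SMTP virtual server's log directory; any internal address other than the mail filter appearing in the output is a host to isolate and scan.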
Giovanni Heward Commented:
To clarify the above recommendation, you should block all outbound 25/TCP traffic on your firewall, except for your Exchange server. In addition, I'd recommend blocking all outbound 53/UDP and 53/TCP traffic except for your DNS server, which is only permitted to connect to OpenDNS servers (as a forwarder).

To determine the source from a recipient perspective, you need to view the email source and trace the headers.  Using a tool such as http://www.ip2location.com/free/email-tracer will help considerably.

Additionally, you should verify your Exchange server is not configured to be an open relay. You may use the Microsoft Remote Connectivity Analyzer tool to confirm.
0

EnjoyNet (Author) Commented:
Thank you for quick responses.

We did block 25 and 53. However, it looks like the email with the virus or click fraud uses the email server as a relay. We don't know which email contains the virus or click fraud. Actually, our Barracuda scans each email sent out, but it didn't catch the bad one. We cannot trace the email source by header since we don't know which email is bad.

Does anyone know how to use Wireshark to trace it?  

Thank you again.
0

Giovanni Heward Commented:
One of the primary advantages to using OpenDNS is the ability to identify malicious host resolution requests (i.e. malware requests name resolution of relay server, etc.); by forcing all internal hosts to use internal DNS servers, you can enable debug logging on those servers to identify which internal host(s) are infected.

In other words, an infected host (exposed.domain.local) is infected with the malware, the malware requests name resolution for a relay server (badhost.example.com) which is forwarded to your internal DNS server, your internal DNS server forwards this request to OpenDNS which then flags and identifies your DNS server as attempting to resolve a malicious host (badhost.example.com); once you receive this notice from them, you now have the malicious host name which you can scan against your DNS server logs to determine that the original request came from exposed.domain.local; this machine can then be isolated and disinfected, etc.
0
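Added example (not the poster's code) of the last step described above: given the host name flagged by the upstream resolver, this Python script walks Windows DNS server debug-log lines and reports which internal client originally asked for it, separating queries received from clients from the responses received back from the forwarder. The log lines are constructed in the Windows DNS debug-log layout as assumed here; 208.67.222.222 is the OpenDNS forwarder and the 192.168.1.x client addresses are assumptions.

```python
import re

# Constructed sample lines in the Windows DNS server debug-log layout (date,
# thread id, PACKET, packet id, protocol, Snd/Rcv, remote IP, Xid, R flag for
# responses, Q, [flags], query type, name in label-length form). 192.168.1.x are
# assumed internal clients; 208.67.222.222 is the OpenDNS forwarder.
DNS_DEBUG_LOG = """\
10/7/2013 1:02:11 PM 0D5C PACKET  02B4A6F0 UDP Rcv 192.168.1.57    4a3c   Q [0001   D   NOERROR] A      (7)badhost(7)example(3)com(0)
10/7/2013 1:02:11 PM 0D5C PACKET  02B4A6F0 UDP Snd 208.67.222.222  4a3c   Q [0001   D   NOERROR] A      (7)badhost(7)example(3)com(0)
10/7/2013 1:02:11 PM 0D5C PACKET  02B4A7A0 UDP Rcv 208.67.222.222  4a3c R Q [8081   DR  NOERROR] A      (7)badhost(7)example(3)com(0)
10/7/2013 1:02:11 PM 0D5C PACKET  02B4A7A0 UDP Snd 192.168.1.57    4a3c R Q [8081   DR  NOERROR] A      (7)badhost(7)example(3)com(0)
10/7/2013 1:02:30 PM 0D5C PACKET  02B4A8B0 UDP Rcv 192.168.1.33    9f10   Q [0001   D   NOERROR] A      (3)www(7)example(5)local(0)
10/7/2013 1:03:02 PM 0D5C PACKET  02B4A9C0 UDP Rcv 192.168.1.57    4a3d   Q [0001   D   NOERROR] A      (7)BADHOST(7)example(3)com(0)
"""

RECORD = re.compile(
    r"^(?P<date>\S+ \S+ [AP]M)\s+\S+\s+PACKET\s+\S+\s+(?P<proto>UDP|TCP)\s+"
    r"(?P<dir>Snd|Rcv)\s+(?P<ip>\S+)\s+(?P<xid>\S+)\s+(?P<resp>R)?\s*Q\s+"
    r"\[(?P<flags>[^\]]*)\]\s+(?P<qtype>\S+)\s+(?P<name>\S+)$"
)

def decode_name(label_form):
    """Turn '(7)badhost(7)example(3)com(0)' into 'badhost.example.com'."""
    return re.sub(r"\(\d+\)", ".", label_form).strip(".").lower()

def parse(log):
    """Yield one dict per parsable debug-log line, with the name decoded."""
    for line in log.splitlines():
        m = RECORD.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["name"] = decode_name(rec["name"])
            rec["is_response"] = rec.pop("resp") == "R"
            yield rec

def clients_querying(log, flagged_name):
    """IPs whose received *queries* (Rcv, not a forwarder response) asked for flagged_name."""
    flagged = flagged_name.lower().rstrip(".")
    hits = {rec["ip"] for rec in parse(log)
            if rec["dir"] == "Rcv" and not rec["is_response"]
            and rec["name"] == flagged}
    return sorted(hits)

if __name__ == "__main__":
    print(clients_querying(DNS_DEBUG_LOG, "badhost.example.com"))  # ['192.168.1.57']
```

Debug logging must be enabled on the DNS server beforehand (it is off by default), so turning it on right after the CBL notice and waiting for the next beacon is part of the procedure.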
Simon Butler (Sembee), Consultant, Commented:
This is a very hot topic right now - that is three questions I have seen about this.
The BOT is sending out HTTP traffic - you need to watch the logs for hits to odd IP addresses.
It looks like CBL are blocking hosts that have the bot and it is being detected in other ways.

Simon.
0
Giovanni Heward Commented:
Regarding Wireshark, you're going to need additional information for a packet capture to be effective, such as the internal infected host IP or external malicious destination IP, or some type of signature to check for. Being ZeroAccess, you really have more to worry about than sending spam. Your infected machine(s) could be initiating reverse shells (for example) to an external attacker, thereby giving them access to your entire internal network.

This is why extrusion/egress detection/prevention is so important.
0
EnjoyNet (Author) Commented:
Have you used Norton Power Eraser to remove ZeroAccess? I scanned a server and found three risks, but the Fix button is greyed out.

How can we deal with this hot issue? Do we need to hire a security consultant to do the job?

We have SEP but we don't know if it can help to protect our network.  

Thanks
0
Simon Butler (Sembee), Consultant, Commented:
I don't allow anything from Symantec near my networks - so I haven't used Norton. The AV software on the client's system found it and removed it. I just had to follow the traffic trail to find the machine.

It looks like stopping it from accessing the internet allows the AV to remove it. The workstation in question was also rebooted and the user was just a user, not an admin so its hooks weren't that deep.

Simon.
0