Sonicwall : Find infected machine(s) causing us to be blacklisted

We have started to get a lot of undelivered emails. I notice that we are blacklisted on a couple of blacklist servers.

We have a Sonicwall TZ210 at the edge of our network.

I am trying to get to the bottom of the problem by tracing which machines are sending out spam on the network. The blacklist website provided the following details to assist me.

Can someone explain how I can use the sonicwall to find which machine(s) is infected.

Thanks

***********************************************************************
IP Address *.*.*.* is listed in the CBL. It appears to be infected with a spam sending trojan, proxy or some other form of botnet.

It was last detected at 2014-04-03 11:00 GMT (+/- 30 minutes), approximately 2 hours, 30 minutes ago.

This IP address is infected with, or is NATting for a machine infected with a Trojan called Win32/Zbot (Microsoft), also known as "ZeuS" or "WSNPoem".

In this particular case, this host is infected with ZeuSv3, one of the most recent versions of ZeuS that is using peer-to-peer (P2P) command and control mechanisms. This version of Zeus is also known as "P2P ZeuS" or "Gameover malware".

ZeuSv3 takes advantage of P2P techniques by communicating with other nodes (=infected computers) on high ports (UDP and TCP).

To find an infected computer on a NATted network you will have to search through your firewall logs for connections from/to UDP port 82.165.38.206. However, any process or host sending/receiving large numbers of UDP or TCP packets on high ports (10,000 and higher) should be looked at closely.
***********************************************************************
Asked by: roy_batty
2 Solutions
 
KorbusCommented:
You can examine a trace log to see what IP addresses are attempting to send traffic on port 25, which is what email uses for SMTP communication between servers.

I would also suggest you use the sonicwall to close down all port 25 traffic from any local source other than your email server's IP address.

Note: regardless of all that crazy peer-to-peer stuff the trojan is doing, to get blacklisted, something on your network is sending out spam on port 25.
0
 
roy_battyAuthor Commented:
OK.

First, how do I examine the trace log? I can't see it under logs.
0
 
carlmdCommented:
On the Sonicwall you can go to System -> Diagnostics and then under Diagnostic Tools select the Connections Monitor. Look for any IP that is sending a large amount of traffic.

You should also check the Sonicwall logs for a large amount of traffic on a high number UDP or TCP port as indicated in the advice you received.
0
 
PerarduaadastraCommented:
To prevent the spam flowing while you investigate, block port 25 traffic for every device on the LAN except for your mail server.

This will also make it easier to find which machine has been compromised, as the Sonicwall logs will show which LAN IP is generating the traffic.
0
 
roy_battyAuthor Commented:
I thought that a firewall would deny any kind of traffic unless I specifically allow it.

Is that correct ?

Or do I need to add a deny all item at the bottom?
0
 
PerarduaadastraCommented:
The default for most firewalls is to deny incoming traffic initiated from outside the LAN and to allow traffic out that's been initiated from inside the LAN.

What I suggested was to block outgoing SMTP traffic that comes from any device on the LAN except your mail server. I'm sorry I wasn't clearer.
0
 
carlmdCommented:
Chances are you set up an SMTP service on the Sonicwall using the wizard. If so, and depending upon how you answered the questions, any PC on your network may be able to send email directly, and hence spam. If you have a mail server (like Exchange) then the PCs on your network should be directing email to it. If so, then you can add two rules to the Sonicwall. One is a permit rule for the IP address of the mail server to the SMTP service. The other is a deny rule for all traffic from anywhere on the LAN to the SMTP service. Make sure the permit rule appears above the deny rule in the rules list.

By doing this you will be preventing any system other than your mail server from directly sending email. Typically a virus sending spam will address its outgoing mail to port 25 on the default gateway, which is typically the firewall or a switch leading to it. Adding these rules will stop spam from being sent directly to your firewall, and out.
0
 
roy_battyAuthor Commented:
@Perarduaadastra - no you were very clear, just me getting things wrong.

Anyway, I have configured the 2 rules as suggested and that should prevent us being re-blacklisted.

I now just need to find the problem machine. Will give that a try tomorrow.
0
 
roy_battyAuthor Commented:
We still seem to be having a problem this morning.

I have configured the Connections monitor as per the attached screenshot.

Interface X1 is our Wan connected interface. 192.168.2.2 is our exchange server.

I see there is a line that says traffic with a source port of 32851 is going out. What is this?

I presume this filter would show any traffic on port 25 going out from any PC/server.

So if something shows up here it could be the infected device.
sonic-screenshot.docx
0
 
carlmdCommented:
Please elaborate on what you mean by still having the problem?

It is normal to see traffic from 192.168.2.2 on port 25, as this is your mail server. You should not see traffic from anywhere else on port 25. Is there any such thing on the balance of the connections monitor? Any high number port is an ephemeral port. That is a port used by any service for a short period of time. If you are seeing a large amount of packet data from this connection, then it is suspect, otherwise you can ignore it.

Did you check the Sonicwall logs for any block messages?

Finally, if the fact that you may still appear on RBL lists is what you are using to determine that you are still having the problem, then you may not really still have one. Once you appear on a block list it may take days to be removed, and typically you must request removal and complete whatever procedure each RBL list site demands of you. There is no shortcut to this. If you previously requested to be removed, then continued to send spam, they may refuse to remove your domain.

Use this site to check your status.

http://mxtoolbox.com/blacklists.aspx
0
 
PerarduaadastraCommented:
The information you're looking for will be in the logs, rather than on the diagnostics page.

Carlmd's points are well made; in particular, you must block the flow of spam before requesting the removal of your IP from the RBL hosts' lists that you currently appear in, as you'll get short shrift from them if spam continues to be generated from your address after applying for its removal.
0
 
roy_battyAuthor Commented:
OK I think I have stopped the spam leaving the network onto the internet, I have scanned the mail server for malware and it came up clean.

I looked in the log and I can see outgoing smtp traffic being blocked from a PC on the LAN. Gonna get it removed tomorrow and see how things go.
0
 
roy_battyAuthor Commented:
Every time I request a delisting from the blacklists, sometime later we get added again. I presume that this suggests that we are still having an issue with something sending out emails on our network.

What am I missing here?
0
 
PerarduaadastraCommented:
Are your Exchange queues full of messages that can't be resent? You may be a victim of backscatter.

See this link for a full explanation of backscatter:

http://en.wikipedia.org/wiki/Backscatter_%28email%29

and an answered EE question on the problem here:

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_26888149.html

I mention this because if your mail server is sending out vast numbers of NDRs then that will guarantee your IP address's appearance on RBLs and won't show in the Sonicwall logs.
0
 
roy_battyAuthor Commented:
There is not a huge amount of messages in the queue. Some mail is getting sent but some is not and keeps retrying. Currently 10 messages retrying.

We do have Symantec mail security for exchange. We use the Premium Anti-spam function. I presume that this picks up mail before it reaches the exchange server.
0
 
carlmdCommented:
I would look at the reasons the messages are not being sent. If they have been in the queue for a while I would delete them.

When you say you are being listed again on the RBL, do you mean after you added the rules to the Sonicwall and removed the infected pc? If so, again look at a rejected message for more details, just to be sure it is the same problem and not something else.

Be careful to note the times of rejections versus when you made the corrections. Please note that each time you request removal from an RBL, then get listed again, it gets harder to get removed.
0
 
KorbusCommented:
Some of the blacklists provide additional information on WHY they added you to the list.  

Once we found out that an email list a client purchased included an address that was a "honeypot", which is basically a fake address set up purely to detect spammers. There was no actual issue with spam going out; it was just a single bad recipient address that did it.

That's just an example, but the point is there are several reasons you may have been blacklisted again. See if you can find out more from the blacklists themselves.
0
 
roy_battyAuthor Commented:
I am getting a little lost now.

I have blocked port 25 LAN to WAN except for the exchange server.

The reason I think that our problems are being caused by blacklisting is that we do not have a load of emails stuck in the Exchange queue, but there are messages to certain domains that are getting stuck.

I have checked on MXToolbox.com and I can see our domain being listed, then being removed as a result of my manual request. Later on it is blacklisted again.

A link on the mxtoolbox site took me to the blacklist sites (Spamhaus and CBL). They provided the details of exactly what is causing the blacklisting, which I mention in my original message. This suggests it is caused by malware sending out spam.

The fact that we continue to be re-listed to me suggests that problem traffic is going out on a port(s) other than 25.

Either that or it is the mailserver itself which is infected.

Am I making sense here?
0
 
PerarduaadastraCommented:
Have you made sure that your mail server isn't acting as a relay?

Going back to your original post, the information given there suggests that malware is using P2P methods for its activities and that significant traffic on high ports should be viewed with suspicion. If the information you're getting now is essentially the same as it was at the outset, then perhaps attention has been so focused on email that other threats have been overlooked.

Check the logs for references to traffic to or from the IP addresses given by the RBL host in their response to your query, and see which of the computers on your network is sending to or receiving from those addresses. This will reveal which of them has been compromised.
0
 
carlmdCommented:
Use the following to test your mail server for open relay and more...

http://mxtoolbox.com/diagnostic.aspx

Email can also be sent using port 587, so block this port as well on the Sonicwall if you think it is suspect.

Here is a complete list of ports for email....

Port       Properties
25       Standard. Support Insecure SMTP and SMTP over TLS
80       Open on most firewalls* because this port is used for talking to web servers to get web pages. Supports insecure SMTP and SMTP over TLS
465       Standard port for SMTP over SSL. (How is SSL different from TLS?)
587       Standard port open on most firewalls. Supports insecure SMTP and SMTP over TLS. Also performs sender IP address masking and outbound email processing (e.g. automatic email encryption and other services).
2025       Nonstandard port open on most firewalls. Supports insecure SMTP and SMTP over TLS
6025       Nonstandard port open on most firewalls. Supports insecure SMTP and SMTP over TLS. Also performs sender IP address masking and outbound email processing (e.g. automatic email encryption and other services).
6465       Nonstandard port open on most firewalls. Supports SMTP over SSL. Also performs sender IP address masking and outbound email processing.

Did you identify any virus or malware on any of the PCs that you have investigated? If so, looking up the specifics of that infection may provide help in identifying how it works.
0
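One way to do the log sifting that carlmd and Perarduaadastra describe (rogue hosts sending SMTP past the Exchange server, and hosts chattering over UDP on high ports), as an added example that is not code from the thread or from SonicWall: it parses SonicOS-style key=value connection lines (the src=ip:port:iface, dst=ip:port:iface and proto= fields). The mail server address 192.168.2.2 and WAN interface X1 come from the thread; the sample lines, the 10,000 high-port cutoff and the peer threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed SonicOS-style connection lines (not real log data). 192.168.2.2
# is the Exchange server and X1 the WAN interface, as in the thread.
SAMPLE_LOG = """\
msg="Connection Closed" src=192.168.2.2:49211:X0 dst=203.0.113.25:25:X1 proto=tcp/smtp sent=5120 rcvd=900
msg="Connection Closed" src=192.168.2.57:1047:X0 dst=198.51.100.9:25:X1 proto=tcp/smtp sent=2200 rcvd=310
msg="Connection Closed" src=192.168.2.57:1048:X0 dst=198.51.100.77:587:X1 proto=tcp sent=1900 rcvd=280
msg="Connection Closed" src=192.168.2.57:2049:X0 dst=203.0.113.40:29418:X1 proto=udp sent=640 rcvd=512
msg="Connection Closed" src=192.168.2.57:2049:X0 dst=198.51.100.131:15500:X1 proto=udp sent=700 rcvd=480
msg="Connection Closed" src=192.168.2.57:2049:X0 dst=192.0.2.88:22222:X1 proto=udp sent=610 rcvd=505
msg="Connection Closed" src=192.168.2.14:53412:X0 dst=203.0.113.10:443:X1 proto=tcp/https sent=900 rcvd=40000
msg="Connection Closed" src=192.168.2.14:52200:X0 dst=203.0.113.53:53:X1 proto=udp/dns sent=70 rcvd=120
"""

LINE_RE = re.compile(
    r'src=(?P<src>[\d.]+):(?P<sport>\d+):(?P<sif>\w+)\s+'
    r'dst=(?P<dst>[\d.]+):(?P<dport>\d+):(?P<dif>\w+)\s+'
    r'proto=(?P<proto>\w+)')   # "tcp/smtp" -> "tcp", "udp/dns" -> "udp"

def parse(line):
    """Return the connection fields of one line, or None if it has none."""
    m = LINE_RE.search(line)
    if not m:
        return None
    c = m.groupdict()
    c["sport"], c["dport"] = int(c["sport"]), int(c["dport"])
    return c

def rogue_smtp_senders(log, mail_server, wan_if="X1", smtp_ports=(25, 465, 587)):
    """LAN hosts other than the mail server opening outbound SMTP connections:
    exactly the hosts the LAN->WAN SMTP deny rule is meant to catch."""
    hits = set()
    for c in map(parse, log.splitlines()):
        if (c and c["dif"] == wan_if and c["proto"] == "tcp"
                and c["dport"] in smtp_ports and c["src"] != mail_server):
            hits.add(c["src"])
    return hits

def high_port_udp_peers(log, wan_if="X1", high_port=10000, min_peers=3):
    """Hosts talking UDP to min_peers or more distinct Internet addresses on
    ports >= high_port, the P2P pattern the CBL notice describes."""
    peers = defaultdict(set)
    for c in map(parse, log.splitlines()):
        if c and c["dif"] == wan_if and c["proto"] == "udp" and c["dport"] >= high_port:
            peers[c["src"]].add(c["dst"])
    return {src: len(p) for src, p in peers.items() if len(p) >= min_peers}
```

Feed it the exported SonicWall log instead of SAMPLE_LOG; a host that appears in both results is the first one to pull off the network and scan.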
 
KorbusCommented:
Hmm, I think I would do a "sanity check" at this point:  probably want to do this test after hours-  request removal from the RBL, then disconnect your internet.  If you continue to get listed, we fail the sanity check and need to look at something else.  You can try some variations of this as well, slowly reconnect different parts of the network to the internet, waiting each time to see if you get re-added to the list.
Be careful though:  you don't want to request removal and get re-listed too often (varies per RBL), or they will stop de-listing you.
 
Alternatives:  There are companies out there in the cloud that provide email gateway services.  This usually comes in two parts, one: for inbound- it scans all your email and only forwards non-spam to your email server.  The second part is for outbound email:  it will scan all your outbound messages for viruses, and message with high spam scores, and only then send it out to the recipient.   It is up to THEM to prevent the sending address from being blacklisted, and that's what they do all day, so they are really good at it.  With this setup you would configure your firewall to only allow outbound SMTP to be sent to the provider's IP address.
0
 
roy_battyAuthor Commented:
This was a tricky one to get to the bottom of. I think the issue was primarily related to backscatter as suggested. Once I had disabled the spam filter we stopped getting blacklisted.

I will now configure the spam filter in a way that prevents this occurring again.

There was one PC on the LAN that was sending out mail on port 25 but I don't think that was the main reason for continued re-blacklisting.

Thanks for the help guys.
0