BOT SCANNER FOR SBS 2011

I have a LAN consisting of an SBS 2011 Standard server and some Windows 7 Pro domain-joined workstations.
They are using Outlook 2007. The Outlook 2007 users all have a POP3 email account (through GoDaddy) in addition to the Exchange account. The users mainly use the POP3 account to send email; they hardly use the Exchange account.

Our IP address keeps getting blacklisted recently. One of the blacklists, CBL, keeps saying there is a spamming bot in the network. I've run AV and Malwarebytes scans on the workstations - nothing found. I've also run Norton Power Eraser on the workstations as recommended by the CBL blacklist site - nothing found.

Norton Power Eraser won't work on SBS 2011.

Is there another tool or recommendation to check the SBS 2011 server for bots?
vled asked:
John, Business Consultant (Owner), commented:
Use Wireshark or CommView to do packet scans for the outbound mail port. If the POP email account uses port 465 or 587 to send, also scan for (and potentially block) port 25, as the spam may be using port 25.
0
vled (Author) commented:
I'm not experienced at doing this and on a time crunch. I assume you want me to run this on each workstation. Starting with the POP3 accounts, if they use port 465 or 587, what am I actually looking for when I run the software that identifies that there might be a bot using those ports or other ports? Could you please give me more explanation. Thanks.
0
John, Business Consultant (Owner), commented:
If you have a good router you can block port 25 with it. You should be able to put a packet scanner on your server to scan for port usage.
0
John, Business Consultant (Owner), commented:
You may also be able to enable logging on the router and look for port 25 usage.
0
David Atkin, Technical Director, commented:
Use mxtoolbox to confirm that you're not an open relay if you have port 25 open to your server - it could be a configuration issue.

What router do you have? Some routers allow you to view current NAT sessions (look for use on port 25). If your router is unable to do this, then run 'netstat -a' on the PCs and look for use of port 25 in the foreign address (this will make sense when you run the command).

Don't keep removing yourself from the blacklist until you are happy that the issue has been resolved. It will make it more difficult for you to get removed in the future if you keep getting re-added.
0
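To make the netstat check above less dependent on eyeballing the output, here is an added example (not from any of the answers in this thread) that parses Windows `netstat -ano` output and flags connections to remote SMTP ports from any host other than the mail server. The sample output, addresses, PIDs and the assumed mail server address 192.168.1.2 are constructed.

```python
"""Flag outbound SMTP connections in Windows `netstat -ano` output."""
import re

# Port 25 is what the thread is hunting; 465/587 are submission ports
# worth a second look if the POP3 accounts use them.
SMTP_PORTS = {25, 465, 587}

# Only the mail server should talk to remote port 25 (assumed SBS address).
ALLOWED_SMTP_SENDERS = {"192.168.1.2"}

# One TCP row of `netstat -ano`: local addr:port, foreign addr:port,
# state, PID.  IPv6 rows such as [::1]:135 also match.
LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")


def parse_netstat(text):
    """Yield one dict per TCP row; headers, blanks and UDP rows are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            laddr, lport, faddr, fport, state, pid = m.groups()
            yield {"local": laddr, "lport": int(lport), "foreign": faddr,
                   "fport": int(fport), "state": state, "pid": int(pid)}


def suspicious_smtp(text, allowed=ALLOWED_SMTP_SENDERS):
    """Return connections to remote SMTP ports from non-mail-server hosts,
    keyed by PID so the process can be identified (tasklist /FI "PID eq N")."""
    hits = {}
    for c in parse_netstat(text):
        if c["fport"] in SMTP_PORTS and c["local"] not in allowed:
            hits.setdefault(c["pid"], []).append(c)
    return hits


# Constructed sample in `netstat -ano` layout; addresses and PIDs are made up.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.23:49211     203.0.113.10:25        ESTABLISHED     3412
  TCP    192.168.1.23:49212     203.0.113.11:25        SYN_SENT        3412
  TCP    192.168.1.23:49300     198.51.100.5:443       ESTABLISHED     1880
  TCP    192.168.1.2:55102      192.0.2.20:25          ESTABLISHED     2104
  UDP    0.0.0.0:500            *:*                                    912
"""

if __name__ == "__main__":
    for pid, conns in suspicious_smtp(SAMPLE).items():
        print(f"PID {pid}: {len(conns)} outbound SMTP connection(s) "
              f"from {conns[0]['local']}")
```

On a real workstation, pipe `netstat -ano` into the script instead of using SAMPLE and look up any reported PID with `tasklist`.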
vled (Author) commented:
Thanks. I have checked for open relays using mxtoolbox and dnsgoodies; there are none.
I will try the netstat command.

One of the blacklisting companies did state that it is not an issue with open relays or DNS pointers.
0
vled (Author) commented:
What I've done so far:

1. Ran scans with AVG AV, Malwarebytes, the Norton eraser tool and mrt in both normal and safe mode on all workstations - no threats found.

2. Ran additional scans of the SBS 2011 server using the installed AVG and msert.exe - no threats found.

3. Ran netstat -a, netstat -b and netstat -5 on the workstations and server. I have not observed any established connections using port 25 or any other established connections that seem rogue - at least that I can interpret. I saw several connections to IP addresses on other ports that I did not recognize at first, but they turned out to belong to AVG CloudCare services, HP, and Google.

4. I created an SPF record in our external DNS to see if that might help.

5. I've enabled NAT logging on the SOHO router (it is a Linksys N600, model E2500-NP) but have not observed any suspicious traffic yet; I have not seen anything going out on port 25.

6. I've reset all passwords in case OWA is being exploited.

7. Checked with the ISP to see if there is an IP conflict - there is none.

8. I went ahead and sent an email to CBL@CBL.abuseat.org to see what info or help they can provide. They are the ones claiming there is a spam bot in our network.
0
David Atkin, Technical Director, commented:
You've done everything that I would have done here. Have you been added to the blacklist since the last removal?

Can you confirm whether it's your domain that is going onto the blacklist or your external IP address?

My next step here would be to route my emails through a third-party email filter like Spambrella. You can then configure your server to send emails via the service (smarthost). If your IP is the only thing being blacklisted, then it should resolve the problem, providing that the 'spambot' isn't using your Exchange server to send emails.

If you haven't already, I would suggest looking at your message tracking logs in Exchange to confirm that nothing else is routing mail through it.
0
vled (Author) commented:
I have not done a manual removal of our IP address since the tests were run. Trying to find the cause first. Waiting to hear from CBL. Will re-examine the Exchange tracking logs.
0
David Atkin, Technical Director, commented:
I wouldn't count on CBL being very helpful. In my past experiences they're not.

Email filtering services are a valid option.
0
vled (Author) commented:
Heard back from the CBL folks. Mail flow is working now, but I still need to investigate this further or re-listing might happen again. This is what the CBL folks said:

The CBL attempts to detect compromised machines in a number of ways
based upon the email that the CBL's mail servers receive.

During this it tries to distinguish whether the connections represent
real mail servers by ensuring that each connection is claiming a
plausible machine name for itself, and not listing any IP that
corresponds to a real mail server (or several mail servers if the IP
address is a NAT firewall with multiple mail servers behind it).

(the blacklisted ip address) was found to be using several different HELO/EHLO names during
multiple connections on or about:

2015:04:03 ~15:00 UTC+/- 15 minutes (approximately 5 days, 8 hours, 15 minutes ago)

The names seen included:

gdkfbkadbkabbaae, gdkfbkadbkabbbjj, gdkfbkadbkabbdbg, gdkfbkadbkabbeaj, gdkfbkadbkabbfcj, gdkfbkadbkabbfjd, gdkfbkadbkabbjgd

At least one of which is invalid according to the RFC2821 SMTP mail
protocol standards. RFC2821 requires that the machines claim names
that are fully qualified domain names.

To resolve this you need to identify whether these are real names
of your machines. If not:

- you have an open proxy used for spamming on that IP, or
- you have a NAT firewall, and one or more machines behind it
have an open proxy used for spamming.

If they are real names, you need to consider whether one or more
of these machines are supposed to be sending email to the Internet (this
implies that (the blacklisted ip address) is a NAT firewall).

If not, one or more machines on your internal network has an open
proxy used for spamming.

And finally, if these are real names corresponding to real mail
servers behind a NAT firewall, we strongly suggest that you configure
your machines to have consistent fully qualified domain names, like:

mail01.<your domain>, mail02.<your domain> etc.

This is usually done by setting the machine's node name to be one
of the above, but sometimes it's a configuration parameter for the
mail server.

Furthermore, if (the blacklisted ip address) is a NAT firewall, we STRONGLY recommend that you
configure it to prevent machines (except your real mail servers) on your
local network connecting to the Internet on port 25 (SMTP/email). In
this way you can contain any insecure machines (either by open
proxy/spam trojan or emailing worm like Netsky) from attacking others on
the Internet.

I've removed the entry from the list.

It may take a few hours to propagate to the public nameservers.

WARNING: the CBL WILL relist this IP if the underlying issues are not
resolved, and the CBL detects the same thing again.
0
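The detection logic the CBL describes in that reply (a single IP presenting several different HELO/EHLO names, some of them not fully qualified) can be reproduced on your own SMTP gateway or firewall logs. This is an added example, not CBL's code: the log records, the client IPs and the mail01.example.com name are constructed, while the gdkf... HELO names are the ones quoted above.

```python
"""Replicate the CBL's HELO/EHLO plausibility check over SMTP log records."""
import re
from collections import defaultdict

# One DNS label: alphanumerics and hyphens, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
# Address literal form allowed by RFC 2821, e.g. [192.0.2.1].
ADDR_LITERAL_RE = re.compile(r"^\[(?:\d{1,3}\.){3}\d{1,3}\]$")


def is_valid_helo(name):
    """RFC 2821 allows a fully qualified domain name or an address literal;
    a bare label with no dots (like the gdkf... names) is not an FQDN."""
    if ADDR_LITERAL_RE.match(name):
        return True
    labels = name.split(".")
    if len(labels) < 2:
        return False
    return all(LABEL_RE.match(lbl) for lbl in labels) and labels[-1].isalpha()


def helo_report(records):
    """Group HELO names by client IP and flag IPs that used several distinct
    names or any invalid name, which is what got this LAN listed."""
    seen = defaultdict(set)
    for ip, helo in records:
        seen[ip].add(helo)
    report = {}
    for ip, names in seen.items():
        invalid = sorted(n for n in names if not is_valid_helo(n))
        report[ip] = {"distinct": len(names), "invalid": invalid,
                      "suspicious": len(names) > 1 or bool(invalid)}
    return report


# Constructed log: (client IP, HELO name).  192.0.2.99 stands in for the
# blacklisted NAT address; 198.51.100.7 is an assumed well-behaved server.
RECORDS = [
    ("192.0.2.99", "gdkfbkadbkabbaae"),
    ("192.0.2.99", "gdkfbkadbkabbbjj"),
    ("192.0.2.99", "gdkfbkadbkabbdbg"),
    ("198.51.100.7", "mail01.example.com"),
]

if __name__ == "__main__":
    for ip, r in helo_report(RECORDS).items():
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{ip}: {r['distinct']} HELO name(s), "
              f"{len(r['invalid'])} invalid -> {flag}")
```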
David Atkin, Technical Director, commented:
(approximately 5 days, 8 hours, 15 minutes ago)

This is a good sign. Your IP hasn't been reported in nearly a week.

Do you have any laptops that have left site and not returned since then?
0
vled (Author) commented:
Checking. If they had one, it would have been using the wireless connection; I did change the security passphrase for the wireless. I will be going on-site on Monday after hours to do more investigating.
0
David Atkin, Technical Director, commented:
OK, keep us updated and good luck.
0
vled (Author) commented:
Email flow is working OK so far. I was not able to make it on-site yet. The customer wants me to do that Thursday night this week instead. Sorry about the delay, but I will keep you posted.
0
David Atkin, Technical Director, commented:
No worries. If you've not been re-added by now, that's a really good sign. Just remember to check the laptops leaving the network. The last thing you want is for them to bring an infected laptop back.
0
vled (Author) commented:
No additional issues found on the LAN. Not on any blacklists anymore. I'm considering this closed.
Thanks all for the help.
0
John, Business Consultant (Owner), commented:
@vled - Thanks, and I was happy to help.
0