vled asked:

BOT SCANNER FOR SBS 2011

Have a LAN consisting of an SBS 2011 standard server and some windows 7 pro domain joined work stations.
They are using Outlook 2007. The Outlook 2007 users all have a pop3 email account (through GoDaddy) in addition to the exchange account. The users mainly use the pop3 account to send email; they hardly use the exchange account.

Our IP address keeps getting blacklisted recently. One of the blacklists - CBL - keeps saying there is a spamming bot in the network. I've run AV and Malwarebytes scans on the work stations - nothing found. I've also run Norton Power Eraser on the work stations as recommended by the CBL blacklist site - nothing found.

Norton Power Eraser won't work on SBS 2011.

Is there another tool or recommendation to check the SBS 2011 server for bots?
SOLUTION
John

This solution is only available to members.
vled

ASKER

I'm not experienced at doing this and on a time crunch. I assume you want me to run this on each work station. Starting with the pop3 accounts, if they use port 465 or 587, what am I actually looking for when I run the software that identifies that there might be a bot using those ports or other ports? Could you please give me more explanation. Thanks.
If you have a good router you can block port 25 with it. You should be able to put a packet scanner on your server to scan for port usage.
You may also be able to enable logging on the router and look for port 25 usage.
ASKER CERTIFIED SOLUTION
David Atkin

This solution is only available to members.
vled

ASKER

Thanks.  I have checked for open relays using mxtoolbox and dnsgoodies, there are none.
I will try the netstat command.

One of the blacklisting companies did state that it is not an issue with open relays or DNS pointers.
vled

ASKER

What I've done so far:

1. Ran scans with AVG AV, Malwarebytes, Norton Eraser tool, and MRT in both normal and safe mode on all work stations - no threats found.

2. Ran additional scans of the SBS 2011 server using the installed AVG and msert.exe - no threats found.

3. Ran netstat -a, netstat -b, netstat -5 on the work stations and server. I have not observed any established connections using port 25 or any other established connections that seem rogue - at least that I can interpret. I saw several connections to IP addresses on other ports that I did not recognize at first but turned out to belong to AVG CloudCare services, HP, and Google.

4. I created an SPF record with our external DNS to see if that might help.

5. I've enabled NAT logging on the SOHO router (it is a Linksys N600 - Model E2500-NP) but have not observed any suspicious traffic yet, have not seen anything yet going out on port 25.

6. I've reset all passwords in case OWA is being exploited.

7. Checked with the ISP to see if there is an IP conflict - there is none.

8. I went ahead and sent an email to CBL@CBL.abuseat.org to see what info or help they can provide. They are the ones claiming there is a spam bot in our network.
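The netstat step above (and John's earlier suggestion to watch for port 25 usage) is easier to interpret when the output is filtered by port and grouped by owning process, so the PID can be mapped to a program with `tasklist`. The script below is an added example written for this thread, not code posted by anyone in it. It parses the Windows `netstat -ano` column layout; the netstat text embedded in it is constructed, with made-up addresses and PIDs, so it runs offline. A mail client normally submits to one provider host on 465 or 587, whereas a process opening port 25 to several different remote hosts is acting like a mail transfer agent, which on a workstation is the pattern that gets an IP listed.

```python
"""Find processes holding outbound SMTP connections in `netstat -ano` output.

Added example for this thread, not code posted by anyone in it. It parses the
Windows `netstat -ano` column layout (Proto, Local Address, Foreign Address,
State, PID). The netstat text below is constructed: the addresses and PIDs
are made up for illustration.
"""
import re
import sys
from collections import defaultdict

# Constructed sample of `netstat -ano` output. PID 3120 is written to look like a
# spambot fanning out to several remote MX hosts on port 25; PID 1544 looks like a
# mail client using the submission ports 465/587 on a single provider host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.20:49702     192.168.1.5:135        ESTABLISHED     804
  TCP    192.168.1.20:49810     203.0.113.10:443       ESTABLISHED     3120
  TCP    192.168.1.20:49811     198.51.100.7:25        SYN_SENT        3120
  TCP    192.168.1.20:49812     198.51.100.8:25        ESTABLISHED     3120
  TCP    192.168.1.20:49813     198.51.100.9:587       ESTABLISHED     1544
  TCP    192.168.1.20:49814     198.51.100.9:465       ESTABLISHED     1544
  TCP    192.168.1.20:49815     203.0.113.45:25        ESTABLISHED     2870
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       804
  UDP    0.0.0.0:5355           *:*                                    1104
"""

# Mail ports worth reporting: 25 (MTA-to-MTA), 465 and 587 (client submission).
SMTP_PORTS = {25, 465, 587}

# One netstat row; the State column is absent for UDP rows, hence optional.
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Yield (proto, remote_host, remote_port, state, pid) for each connection row."""
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # banner and header lines
        proto, _local, foreign, state, pid = m.groups()
        host, _, port = foreign.rpartition(":")  # rpartition keeps IPv6 brackets intact
        yield proto, host, (int(port) if port.isdigit() else None), state or "", int(pid)


def find_smtp_talkers(text, ports=SMTP_PORTS):
    """Map PID -> sorted 'host:port' destinations for outbound TCP to mail ports."""
    by_pid = defaultdict(set)
    for proto, host, port, state, pid in parse_netstat(text):
        if proto == "TCP" and port in ports and state != "LISTENING":
            by_pid[pid].add(f"{host}:{port}")
    return {pid: sorted(dests) for pid, dests in by_pid.items()}


def flag_fanout(by_pid, min_hosts=2):
    """PIDs whose port-25 destinations span at least `min_hosts` distinct remote hosts.

    A desktop mail client submits to one provider host (usually on 465/587); a process
    opening port 25 to many different hosts is behaving like a mail transfer agent.
    """
    flagged = {}
    for pid, dests in by_pid.items():
        hosts = {d.rsplit(":", 1)[0] for d in dests if d.endswith(":25")}
        if len(hosts) >= min_hosts:
            flagged[pid] = sorted(hosts)
    return flagged


if __name__ == "__main__":
    # Usage: netstat -ano > netstat.txt  then  python smtp_talkers.py netstat.txt
    # With no file argument the constructed sample above is analysed.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_NETSTAT
    talkers = find_smtp_talkers(text)
    for pid, dests in sorted(talkers.items()):
        print(f"PID {pid}: {', '.join(dests)}")
    for pid, hosts in flag_fanout(talkers).items():
        print(f"SUSPECT PID {pid}: port 25 to {len(hosts)} hosts -> check with: tasklist /FI \"PID eq {pid}\"")
```

Run `netstat -ano > netstat.txt` on each machine during business hours (a bot only shows up while it is sending) and feed the file to the script; any flagged PID is then resolved to an executable with `tasklist /FI "PID eq <pid>"`. Connections to 465/587 are listed but not flagged, since those are what the Outlook pop3 accounts are expected to use.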
You've done everything that I would have done here. Have you been added to the black list since the last removal?

Can you confirm if it's your domain that is going onto the blacklist or your external IP Address?

My next step here would be to route my emails through a third party Email Filter like Spambrella. You can then configure your server to send emails via the service (smarthost). If your IP is the only thing being black listed then it should resolve the problem providing that the 'spambot' isn't using your exchange server to send emails.

If you haven't already I would suggest looking at your Message Tracking Logs in Exchange to confirm that nothing else is routing mail through it.
vled

ASKER

I have not done a manual removal of our ip address since the tests were run.  Trying to find the cause first.  Waiting to hear from CBL.  Will re-examine Exchange tracking logs.
I wouldn't count on CBL being very helpful.  In my past experiences they're not.

Email Filtering Services is a valid option.
vled

ASKER

Heard back from the CBL folks. Mail flow is working now but I still need to investigate this further or re-listing might happen again. This is what the CBL folks said:

The CBL attempts to detect compromised machines in a number of ways based upon the email that the CBL's mail servers receive.

During this it tries to distinguish whether the connections represent real mail servers by ensuring that each connection is claiming a plausible machine name for itself, and not listing any IP that corresponds to a real mail server (or several mail servers if the IP address is a NAT firewall with multiple mail servers behind it).

(the blacklisted ip address) was found to be using several different HELO/EHLO names during multiple connections on or about:

2015:04:03 ~15:00 UTC +/- 15 minutes (approximately 5 days, 8 hours, 15 minutes ago)

The names seen included:

gdkfbkadbkabbaae, gdkfbkadbkabbbjj, gdkfbkadbkabbdbg, gdkfbkadbkabbeaj, gdkfbkadbkabbfcj, gdkfbkadbkabbfjd, gdkfbkadbkabbjgd

At least one of which is invalid according to the RFC2821 SMTP mail protocol standards. RFC2821 requires that the machines claim names that are fully qualified domain names.

To resolve this you need to identify whether these are real names of your machines. If not:

- you have an open proxy used for spamming on that IP, or
- you have a NAT firewall, and one or more machines behind it have an open proxy used for spamming.

If they are real names, you need to consider whether one or more of these machines are supposed to be sending email to the Internet (this implies that (the blacklisted ip address) is a NAT firewall.)

If not, one or more machines on your internal network has an open proxy used for spamming.

And finally, if these are real names corresponding to real mail servers behind a NAT firewall, we strongly suggest that you configure your machines to have consistent fully qualified domain names, like:

mail01.<your domain>, mail02.<your domain> etc.

This is usually done by setting the machine's node name to be one of the above, but sometimes it's a configuration parameter for the mail server.

Furthermore, if (the blacklisted ip address) is a NAT firewall, we STRONGLY recommend that you configure it to prevent machines (except your real mail servers) on your local network connecting to the Internet on port 25 (SMTP/email). In this way you can contain any insecure machines (either by open proxy/spam trojan or emailing worm like Netsky) from attacking others on the Internet.

I've removed the entry from the list.

It may take a few hours to propagate to the public nameservers.

WARNING: the CBL WILL relist this IP if the underlying issues are not resolved, and the CBL detects the same thing again.
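CBL's notice describes two signals: a HELO/EHLO argument that is not a fully qualified domain name (or an address literal), and one source IP presenting many different names across connections. The script below is an added example written for this thread, not code from CBL or from anyone posting here; it applies those two checks to a constructed, simplified connection log (`connect from <ip> helo=<name>`, a format invented for this example). The first names in the sample are the ones CBL quoted; the other hosts and addresses are made up. Running the same logic over the receiving side's own SMTP logs, or over a packet capture of port 25 at the NAT router, is a way to tell which internal machine produced the random names without depending on CBL to report them.

```python
"""Check SMTP HELO/EHLO names the way CBL's notice describes: one source IP should
present a single, plausible fully qualified name (or an address literal) on every
connection.

Added example for this thread, not code from CBL or anyone in the thread. The log
format below (`connect from <ip> helo=<name>`) is a constructed, simplified one; the
gdkfbk... names are the ones CBL quoted, the other hosts and addresses are made up.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample log. 203.0.113.5 behaves like the NAT address CBL described.
SAMPLE_LOG = """\
2015-04-03T14:51:02Z connect from 203.0.113.5 helo=gdkfbkadbkabbaae
2015-04-03T14:53:40Z connect from 203.0.113.5 helo=gdkfbkadbkabbbjj
2015-04-03T14:58:17Z connect from 203.0.113.5 helo=gdkfbkadbkabbdbg
2015-04-03T15:01:12Z connect from 203.0.113.5 helo=gdkfbkadbkabbeaj
2015-04-03T15:04:09Z connect from 198.51.100.20 helo=mail01.example.com
2015-04-03T15:06:33Z connect from 198.51.100.20 helo=mail01.example.com
2015-04-03T15:09:50Z connect from 192.0.2.77 helo=[192.0.2.77]
"""

LOG_RE = re.compile(r"connect from (\S+) helo=(\S+)")

# One DNS label: 1-63 chars of letters, digits or hyphen, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_fqdn(name):
    """True if `name` looks like a fully qualified domain name (RFC 2821 4.1.1.1 expects
    the HELO argument to be the client's FQDN). A bare host name such as
    'gdkfbkadbkabbaae' has no dot and fails; an all-numeric last label also fails."""
    if len(name) > 255 or "." not in name.strip("."):
        return False
    labels = name.rstrip(".").split(".")
    return all(LABEL_RE.match(label) for label in labels) and not labels[-1].isdigit()


def is_address_literal(name):
    """True for the RFC 2821 address-literal form, e.g. '[192.0.2.77]' or '[IPv6:2001:db8::1]'."""
    if not (name.startswith("[") and name.endswith("]")):
        return False
    inner = name[1:-1]
    if inner.upper().startswith("IPV6:"):
        inner = inner[5:]
    try:
        ipaddress.ip_address(inner)
        return True
    except ValueError:
        return False


def helo_names_by_ip(log_text):
    """Collect the distinct HELO names each source IP presented, in first-seen order."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            ip, helo = m.groups()
            if helo not in seen[ip]:
                seen[ip].append(helo)
    return dict(seen)


def assess(log_text, max_names=1):
    """Return {ip: {...}} for source IPs that either used a non-FQDN HELO or presented
    more than `max_names` distinct names, the two signals CBL's notice describes.
    `max_names` can be raised for a NAT address with several real mail servers behind it."""
    findings = {}
    for ip, names in helo_names_by_ip(log_text).items():
        invalid = [n for n in names if not (is_fqdn(n) or is_address_literal(n))]
        reasons = []
        if invalid:
            reasons.append("non-FQDN HELO")
        if len(names) > max_names:
            reasons.append("multiple HELO names")
        if reasons:
            findings[ip] = {"names": names, "invalid": invalid, "reasons": reasons}
    return findings


if __name__ == "__main__":
    for ip, finding in assess(SAMPLE_LOG).items():
        print(f"{ip}: {', '.join(finding['reasons'])}; names={finding['names']}")
```

On the sample the NAT address is reported for both reasons, the legitimate server that always says `mail01.example.com` is not, and the address literal is accepted as RFC 2821 allows. Inside the LAN the same check, run over traffic captured at the router rather than at the receiving server, points at the private IP that originated the nonsense names.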

This is a good sign.  Your IP hasn't been reported in nearly a week.

Do you have any laptops that have left site and not returned since then?
vled

ASKER

Checking.  If they had one, it would have been using the wireless connection, I did change the security pass phrase for the wireless.  I will be going on-site on Monday after hours to do more investigating.
Ok, keep us updated and good luck.
vled

ASKER

Email flow is working ok so far.  I was not able to make it on-site yet.  Customer wants me to do that Thursday night this week instead.  Sorry about the delay but I will keep you posted.
No worries. If you've not been re-added by now that's a really good sign. Just remember to check the laptops leaving the network. The last thing you want is for them to bring an infected laptop back.
vled

ASKER

No additional issues found on the LAN. Not on any blacklists anymore. I'm considering this closed.
Thanks all for the help.
@vled - Thanks, and I was happy to help.