Solved

Spam mails from a compromised internal computer

Posted on 2016-11-07
Last Modified: 2016-11-15
Dear All,

I would like to know your ideas on how to find out if we have a compromised internal computer that is responsible for infecting other computers and sending spam.

Are there any methods for monitoring this?

Thanks,
T
Question by: TiazfaD
Accepted Solution by: Shaik M. Sajid
ID: 41876910
You have to monitor the network with network analyzers, watching outgoing traffic and SMTP port traffic on the network.

For example: http://freenetworkanalyzer.com/
http://www.colasoft.com/capsa/

These tools will give you a complete picture of the network traffic flow.

So follow the installation instructions and monitor the traffic on the machines; check the traffic type, or monitor a specific protocol, i.e. SMTP. That's it.

You just have to catch the suspect.
Author Comment by: TiazfaD
ID: 41876923
Dear Shaikh,

Thanks so much for your input. I will try the same. I was wondering whether any antivirus running on these PCs would be able to detect or report any such suspicious behaviour?

Regards,
T
Assisted Solution by: Shaik M. Sajid
ID: 41876929
The antivirus should be centralized, with a reporting and monitoring option, to monitor this, but then all the clients should be up to date with antivirus updates and not in a compromised state.

Antivirus cannot monitor network traffic; it can only give you a report of the virus activity. Let's say you have selected a suspicious e-mail as not spam, then...

So the best is to monitor using network monitoring tools. The tools above are graphical and easy to use for monitoring.

All the best.
Assisted Solution by: btan
ID: 41876935
Commonly it is via the email gateway that you trace down the source machine that is sending out spam.

E.g. create an ACL on the inside interface of your firewall to only accept port 25 traffic from the IP of your mail server, then monitor hits to the ACL to determine the IP address from which the spam is originating. Also run "netstat" to show you all the open connections on the Exchange server. It will list the IP address and the computer name of each connection.

Another is a "warning" from the ISP.

E.g. you receive an alert from the ISP that a certain PC on your network behind your firewall is sending out lots of spam, and your domain name is in jeopardy of being blacklisted.

As a whole, the norm or more direct practice is:
- block anything sending out emails on port 25 apart from the internal email server.
- block SMTP to everything but the valid external email server.
- check your firewall logs and look for anything sending out on SMTP to places it's not supposed to.

See one example:
"If your users are using the ISP's SMTP server, you should easily be able to block port 25 traffic by configuring the users to use SMTP submission on port 587. This is an authenticated session and is FAR better to use anyway than generic SMTP."

"I've gone ahead and blocked port 25 on the Linksys router for outgoing traffic, and then set up Outlook to send through port 587. Thanks to Barrulus for that suggestion. I've also used NETSTAT on each machine to locate the offender. For future use I've gone ahead and downloaded pfSense to monitor outgoing traffic."
https://www.experts-exchange.com/questions/26275359/How-do-I-identify-which-computer-on-my-network-is-sending-spam.html
Author Closing Comment by: TiazfaD
ID: 41889106
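Added example (my own code, not from btan, Shaik or the thread linked above): the "ACL on the inside interface that only allows port 25 from the mail server, then watch the hits" procedure, together with Shaik's suggestion to monitor SMTP traffic, rendered for a Linux/iptables firewall. The rules block and log every outbound tcp/25 connection attempt from anything but the mail server, and the ranking function reads the resulting syslog lines and lists the internal hosts by number of attempts and distinct destinations, which is the profile of a spam bot. Everything specific here is assumed rather than taken from the thread: the mail server address 192.168.1.10, LAN interface eth1, WAN interface eth0, the "SMTP-BLOCK" log prefix, and the sample log lines, which are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Renders "only allow tcp/25 from the
# mail server, log the rest, then count hits per source" as iptables rules and
# a log-ranking function. Assumed (not from the thread): mail server is
# 192.168.1.10, LAN side is eth1, WAN side is eth0. Sample log is constructed.

MAIL_SERVER="192.168.1.10"      # assumed: the only host allowed to send on tcp/25
LOG_PREFIX="SMTP-BLOCK "        # kernel log tag for the hits we want to count

# Emit the iptables rules. They are printed rather than applied so the script
# can be read and tested anywhere; on the firewall, pipe them into sh as root.
# --syn logs one line per connection attempt instead of one per packet.
smtp_egress_rules() {
    cat <<EOF
iptables -A FORWARD -i eth1 -p tcp --dport 25 -s $MAIL_SERVER -j ACCEPT
iptables -A FORWARD -i eth1 -p tcp --dport 25 --syn -j LOG --log-prefix "$LOG_PREFIX"
iptables -A FORWARD -i eth1 -p tcp --dport 25 -j REJECT --reject-with tcp-reset
EOF
}

# Constructed sample of what syslog records once the LOG rule is in place.
# Field layout follows the netfilter LOG format; addresses are documentation
# ranges. The sshd line is noise that the filter must ignore.
sample_log() {
    cat <<'EOF'
Nov  7 10:21:03 fw kernel: SMTP-BLOCK IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=203.0.113.25 LEN=60 PROTO=TCP SPT=49152 DPT=25 SYN
Nov  7 10:21:04 fw kernel: SMTP-BLOCK IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=198.51.100.8 LEN=60 PROTO=TCP SPT=49153 DPT=25 SYN
Nov  7 10:21:04 fw kernel: SMTP-BLOCK IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=203.0.113.25 LEN=60 PROTO=TCP SPT=49154 DPT=25 SYN
Nov  7 10:21:09 fw kernel: SMTP-BLOCK IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=192.0.2.77 LEN=60 PROTO=TCP SPT=51000 DPT=25 SYN
Nov  7 10:21:10 fw sshd[1234]: Accepted publickey for admin from 192.168.1.5 port 50210
Nov  7 10:21:11 fw kernel: SMTP-BLOCK IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=192.0.2.77 LEN=60 PROTO=TCP SPT=49155 DPT=25 SYN
EOF
}

# Read syslog on stdin; print "<attempts> <internal host> <distinct destinations>",
# busiest host first. A workstation opening tcp/25 to many different
# destinations is the bot. The mail server never shows up here because it is
# ACCEPTed before the LOG rule.
rank_smtp_sources() {
    grep -F "$LOG_PREFIX" | awk '
        {
            src = ""; dst = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                else if ($i ~ /^DST=/) dst = substr($i, 5)
            }
            if (src == "") next
            hits[src]++
            if (!((src, dst) in seen)) { seen[src, dst] = 1; dsts[src]++ }
        }
        END { for (s in hits) printf "%d %s %d\n", hits[s], s, dsts[s] }
    ' | sort -k1,1nr
}

# Stand-alone run: show the rules, then the ranking for the constructed log.
smtp_egress_rules
echo
sample_log | rank_smtp_sources
```

On a real firewall, feed `/var/log/kern.log` (or `journalctl -k`) into `rank_smtp_sources` instead of the sample. Two caveats worth keeping in mind: this only catches hosts that speak SMTP to the internet directly, so a bot that relays through the internal mail server, or that uses port 587/465 to an outside provider with stolen credentials, shows up in the mail server's or provider's logs rather than in these firewall hits; and the LOG rule sits in the filter table's FORWARD chain, before any SNAT in POSTROUTING, which is why SRC is still the internal address.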
Dear Shaik and btan,

Thanks again!! Lots of help.

Regards,
T