Solved

Spam mails from a compromised internal computer

Posted on 2016-11-07
Last Modified: 2016-11-15
Dear All,

Would like to know your ideas on how to find out if we have a compromised internal computer , responsible for infecting other computers and sending spam.

Are there any methods for monitoring this?

Thanks,
T
Question by:TiazfaD
5 Comments
 
LVL 16

Accepted Solution

by:
Shaik M. Sajid earned 250 total points
ID: 41876910
You have to monitor the network through network analyzers and monitor outgoing traffic and SMTP port traffic on the network ...

for ex: http://freenetworkanalyzer.com/
http://www.colasoft.com/capsa/

These tools will give you the complete idea of the network traffic flow...

So follow the installation instructions and monitor the traffic on the machines ... and check the traffic type ... or monitor a specific protocol ... i.e. SMTP ... that's it...

You just have to catch the suspect...

Author Comment

by:TiazfaD
ID: 41876923
Dear Shaikh,

Thanks so much for your input. Will try the same. I was wondering whether any anti-virus running on these PCs would be able to detect or inform of any such suspicious behaviour?

Regards,
T
LVL 16

Assisted Solution

by:Shaik M. Sajid
Shaik M. Sajid earned 250 total points
ID: 41876929
Antivirus should be centralized with a reporting and monitoring option to monitor this, but for that all the clients should be up to date ... with antivirus updates ... and not in a compromised mode...

Antivirus cannot monitor network traffic .... it can just give you the report of the virus activity ... let's say you have selected a suspicious e-mail as not spam, then...

So the best is to monitor using the network monitoring tools ... the above are graphical tools, easy to use and monitor ...

all the best.
LVL 62

Assisted Solution

by:btan
btan earned 250 total points
ID: 41876935
Commonly it is via the email gateway that you trace down the source machine that is sending out spam.

e.g. Create an ACL on the inside interface of your firewall to only accept port 25 traffic from the IP of your mail server, then monitor hits to the ACL to determine the IP address from which the spam is originating. Also run "netstat" to show you all the open connections on the Exchange server. It'll list the IP address and the computer name of each connection.

Another is one from the ISP "warning".

e.g. You received an alert from the ISP that there is a certain PC on your network behind your firewall sending out a lot of spam, whereby your domain name is in jeopardy of being blacklisted.

As a whole, the norm or more direct practice is:
-block anything sending out emails on port 25 apart from the internal email server.
-block SMTP to everything but the valid external email server.
-check your firewall logs and look for anything sending out on SMTP to places it's not supposed to.

See one example -
if your users are using the ISP's SMTP server, you should easily be able to block port 25 traffic by configuring the users to use SMTP submission on port 587. This is an authenticated session and is FAR better to use anyway than generic SMTP.

I've gone ahead and blocked port 25 on the Linksys router for outgoing traffic, and then set up Outlook to send through port 587. Thanks to Barrulus for that suggestion. I've also used NETSTAT on each machine to locate the offender. For future use I've gone ahead and downloaded pfSense to monitor outgoing traffic.
https://www.experts-exchange.com/questions/26275359/How-do-I-identify-which-computer-on-my-network-is-sending-spam.html
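Both answers above (Shaik's "monitor SMTP port traffic on the network" and btan's "check your firewall logs" / "run netstat on the mail server") boil down to the same check: find the internal host that is opening SMTP connections it has no business opening. The script below is an added example, not code from either answer or from any of the tools they link. It parses constructed firewall log lines in the iptables LOG format (assuming an "SMTP-OUT" logging rule on the firewall, written out in the docstring) and constructed `netstat -n` output from the mail server, then ranks hosts by how many different outside mail servers they contacted directly on port 25. The LAN range 192.168.1.0/24, the mail server address 192.168.1.10 and every other address are assumptions made for the sample data.

```python
"""Added example: pinpoint the internal host sending spam directly.

All inputs are CONSTRUCTED for this example.  The firewall lines follow the
iptables LOG target format and assume a logging rule on the firewall like
the following (hypothetical, not from the thread):

    iptables -A FORWARD -p tcp --dport 25 -j LOG --log-prefix "SMTP-OUT "

The netstat block mimics `netstat -n` run on the internal mail server.
"""
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

MAIL_SERVER = ip_address("192.168.1.10")     # assumption: only host allowed to send on 25
INTERNAL_NET = ip_network("192.168.1.0/24")  # assumption: the LAN behind the firewall

# Constructed firewall log excerpt.  192.168.1.57 fans out to three external
# mail servers on port 25; 192.168.1.23 uses authenticated submission (587),
# which btan's answer recommends and which this check deliberately ignores.
FIREWALL_LOG = """\
Nov  7 10:02:13 fw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.25 PROTO=TCP SPT=40111 DPT=25 SYN
Nov  7 10:02:14 fw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=198.51.100.7 PROTO=TCP SPT=51234 DPT=25 SYN
Nov  7 10:02:14 fw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=198.51.100.8 PROTO=TCP SPT=51235 DPT=25 SYN
Nov  7 10:02:15 fw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=203.0.113.99 PROTO=TCP SPT=51236 DPT=25 SYN
Nov  7 10:02:16 fw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.25 PROTO=TCP SPT=44000 DPT=587 SYN
Nov  7 10:02:17 fw kernel: WEB-OUT IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=203.0.113.50 PROTO=TCP SPT=51237 DPT=443 SYN
"""

LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)


def outbound_smtp_by_host(log_text, port=25):
    """Return {internal_src: Counter(external_dst)} for TCP connections to
    `port` that left INTERNAL_NET, as recorded by the firewall."""
    stats = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m["proto"] != "TCP" or int(m["dpt"]) != port:
            continue
        src, dst = ip_address(m["src"]), ip_address(m["dst"])
        if src in INTERNAL_NET and dst not in INTERNAL_NET:
            stats[str(src)][str(dst)] += 1
    return stats


def direct_smtp_suspects(stats, allowed=(MAIL_SERVER,)):
    """Rank hosts other than the allowed mail server(s) that talked SMTP
    straight to the internet as (host, distinct destinations, connections),
    most distinct destinations first.  A workstation fanning out to many
    different external MX hosts is the classic spam-bot pattern."""
    allowed_str = {str(a) for a in allowed}
    ranked = [
        (src, len(dsts), sum(dsts.values()))
        for src, dsts in stats.items()
        if src not in allowed_str
    ]
    return sorted(ranked, key=lambda r: (-r[1], -r[2], r[0]))


# Constructed `netstat -n` output as seen on the mail server (Windows layout).
NETSTAT_OUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.10:25        192.168.1.57:51300     ESTABLISHED
  TCP    192.168.1.10:25        192.168.1.57:51301     ESTABLISHED
  TCP    192.168.1.10:25        192.168.1.57:51302     ESTABLISHED
  TCP    192.168.1.10:25        192.168.1.88:60010     ESTABLISHED
  TCP    192.168.1.10:443       192.168.1.23:50001     ESTABLISHED
"""

NETSTAT_RE = re.compile(
    r"^\s*TCP\s+(?P<laddr>\S+):(?P<lport>\d+)\s+(?P<faddr>\S+):(?P<fport>\d+)\s+(?P<state>\S+)",
    re.MULTILINE,
)


def smtp_clients_from_netstat(text, local_port=25):
    """Count sessions per foreign address on the mail server's SMTP port;
    one workstation holding many sessions is the machine to pull and inspect."""
    counts = Counter()
    for m in NETSTAT_RE.finditer(text):
        if int(m["lport"]) == local_port:
            counts[m["faddr"]] += 1
    return counts


if __name__ == "__main__":
    stats = outbound_smtp_by_host(FIREWALL_LOG)
    print("Hosts sending SMTP directly to the internet (mail server excluded):")
    for host, n_dst, n_conn in direct_smtp_suspects(stats):
        print(f"  {host}: {n_dst} distinct destinations, {n_conn} connections")
    print("Clients connected to the mail server on port 25:")
    for client, n in smtp_clients_from_netstat(NETSTAT_OUT).most_common():
        print(f"  {client}: {n} sessions")
```

In practice the firewall input would be something like the output of `grep SMTP-OUT /var/log/kern.log` and the second input a saved `netstat -n` from the mail server; both checks point at the same box here (192.168.1.57), which is the kind of agreement you want before pulling a machine off the LAN. Once the port 25 egress block that btan describes is in place, the same log rule keeps firing on blocked attempts, so the parser doubles as an ongoing alert source rather than a one-off hunt.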

Author Closing Comment

by:TiazfaD
ID: 41889106
Dear Shaik and btan,

Thanks again !! Lots of help.

Regards,
T
