How can I find a computer on my network that is doing mass mailings?

3

I was notified by my ISP that one of my machines is sending out spam. This happened about 3 months ago on a Windows machine running Cygwin that was hacked due to an SSH vuln.

The hackers set up IIS and SMTP. I cleared out the machine and all the services are disabled, so I think that machine is okay.

I am wondering if there is any other way to identify which machine it could be coming from?

The ISP has NO useful information such as source port, destination port, destination IP... nothing.

I am running DD-WRT on my router, a Windows 7 PC and a Windows XP PC.

Alex Ciarlill

Posted 2010-03-16T21:23:22.657


Answers

4

It's been a long time since I played with DD-WRT, but on most business-level routers they have the ability to write a log each time a firewall rule is matched.

I would create a firewall rule for Port 25 (assuming that the mass mailer is using the standard SMTP port) and get it to write a log with the source IP every time it happens. It should then be pretty easy to locate the culprit.

Mark Henderson

Posted 2010-03-16T21:23:22.657

Reputation: 5 956

It's the only way to be sure. – Zoredache – 2010-03-16T21:41:41.020

@Zoredache, absolutely. And when you gauge the price of rebuilding a machine after a nuke and the time taken to fix it, it makes much more economic sense to just re-image it. Especially once you factor in the potential cost to the company by letting an infected machine onto a corporate network. – Mark Henderson – 2010-03-16T21:57:40.923

+1 nuke that sucka :) ... and something constructive: if DD-WRT can do NetFlow, that would be an alternative way to see who is sending a whole bunch of SMTP traffic. – Zypher – 2010-03-16T22:10:43.153

+1, and you should be blocking outgoing port 25 from any machine except your mail server! – James – 2010-03-16T22:13:39.220

@James, I don't know if I agree with that rule - a lot of companies permit personal mail accounts (or at the very least, don't have a policy denying it). This kills sending out through anything but the company server. It's just as annoying when ISPs deny you port 25 access to anywhere off their network. – Mark Henderson – 2010-03-16T22:46:17.600

Annoying, for sure, but I'd rather be a little bit annoying than have spam coming from my network. I don't have a problem with personal email accounts - they can either relay through the corporate server or use port 587 to their provider's SMTP server. – James – 2010-03-16T23:14:39.473

After you've sealed off port 25 except for your mail servers, check them to ensure they are neither infected nor acting as a relay. Also, get back to the ISP and try to get more info, like source IP trail. – mpez0 – 2010-03-17T01:43:37.737
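The logging rule Mark Henderson describes, written out for DD-WRT's iptables together with a small parser for the resulting syslog lines. This is an added example, not code from the answer or from the DD-WRT project; it assumes the default DD-WRT interface names (LAN bridge `br0`, WAN `vlan1`) and a log prefix of `SMTP-OUT:`, and the log lines it parses are constructed samples in the kernel's usual netfilter LOG format.

```shell
# Added example: log new outbound SMTP connections on a DD-WRT/iptables router
# and summarise them by LAN source address.
# Assumptions: LAN interface br0, WAN interface vlan1 (DD-WRT defaults; check
# with `ip link` on your router), and syslog/dmesg enabled so LOG output is kept.

add_smtp_log_rule() {
  # Log only the first packet of each connection (conntrack state NEW) so one
  # line per session is written, and rate-limit it so an infected host sending
  # thousands of mails a minute cannot flood the router's tiny syslog buffer.
  iptables -I FORWARD 1 -i br0 -o vlan1 -p tcp --dport 25 -m state --state NEW \
    -m limit --limit 10/min --limit-burst 20 \
    -j LOG --log-prefix "SMTP-OUT: " --log-level info
}

# Constructed sample of what the kernel logs for the rule above (from
# /var/log/messages or `dmesg` on the router); 192.168.1.2 is the legitimate
# mail server, 192.168.1.23 the hypothetical infected workstation.
SAMPLE_LOG='Mar 16 21:30:01 DD-WRT kern.info kernel: SMTP-OUT: IN=br0 OUT=vlan1 SRC=192.168.1.23 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=51023 DPT=25
Mar 16 21:30:02 DD-WRT kern.info kernel: SMTP-OUT: IN=br0 OUT=vlan1 SRC=192.168.1.23 DST=198.51.100.9 LEN=60 PROTO=TCP SPT=51024 DPT=25
Mar 16 21:30:05 DD-WRT kern.info kernel: SMTP-OUT: IN=br0 OUT=vlan1 SRC=192.168.1.2 DST=203.0.113.7 LEN=60 PROTO=TCP SPT=44001 DPT=25
Mar 16 21:30:07 DD-WRT kern.info kernel: SMTP-OUT: IN=br0 OUT=vlan1 SRC=192.168.1.23 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=51025 DPT=25'

# Count logged SMTP connection attempts per LAN source, busiest first.
# Usage on the router: smtp_top_talkers < /var/log/messages
smtp_top_talkers() {
  grep 'SMTP-OUT:' | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' | sort | uniq -c | sort -rn
}

# The single LAN address with the most attempts: the machine to pull off the
# network and re-image. Expect your real mail server to appear too, so compare
# the counts against what that server normally sends.
smtp_top_source() {
  smtp_top_talkers | head -n 1 | awk '{print $2}'
}
```

Run `add_smtp_log_rule` once on the router (or put it in the DD-WRT firewall script so it survives a reboot), wait a few minutes, then feed the log through `smtp_top_talkers`. A workstation that has no business talking SMTP at all should show up immediately, and the per-destination `DST=` values in the same lines tell you whether it is hitting many different mail exchangers, which is what a spam bot looks like.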

4

You could connect a hub in between the router and your LAN and then plug a computer into the hub and install a traffic monitor on it such as Microsoft Network Monitor or Wireshark.

http://www.wireshark.org/

You will then be able to monitor all that goes on and set up filters, etc.

Charles Gargent

Posted 2010-03-16T21:23:22.657

Reputation: 703

On my DD-WRT router I have a default outgoing deny policy and then open up specific ports from specific IP addresses, and obviously I open up common ports to all IPs such as 80, 443 etc – Charles Gargent – 2010-03-16T23:10:22.257

+1 for Wireshark. Monitoring the network traffic would be the way I'd set about it. – Joe Taylor – 2010-03-17T19:14:16.013

There is also MS Network Monitor 3, which has much the same functionality. I couldn't post the link to it as I didn't have enough points :( – Charles Gargent – 2010-03-17T20:08:52.533
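The capture-side version of the same hunt, for the machine plugged into the hub (or a mirror port) that Charles Gargent suggests. This is an added example, not the answer's own material: it uses tcpdump rather than the Wireshark GUI so the result can be reduced to a per-host count on the command line, and it assumes the capture interface is `eth0` and the LAN is `192.168.1.0/24`; the tcpdump output it parses is a constructed sample.

```shell
# Added example (not from the answer): on a host attached to the hub or span
# port, capture only new outbound SMTP connections and count them per LAN host.
# Assumptions: capture interface eth0, LAN 192.168.1.0/24 (adjust both).

# Capture filter: SYN-only packets (new connections, not the SYN-ACK replies)
# from the LAN to TCP port 25, so tcpdump prints one line per SMTP session.
# The equivalent Wireshark display filter, if you prefer the GUI, is
#   tcp.dstport == 25 && tcp.flags.syn == 1 && tcp.flags.ack == 0
capture_smtp_syns() {
  tcpdump -nn -l -i eth0 \
    'src net 192.168.1.0/24 and tcp dst port 25 and tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'
}

# Constructed sample of tcpdump's text output for the filter above; 192.168.1.2
# is the real mail server, 192.168.1.23 a hypothetical infected workstation.
SAMPLE_CAPTURE='21:30:01.104211 IP 192.168.1.23.51023 > 203.0.113.5.25: Flags [S], seq 1001, win 8192, length 0
21:30:02.220984 IP 192.168.1.23.51024 > 198.51.100.9.25: Flags [S], seq 1002, win 8192, length 0
21:30:05.731400 IP 192.168.1.2.44001 > 203.0.113.7.25: Flags [S], seq 1003, win 8192, length 0
21:30:07.002311 IP 192.168.1.23.51025 > 203.0.113.5.25: Flags [S], seq 1004, win 8192, length 0'

# Reduce each tcpdump line to its source IP (field 3, with the trailing .port
# stripped) and count per host, busiest first.
# Usage: capture_smtp_syns | smtp_senders_by_count
smtp_senders_by_count() {
  awk '$2 == "IP" { src = $3; sub(/\.[0-9]+$/, "", src); print src }' \
    | sort | uniq -c | sort -rn
}

# The LAN address responsible for the most new SMTP connections in the input.
smtp_busiest_sender() {
  smtp_senders_by_count | head -n 1 | awk '{print $2}'
}
```

Because a hub repeats every frame to every port, the capture host sees all LAN traffic without touching the router; on a switch you need a mirror/span port instead, or the capture host will only see its own traffic plus broadcasts.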

1

I am also not sure how to track without NetFlow or SNMP logging. But I would recommend you just restrict outbound SMTP traffic to your mail server(s).

Below assumes a mail server IP of 192.168.1.2 on the network 192.168.1.0/24:

# Allow the mail server through to port 25, then refuse port 25 for every other
# host on the LAN (the REJECT sends an error back, so the sender fails fast)
iptables -I FORWARD 1 -p tcp -s 192.168.1.2 --dport 25 -j ACCEPT
iptables -I FORWARD 2 -p tcp -s 192.168.1.0/24 --dport 25 -j REJECT

ITGuy24

Posted 2010-03-16T21:23:22.657

Reputation: 264

0

Install a network monitor or packet sniffer application to see what's going on in your network. You should then be able to figure out which workstation is sending out all the SMTP traffic. Good luck!

goblinbox

Posted 2010-03-16T21:23:22.657

Reputation: 2 414

0

Give Wireshark a try -- that's what our company suggests to folks when we report such issues to them:

http://frontiernet.net/~tech962/findthespambot/index.html

user31472

Posted 2010-03-16T21:23:22.657
