
Internal Spammer

Status
Not open for further replies.

Daire

Technical User
Jun 25, 2001
156
EU
Hi

I have a spammer on the LAN, mail is being sent out with spoofed sender addresses and we are now on some email blacklists.

We have eTrust ITM on all PCs scanning for viruses and spyware, but it doesn't seem to find the spamming application.

How can I find out which computer is sending the spam? The server is not an open relay server, so the spam mail must be coming from inside??? Is this correct?

Thanks all
 
First step is to make sure that your firewall doesn't accept SMTP from any address except your Exchange server and your server only accepts SMTP from other Exchange servers.
If you've secured that you can then just use some transport diagnostics logging to see who is sending all the mail.
 
I have to disagree with the "only accepts SMTP from other Exchange servers". The world is pretty big; there are other email servers out there other than Exchange-based ones. Not really sure how you'd go about trying to limit that anyway.

If you have a decent firewall, watch it to see where the email is originating from. Odds are it's not using your Exchange server but rather its own SMTP server to send the spam.

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.
 
Davetoo, it was just a context thing on my part. I was referring to internal systems, not servers on the big bad Internet. At this stage I wasn't interested in the outside world as we're talking about an internal issue.

And no, you can't tie yourself (except in 2007) to only Exchange servers because there are too many ISP relays out there where a message starts off on an Exchange server but goes through something else on its journey.

As for your 2nd paragraph about the decent firewall. That's exactly what I told the OP, except I didn't word it well enough seemingly.
 
You need to be as clear as possible when providing such specific support as we provide here on TT. While you may have been thinking the things you describe, what you wrote wasn't the same thing so it wasn't clear. If you're only interested in internal systems, specify that in your post.

No...it really wasn't clear at all what you meant as to the "transport diagnostic logging"...KISS it (keep it simple stupid). ;-)

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.
 
Thanks for the advice. Guess I've just been a terrible MVP for the last eight years.
 
Uh..ok, guess so then. I've only been one for three years myself, but as you can see by my profile here, I'm a pretty frequent helper here on TT. You can take my advice and move on, or just move on. Either way I'm good with it.

Cya.

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.
 
I would set up Ethereal on your network and filter by SMTP; this will tell you which IP address is sending out all of the mail.

You will need to sniff a part of the network that sees all of the traffic, e.g. your Internet connection. If you have a switched environment you won't see all of the traffic, so you have to place your sniffer carefully.

Cheers
 
Thanks guys, I hope I haven't started a row.

Anyway, there is just one Exchange server and about 20 clients, so obviously all the clients send their mail out through the Exchange box.

Something is generating mails (you know the ones that ask you to confirm your bank details).

I was just wondering if I can track the sending LAN IP address so I can identify the rogue pc?

Cheers
Daire
 
Rows? Never.
Just use Ethereal as Hondy said, or look on the firewall to see what address (if it is an internal SMTP engine) is hitting the firewall.
As for checking the IP address against any rogue MAPI sending you're pretty much out there.

What is it that makes you sure you are the offending site?
 
Hi

It's not an internal SMTP engine sending out on the Internet, so I won't see anything on the firewall except the Exchange server sending.

If there is an internal SMTP engine, it's forwarding to the Exchange box.
 
To make it a little clearer. The discussion was based around the possibility that one of your workstations has malware on it that has its own SMTP capabilities. The existence of these trojans is why the antivirus vendors usually have a setting that stops workstations sending out SMTP (TCP 25) messages.

So, thing one to do is to make sure that only the Exchange server is sending through the firewall.

Then make sure you are on the default settings on Exchange. Your Exchange server, by default, does not even accept messages from workstations or users on your network for relay out to the Internet. So, if the server isn't accepting messages from rogue workstations, we've eliminated the errant SMTP component.

is the next thing on your journey. You presumably know the destination address, an address that a sender (you select) should not be sending to. Use the Message Tracking Center to trace it to a user, and then you can trace the user to the PC.
 
If that looks too complicated you can use netstat on the Exchange server to see which workstation is connecting on port 25.

However, that is looking for the culprit workstation. You DO need to focus on Mark's advice and tie down the server so that this can't happen. Workstations should not be able to send SMTP email.
 
I would like to add to Hondy's recommendation about using Ethereal to find the culprit. You may already know this, but if you're using a switch as opposed to a hub, Ethereal won't see any packets. Hopefully you have a managed switch, and if so you'll need to set port forwarding (or duplicating or whatever it's called on your switch) so ALL packets go to one of the ports on the switch. Then connect the computer/laptop that has Ethereal on it to that port and start your scan. You should immediately find the guilty party.

Just my 2 pennies,

Joe B
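The two hunts suggested in this thread, `netstat` on the Exchange server (to see which workstation keeps connecting to port 25) and a sniffer on a mirror port (to catch a workstation talking SMTP straight to the Internet, bypassing Exchange), both boil down to counting connection attempts per source host. The script below is an added example, not code from any of the posters. It parses the text output of `netstat -n -p tcp` (Windows layout) and of `tcpdump -n port 25` and tallies per-host counts. The addresses, the netstat lines and the tcpdump lines are constructed for the example; 192.168.1.10 is assumed to be the single Exchange server.

```python
import re
from collections import Counter

SMTP_PORT = 25
# Assumed address of the one Exchange server on this LAN (example value).
MAIL_SERVER = "192.168.1.10"

# Constructed sample of `netstat -n -p tcp` as run on the Exchange server
# (Windows layout; not captured from a real system).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.10:25        192.168.1.57:1043      ESTABLISHED
  TCP    192.168.1.10:25        192.168.1.57:1044      ESTABLISHED
  TCP    192.168.1.10:25        192.168.1.57:1051      TIME_WAIT
  TCP    192.168.1.10:25        192.168.1.23:1201      ESTABLISHED
  TCP    192.168.1.10:3391      203.0.113.9:25         ESTABLISHED
  TCP    192.168.1.10:135       192.168.1.23:1029      ESTABLISHED
"""

# Constructed sample of `tcpdump -n port 25` from a sniffer on a mirror port.
SAMPLE_TCPDUMP = """\
12:01:03.100000 IP 192.168.1.57.1043 > 192.168.1.10.25: Flags [S], seq 100, win 64240, length 0
12:01:03.100500 IP 192.168.1.10.25 > 192.168.1.57.1043: Flags [S.], seq 200, ack 101, win 65535, length 0
12:01:03.101000 IP 192.168.1.57.1043 > 192.168.1.10.25: Flags [.], ack 201, win 64240, length 0
12:01:04.300000 IP 192.168.1.57.1044 > 192.168.1.10.25: Flags [S], seq 300, win 64240, length 0
12:01:05.000000 IP 192.168.1.23.1201 > 192.168.1.10.25: Flags [S], seq 400, win 64240, length 0
12:01:06.000000 IP 192.168.1.10.3391 > 203.0.113.9.25: Flags [S], seq 500, win 65535, length 0
12:01:07.000000 IP 192.168.1.57.1052 > 198.51.100.7.25: Flags [S], seq 600, win 64240, length 0
"""


def tally_netstat(text, port=SMTP_PORT):
    """Count sockets per foreign host on the server's local SMTP port.

    Only inbound sockets (local port == 25) are counted; the server's own
    outbound deliveries (foreign port 25, local port ephemeral) are skipped,
    so the result is "who is submitting mail to this server right now".
    """
    hits = Counter()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0].upper() != "TCP":
            continue
        local_port = int(parts[1].rsplit(":", 1)[1])
        foreign_ip = parts[2].rsplit(":", 1)[0]
        if local_port == port:
            hits[foreign_ip] += 1
    return hits


# One tcpdump line for a new connection: only SYNs are matched (Flags [S],
# not the server's [S.] reply), so each connection attempt is counted once.
_SYN = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[S\]"
)


def tally_syns(text, mail_server=MAIL_SERVER, port=SMTP_PORT):
    """Split SMTP connection attempts seen on the wire into two tallies.

    via_server: internal hosts submitting to the Exchange server on port 25.
    bypassing:  internal hosts opening port 25 to anything else, i.e. a
                workstation running its own SMTP engine straight to the Internet.
    The mail server's own outbound SYNs are legitimate relay traffic and skipped.
    """
    via_server, bypassing = Counter(), Counter()
    for m in _SYN.finditer(text):
        if int(m.group("dport")) != port or m.group("src") == mail_server:
            continue
        if m.group("dst") == mail_server:
            via_server[m.group("src")] += 1
        else:
            bypassing[m.group("src")] += 1
    return via_server, bypassing


def main():
    print("netstat: connections per host to local port 25")
    for ip, n in tally_netstat(SAMPLE_NETSTAT).most_common():
        print(f"  {ip:15} {n}")
    via, by = tally_syns(SAMPLE_TCPDUMP)
    print("sniffer: SMTP SYNs to the Exchange server per host")
    for ip, n in via.most_common():
        print(f"  {ip:15} {n}")
    print("sniffer: SMTP SYNs that bypass the Exchange server (rogue engine)")
    for ip, n in by.most_common():
        print(f"  {ip:15} {n}")


if __name__ == "__main__":
    main()
```

In the constructed data 192.168.1.57 tops both lists and is also the only host talking SMTP directly to an outside address, which is the "own SMTP engine" case Davetoo described. Two caveats from the thread apply: `netstat` is a snapshot, so run it repeatedly or during a spam burst (and add `-o` on Windows to get the owning PID once you are on the suspect box), and on a switched LAN the sniffer only sees this traffic from a mirror/SPAN port or from the Internet-facing segment. Neither method attributes mail submitted over MAPI; that is what the Message Tracking Center is for.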
 