WEB IT Crew, help tracking down spam mailer on network

Discussion in 'OT Technology' started by kamikaze, Mar 4, 2009.

  1. kamikaze (Active Member, joined Jan 30, 2005, 33,629 messages, 0 likes, Barrie Ontario)

    I keep getting outgoing emails blocked by some company called Proofpoint. So I emailed them and they say a computer on our network is sending out spam. Is there any way I can monitor for this to try and track down the machine that is doing it? They are being extremely vague and won't give me destination information because they claim that would compromise their client's security.

    Thanks
     
  2. thomor25 (I make money online...., joined Jun 11, 2000, 11,101 messages, 0 likes, Denver Colorado)

    Monitor outgoing packets on port 25 and 26 on your network.
     
  3. kamikaze (Active Member, joined Jan 30, 2005, 33,629 messages, 0 likes, Barrie Ontario)

    Ok. I set up a packet capture app on a machine on my network; that should catch it if there's a machine sending info on port 25/26, right? Or am I going to have to set up some sort of proxy machine?
     
  4. kamikaze (Active Member, joined Jan 30, 2005, 33,629 messages, 0 likes, Barrie Ontario)

    Ok, so the packet capture app didn't find anything, but I found a program that logs all outbound traffic from my router. Do I need to be looking for traffic sent to IPs with a remote port of 25-26 or a local port of 25-26, or both?
     
  5. thomor25 (I make money online...., joined Jun 11, 2000, 11,101 messages, 0 likes, Denver Colorado)

    Both, just in case.
     
  6. kamikaze (Active Member, joined Jan 30, 2005, 33,629 messages, 0 likes, Barrie Ontario)

    Cool. Now, is it possible that whatever computer is doing this is sending from a different port? Or is SMTP pretty well limited to that port range?
     
  7. retorq (What up bitch??, joined Dec 14, 2006, 6,061 messages, 0 likes, Mohave Desert)

    Just setting up a network monitor app on a machine plugged into your network isn't gonna do shit if it's a switched/subnet'd/vlan'd network.

    If a machine on your network is sending out spam you need to monitor outgoing port 25 at your firewall. Watching incoming isn't going to tell you anything. The easiest way for you to find this is going to be to modify your firewall rules to deny sending from port 25 from all internal IPs and pull the logs. It'll be in there ...
     
  8. kamikaze (Active Member, joined Jan 30, 2005, 33,629 messages, 0 likes, Barrie Ontario)

    Ok, so in the last ~24 hours I've only got 7 outbound hits on port 25. I didn't deny the traffic as there are people here that need to send email and I didn't want to be blocking them. At least 2 of those hits are legit, as they happened just as my boss was sending an email. One of my co-workers said that he had a machine on the bench that was heavily infected and he wiped it yesterday, so I'm wondering if it wasn't that machine. I emailed the guy at Proofpoint to see if he had any hits within the last 24 hours, so I guess I just gotta wait to see.

    Thanks for all your help guys. I really appreciate it :)
     
  9. Statik (I am The Redworm., joined May 16, 2001, 4,723 messages, 14 likes, Destination Quasar 16.33.45.78)

    First, let me know more about what type of email you guys use... is it Exchange? Lotus Notes (god I hope not)? Hosted email?

    Here's the thing: if your network has an Exchange server and some type of spam appliance, then restrict inbound/outbound communications via port 25 to ONLY either your spam appliance (and route all inbound/outbound mail thru it) or your outer Exchange server. No internal PC should be able to connect to port 25 to the outside world anyway, as when people send email to the outside world, it has to go thru the Exchange server first, then out the Exchange server via port 25. Workstations do not need port 25 access outside. Also, if your concern is people using some sort of hosted email (think Outlook Express that is configured to get to their GMAIL account), that all usually uses the following ports depending on who's hosting it:

    POP3 - port 110
    IMAP - port 143
    Secure SMTP (SSMTP) - port 465
    Secure IMAP (IMAP4-SSL) - port 585
    IMAP4 over SSL (IMAPS) - port 993
    Secure POP3 (SSL-POP) - port 995

    There is no legit reason for a workstation to use port 25 to the internet from a network unless it's an email server or some other dedicated allowed relay server (see ListServer) for example....
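One way to act on retorq's "pull the firewall logs" advice and Statik's "only the allowed relay should talk to port 25" rule, as an added example that is not code from any poster: it parses outbound-connection log lines, keeps only connections whose remote port is an SMTP port (answering the remote-vs-local port question above), and flags internal hosts that contact mail servers outside an allowlist or fan out to many distinct servers the way a spam bot does. The log line format, the IP addresses and the allowlist are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of router/firewall outbound-connection log lines.
# Assumed format: "<time> OUT src=<ip>:<port> dst=<ip>:<port> proto=TCP".
SAMPLE_LOG = """\
09:01:02 OUT src=192.168.1.10:49152 dst=203.0.113.25:25 proto=TCP
09:01:05 OUT src=192.168.1.10:49153 dst=203.0.113.25:25 proto=TCP
09:02:10 OUT src=192.168.1.42:51000 dst=198.51.100.7:25 proto=TCP
09:02:11 OUT src=192.168.1.42:51001 dst=198.51.100.8:25 proto=TCP
09:02:11 OUT src=192.168.1.42:51002 dst=198.51.100.9:25 proto=TCP
09:02:12 OUT src=192.168.1.42:51003 dst=198.51.100.10:25 proto=TCP
09:03:00 OUT src=192.168.1.42:51004 dst=198.51.100.11:25 proto=TCP
09:03:30 OUT src=192.168.1.11:49300 dst=203.0.113.25:587 proto=TCP
09:04:00 OUT src=192.168.1.12:49400 dst=93.184.216.34:80 proto=TCP
"""

LINE_RE = re.compile(r"src=(?P<src>[\d.]+):\d+ dst=(?P<dst>[\d.]+):(?P<dport>\d+)")

# 25 is server-to-server relay; 465 and 587 are client submission ports.
SMTP_PORTS = {25, 465, 587}

def parse_smtp_connections(log_text):
    """Return (src, dst, dport) for every outbound connection to an SMTP port.
    The remote (destination) port is the one that matters: a sending client
    picks an ephemeral local port, so local port 25 would only appear on a
    machine that is itself accepting mail."""
    found = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and int(m.group("dport")) in SMTP_PORTS:
            found.append((m.group("src"), m.group("dst"), int(m.group("dport"))))
    return found

def find_suspects(connections, allowed_servers, max_distinct_servers=2):
    """Map suspect internal host -> sorted list of non-allowlisted mail servers
    it contacted. A host is suspect if it talks to any server outside the
    allowlist (the ISP's SMTP server, the in-house relay) or to more distinct
    servers than a normal mail client would (a bot delivers to each victim's MX)."""
    per_host = defaultdict(set)
    for src, dst, _dport in connections:
        per_host[src].add(dst)
    suspects = {}
    for src, dsts in per_host.items():
        unexpected = dsts - set(allowed_servers)
        if unexpected or len(dsts) > max_distinct_servers:
            suspects[src] = sorted(unexpected)
    return suspects

if __name__ == "__main__":
    for host, servers in find_suspects(parse_smtp_connections(SAMPLE_LOG), {"203.0.113.25"}).items():
        print(host, "->", ", ".join(servers))
```

On a peer-to-peer network with no in-house mail server, the allowlist is simply the ISP's SMTP server(s) each workstation is configured to use.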
     
  10. kamikaze (Active Member, joined Jan 30, 2005, 33,629 messages, 0 likes, Barrie Ontario)

    I guess I should have specified: it's a small peer-to-peer network. No servers, 4 or 5 workstations for employees, and up to 15 client computers at any given time. We are a small computer repair shop. Since we don't host our own email, everyone is configured to use external mail servers, either from our ISP or, in my case, my .mac address, using either Outlook Express or Thunderbird.
     