[NCSA-discuss] Finding an infected machine

James Hunt jhunt at captiveaire.com
Wed Feb 22 09:41:05 EST 2006


First off, I'd block port 25 from any IP on your network through the 
firewall except the legit mail server.  That is of course if you have 
your own mail server in house.  That will immediately end your spam 
outbound problem.  But you still have to find the machine inside.

Then I'd set up one port on your switch to broadcast all packets from 
all ports out that port - and then hang a machine on that port running 
Ethereal.  Filter all traffic except port 25.  Another way of doing this 
is to install Cacti (www.cacti.net) on a box in the office, set up SNMP 
monitoring of your switch, and graph bits/sec bandwidth of all 
machines.  Let it run overnight and look for which port has spikes of 
activity in the middle of the night - or is steadily showing outbound 
traffic.  That will probably point out your troublemaker right there.

By the way, have you looked in the headers of the spam and made sure 
it's really your network's IP address?  It'd be a shame to go through 
all the hoops when it's just some spammer faking your domain name in the 
reply address.

Brian Henning wrote:

> Hi Folks,
>   I've never really had to deal with this sort of situation before, so 
> I'm not sure what the best countermeasure is.  The situation is that 
> recently I've started getting notifications from AOL that my domain is 
> spamming their users.  That's bad.  I've set up the AOL postmaster 
> feedback loop thing (when AOL users complain about messages from our 
> domain, I get a copy of the complaint with the offending message), and 
> it looks like your typical "Check out these stocks!!" SPAM.
>
> On our network of probably 20 or 25 machines, I'm not sure how to 
> pinpoint which one (or more..) is actually spewing out the offending 
> mail.  What's the best way to do that?  I'm thinking maybe I could set 
> up a packet sniffer grepping for a phrase from the message, and see 
> which host it comes from...but I haven't the faintest idea how to 
> actually do that.  Is that even a good idea?
>
> I've also made a prioritized list of the users I think are most likely 
> to infect themselves with such things, but I'd like to avoid 
> goose-chases if there's a good automated way to catch the offending 
> machine in the act.
>
> Thanks!
> ~Brian
>
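The mirror-port approach described above, reduced to the check you would run over the capture: an added example, not from the thread, that tallies outbound port-25 connections per internal host, skips the legitimate relay and mail submitted to it, and notes how many connections fell in the overnight window. The LAN range, relay address and connection records are constructed placeholders.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample, one TCP connection per line as a sniffer on the mirror
# port might export it: "timestamp src dst dport bytes". The 192.0.2.0/24 LAN
# and every address are placeholders, not values from the thread.
SAMPLE_FLOWS = """\
2006-02-22T02:14:05 192.0.2.17 203.0.113.9 25 4120
2006-02-22T02:14:07 192.0.2.17 203.0.113.44 25 3988
2006-02-22T02:14:09 192.0.2.17 203.0.113.81 25 4201
2006-02-22T02:16:30 192.0.2.17 203.0.113.12 25 4055
2006-02-22T09:02:11 192.0.2.5 203.0.113.9 25 2210
2006-02-22T09:03:40 192.0.2.5 203.0.113.60 25 1980
2006-02-22T09:05:02 192.0.2.23 198.51.100.7 80 15400
2006-02-22T09:06:12 192.0.2.23 192.0.2.5 25 2300
"""

LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed office LAN
MAIL_SERVER = ipaddress.ip_address("192.0.2.5")   # assumed legitimate relay


def parse_flows(text):
    """Parse the records into (time, src, dst, dport, bytes) tuples."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, nbytes = line.split()
        flows.append((datetime.fromisoformat(ts), ipaddress.ip_address(src),
                      ipaddress.ip_address(dst), int(dport), int(nbytes)))
    return flows


def find_smtp_talkers(flows, local_net=LOCAL_NET, mail_server=MAIL_SERVER):
    """Count outbound SMTP connections per internal host, skipping the real
    mail server and mail handed to it; 'night' counts the 00:00-05:59 ones."""
    stats = defaultdict(lambda: {"count": 0, "bytes": 0, "night": 0})
    for ts, src, dst, dport, nbytes in flows:
        if dport != 25 or src not in local_net or src == mail_server:
            continue
        if dst in local_net:
            continue  # a workstation submitting to the internal relay is normal
        entry = stats[str(src)]
        entry["count"] += 1
        entry["bytes"] += nbytes
        entry["night"] += ts.hour < 6
    return dict(stats)
```

Any host that appears in the result is talking SMTP directly to the outside, which on a network with a single legitimate relay it has no reason to do.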