[NCSA-discuss] Finding an infected machine

Jeffrey Johnson johjeff at gmail.com
Wed Feb 22 10:00:05 EST 2006


Check the headers on a sample spam message for date and time
originated and look at your smtp logs for that date and time. You
could also check your smtp logs for high volume MACs or IPs.
Depending on your mail server, you could possibly grep through
everyone's sent mail folder for the message text.

Good luck.

Jeff

On 2/22/06, Sebastian Reher <sreher at gmail.com> wrote:
> I would temporarily change the logging on your firewall (i.e. all
> outgoing mail) and then look through the logs.
> ... Sebastian
>
> On 2/22/06, Brian Henning <brian at strutmasters.com> wrote:
> > Hi Folks,
> >    I've never really had to deal with this sort of situation before, so
> > I'm not sure what the best countermeasure is.  The situation is that
> > recently I've started getting notifications from AOL that my domain is
> > spamming their users.  That's bad.  I've set up the AOL postmaster
> > feedback loop thing (when AOL users complain about messages from our
> > domain, I get a copy of the complaint with the offending message), and
> > it looks like your typical "Check out these stocks!!" SPAM.
> >
> > On our network of probably 20 or 25 machines, I'm not sure how to
> > pinpoint which one (or more..) is actually spewing out the offending
> > mail.  What's the best way to do that?  I'm thinking maybe I could set
> > up a packet sniffer grepping for a phrase from the message, and see
> > which host it comes from...but I haven't the faintest idea how to
> > actually do that.  Is that even a good idea?
> >
> > I've also made a prioritized list of the users I think are most likely
> > to infect themselves with such things, but I'd like to avoid
> > goose-chases if there's a good automated way to catch the offending
> > machine in the act.
> >
> > Thanks!
> > ~Brian
> >
> > --
> > ----------------
> > Brian A. Henning
> > strutmasters.com
> > 336.597.2397x238
> > ----------------
> > _______________________________________________
> > ncsa-discussion mailing list
> > ncsa-discussion at ncsysadmin.org
> > http://www.ncsysadmin.org/mailman/listinfo/ncsa-discussion
> >
> _______________________________________________
> ncsa-discussion mailing list
> ncsa-discussion at ncsysadmin.org
> http://www.ncsysadmin.org/mailman/listinfo/ncsa-discussion
>


--
Jeffrey Carlton Johnson
Sun Certified Solaris Security Administrator
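A worked version of the log check Jeff describes (match the spam's origination time from its Received header against the relay's SMTP log, and rank submitting clients by volume), added here as an example and not part of the original thread. It assumes Postfix-style smtpd/qmgr log lines, which are constructed below, a relay clock in US Eastern time (-0500, the same offset as the header) and the year 2006, because syslog timestamps carry no year:

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Assumption: the relay logs in local US Eastern time (-0500) like the spam header.
LOG_TZ = timezone(timedelta(hours=-5))
LOG_YEAR = 2006  # syslog lines omit the year; assumed for this example

# Constructed Postfix-style log excerpt (not from the thread). smtpd lines tie a
# queue id to the submitting client; qmgr lines carry sender and recipient count.
SMTP_LOG = """\
Feb 22 09:12:01 mx postfix/smtpd[2101]: 7F1A2: client=ws-accounting[192.168.1.20]
Feb 22 09:12:02 mx postfix/qmgr[1001]: 7F1A2: from=<alice@example.com>, size=2211, nrcpt=1 (queue active)
Feb 22 09:40:57 mx postfix/smtpd[2133]: 8C0B3: client=unknown[192.168.1.57]
Feb 22 09:40:57 mx postfix/qmgr[1001]: 8C0B3: from=<xz9@example.com>, size=1480, nrcpt=45 (queue active)
Feb 22 09:41:03 mx postfix/smtpd[2133]: 8C0B9: client=unknown[192.168.1.57]
Feb 22 09:41:03 mx postfix/qmgr[1001]: 8C0B9: from=<qq1@example.com>, size=1480, nrcpt=50 (queue active)
Feb 22 09:41:10 mx postfix/smtpd[2140]: 8C0C4: client=unknown[192.168.1.57]
Feb 22 09:41:10 mx postfix/qmgr[1001]: 8C0C4: from=<rr7@example.com>, size=1480, nrcpt=48 (queue active)
Feb 22 09:55:30 mx postfix/smtpd[2150]: 9D1E5: client=ws-sales[192.168.1.33]
Feb 22 09:55:31 mx postfix/qmgr[1001]: 9D1E5: from=<bob@example.com>, size=5120, nrcpt=2 (queue active)
"""

# Constructed Received header as it might appear in a feedback-loop complaint.
SPAM_RECEIVED = ("Received: from mx.example.com (mx.example.com [203.0.113.10]) "
                 "by mailin-01.mx.aol.com; Wed, 22 Feb 2006 09:41:05 -0500")

SMTPD_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: (\w+): client=\S*\[([\d.]+)\]")
QMGR_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/qmgr\[\d+\]: (\w+): from=<([^>]*)>, size=\d+, nrcpt=(\d+)")


def parse_log(text, year=LOG_YEAR, tz=LOG_TZ):
    """Join smtpd and qmgr lines by queue id into one record per message."""
    clients = {}      # queue id -> client IP
    messages = []
    for line in text.splitlines():
        m = SMTPD_RE.match(line)
        if m:
            clients[m.group(2)] = m.group(3)
            continue
        m = QMGR_RE.match(line)
        if m:
            stamp, qid, sender, nrcpt = m.groups()
            when = datetime.strptime(stamp, "%b %d %H:%M:%S").replace(year=year, tzinfo=tz)
            messages.append({"when": when, "qid": qid, "client": clients.get(qid, "?"),
                             "sender": sender, "nrcpt": int(nrcpt)})
    return messages


def clients_near(messages, received_header, window=timedelta(minutes=5)):
    """Count submissions per client within +/- window of the spam's origination time."""
    # The timestamp follows the last ';' in a Received header.
    when = parsedate_to_datetime(received_header.rsplit(";", 1)[1].strip())
    return Counter(m["client"] for m in messages if abs(m["when"] - when) <= window)


def volume_by_client(messages):
    """(client, message count, total recipients) per client, most recipients first."""
    msgs, rcpts = Counter(), Counter()
    for m in messages:
        msgs[m["client"]] += 1
        rcpts[m["client"]] += m["nrcpt"]
    return sorted(((ip, msgs[ip], rcpts[ip]) for ip in msgs), key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    records = parse_log(SMTP_LOG)
    print("clients submitting near the spam's timestamp:", clients_near(records, SPAM_RECEIVED))
    for ip, n, r in volume_by_client(records):
        print(f"{ip:16} {n:3} messages {r:5} recipients")
```

The time-window match and the volume ranking point at the same client here, which is the signal to look for; a single workstation handing the relay dozens of recipients per message at a steady cadence is the pattern a spam bot leaves. Beware the time-zone caveat: if the relay's clock or log time zone differs from the offset in the Received header, the window will miss unless the offsets are reconciled first.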

