[NCSA-discuss] Finding an infected machine

Jeffrey Johnson johjeff at gmail.com
Wed Feb 22 10:01:46 EST 2006


Oh, you might also be able to set up your spam filter to temporarily
filter outbound email.  That might be the quickest way to identify who
is generating the most spam.

Jeff

On 2/22/06, Jeffrey Johnson <johjeff at gmail.com> wrote:
> Check the headers on a sample spam message for date and time
> originated and look at your SMTP logs for that date and time. You
> could also check your SMTP logs for high-volume MACs or IPs.
> Depending on your mail server, you could possibly grep through
> everyone's sent mail folder for the message text.
>
> Good luck.
>
> Jeff
>
> On 2/22/06, Sebastian Reher <sreher at gmail.com> wrote:
> > I would temporarily change the logging on your firewall (i.e. all
> > outgoing mail) and then look through the logs.
> > ... Sebastian
> >
> > On 2/22/06, Brian Henning <brian at strutmasters.com> wrote:
> > > Hi Folks,
> > >    I've never really had to deal with this sort of situation before, so
> > > I'm not sure what the best countermeasure is.  The situation is that
> > > recently I've started getting notifications from AOL that my domain is
> > > spamming their users.  That's bad.  I've set up the AOL postmaster
> > > feedback loop thing (when AOL users complain about messages from our
> > > domain, I get a copy of the complaint with the offending message), and
> > > it looks like your typical "Check out these stocks!!" SPAM.
> > >
> > > On our network of probably 20 or 25 machines, I'm not sure how to
> > > pinpoint which one (or more..) is actually spewing out the offending
> > > mail.  What's the best way to do that?  I'm thinking maybe I could set
> > > up a packet sniffer grepping for a phrase from the message, and see
> > > which host it comes from...but I haven't the faintest idea how to
> > > actually do that.  Is that even a good idea?
> > >
> > > I've also made a prioritized list of the users I think are most likely
> > > to infect themselves with such things, but I'd like to avoid
> > > goose-chases if there's a good automated way to catch the offending
> > > machine in the act.
> > >
> > > Thanks!
> > > ~Brian
> > >
> > > --
> > > ----------------
> > > Brian A. Henning
> > > strutmasters.com
> > > 336.597.2397x238
> > > ----------------
> > > _______________________________________________
> > > ncsa-discussion mailing list
> > > ncsa-discussion at ncsysadmin.org
> > > http://www.ncsysadmin.org/mailman/listinfo/ncsa-discussion
> > >
> >
>
>
> --
> Jeffrey Carlton Johnson
> Sun Certified Solaris Security Administrator
>


--
Jeffrey Carlton Johnson
Sun Certified Solaris Security Administrator
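The correlation Jeff describes above (take the origin time from the spam sample's headers, then look in the SMTP logs for that time and for the clients submitting the most mail) can be automated. The following is an added example, not code from the thread or from any of its participants. It assumes Postfix-style syslog lines where each `client=name[ip]` entry is one message accepted from an internal host, assumes the log is in US Eastern time (syslog lines carry no year or zone, so both are supplied as constants), and runs over a constructed log sample embedded inline.

```python
"""Correlate SMTP log volume with a spam sample's origin time.

Added example, not from the thread. Assumes Postfix-style syslog lines of the
form "Mon DD HH:MM:SS host postfix/smtpd[pid]: QUEUEID: client=name[ip]", each
of which records one message accepted from an internal client.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

ASSUMED_YEAR = 2006                              # syslog omits the year (assumption)
LOG_TZ = timezone(timedelta(hours=-5))           # log host runs in EST (assumption)

# Constructed sample log (not real data): 192.168.1.57 submits far more mail
# than any other workstation, clustered around 09:58.
SAMPLE_LOG = """\
Feb 22 09:40:11 mail postfix/smtpd[2101]: 7A1B01: client=ws-sales[192.168.1.20]
Feb 22 09:57:58 mail postfix/smtpd[2101]: 7A1B02: client=unknown[192.168.1.57]
Feb 22 09:57:59 mail postfix/smtpd[2101]: 7A1B03: client=unknown[192.168.1.57]
Feb 22 09:58:00 mail postfix/smtpd[2101]: 7A1B04: client=unknown[192.168.1.57]
Feb 22 09:58:01 mail postfix/smtpd[2101]: 7A1B05: client=unknown[192.168.1.57]
Feb 22 09:58:03 mail postfix/smtpd[2102]: 7A1B06: client=ws-acct[192.168.1.31]
Feb 22 09:58:05 mail postfix/smtpd[2101]: 7A1B07: client=unknown[192.168.1.57]
Feb 22 10:15:42 mail postfix/smtpd[2103]: 7A1B08: client=ws-sales[192.168.1.20]
Feb 22 10:16:00 mail postfix/smtpd[2103]: disconnect from unknown[192.168.1.57]
"""

# Only "client=" lines count as accepted messages; connect/disconnect lines are skipped.
CLIENT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): client=(?P<host>[^\[]+)\[(?P<ip>[0-9.]+)\]"
)


def parse_log(text, year=ASSUMED_YEAR):
    """Return a list of (timestamp, client_ip, queue_id), one per accepted message."""
    entries = []
    for line in text.splitlines():
        m = CLIENT_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        entries.append((ts, m.group("ip"), m.group("qid")))
    return entries


def top_senders(entries, n=3):
    """Rank client IPs by the number of messages they submitted."""
    return Counter(ip for _, ip, _ in entries).most_common(n)


def spam_origin_time(date_header, log_tz=LOG_TZ):
    """Convert the spam sample's RFC 2822 Date header into the log's local time.

    The header may be in any zone (here a +0000 sample); the log is naive local
    time, so the value is shifted into log_tz and the tzinfo dropped.
    """
    return parsedate_to_datetime(date_header).astimezone(log_tz).replace(tzinfo=None)


def senders_near(entries, when, window=timedelta(minutes=2)):
    """Client IPs that submitted mail within +/- window of the spam's origin time."""
    lo, hi = when - window, when + window
    return Counter(ip for ts, ip, _ in entries if lo <= ts <= hi)


def likely_source(entries, date_header):
    """Best single suspect: the busiest client around the sample's origin time."""
    near = senders_near(entries, spam_origin_time(date_header))
    return near.most_common(1)[0][0] if near else None


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("busiest clients:", top_senders(log))
    # Constructed Date header from a spam sample (UTC); resolves to 09:58 EST.
    print("likely source:", likely_source(log, "Wed, 22 Feb 2006 14:58:00 +0000"))
```

Run it against `/var/log/maillog` (or whatever your MTA writes) by reading the file into `parse_log` instead of `SAMPLE_LOG`; the two views complement each other, since a compromised host that rate-limits itself may not top the overall count but will still show up in the window around the complaint's timestamp. Watch the timezone handling: the complaint's `Date` header and your log are frequently in different zones, and a five-hour error puts you in the wrong part of the log entirely.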

