[NCSA-discuss] Finding an infected machine

James Hunt jhunt at captiveaire.com
Wed Feb 22 10:11:39 EST 2006


Well, odds are very slim that an infected machine would send email out
the designated SMTP for the organization.  Most likely it's acting as
a rogue SMTP server itself... so if you block port 25 out the firewall
with the only exception being the single legit SMTP server, then the
broadcast problem is OVER.  Then you just have to set up the firewall
to log failed attempts at 25, and you've got your infected machine.

Jeffrey Johnson wrote:

Oh, you might also be able to set up your spam filter to temporarily
filter outbound email.  That might be the quickest way to identify who
is generating the most spam.

Jeff

On 2/22/06, Jeffrey Johnson [1]<johjeff at gmail.com> wrote:


Check the headers on a sample spam message for date and time
originated and look at your smtp logs for that date and time. You
could also check your smtp logs for high volume MACs or IPs.
Depending on your mail server, you could possibly grep through
everyone's sent mail folder for the message text.

Good luck.

Jeff

On 2/22/06, Sebastian Reher [2]<sreher at gmail.com> wrote:


I would temporarily change the logging on your firewall (i.e. all
outgoing mail) and then look through the logs.
... Sebastian

On 2/22/06, Brian Henning [3]<brian at strutmasters.com> wrote:


Hi Folks,
   I've never really had to deal with this sort of situation before, so
I'm not sure what the best countermeasure is.  The situation is that
recently I've started getting notifications from AOL that my domain is
spamming their users.  That's bad.  I've set up the AOL postmaster
feedback loop thing (when AOL users complain about messages from our
domain, I get a copy of the complaint with the offending message), and
it looks like your typical "Check out these stocks!!" SPAM.

On our network of probably 20 or 25 machines, I'm not sure how to
pinpoint which one (or more...) is actually spewing out the offending
mail.  What's the best way to do that?  I'm thinking maybe I could set
up a packet sniffer grepping for a phrase from the message, and see
which host it comes from... but I haven't the faintest idea how to
actually do that.  Is that even a good idea?

I've also made a prioritized list of the users I think are most likely
to infect themselves with such things, but I'd like to avoid
goose-chases if there's a good automated way to catch the offending
machine in the act.

Thanks!
~Brian

--
----------------
Brian A. Henning
strutmasters.com
336.597.2397x238
----------------
_______________________________________________
ncsa-discussion mailing list
[4]ncsa-discussion at ncsysadmin.org
[5]http://www.ncsysadmin.org/mailman/listinfo/ncsa-discussion



--
Jeffrey Carlton Johnson
Sun Certified Solaris Security Administrator

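The firewall-logging approach discussed in this thread (block outbound tcp/25 except from the one legitimate relay, log the attempts, and see which internal host keeps trying) can be turned into a small log triage script. This is an added example, not code from anyone in the thread; it assumes iptables-style kernel log lines (the sample lines below are constructed) and uses 192.0.2.10 as a stand-in for the organization's real SMTP server.

```python
import re
from collections import Counter

# Assumed address of the organization's one legitimate outbound SMTP server.
LEGIT_SMTP = "192.0.2.10"

# Constructed iptables-style kernel log lines, as a LOG rule placed in front of
# the outbound tcp/25 DROP would produce. Not taken from the original thread.
SAMPLE_LOG = """\
Feb 22 09:58:01 fw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=10.0.0.12 DST=192.0.2.10 PROTO=TCP SPT=4311 DPT=25
Feb 22 09:58:03 fw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=10.0.0.37 DST=198.51.100.5 PROTO=TCP SPT=1041 DPT=25
Feb 22 09:58:03 fw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=10.0.0.37 DST=198.51.100.77 PROTO=TCP SPT=1042 DPT=25
Feb 22 09:58:04 fw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=10.0.0.37 DST=203.0.113.9 PROTO=TCP SPT=1043 DPT=25
Feb 22 09:58:05 fw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=10.0.0.21 DST=192.0.2.10 PROTO=TCP SPT=2200 DPT=25
Feb 22 09:58:06 fw kernel: WEB-OUT: IN=eth1 OUT=eth0 SRC=10.0.0.37 DST=203.0.113.9 PROTO=TCP SPT=1044 DPT=80
Feb 22 09:58:07 fw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=10.0.0.44 DST=198.51.100.5 PROTO=TCP SPT=3100 DPT=25
"""

FIELDS = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+)")


def direct_smtp_attempts(log_text, legit_smtp=LEGIT_SMTP):
    """Per internal host, count outbound tcp/25 connections that bypass the
    approved relay, and remember which destinations each host tried."""
    attempts = Counter()
    targets = {}
    for line in log_text.splitlines():
        m = FIELDS.search(line)
        if not m or m.group("dpt") != "25":
            continue                      # not SMTP, or a line we cannot parse
        if m.group("dst") == legit_smtp:
            continue                      # a normal client reaching the real relay
        attempts[m.group("src")] += 1
        targets.setdefault(m.group("src"), set()).add(m.group("dst"))
    return attempts, targets


def rank_suspects(log_text, legit_smtp=LEGIT_SMTP):
    """Return (src, attempts, distinct_destinations) tuples, worst first. A host
    fanning out to many different MX addresses behaves like a spam engine,
    whereas one misconfigured client usually hits a single destination."""
    attempts, targets = direct_smtp_attempts(log_text, legit_smtp)
    ranked = [(src, n, len(targets[src])) for src, n in attempts.items()]
    ranked.sort(key=lambda t: (t[1], t[2]), reverse=True)
    return ranked


if __name__ == "__main__":
    for src, n, fanout in rank_suspects(SAMPLE_LOG):
        print(f"{src}: {n} direct SMTP attempt(s) to {fanout} distinct host(s)")
```

On the constructed sample, 10.0.0.37 surfaces first (three attempts to three different destinations), while the hosts that only talked to 192.0.2.10 never appear.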
References

   1. mailto:johjeff at gmail.com
   2. mailto:sreher at gmail.com
   3. mailto:brian at strutmasters.com
   4. mailto:ncsa-discussion at ncsysadmin.org
   5. http://www.ncsysadmin.org/mailman/listinfo/ncsa-discussion
   6. mailto:ncsa-discussion at ncsysadmin.org
   7. http://www.ncsysadmin.org/mailman/listinfo/ncsa-discussion
   8. mailto:ncsa-discussion at ncsysadmin.org
   9. http://www.ncsysadmin.org/mailman/listinfo/ncsa-discussion
