How do you detect a spambot on your network?


Solution 1

First, you need to stop the spam.
a- set your firewall to not allow outbound SMTP/POP except from the email server.
b- set your mail server to not allow outbound relay.

Then, you need to find the problem machine(s).
1- Look at the firewall logs to see which machine(s) are actually trying to do outbound mail and getting blocked. Those machines are infected.
2- Make sure each machine has current A/V, and do a thorough scan on each machine.
3- You may want to implement the Windows Firewall on each machine.
4- If still not found you will need to use a sniffer.

Note: I don't think that DNS and email on the same server is an issue.

Solution 2

The problem could be that your exchange server is allowing RELAY. Make sure that setting is turned off or set only the IPs which are allowed to relay via that server. Your network design should only allow the exchange server to send traffic out of your network via port 25.

Most spambots use port 25. Once you have set up like that, then if any other machine tries to send via port 25 it will show up in the firewall logs.

Good Luck!

Solution 3

  1. You should sniff your network traffic. There are many nice tools available, all the way from plain packet dumps similar to tcpdump all the way to fancy GUI visualization apps. Typically you will need to either: a) plug into a special port on your switch, b) configure another port to see all traffic, or c) do the sniffing from your firewall/router. First just focus on finding SMTP traffic to the outside world from any machine that's not the Exchange server. Later you should examine all traffic to see if anything else is going on: IRC from someone's machine who doesn't even know what IRC is, for instance.
  2. Write a plain language statement of what traffic should be allowed out of your network, and implement outbound rules at your firewall/router, with logging. You will be surprised how well this works. And it will also mean that you will know when something bad is happening before you hear it from an outside party!

Solution 4

If you have a firewall, a simple solution is to block all outbound port 25 traffic except for your Exchange server. Individual machines are likely trying to send spam on their own. Once you've put the block in place, check the firewall logs to see which IP is trying, and failing, to hit port 25 outbound.
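Solutions 1, 2 and 4 all come down to the same two steps: state an egress policy (only the Exchange server may open outbound TCP/25) and then read the firewall log to see which other hosts are hitting that rule, which is also step 2 of Solution 3. The script below is an added example, not code from any of the answers: it encodes that policy as a function, parses a few constructed netfilter-style log lines, and ranks the internal hosts that violated it. The Exchange address 192.168.1.10, the log format and every address in the sample are assumptions made up for the example.

```python
import re

# Assumed network facts, constructed for this example (not from the thread):
EXCHANGE_IP = "192.168.1.10"   # the only host allowed to speak SMTP outbound
SMTP_PORT = 25

# Constructed sample lines in a netfilter/iptables-style LOG format.
# The log prefix (OUT-DROP / OUT-ACCEPT) is whatever the firewall rule used.
SAMPLE_FIREWALL_LOG = """\
Mar 12 08:01:02 fw kernel: OUT-DROP IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=203.0.113.25 PROTO=TCP SPT=3456 DPT=25
Mar 12 08:01:03 fw kernel: OUT-DROP IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=198.51.100.9 PROTO=TCP SPT=3457 DPT=25
Mar 12 08:01:05 fw kernel: OUT-ACCEPT IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.25 PROTO=TCP SPT=51000 DPT=25
Mar 12 08:02:11 fw kernel: OUT-DROP IN=eth1 OUT=eth0 SRC=192.168.1.88 DST=203.0.113.40 PROTO=TCP SPT=1025 DPT=25
Mar 12 08:02:12 fw kernel: OUT-ACCEPT IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=203.0.113.80 PROTO=TCP SPT=3460 DPT=80
Mar 12 08:02:13 fw kernel: OUT-DROP IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=192.0.2.77 PROTO=TCP SPT=3461 DPT=25
"""

# Fields needed from each line; everything else is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<action>\S+) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)


def is_outbound_smtp_allowed(src_ip, dport, exchange_ip=EXCHANGE_IP):
    """The plain-language egress policy as code: only the Exchange server
    may open outbound connections to TCP/25. Other ports are outside this
    policy's scope, so they are reported as allowed here."""
    if dport != SMTP_PORT:
        return True
    return src_ip == exchange_ip


def parse_line(line):
    """Return the fields of one firewall log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dpt"] = int(rec["dpt"])
    return rec


def find_smtp_offenders(log_text, exchange_ip=EXCHANGE_IP):
    """Return {src_ip: stats} for every internal host other than the Exchange
    server that tried to reach TCP/25 outside the network.

    The decision uses the policy, not the DROP/ACCEPT action, so a log taken
    before the block was put in place is analysed the same way. Both the
    attempt count and the number of distinct destinations are kept: a
    spambot walks many remote mail hosts, a misconfigured client usually
    talks to one."""
    offenders = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP":
            continue
        if is_outbound_smtp_allowed(rec["src"], rec["dpt"], exchange_ip):
            continue
        stats = offenders.setdefault(rec["src"], {
            "attempts": 0, "destinations": set(),
            "first_seen": rec["ts"], "last_seen": rec["ts"],
        })
        stats["attempts"] += 1
        stats["destinations"].add(rec["dst"])
        stats["last_seen"] = rec["ts"]   # lines are assumed to be in time order
    return offenders


def rank_offenders(offenders):
    """Most suspicious first: most distinct destinations, then most attempts."""
    return sorted(
        offenders.items(),
        key=lambda kv: (len(kv[1]["destinations"]), kv[1]["attempts"]),
        reverse=True,
    )


if __name__ == "__main__":
    for ip, stats in rank_offenders(find_smtp_offenders(SAMPLE_FIREWALL_LOG)):
        print(f"{ip}: {stats['attempts']} attempts to {len(stats['destinations'])} "
              f"hosts ({stats['first_seen']} .. {stats['last_seen']})")
```

Run against the real log, the top of the ranking is the machine to pull off the network and scan first. If the only source that ever appears on port 25 is the Exchange server itself, the firewall cannot help further and the problem is on the server, which is the relay-restriction case Solution 2 describes.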

Updated on September 17, 2022

Comments

  • mav
    mav almost 2 years

    I help manage a small network of about 40 computers. We are running an Exchange 2003 mail server.

    What is the best way to find which machine is infected by a spambot? I've tried installing anti-virus and anti-malware programs on each computer. After scanning the computers I did find a few that had lots of malicious programs and thought that our problem was solved. However our domain keeps getting blocked by DNS Blacklists and I have to remove them daily for our clients to receive our e-mail.

    Note: We are being attacked by Directory Harvest and Backscatter tactics.

    edit: Our e-mail server doubles as a DNS server. Could this possibly open up vulnerabilities for spam attacks?

  • mav
    mav about 15 years
    Our e-mail data is stored locally on each computer. We have other servers however I do not believe that they should affect our mail server.
  • mav
    mav about 15 years
    How do I check my exchange server Relay options so that I can turn it off?
  • mav
    mav about 15 years
    Honestly this seems like a good solution. However not being too familiar with Exchange 2003 limits my knowledge of how to go about implementing this. I guess we'll just need to hire someone outside the company with more network/server knowledge.
  • tomjedrz
    tomjedrz about 15 years
    "Relay restrictions" are controlled on the "Access" tab of the "SMTP Virtual Server" Properties page. It is a bunch of layers down through the Exchange System Manager. The complete path (on my server) is Admin Groups/First Admin Group/Servers/<<server name>>/Protocols/SMTP/Default SMTP Virtual Server.
  • Alex
    Alex about 15 years