Find infectees on your network
I’ve been working on ways to find infected computers on my network.
And there is one very simple way.
If you have a Postfix server, grep the log files each day for these phrases:
Blocked SPAM, LOCAL
Passed SPAM, LOCAL
Or you could do it in one go:
SPAM, LOCAL
That should net you a few infected machines.
I’ve seen infected machines sending spam to addresses in their own address book, so you should be able to find stuff that way.
Be on the lookout for stuff that looks like infected computers, but isn’t. A mailserver (at a client site) that forwards mail to other recipients (such as a BlackBerry) may pass spam along as part of that. Familiarize yourself with the legitimate recipients in such cases so you can tell the two apart.
Other servers may be set up so that they can be used to relay mail to their own domain. If that’s what you’re seeing, you’ll notice there are no outside recipients.
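As an added illustration (not part of the original post), here is a shell script that runs the grep described above and tallies the hits per sending host, also counting how many recipients were outside the local domain, so a relay that only mails its own domain stands out from a real infectee. The log lines are constructed in the style amavisd-new writes into the Postfix log (an assumption about the setup), and LOCAL_DOMAIN is an assumed placeholder.

```shell
#!/bin/sh
# Added example, not from the original post: tally "SPAM, LOCAL" log
# lines per local sending host and note whether that host mailed anyone
# outside our own domain. Log lines below are CONSTRUCTED in the style
# amavisd-new logs to Postfix; LOCAL_DOMAIN is an assumed placeholder.
LOCAL_DOMAIN="example.com"

# Constructed sample of mail.log entries (two hosts, one plain connect line).
SAMPLE_LOG='Feb 19 00:57:01 mx amavis[2231]: (02231-01) Blocked SPAM, LOCAL [192.168.1.50] [192.168.1.50] <joe@example.com> -> <victim@example.net>, Hits: 14.2
Feb 19 00:57:09 mx amavis[2231]: (02231-02) Passed SPAM, LOCAL [192.168.1.50] [192.168.1.50] <joe@example.com> -> <boss@example.com>, Hits: 6.1
Feb 19 00:58:30 mx amavis[2231]: (02231-03) Blocked SPAM, LOCAL [192.168.1.50] [192.168.1.50] <joe@example.com> -> <sales@other.org>, Hits: 21.0
Feb 19 01:02:11 mx amavis[2231]: (02231-04) Blocked SPAM, LOCAL [10.0.0.7] [10.0.0.7] <relay@example.com> -> <user1@example.com>, Hits: 9.3
Feb 19 01:02:12 mx amavis[2231]: (02231-05) Passed SPAM, LOCAL [10.0.0.7] [10.0.0.7] <relay@example.com> -> <user2@example.com>, Hits: 5.5
Feb 19 01:05:00 mx postfix/smtpd[2300]: connect from client[192.168.1.51]'

# spam_hosts: read log text on stdin, print one line per sending host:
#   <ip> <spam lines> <lines addressed outside LOCAL_DOMAIN>
spam_hosts() {
  grep 'SPAM, LOCAL' | awk -v dom="$LOCAL_DOMAIN" '
    {
      # the first bracketed address after "LOCAL" is the sending host
      match($0, /LOCAL \[[0-9.]+\]/)
      ip = substr($0, RSTART + 7, RLENGTH - 8)
      # the recipient is the <...> following "->"
      match($0, /-> <[^>]+>/)
      rcpt = substr($0, RSTART + 4, RLENGTH - 5)
      n[ip]++
      split(rcpt, p, "@")
      if (p[2] != dom) out[ip]++
    }
    END { for (ip in n) print ip, n[ip], out[ip] + 0 }' | sort
}

# A host with zero outside recipients (10.0.0.7 here) looks like a relay
# feeding its own domain; 192.168.1.50 mailed strangers and needs a look.
printf '%s\n' "$SAMPLE_LOG" | spam_hosts
```

Point the script at a real log with `spam_hosts < /var/log/mail.log` and read the third column first.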
February 19th, 2006 at 12:57 am
Some other ways include:
1) Check the CBL regularly for hosts on your network (be nice to their public nameservers; if you have enough hosts, it would be worthwhile to get a local copy of this). Other blacklists may also be useful, but as far as I can tell, the CBL’s designed for this use.
2) If you’re doing virus scanning, look in your quarantine for viruses which arrived without Received: headers and don’t look like bounces, autoresponses, or other backscatter. The remaining senders will be infected machines spewing more infection. Any backscatter on your network should of course be addressed, but this requires different measures than infected machines…
February 19th, 2006 at 3:47 am
Yeah, I have my mail program mark virus-notifications from my network, so that’s covered. But I don’t see viruses all that often. I’ve tagged maybe three so far, and I’ve been doing this for months now.
The main problem is that infectees often ignore your own mail server, and spam directly instead.
Syslogging is another way to smoke ’em out. I tagged a few that way too.
I would like to check CBL regularly, but it’s just not feasible to use their lookup. I need another way to do it. A local copy and an automated scan could be the right ticket.
February 19th, 2006 at 4:36 pm
I downloaded it with rsync (if you’ve got a linux box, it’s easy, just google it) and grepped it. Didn’t find any I didn’t already know about.
March 22nd, 2006 at 6:48 am
Most network mail configurations should only route through your mail server, so other machines should NEVER look for MX records, and your firewall should be configured so that the only machine that can communicate outbound on port 25 is the mail server.
Any other computer that is trying to send email direct to a server outside your network is either infected, or has a user performing questionable practices…
If you don’t have your own mail server (e.g. for a small home or office network), all the computers should only be communicating with your ISP or hosting mailserver on port 25. Again, any other action should be deemed dubious.
March 22nd, 2006 at 9:31 am
Tempting theory, but it doesn’t quite work in the real world.
You’ll have a LOT of ticked off customers if you close off port 25. If you’ve got a corporate network, feel free to close it off. But if you’re an ISP, I’ll give you a warning: You’ll have a lot of ticked off customers, and a lot of support phone calls.
Imagine all the users of Gmail alone…
July 20th, 2006 at 3:34 am
How do I find the spammers? I’m using sendmail. I’ve tried grep in maillog but nothing useful is coming up. I’m using Linux Red Hat 9 with sendmail. I keep being blacklisted. But I need to find the machine spamming from my network. Please help
July 20th, 2006 at 3:41 am
When you’ve got something that bad, you can’t go by grep alone. You’ll need some statistics (a script that tallies mail sent and received, addresses and IP addresses) first, then see if anything jumps out at you. How big are the log files compared to before? Do you have copies of past log files? Are you familiar with the unique pattern of your server? If you’re familiar with the pattern, you may be able to look at the log by grepping for time stamp - one hour at a time. Also, some of the blocklists will tell you when they received a spam from you. Grep for that time period, and scroll through looking for something unusual.
Also, look at it from a different point of view. Do you have statistics for the whole network? See what’s coming into the server. If you’ve got an infected computer on your network, the spam will usually come in bursts then be inactive for periods.
July 20th, 2006 at 4:56 am
Thanks Admin. Can you give me some commands or the script to help in this matter? How do I grep for a particular time for instance? How do I analyse the logs?
The maillog size is 293884 while maillog.1 is 12 and maillog.2 is 24.
July 20th, 2006 at 8:10 am
Hi Sandras,
Actually admin is Spamhuntress.
You would need to find a script that works for your setup. I don’t use Sendmail, so I haven’t researched that.
You’d grep for a particular time (let’s say hour) by grepping for how the logs represent that time frame. Just omitting the minutes and seconds. I don’t know for sure if grep will let you do that. I’ve used TextHarvest on Windows for the heavier grepping. The point is that with TextHarvest, you can do much more complex grepping. The commands would be monstrous if you were to do that on a linux box with grep. You can find TextHarvest here: http://spamhuntress.com/wiki/Tracing_tools
That maillog isn’t too big. Could you send it to me? Provided that’s about 300 KB and not megabytes?
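As an added example (not from anyone in the thread), the following script does what the replies above describe with plain grep and awk: it slices a syslog-style maillog by hour, flags hours whose volume is a burst compared with the rest, and pulls out the raw lines for one hour to read through. It relies only on the "Mon DD HH:MM:SS" prefix that both sendmail and Postfix logs share; the sendmail-style sample lines and the threshold factor are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: per-hour statistics for a syslog
# style maillog (sendmail or Postfix), a burst detector, and a one-hour
# slice for manual reading. The sample lines below are CONSTRUCTED.
SAMPLE_LOG='Jul 20 02:10:01 mx sendmail[411]: k6K2A1xx000411: from=<ann@example.com>, size=812, nrcpts=1
Jul 20 02:45:13 mx sendmail[415]: k6K2jDxx000415: from=<bob@example.com>, size=2210, nrcpts=1
Jul 20 03:00:02 mx sendmail[500]: k6K302xx000500: from=<ann@example.com>, size=1301, nrcpts=25
Jul 20 03:00:03 mx sendmail[501]: k6K303xx000501: from=<ann@example.com>, size=1301, nrcpts=25
Jul 20 03:00:05 mx sendmail[502]: k6K305xx000502: from=<ann@example.com>, size=1301, nrcpts=25
Jul 20 03:00:06 mx sendmail[503]: k6K306xx000503: from=<ann@example.com>, size=1301, nrcpts=25
Jul 20 03:00:08 mx sendmail[504]: k6K308xx000504: from=<ann@example.com>, size=1301, nrcpts=25
Jul 20 03:00:09 mx sendmail[505]: k6K309xx000505: from=<ann@example.com>, size=1301, nrcpts=25
Jul 20 04:12:44 mx sendmail[600]: k6K4Cixx000600: from=<bob@example.com>, size=640, nrcpts=1'

# hour_counts: read a log on stdin, print "<Mon> <DD> <HH> <lines>" per hour.
hour_counts() {
  awk '{ split($3, t, ":"); k = $1 " " $2 " " t[1]; n[k]++ }
       END { for (k in n) print k, n[k] }' | sort
}

# burst_hours FACTOR: hours whose line count exceeds FACTOR times the
# mean hourly count; infectees tend to show up as such bursts.
burst_hours() {
  hour_counts | awk -v f="$1" '
    { line[NR] = $0; v[NR] = $4; sum += $4 }
    END { mean = sum / NR
          for (i = 1; i <= NR; i++) if (v[i] > f * mean) print line[i] }'
}

# log_for_hour "Jul 20 03": every raw line from that hour, for reading.
log_for_hour() {
  grep "^$1:"
}

printf '%s\n' "$SAMPLE_LOG" | burst_hours 1.5
printf '%s\n' "$SAMPLE_LOG" | log_for_hour "Jul 20 03"
```

On a real system feed `/var/log/maillog` (and the rotated `maillog.1`, `maillog.2`) through `hour_counts` to compare this week’s pattern with last week’s before deciding what counts as a burst.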