On Tue, July 14, 2009 7:21 am, Lucian Cristian wrote:
> Karpaha Vinayaham wrote:
>> Dear All
>>
>>      One of my users' machines was infected by a virus and it started
>> sending lots of spam mails.  As the user was using smtp-auth my server
>> accepted the mail.
>>      Because of this my server IP is blacklisted; after diagnosing I
>> have blocked the infected machine IP through iptables and scanned for
>> viruses.
>>
>> Now the problem is solved, but I wanted to know how to control this
>> behaviour.
>>
>> With Regards
>>      Vinay
>>
>>
> I don't know any trojan that can use the auth system to send emails; the
> classical way is to send mails using its own "server", so blocking
> destination port 25 for the inside clients should solve the problem, but
> if there is an application that sends mails using the auth system then we are
> all doomed :D
>
> Regards
> Lucian
>

Sounds from your description here like you were routing/forwarding LAN
traffic through the same IP address (same server perhaps) that is hosting
your mail. The spam zombie probably wasn't relaying via your mail server
itself, rather just via your IP address/interface (on the same machine or
otherwise). Spam zombied machines generally send spam directly. In this
case, you can either do as Lucian suggests and ban outbound port 25
forwarding in IPTABLES, or, better yet if possible, route your LAN traffic
through a different IP address/interface/server.

Also, I presume the machines on your LAN are Windows machines. Make
sure to lock down your client workstations tightly in a controlled manner.
If running in a Windows Workgroup, make sure users only have "Restricted
User (User Group)" accounts on a machine by machine basis. If on a Samba
domain or Active Directory Domain, also make sure all users are granted
only "User Group" permissions on the Domain. This will help to ensure that
users are not as easily infected in the first place. Unfortunately, in
some cases, users must be granted certain slightly elevated permissions on
machines for certain software applications to run properly (e.g. "Standard
User" (Power Group)). Quickbooks is a notable example of such a
badly-designed application. Users in the Power Group can get infected.

Also, make sure you are continually educating/informing your users as to
network policies/procedures. Users should not open e-mails from untrusted
sources, should never follow links in such emails, and should never
follow links in casual e-mails from friends that they receive at the
workplace. Use of 3rd party e-mail providers (webmail, et al.), over which
you have no control, should be discouraged. If a machine shows signs of
infection (XP antivirus or other similar bots), users should be educated
to unplug the network cable immediately from the wall and contact support.
Leave the machine running; rebooting can cause the infection to become
more deeply embedded in the Windows registry and/or system32 directory.

Anti-virus software on individual machines is proving less and less
effective in stopping infection, as the time from virus reporting to AV
definition update at the AV vendors can only happen so fast. "Zero-hour"
exploits have exploded, and often the only prevention for these is wise,
well-educated users.

These are headaches that can't always be prevented by the network admin.
I've had two zombie infected machines within the past year, after seeing
no infections of any type on my networks for around 8 years. One was a
year ago this week and one 2 weeks ago. Both were on machines with
elevated permissions. Both were in the same office. The first was a user
who was designated as a local office admin. At that point a year ago, I
eliminated all users with full admin privileges of any kind. The most
recent, however, was on a user's machine with Power Group permissions.
Unfortunately, that machine cannot be locked down any further, and that
infection slipped by local AV filters. However, in order to get infected,
the user had to have followed a malicious link or visited an infected
website (probably running IIS).

However, you can mitigate these things as above, and I hope this is of
some help to you. I know how incredibly painful cleaning up these types of
things can be.

Good luck!
Tim

-- 
Tim Pleiman
Bravo Systems Technologies
"Advanced Open Source Solutions for Business"
Chicago, IL USA
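The port-25 egress block that Lucian and Tim describe, written out as an added example for a Linux gateway (this script is not from the thread or from the Qmailtoaster project). It assumes a gateway that forwards LAN traffic, with the LAN interface, LAN subnet and the site's own mail server address given by the LAN_IF, LAN_NET and MAILHOST variables (the defaults below are placeholders). Only the mail server is allowed to reach port 25 on the outside; any other LAN host that tries is logged and dropped, and the log lines identify the zombie. The second function summarises those log lines, run here over constructed sample lines. Set IPT=echo to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example: block outbound SMTP from the LAN except for the mail server.
# Assumed (placeholder) values; override from the environment.
IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-eth1}"                 # interface facing the LAN
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # LAN subnet
MAILHOST="${MAILHOST:-192.168.1.10}"     # the only host allowed to relay out

apply_smtp_egress_rules() {
    # Own chain, so the policy can be flushed and reloaded without touching FORWARD
    $IPT -N SMTP_EGRESS 2>/dev/null || $IPT -F SMTP_EGRESS
    # The mail server delivers outbound mail, so it may use port 25 outside
    $IPT -A SMTP_EGRESS -s "$MAILHOST" -j RETURN
    # Clients submitting (with smtp-auth) to the site's own mail server are fine
    $IPT -A SMTP_EGRESS -d "$MAILHOST" -j RETURN
    # Anything else from the LAN on 25 is a direct-sending zombie (or a
    # misconfigured client): log it, rate-limited so a bot cannot flood syslog
    $IPT -A SMTP_EGRESS -m limit --limit 6/min --limit-burst 10 \
        -j LOG --log-prefix "SMTP-EGRESS-BLOCK: " --log-level 4
    $IPT -A SMTP_EGRESS -j DROP
    # Hook the chain into FORWARD for TCP from the LAN to port 25
    $IPT -I FORWARD -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 25 -j SMTP_EGRESS
}

# Constructed sample syslog lines of the shape the LOG rule above produces
# (addresses are documentation ranges, not real hosts)
SAMPLE_LOG='Jul 14 07:21:03 gw kernel: SMTP-EGRESS-BLOCK: IN=eth1 OUT=eth0 SRC=192.168.1.55 DST=203.0.113.7 PROTO=TCP SPT=4123 DPT=25
Jul 14 07:21:04 gw kernel: SMTP-EGRESS-BLOCK: IN=eth1 OUT=eth0 SRC=192.168.1.55 DST=198.51.100.9 PROTO=TCP SPT=4124 DPT=25
Jul 14 07:22:10 gw kernel: SMTP-EGRESS-BLOCK: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.7 PROTO=TCP SPT=51020 DPT=25
Jul 14 07:22:11 gw kernel: some unrelated message'

# Read log lines on stdin and print "count source-ip", busiest source first.
# The top entry is the machine to pull off the network and scan.
blocked_hosts() {
    grep 'SMTP-EGRESS-BLOCK:' \
        | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{print $1, $2}'
}

# Usage: ./smtp-egress.sh --apply        (install the rules, as root)
#        ./smtp-egress.sh --report < /var/log/kern.log
#        IPT=echo ./smtp-egress.sh --apply   (dry run, print the rules)
case "${1:-}" in
    --apply)  apply_smtp_egress_rules ;;
    --report) blocked_hosts ;;
    --demo)   printf '%s\n' "$SAMPLE_LOG" | blocked_hosts ;;
esac
```

Hosts behind the block keep working because authenticated submission goes to the site's own mail server, which is exempted. The LOG rule is what turns the block into detection: a zombie that sends directly shows up in the kernel log within minutes, long before the server IP lands on a blacklist.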


---------------------------------------------------------------------------------
Qmailtoaster is sponsored by Vickers Consulting Group (www.vickersconsulting.com)
Please visit qmailtoaster.com for the latest news, updates, and packages.