Re: [qmailtoaster] spammer in LAN or using the server from internet

2009-01-12 Thread Istvan Köpe

Thanks for the quick answer.
The common problem in both scenarios is that I don't know what the 
content of the spam sent from the network is. I don't know how to 
separate the outgoing spam from the incoming spam.
For example, if a spam is arriving at the "office" mailbox, that spam is 
forwarded to several other mailboxes. This generates send traffic. How 
can I separate the forwarded spam from the generated/sent spam? If I 
could separate the generated spam, I could eliminate the scenario in 
which the server is sending the spam. The guys from the blacklist have 
the content of the spam sent from my IP, but they would not share it 
with me, not even the header.
The other problem is that I don't have IPs in the /var/log/qmail/send 
log, and in /var/log/qmail/smtp there is too much data.


Istvan


-
QmailToaster hosted by: VR Hosted 
-
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
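One way to make the split Istvan asks for using only the send log, as an added example that is not from the list or from the QmailToaster project: qmail-send's "info msg N: ... uid U" line records the uid of the process that injected each message, so mail re-injected by forwards and aliases (the vpopmail uid) can be separated from mail that arrived through qmail-smtpd (the qmaild uid), and the latter can then be ranked by envelope sender to find a possibly cracked account. The uid numbers in INJECTOR_ROLE, the sample log lines and all addresses are constructed assumptions; check the real uids in /etc/passwd.

```python
import re
from collections import Counter

# Assumed uid -> injector role (verify in /etc/passwd): qmail-smtpd, i.e. inbound mail
# and AUTH submission, injects as qmaild; .qmail forwards and aliases re-inject as vpopmail.
INJECTOR_ROLE = {89: "smtp", 1001: "forward"}

INFO_RE = re.compile(r"info msg (\d+): bytes \d+ from <([^>]*)> qp \d+ uid (\d+)")
DELIV_RE = re.compile(r"starting delivery \d+: msg (\d+) to (local|remote) (\S+)")

def parse_send_log(lines):
    """Map each msg id to envelope sender, injecting uid/role and remote recipients."""
    msgs = {}
    for line in lines:
        info, deliv = INFO_RE.search(line), DELIV_RE.search(line)
        if info:
            msgid, sender, uid = info.group(1), info.group(2), int(info.group(3))
            msgs[msgid] = {"sender": sender, "uid": uid,
                           "role": INJECTOR_ROLE.get(uid, "unknown"), "remote": []}
        elif deliv and deliv.group(2) == "remote":   # local deliveries are not outbound
            rec = msgs.setdefault(deliv.group(1), {"sender": "?", "uid": None,
                                                   "role": "unknown", "remote": []})
            rec["remote"].append(deliv.group(3))
    return msgs

def outbound_summary(msgs):
    """Outbound deliveries per injector role, plus per envelope sender among
    SMTP-injected messages (candidates for a cracked account; match those by
    sender and time against /var/log/qmail/smtp, which logs the client IP)."""
    by_role, smtp_senders = Counter(), Counter()
    for rec in msgs.values():
        by_role[rec["role"]] += len(rec["remote"])
        if rec["role"] == "smtp":
            smtp_senders[rec["sender"]] += len(rec["remote"])
    return by_role, smtp_senders

# Constructed sample of /var/log/qmail/send/current (tai64n stamps shortened).
SAMPLE_LOG = """\
@40000000496b info msg 131072: bytes 1827 from <bounce@spam.example> qp 12345 uid 89
@40000000496b starting delivery 1: msg 131072 to local office@example.com
@40000000496b info msg 131073: bytes 1901 from <bounce@spam.example> qp 12350 uid 1001
@40000000496b starting delivery 2: msg 131073 to remote boss@example.net
@40000000496b starting delivery 3: msg 131073 to remote sales@example.net
@40000000496b info msg 131074: bytes 4210 from <alice@example.com> qp 12360 uid 89
@40000000496b starting delivery 4: msg 131074 to remote v1@example.org
@40000000496b starting delivery 5: msg 131074 to remote v2@example.org
@40000000496b starting delivery 6: msg 131074 to remote v3@example.org
""".splitlines()
```

Against the real server, feed `open('/var/log/qmail/send/current')` to parse_send_log; in the sample the forwarded spam accounts for 2 outbound deliveries while alice@example.com, injected via SMTP, accounts for 3.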


Re: [qmailtoaster] spammer in LAN or using the server from internet

2009-01-12 Thread Jake Vickers

Istvan Köpe wrote:

Hello,

I have been listed in a blacklist and I can't delist myself, because 
as they say there is spam coming from my IP address. The mail server 
is also a router.


Not the best scenario, but I understand it can sometimes be unavoidable.




Scenario 1.
I have no clue how to catch the infected machine. Theoretically there 
should not be any zombie machine because I have up-to-date antivirus 
on every station. But what if even like that I have a zombie machine?
Theoretically if I control the router I should be able to filter all 
the traffic, but I don't know what application to use, what method to 
use and what am I looking for?

Any suggestions?


You could force all traffic to port 25 to your server using the 
firewall.  This may make some of your users unhappy, but would force all 
outgoing email to be routed through your mail server.  You would 
redirect any traffic on port 25 (and possibly 587) to your mail server's 
IP address instead.
Depending on your environment, you may even have a machine you don't 
know about sending the spam. I worked for Time Warner for a couple years 
and we would make weekly sweeps of the offices (15 in all, all across 
town) looking for wireless signals that were not supposed to be there 
and for unknown MAC addresses.  You would be surprised how many 
employees would bring an access point into the office so that they 
could get a wireless signal outside (they liked to sit outside at the 
picnic tables and work). We also had a couple younger employees that 
would bring their laptops from home and hide them under 
desks/plants/whatever so they could get faster downloads on their 
torrents (I ran the Roadrunner installation department - we had a 
**BIG** pipe in the main office). We found laptops connected for 
torrenting that were dripping with malware.
You could also use Wireshark to monitor your network for traffic 
outgoing on port 25 and see if you could glean the MAC/IP of the 
offending machine (which may or may not help, depending on if someone 
hid a laptop under an office plant).




Scenario 2.
Somebody cracked a password of a user and is using the account to send 
spam. I checked the logs, but there is so much spam traffic, that I 
don't know what to look for. I don't know exactly how the logs work, 
but I couldn't find anything interesting. Theoretically in 
/var/log/qmail/send there should be all the outgoing mails, but I 
found a lot of spam like subjects here. I presume that those are 
related to the aliases and forwards. Is this correct?

Please give me a clue what to look for? And how to look for?



You should just see outgoing messages from authenticated users in the 
send and submission logs. If you're seeing spam there, then check the IP 
as that will probably be your offending machine.  You are correct in 
that it may be aliases or forwards. You could turn on spam scanning for 
local addresses (the instructions should be in the wiki). You could also 
enable taps and tap your domain and look at the emails to see where the 
spam is coming from. Not sure what country you're in, so this may not be 
legal in your country.



Are there other possible scenarios?



Yeah, like I mentioned above with users bringing their own equipment in. 
Without a witch hunt it's hard to track that sort of stuff unless you 
keep EXTREMELY meticulous logs on things like what computers are plugged 
into what ports on switches, where the wall plates are, etc.


Good luck!


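An added example (not from the list or any project) of the port-25 monitoring Jake describes, done with the router's own packet filter instead of Wireshark: a netfilter LOG rule records every new outbound connection to port 25 with the source IP and MAC, and the script totals them per LAN host so anything other than the mail server stands out. The iptables rule, the interface names, the mail server address in ALLOWED_SMTP_SOURCES and the syslog lines are constructed assumptions.

```python
import re
from collections import Counter

# Assumed netfilter rule on the router (not run here; adjust the LAN interface):
#   iptables -I FORWARD -i eth1 -p tcp --dport 25 -m state --state NEW \
#            -j LOG --log-prefix "SMTP-OUT: "
# Assumed address of the mail server, the only host that should speak SMTP outward.
ALLOWED_SMTP_SOURCES = {"192.168.1.2"}

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_log_line(line):
    """Return the KEY=VALUE fields of one SMTP-OUT kernel log line, or None."""
    if "SMTP-OUT:" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    octets = fields.get("MAC", "").split(":")
    # netfilter writes dst MAC (6 bytes), then src MAC (6 bytes), then ethertype
    fields["SRC_MAC"] = ":".join(octets[6:12]) if len(octets) >= 12 else None
    return fields

def outbound_smtp_by_host(lines):
    """Count new outbound TCP/25 connections per LAN source (IP, MAC)."""
    c = Counter()
    for line in lines:
        f = parse_log_line(line)
        if f and f.get("PROTO") == "TCP" and f.get("DPT") == "25":
            c[(f["SRC"], f["SRC_MAC"])] += 1
    return c

def suspect_hosts(lines, min_connections=1):
    """Sources that are not the mail server and opened >= min_connections."""
    return [(src, mac, n) for (src, mac), n in outbound_smtp_by_host(lines).most_common()
            if src not in ALLOWED_SMTP_SOURCES and n >= min_connections]

# Constructed sample of /var/log/messages on the router.
SAMPLE_SYSLOG = [
    "Jan 12 10:15:01 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 MAC=00:1a:2b:3c:4d:5e:00:11:22:33:44:55:08:00 SRC=192.168.1.23 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=49152 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Jan 12 10:15:02 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 MAC=00:1a:2b:3c:4d:5e:00:11:22:33:44:55:08:00 SRC=192.168.1.23 DST=198.51.100.4 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP SPT=49153 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Jan 12 10:15:02 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 MAC=00:1a:2b:3c:4d:5e:00:11:22:33:44:55:08:00 SRC=192.168.1.23 DST=203.0.113.77 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=3 DF PROTO=TCP SPT=49154 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Jan 12 10:15:05 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 MAC=00:1a:2b:3c:4d:5e:00:aa:bb:cc:dd:ee:08:00 SRC=192.168.1.2 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4 DF PROTO=TCP SPT=40000 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Jan 12 10:15:06 gw sshd[123]: Accepted password for admin from 192.168.1.50",
]

if __name__ == "__main__":
    for src, mac, n in suspect_hosts(SAMPLE_SYSLOG):
        print(f"{src} ({mac}): {n} new outbound SMTP connections")
```

Once port 25 is redirected to the mail server as Jake suggests, the same LOG rule placed before the REDIRECT/DNAT rule still shows which LAN hosts keep trying to send directly.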



[qmailtoaster] spammer in LAN or using the server from internet

2009-01-12 Thread Istvan Köpe

Hello,

I have been listed in a blacklist and I can't delist myself, because as 
they say there is spam coming from my IP address. The mail server is 
also a router.

As far as I know I have two scenarios:
1. somebody from the LAN is infected and is sending spam without using 
the server

2. somebody is using my server

Scenario 1.
I have no clue how to catch the infected machine. Theoretically there 
should not be any zombie machine because I have up-to-date antivirus on 
every station. But what if even like that I have a zombie machine?
Theoretically if I control the router I should be able to filter all the 
traffic, but I don't know what application to use, what method to use 
and what am I looking for?

Any suggestions?

Scenario 2.
Somebody cracked a password of a user and is using the account to send 
spam. I checked the logs, but there is so much spam traffic, that I 
don't know what to look for. I don't know exactly how the logs work, but 
I couldn't find anything interesting. Theoretically in 
/var/log/qmail/send there should be all the outgoing mails, but I found 
a lot of spam like subjects here. I presume that those are related to 
the aliases and forwards. Is this correct?

Please give me a clue what to look for? And how to look for?

Are there other possible scenarios?

Thanks!
