I am working on a Microsoft Exchange 2003 email server. Our mail server has a terrible spam problem, and I have a suspicion that one of our computers is infected by a spambot. What I’m trying to do is figure out which computer within our network is generating spam using Wireshark.
What I tried doing is filtering the packets to TCP only, and then filtering the results down to tcp.port == 25 (port 25 is the SMTP port). Unfortunately I don’t think that I have the filters set up right.
After filtering the data, the only “Source” ip from our network ip address was the mail exchange server itself. I’m thinking that either I set up the filters wrong, or that our mail server is the spambot (the latter seems unlikely).
Could someone help me figure out how to correctly filter Wireshark so that I can see all network packets going to port 25? Either that, or let me know a better way to detect our network spambot.
Wouldn’t something like this be easier to do on your gateway? I do not know what kind of equipment you use, but even on my simple home gateway (running RouterOS) I can use a feature called Torch to monitor real-time traffic. It makes it child’s play to see which internal IPs are trying to contact port 25 on external IPs.
Another alternative is of course to block outgoing traffic to port TCP/25 for all machines except your Exchange server.
Neither is really a Wireshark solution, but they may solve your problem nonetheless. 8)
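The following is an added example, not code from either poster: it shows the Wireshark display filter that isolates new outbound SMTP connections from the question above, and a small Python script that applies the same logic (the "which internal IP contacts port 25 on external IPs" check from the answer) to captured packet records. The sample records are constructed in the style of `tshark -T fields` output; the internal subnet `192.168.1.0/24` and the mail server address `192.168.1.10` are assumptions. A capture only shows this traffic if the capturing host actually sees it, so on a switched network it must run on a mirror/SPAN port or on an inline box, not on an ordinary workstation port.

```python
import ipaddress
from collections import Counter

# Assumed addressing (replace with your own): the internal LAN and the one
# host that is legitimately allowed to talk SMTP to the outside world.
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")
MAIL_SERVER = ipaddress.ip_address("192.168.1.10")

# Equivalent Wireshark display filter: only the first SYN of each connection,
# sent from the internal subnet to port 25, so every hit is a new outbound
# SMTP session rather than a packet in the middle of one.
DISPLAY_FILTER = (
    "tcp.dstport == 25 && tcp.flags.syn == 1 && tcp.flags.ack == 0 "
    "&& ip.src == 192.168.1.0/24"
)

# Constructed sample records, one packet per line, in the field order
# frame.time_relative ip.src ip.dst tcp.dstport tcp.flags.syn tcp.flags.ack
SAMPLE_RECORDS = """\
0.000 192.168.1.10 203.0.113.25 25 1 0
0.004 203.0.113.25 192.168.1.10 49152 1 1
0.120 192.168.1.57 198.51.100.7 25 1 0
0.121 192.168.1.57 198.51.100.8 25 1 0
0.122 192.168.1.57 198.51.100.9 25 1 0
0.130 192.168.1.57 192.168.1.10 25 1 0
0.200 192.168.1.22 203.0.113.80 443 1 0
0.300 192.168.1.10 198.51.100.7 25 1 0
"""


def parse_record(line):
    """Split one whitespace-separated record into typed fields."""
    t, src, dst, dport, syn, ack = line.split()
    return {
        "time": float(t),
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "dport": int(dport),
        "syn": syn == "1",
        "ack": ack == "1",
    }


def is_new_outbound_smtp(rec):
    """True for a connection-opening SYN from inside the LAN to port 25 outside it.
    SMTP submissions to the internal Exchange server are ignored: workstations
    are expected to hand mail to it, not to talk to the Internet directly."""
    return (
        rec["syn"] and not rec["ack"]
        and rec["dport"] == 25
        and rec["src"] in INTERNAL_NET
        and rec["dst"] not in INTERNAL_NET
    )


def count_outbound_smtp(lines):
    """Count new external SMTP connections per internal source address."""
    counts = Counter()
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        if is_new_outbound_smtp(rec):
            counts[str(rec["src"])] += 1
    return counts


def suspect_hosts(counts, allowed=(MAIL_SERVER,)):
    """Every internal host opening external SMTP sessions that is not an
    authorised mail server is a spambot candidate worth scanning."""
    allowed_str = {str(a) for a in allowed}
    return sorted(src for src in counts if src not in allowed_str)


if __name__ == "__main__":
    counts = count_outbound_smtp(SAMPLE_RECORDS.splitlines())
    for src, n in counts.most_common():
        print(f"{src:16} {n} new outbound SMTP connection(s)")
    print("suspects:", suspect_hosts(counts))
```

In the constructed sample the mail server opens two outbound sessions and `192.168.1.57` opens three to three different external hosts in a few milliseconds, which is the fan-out pattern of a bot delivering spam directly; its connection to the Exchange server is deliberately not counted. The same counts can be produced from a live capture by feeding the script the output of `tshark` with those six fields selected.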
I actually found out the reason why Wireshark was not picking up all of our network traffic, even though it is installed on our mail exchange server. wireshark.org/faq.html#q7.1
However, I still haven’t figured out how to configure it so that Wireshark will monitor all network traffic instead of just server traffic.
I am currently considering just hiring an expert to help us remedy the situation.
If you happen to have a spare PC somewhere with 2 or more Ethernet interfaces, consider installing RouterOS on it, and place it between your network and your main gateway.
Thanks for your support, although I didn’t manage to get Wireshark to run properly and I didn’t install RouterOS on a machine. Instead I just went around each of the workstations and did full system scans on computers that seemed likely to have a virus or malware.
I installed AVG and Malwarebytes on all of these machines, did a full system scan and found 2 machines from which I suspect the spam was originating. We left our mail server running over the weekend and are no longer blacklisted by any of the websites on this list. mxtoolbox.com/blacklists.aspx
So basically the moral of the story is to have all of your computers protected and guarded by anti-virus and anti-malware software at all times. Otherwise you may unknowingly become a spambot!