Think client's network is infected with a BotNet of some sort . . . need some insight

So, I get a call this morning from an employee at one of our client's offices. Seems her inbox in Outlook was filled with NDR messages from various email servers out on the internets. I checked through them all and they appear to be from legitimate SMTP servers. Most had indications that the mail was denied because it looked like UCE or UBE. Most of these messages that were being NDRed had subject lines typical of spam.

So, I am thinking, great, this lady got infected with something nasty. This is one of our last clients running SAV 10.1.6 and it looks like the client hadn't updated in a few months, great. So I repaired the install and re-installed the license and now it gets updates. I run a full system scan and it finds NOTHING! I download/install SuperAntiSpyware and all it finds is 79 tracking cookies. I am getting ready to run the web-based free virus scans from Kaspersky and TrendMicro to see if they find anything.

Then, about an hour ago, I get a call from another client who started having the exact same problem two days ago. We usually only do network support for them; they take care of their own computers and have their own IT staff. Their admin is out of the country on vacation and they also run SAV 10.x. They are running full system scans on about a dozen different computers that are all having this same problem as my other client right now.

Has anyone else here run into anything like this before? Anyone have any insight as to what to do next? I am contemplating removing SAV altogether and installing trial versions of NOD32 on the problem machines and seeing what happens there. The only problem with this is the SAV licenses don't run out until October, so I am going to have a problem pushing an upgrade to NOD so soon before their SAV runs out. Then I have to explain why the product we sold them didn't catch their viruii . . . .

 
It sounds like someone is spoofing that domain. I've seen this many times.

1. Make sure mail is set for reverse DNS authentication.

2. Make sure you have up-to-date MX records.

3. You can make an SPF record and upload it to your host. (You can make one for free from here: http://www.openspf.org/)

Plus they have a lot of good info on there to help stop this.

If you don't or can't upload the SPF record there isn't much you can do but wait it out until the spammer moves on. g/l
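To show what the SPF record from step 3 actually does once it is published, here is an added example (not from the thread or from openspf.org) that evaluates a sender IP against an SPF record the way a receiving mail server would. The domain, addresses and DNS answers are a constructed stub, and only the a, mx, ip4 and all mechanisms are implemented.

```python
import ipaddress

# Constructed stub DNS zone for the example; names and addresses are assumptions.
# The TXT record says: hosts in our A record, our MX hosts, and 203.0.113.0/28 may
# send mail for example.com; everything else should be rejected (-all).
STUB_DNS = {
    ("example.com", "TXT"): ["v=spf1 a mx ip4:203.0.113.0/28 -all"],
    ("example.com", "A"): ["203.0.113.2"],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["203.0.113.3"],
}

def lookup(name, rtype):
    """Stand-in for a DNS query; returns the stub zone's answers or an empty list."""
    return STUB_DNS.get((name, rtype), [])

def ip_matches(ip, spec):
    """True if ip falls inside spec, which may be a bare address or a CIDR block."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def spf_check(sender_ip, domain):
    """Evaluate the SPF record of domain for sender_ip.
    Returns 'pass', 'fail', 'softfail', 'neutral' or 'none' (no record)."""
    records = [r for r in lookup(domain, "TXT") if r.startswith("v=spf1")]
    if not records:
        return "none"  # no SPF published: receivers cannot tell spoofed from real
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in records[0].split()[1:]:
        q = "+"  # mechanisms default to the 'pass' qualifier
        if term[0] in qualifiers:
            q, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ip_matches(sender_ip, arg)
        elif mech == "a":
            matched = any(ip_matches(sender_ip, a) for a in lookup(arg or domain, "A"))
        elif mech == "mx":
            matched = any(ip_matches(sender_ip, a)
                          for mx in lookup(arg or domain, "MX")
                          for a in lookup(mx, "A"))
        else:
            continue  # include/exists/ptr/redirect are not handled in this example
        if matched:
            return qualifiers[q]
    return "neutral"  # no mechanism matched and no redirect: neutral per the spec
```

A bot on someone else's network forging an example.com From address would be evaluated against the -all term and get "fail", which is the hint the receiving server needs to drop the message instead of bouncing it back to the spoofed user.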
 
The one client that has multiple people having the issue hosts their own email. They have a dedicated Exchange 2003 server and a guy that manages that himself, just happens to be out of the country. :)

The other client is an SMB with an SBS2003 server that we manage. They are a clinic that is associated with a hospital that provides their email via POP3. The SBS server grabs the email and delivers it to their Exchange mailboxes. The server does send SMTP mail as server.domain.com. There are reverse DNS records set up. I don't think we ever set up MX as they don't host their email; I am sure they don't have any SPF set up.

Thanks for the help there, guys. I will check out the DNS records and see what I can find out, don't know why I didn't think of that before . . . :D
 
So if they POP3 w/the SBS connector...port 25 is not opened/forwarded on the firewall correct? Why not SMTP relay to the POP3 host?
 
Okay, so I checked the queues on their SBS server and they are empty. So, it doesn't look like the spam is coming from or being directed through their server, right now at least.

Checking the DNS stuff now . . .
 
So if they POP3 w/the SBS connector...port 25 is not opened/forwarded on the firewall correct? Why not SMTP relay to the POP3 host?

The hospital is REALLY goofy about that stuff. They will NOT allow the clinic to relay mail through their server; been there trying to do that before. Port 25 is allowed out through the firewall, don't think it is allowed in through, will check that now.
 
I had this issue recently and I went through and triple checked and made sure it wasn't coming from or through my Exchange server at all. It is something that has infected someone else's machine who had these people's email addresses in their address book and is sending out things spoofing all those email addresses. There is nothing you can do. My guess is that the infected machine isn't on your network and is a client/friend/something that had those email addresses.
 
Do you have any monitoring programs? Check to see if anyone else is using port 25; if someone is, they have a bot. But it still sounds like someone is spoofing said domain and it's being blocked by the recipient or the recipient doesn't exist.
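The "see who else is using port 25" check, as an added example (not from the thread): it reads outbound-connection firewall syslog lines and reports any inside host other than the mail server that opened SMTP connections, with the number of distinct destination mail servers it hit. The lines are constructed and modelled on the Cisco ASA 302013 "Built outbound TCP connection" message; the exact layout, addresses and the allowed-sender list are assumptions.

```python
import re

# Constructed sample syslog, modelled on Cisco ASA %ASA-6-302013 messages (assumed layout,
# not a real capture). 192.168.16.2 is the SBS/Exchange server; .57 is a workstation.
SAMPLE_LOG = """\
%ASA-6-302013: Built outbound TCP connection 1001 for outside:198.51.100.10/25 (198.51.100.10/25) to inside:192.168.16.2/51000 (203.0.113.2/51000)
%ASA-6-302013: Built outbound TCP connection 1002 for outside:198.51.100.22/25 (198.51.100.22/25) to inside:192.168.16.57/49321 (203.0.113.2/49321)
%ASA-6-302013: Built outbound TCP connection 1003 for outside:198.51.100.23/25 (198.51.100.23/25) to inside:192.168.16.57/49322 (203.0.113.2/49322)
%ASA-6-302013: Built outbound TCP connection 1004 for outside:198.51.100.40/80 (198.51.100.40/80) to inside:192.168.16.57/49323 (203.0.113.2/49323)
%ASA-6-302013: Built outbound TCP connection 1005 for outside:198.51.100.24/25 (198.51.100.24/25) to inside:192.168.16.57/49324 (203.0.113.2/49324)
"""

# For an outbound connection the "for" side is the destination, the "to" side is the inside host.
LINE_RE = re.compile(
    r"Built outbound TCP connection \d+ for \w+:([\d.]+)/(\d+) .*? to \w+:([\d.]+)/(\d+)"
)

def rogue_smtp_senders(log_text, allowed_senders):
    """Return {inside_ip: distinct_port25_destinations} for hosts that are not
    permitted to send mail directly. A workstation fanning out to many
    different MX hosts is the classic spam-bot signature."""
    destinations = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # ignore unrelated syslog messages
        dst_ip, dst_port, src_ip, _src_port = m.groups()
        if dst_port == "25" and src_ip not in allowed_senders:
            destinations.setdefault(src_ip, set()).add(dst_ip)
    return {ip: len(dsts) for ip, dsts in destinations.items()}

if __name__ == "__main__":
    for ip, n in rogue_smtp_senders(SAMPLE_LOG, {"192.168.16.2"}).items():
        print(f"{ip} opened SMTP connections to {n} distinct mail servers")
```

If the report is empty while the bounces keep coming, the sending machine is not on this network and the problem is spoofing, which is exactly the conclusion the thread reaches.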
 
Well, I just double checked the firewall (ASA 5510). Inbound SMTP was not forwarded to their server, but I wasn't preventing outbound SMTP in any way at all. So now I have it set up to only allow outbound SMTP from the SBS server and all other hosts are denied. I am going to wait and watch that for the next few days and see what happens. Haven't had time to check the DNS yet, still. I got like five pots on my fire today . . . .
 
I had a similar problem a couple weeks ago at one of our remote offices. It was caused by a virus/spyware infection on 1 PC at that location. However, there were several people that were getting the bounce-back emails. I believe it was using her address book, etc. Once I got that PC fixed, no one has received any more. It took about a day for all the bouncebacks, etc.

I don't remember the infection exactly, but I would check around and see who else is getting bounce-backs and scan all the machines.
 
I had a similar problem a couple weeks ago at one of our remote offices. It was caused by a virus/spyware infection on 1 PC at that location. However, there were several people that were getting the bounce-back emails. I believe it was using her address book, etc. Once I got that PC fixed, no one has received any more. It took about a day for all the bouncebacks, etc.

I don't remember the infection exactly, but I would check around and see who else is getting bounce-backs and scan all the machines.

What AV/malware program did you use to remove the infection?
 
I had this issue recently and I went through and triple checked and made sure it wasn't coming from or through my Exchange server at all. It is something that has infected someone else's machine who had these people's email addresses in their address book and is sending out things spoofing all those email addresses. There is nothing you can do. My guess is that the infected machine isn't on your network and is a client/friend/something that had those email addresses.

I've seen this a few times. Those "socially engineered" worms spoof the address they come from, utilizing an address they've harvested along their travels.
 
I had one system on a network that was infected and within 12 hours our Exchange IP was blacklisted. It was a hidden mail relay on that system that could somehow bypass our firewall (maybe via port 80? I am yet to work this one out). I had allowed the user to clear the print jobs from a shared printer but given their account too much access. Look at your usage per port and find what system is doing the damage. It could also be spoofing; if so there isn't all that much you can really do.

I am now pushing everything through Squid, but if you plan to do this please make a note that it can really screw up Terminal Services logins.

The people who do all this crap are a pain and if I could get my hands on them I would cut their nuts off and feed them to the stray cats.

One good thing about the blacklist of our domain was that it stopped the people who used it to spoof. lol.

Every cloud and all that.
 
Well, I think these guys are getting spoofed. I checked dnsstuff.com and neither has an SPF record set up, but all the MX appears to be correct. I am going to get that taken care of tomorrow. Well, I guess I learned what spoofing looks like today :D
 
Damn spoofers, I hate them. The company I work for fell to this a few months back. I ran around for hours trying to figure out what was going on. Once I double checked my firewall rules and noticed no one was using port 25 other than the Exchange server, I knew we were being spoofed. Reverse DNS authentication and an SPF record fixed it, and it hasn't happened since. G/L

Check these sites to make sure you're not blacklisted.

http://www.mxtoolbox.com/blacklists.aspx

http://www.senderbase.org/

http://www.spamcop.net/

http://trustedsource.com/
 