First: If you’re a security-savvy IT administrator, this article is not for you. This will sound pretty obvious to you actually. If you’re an IT generalist and running a mail server is just part of your many tasks, this information could be for you.
From time to time, a client (or potential client) who isn’t running our product, or may be running someone else’s product, calls into our support line because they have still wound up blacklisted by upstream ISPs.
The client checks his mail server queues and doesn’t see any serious backlog of mail (other than the domains that are blacklisting him).
So what’s going on?
Chances are one of the systems on the network has been compromised and is being used as a spam bot.
Usually, a worm or virus infects a machine or workstation, and this system is hijacked and “enrolled” into a vast network of compromised machines that usually do several things: launch distributed denial-of-service attacks, for instance, or act as spam zombies. Most of the “gangs” who operate botnets will use the systems to send out spam to third parties for a fee. It’s one of the primary methods they use to monetize the botnets.
If you don’t have that many systems on your network – you can easily ascertain which systems have been compromised.
On Windows-based systems – you could simply get on each box and, from the command line, run
netstat -n. This will output all connections to and from the machine.
Normally you shouldn’t see more than one or two connections going out to an external system on port 25. You can see on the above screenshot that the machine I did a netstat on has an established connection to port 25 on an external system.
If you see a system has literally HUNDREDS or THOUSANDS of connections open, and if it happens to be the desktop belonging to an end-user, and the user is complaining that his system is slow – then you’ve pretty much nailed the culprit.
Unless the system in question is supposed to be sending out large amounts of Email, you need to pull the plug on the machine and clean it up using some kind of anti-virus or anti-malware product.
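The manual check above can be scripted when you have saved netstat -n output from several machines. The following is an added example, not part of the original article: it counts TCP connections to external hosts on port 25 and flags a machine that exceeds the "one or two" mentioned above. The sample output, the internal address ranges and the function names are assumptions made for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample of Windows `netstat -n` output (not from the article).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.23:49701     192.168.1.5:25         ESTABLISHED
  TCP    192.168.1.23:49702     203.0.113.10:25        ESTABLISHED
  TCP    192.168.1.23:49703     203.0.113.77:25        SYN_SENT
  TCP    192.168.1.23:49704     198.51.100.4:25        ESTABLISHED
  TCP    192.168.1.23:49705     198.51.100.9:443       ESTABLISHED
  TCP    192.168.1.23:25        203.0.113.50:51000     ESTABLISHED
  TCP    [2001:db8::23]:49706   [2001:db8:ffff::1]:25  TIME_WAIT
"""

# Assumption: these ranges are "inside" the network; adjust to your addressing.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def split_endpoint(endpoint):
    """Split '1.2.3.4:25' or '[2001:db8::1%12]:25' into (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]").split("%")[0]   # drop IPv6 brackets and zone id
    return ipaddress.ip_address(host), int(port)

def outbound_smtp(netstat_text, port=25):
    """Count TCP connections to external hosts on `port`, grouped by state."""
    states = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0] != "TCP":
            continue                         # headers, UDP rows, blank lines
        try:
            remote_ip, remote_port = split_endpoint(fields[2])
        except ValueError:
            continue                         # e.g. '*:*' or a damaged row
        if remote_port != port:
            continue                         # skips inbound mail to local :25
        if any(remote_ip in net for net in INTERNAL):
            continue                         # relay to an internal MTA
        states[fields[3]] += 1
    return states

def is_suspect(netstat_text, threshold=2):
    """True when external port-25 connections exceed the article's 'one or two'."""
    return sum(outbound_smtp(netstat_text).values()) > threshold

if __name__ == "__main__":
    print(dict(outbound_smtp(SAMPLE)), "suspect:", is_suspect(SAMPLE))
```

Connections in SYN_SENT or TIME_WAIT are counted along with ESTABLISHED ones, because a spam bot cycling through recipients leaves many short-lived connections behind.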
It is possible that in spite of all this, the worm or virus “comes back” … there are some very persistent threats that are horribly difficult to remove. Rootkits (which often replace base functionality of the operating system with ‘altered’ versions that are still operational but include a backdoor) may force you in the end to do a full system reinstall.
It all depends on how much energy you want to expend trying to get at the root of the problem. If, ultimately, you’ll spend days trying to clean a system thoroughly, sometimes it’s just better to save all user data, wipe and reinstall the OS from scratch.
If you have too many systems to check out individually
… and you are running a modern firewall, you can usually check the firewall logs to see if there are systems that have large numbers of outgoing port 25 connections. If it happens to be a machine that isn’t or shouldn’t be running a mail server, then you’ve found it.
Will a spam filter protect me from this?
It will protect you on the outbound leg if you route the mail coming from your primary mail server through that spam filtering gateway, unless you “trust” this server. However, if you have port 25 outbound open at large, it means that workstations or servers can connect directly to servers on the internet without going through your MTA or your filtering gateway. If that’s the case, then your spam filter is absolutely useless.
Today – it’s recognized as a best practice to block all outbound port 25 connections at the perimeter, only allowing outgoing connections from legitimate mail servers on your network. That implies forcing end-users to use your MTA for all outgoing Emails.
Regardless, if you’re a service provider or a small business running a mail server, you should check out MAAWG’s best practices documents: