The mechanics of detecting a spammer on your network are fairly straightforward. Spam will leave your network in one of two ways:
- Via a compromised host on your network: an infected machine has become a bot in a botnet and is sending spam directly to the Internet, bypassing your mail server entirely.
- Via a compromised mail account: the spammer authenticates with one of your users' credentials and broadcasts spam through your own MTA.
To fix these situations:
1) A compromised host on your network
A compromised host is usually easy to spot. If you have a good business-class firewall, you will be able to see a high volume of outbound traffic on port 25, not originating from one of your MTA IP addresses, going to thousands of different destinations. Getting onto the infected machine, if possible, and running netstat (available on both Windows and *nix) will show all the open outbound connections from the box; dozens of connections to remote port 25 from a workstation that has no business talking SMTP is corroborating evidence that the machine has been compromised.
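The two checks just described, as an added example that is not part of the original post: the first function scans firewall log lines for non-MTA hosts opening outbound TCP/25 connections to many distinct destinations, the second counts connections to remote port 25 in `netstat -an` output (Linux and Windows both print a local address, a foreign address and a state as the last columns of each TCP line). The log format (`src=... dst=... proto=tcp dport=...`), the IP addresses and the threshold of 20 distinct destinations are assumptions; adapt the regex to whatever your firewall actually writes.

```python
import re
from collections import defaultdict

# Firewall log format assumed for this example; real firewalls differ, so
# adjust this regex to match your own syslog output.
LOG_RE = re.compile(r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) proto=tcp dport=(?P<dport>\d+)")


def find_port25_talkers(log_lines, mta_ips, min_distinct_dsts=20):
    """Return {src_ip: number_of_distinct_destinations} for every host that is
    not a known MTA and opened outbound TCP/25 connections to at least
    min_distinct_dsts different hosts.  A bot sprays thousands of MX hosts;
    a workstation with a misconfigured client talks to one."""
    dsts = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or m.group("dport") != "25":
            continue
        src = m.group("src")
        if src in mta_ips:
            continue
        dsts[src].add(m.group("dst"))
    return {src: len(d) for src, d in dsts.items() if len(d) >= min_distinct_dsts}


def remote_smtp_connections(netstat_output):
    """Count TCP connections whose foreign address is port 25, grouped by
    connection state.  Works on `netstat -an` output from Linux (proto recvq
    sendq local foreign state) and Windows (proto local foreign state) because
    in both the foreign address and state are the last two columns."""
    counts = defaultdict(int)
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].lower().startswith("tcp"):
            continue
        foreign, state = fields[-2], fields[-1]
        _host, _sep, port = foreign.rpartition(":")
        if port == "25":
            counts[state] += 1
    return dict(counts)


# ---- constructed sample data (not real logs) --------------------------------
def _fw(src, dst, dport):
    return f"May  2 10:00:01 fw kernel: ACCEPT src={src} dst={dst} proto=tcp dport={dport}"


MTA_IPS = {"10.0.0.25"}
SAMPLE_FIREWALL_LOG = (
    # the legitimate MTA delivering to many remote domains
    [_fw("10.0.0.25", f"203.0.113.{i}", 25) for i in range(1, 41)]
    # a workstation behaving normally
    + [_fw("10.0.0.40", "198.51.100.1", 443), _fw("10.0.0.40", "198.51.100.2", 80)]
    # a bot-infected workstation spraying SMTP connections at 60 different hosts
    + [_fw("10.0.0.77", f"198.51.100.{i}", 25) for i in range(1, 61)]
    # a workstation that repeatedly talked SMTP to a single host (not a bot)
    + [_fw("10.0.0.41", "203.0.113.200", 25)] * 3
)

# Windows-style `netstat -an` output from the suspected bot, constructed here.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    10.0.0.77:49152        198.51.100.1:25        SYN_SENT
  TCP    10.0.0.77:49153        198.51.100.2:25        SYN_SENT
  TCP    10.0.0.77:49154        198.51.100.3:25        ESTABLISHED
  TCP    10.0.0.77:49155        198.51.100.4:25        ESTABLISHED
  TCP    10.0.0.77:49156        198.51.100.5:25        SYN_SENT
  TCP    10.0.0.77:49160        203.0.113.50:443       ESTABLISHED
  UDP    0.0.0.0:123            *:*
"""

if __name__ == "__main__":
    print("hosts spraying SMTP:", find_port25_talkers(SAMPLE_FIREWALL_LOG, MTA_IPS))
    print("port-25 connections by state:", remote_smtp_connections(SAMPLE_NETSTAT))
```

On a real system, feed `find_port25_talkers` the relevant slice of your firewall syslog and `remote_smtp_connections` the captured `netstat -an` text; a workstation that shows up in the first and has a pile of SYN_SENT entries in the second is your bot.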
- Remove the machine from the network and clean it up. Yeah, that's easy to say, and God knows how long it could take. It can require a full wipe and reinstall of the OS if the machine has been root-kitted or the malware has downloaded further payloads.
- You will also need to scan the other computers on the same network segment as the infected machine. Most current malware probes the local network for other vulnerable hosts, so if you have one problem machine, chances are you have others.
- Don't rely on a single anti-virus program or malware removal tool. Use multiple AV engines and malware scrubbers (e.g., Malwarebytes, Spybot-S&D); what one tool misses, another may catch.
- If you managed to clean up the machine without a full wipe, keep it on a different network segment from your production systems, at least temporarily, in case you didn't completely remove the malware. Isolating the machine does not make any remaining worm-like malware go away, but it does stop it from reaching neighboring systems while you watch for signs that it is still active.
- Oh yeah, backups. I’m sure you backed up the machine, right?
- All your workstations and servers should have all available OS patches applied.
- You should have up-to-date AV running on all machines (servers and workstations) to protect the entire network.
- On the firewall, block egress (outbound) port 25 for all hosts except your MTA. A bot then fails to deliver directly to the Internet, and the firewall's drop log tells you immediately which host is trying.
- Ideally, you should deploy an intrusion detection/prevention system (IDS/IPS) or Network Access Control (NAC) to prevent future infections; however, these systems can be VERY expensive. There are some open-source IDS/IPS and NAC systems out there though, and I will cover some of these in another blog post.
2) A compromised mail account
You usually learn about this when it's too late, by which time an external blocklist (DNSBL) has already listed your mail server for spamming. Looking at your mail server logs should quickly tell you which account is being used to spam through your server: look for one authenticated user sending far more messages, or to far more recipients, than normal, often from client IPs that user has never logged in from before.
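Here is that log review in code, as an added example rather than anything from the original post. It correlates Postfix `smtpd` records (which carry `sasl_username` and the client IP) with `qmgr` records (which carry the recipient count, `nrcpt`) by queue ID, then flags any account whose total recipients or number of distinct client IPs exceeds a threshold. The log lines, the users `alice` and `bob`, and the thresholds (200 recipients, 3 client IPs) are constructed for the example; if your MTA is not Postfix, the two regexes are what you need to change.

```python
import re
from collections import defaultdict

# Postfix log lines of interest.  smtpd logs the authenticated user per queue
# ID; qmgr logs the envelope sender and recipient count for the same queue ID.
SMTPD_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=\S+?\[(?P<ip>[\d.]+)\]"
    r".*?sasl_username=(?P<user>[^,\s]+)"
)
QMGR_RE = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<[^>]*>, size=\d+, nrcpt=(?P<nrcpt>\d+)"
)


def profile_auth_senders(log_lines):
    """Return {sasl_username: {"messages", "recipients", "client_ips"}} built
    by joining smtpd auth records to qmgr accounting records on queue ID."""
    auth = {}  # queue id -> (user, client ip)
    stats = defaultdict(lambda: {"messages": 0, "recipients": 0, "client_ips": set()})
    for line in log_lines:
        m = SMTPD_RE.search(line)
        if m:
            auth[m["qid"]] = (m["user"], m["ip"])
            continue
        m = QMGR_RE.search(line)
        if m and m["qid"] in auth:
            user, ip = auth[m["qid"]]
            s = stats[user]
            s["messages"] += 1
            s["recipients"] += int(m["nrcpt"])
            s["client_ips"].add(ip)
    return dict(stats)


def suspicious_accounts(stats, max_recipients=200, max_client_ips=3):
    """Accounts that addressed too many recipients or logged in from too many
    different client IPs during the window covered by the log.  Thresholds are
    illustrative; tune them to your own users' normal volume."""
    return sorted(
        user for user, s in stats.items()
        if s["recipients"] > max_recipients or len(s["client_ips"]) > max_client_ips
    )


# ---- constructed sample log (not real mail.log data) ------------------------
def _msg(qid, user, ip, nrcpt):
    return [
        f"May  2 10:00:01 mail postfix/smtpd[2211]: {qid}: client=unknown[{ip}], "
        f"sasl_method=PLAIN, sasl_username={user}",
        f"May  2 10:00:01 mail postfix/qmgr[1001]: {qid}: from=<{user}@example.com>, "
        f"size=2345, nrcpt={nrcpt} (queue active)",
    ]


SAMPLE_MAIL_LOG = []
# alice: a normal user, three small messages from her desktop
for i in range(3):
    SAMPLE_MAIL_LOG += _msg(f"A{i:09X}", "alice", "10.0.0.40", 1 + i % 2)
# bob: compromised, ten 50-recipient messages from four different outside IPs
for i in range(10):
    SAMPLE_MAIL_LOG += _msg(f"B{i:09X}", "bob", f"203.0.113.{10 + i % 4}", 50)

if __name__ == "__main__":
    stats = profile_auth_senders(SAMPLE_MAIL_LOG)
    for user, s in stats.items():
        print(user, s["messages"], "msgs", s["recipients"], "rcpts", sorted(s["client_ips"]))
    print("suspicious:", suspicious_accounts(stats))
```

Run it over `/var/log/mail.log` (or wherever your MTA writes) with `profile_auth_senders(open(path))`; the account that comes back from `suspicious_accounts` is the one to lock first.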
- Change the account password; that is the obvious first step. Also drop any SMTP connections still open under the old credentials, or the spammer keeps going until they disconnect.
- If you don't already know how, find out from your MTA vendor or its documentation how to purge the spam that is already sitting in the outbound queues.
- Speak to the person whose mail account was hacked and try to ascertain what the cause could be:
– Password might have been too easy to guess, or it was in a standard brute-force dictionary
– Person might have recently responded to a phishing email that got through
– Person’s machine might have been infected, and the malware is using the existing mail client (and associated credentials) to relay spam through your MTA instead of attempting to connect independently to the Internet.
- Enforce a strict password policy so that passwords meet a minimum complexity requirement.
- Educate your end users about not replying to password requests in emails.
- Make sure your mail servers rate-limit or lock out brute-force attempts against SMTP AUTH on the MTA and against POP and IMAP logins; a spammer who can try thousands of passwords unhindered will eventually find a weak one.
- Use some kind of spam filtering on inbound mail to reduce the phishing attempts that reach your users.
- Implement some sort of queue monitoring. If your queues grow beyond a certain threshold, or if mail takes more than a specified amount of time to enter or leave your MTA, an alert should go to someone who can take action.
- Separate your inbound (ingress) and outbound (egress) SMTP servers. A spammer will clog up the queue on whichever server they relay through; keeping the streams separate means inbound mail keeps flowing while you clean up the outbound side.
- Filter outbound messages too. If someone does start sending spam, you then stand a chance of quarantining the illegitimate traffic before it leaves and gets you blacklisted.
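The queue monitoring step above, as an added example that is not from the original post. It reads the output of Postfix's `postqueue -j` (one JSON object per queue entry, with `queue_name`, `queue_id`, `arrival_time` as a Unix timestamp, `message_size`, `sender` and `recipients`) and raises an alert when the queue is deeper than a threshold or its oldest entry has waited too long, the two conditions the post calls for. It also adds a third check of my own, a single sender dominating the deferred queue, since that is what a hijacked account looks like from the queue's point of view. The sample entries, the clock value and the thresholds are constructed; the alert function just returns strings, so wire it to whatever paging mechanism you already use.

```python
import json
from collections import Counter


def check_queue(json_lines, now, max_entries=500, max_age_seconds=3600, min_dominant=10):
    """Evaluate `postqueue -j` output and return a list of alert strings.
    An empty list means the queue looks healthy.  `now` is passed in rather
    than read from the clock so the check is deterministic and testable."""
    entries = [json.loads(line) for line in json_lines if line.strip()]
    alerts = []

    # 1. queue depth: more messages waiting than we ever expect to see
    if len(entries) > max_entries:
        alerts.append(f"queue depth {len(entries)} exceeds {max_entries}")

    # 2. queue age: the oldest message has been stuck longer than allowed
    oldest = max((now - e["arrival_time"] for e in entries), default=0)
    if oldest > max_age_seconds:
        alerts.append(f"oldest message has waited {oldest}s (limit {max_age_seconds}s)")

    # 3. (additional heuristic, not from the post) one envelope sender owns most
    #    of the deferred queue, which is typical of a hijacked account whose
    #    spam is bouncing off remote servers
    by_sender = Counter(e["sender"] for e in entries if e["queue_name"] == "deferred")
    if by_sender:
        sender, count = by_sender.most_common(1)[0]
        if count >= max(min_dominant, len(entries) // 2):
            alerts.append(f"{count} deferred messages from <{sender}>")

    return alerts


# ---- constructed sample, shaped like `postqueue -j` output ------------------
NOW = 1_700_000_000  # fixed "current time" for the example


def _entry(qname, qid, age, sender, rcpt):
    return json.dumps({
        "queue_name": qname,
        "queue_id": qid,
        "arrival_time": NOW - age,
        "message_size": 2345,
        "forced_expire": False,
        "sender": sender,
        "recipients": [{"address": rcpt, "delay_reason": "connection refused"}],
    })


SAMPLE_QUEUE = (
    # twelve spam messages from the hijacked account, stuck for two hours
    [_entry("deferred", f"B{i:09X}", 7200, "bob@example.com", f"victim{i}@example.net")
     for i in range(12)]
    # three fresh legitimate messages still being delivered
    + [_entry("active", f"A{i:09X}", 30, "alice@example.com", "partner@example.org")
       for i in range(3)]
)

if __name__ == "__main__":
    # On a live Postfix host you would replace SAMPLE_QUEUE with the lines of
    # subprocess.run(["postqueue", "-j"], capture_output=True, text=True).stdout
    for alert in check_queue(SAMPLE_QUEUE, NOW):
        print("ALERT:", alert)
```

Run it from cron every few minutes; the age check is the one that fires first when a spammer starts relaying, because remote servers begin deferring or refusing your mail well before your queue depth looks unusual.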