How do you detect a spambot on your network?

spam exchange-2003

Solution 1:

First, you need to stop the spam.
a- set your firewall to not allow outbound SMTP/POP except from the email server.
b- set your mail server to not allow outbound relay.

Then, you need to find the problem machine(s).
1- Look at the firewall logs to see which machine(s) are actually trying to do outbound mail and getting blocked. Those machines are infected.
2- Make sure each machine has current A/V, and do a thorough scan on each machine.
3- You may want to implement the Windows Firewall on each machine.
4- If still not found you will need to use a sniffer.

Note: I don't think that DNS and email on the same server is an issue.

Solution 2:

The problem could be that that your exchange server is allowing RELAY. Make sure that setting is turned off or set only the IPs which are allowed to relay via that server. Your network design should only allow the exchange server to send traffic out of your network via port 25.

Most spambots use port 25. Once you have setup like that, then if any other machine try to send via port 25 it will show up in the firewall logs.

Good Luck!

Solution 3:

  1. You should sniff your network traffic. There are many nice tools available, all the way from plain packet dumps similar to tcpdump all the way to fancy GUI visualization apps. Typically you will need to either: a) plug into a special port on your switch, b) configure another port to see all traffic, or c) do the sniffing from your firewall/router. First just focus on finding SMTP traffic to the outside world from any machine that's not the Exchange sever. Later you should examine all traffic to see if anything else is going on: IRC from someone's machine who doesn't even know what IRC is, for instance.
  2. Write a plain language statement of what traffic should be allowed out of your network, and implement outbound rules at your firewall/router, with logging. You will be surprised how well this works. And it will also mean that you will know when something bad is happening before you hear it from an outside party!

Solution 4:

If you have a firewall, a simple solution is to block all outbound port 25 traffic except for your Exchange server. Individual machines are likely trying to send spam on their own. Once you've put the block in place, check the firewall logs to see which IP is trying, and failing, to hit port 25 outbound.

Related

How to add a broadcast address to loopback with ifconfig on a OS/X?
UFW logs blocked request on open port, what am I missing?
HP ProLiant DL380 G4 SATA support? [closed]
Domain Admins group denied access to d: drive
What is the difference between httpd_read_user_content and httpd_enable_homedirs?
SSH port forwarding
Editing sudoers file to restrict a user's commands
Convert and redirect URL in uppercase to lowercase using .htaccess
HP SmartArray P400: How to repair failed logical drive?
How to convert an NSString into an NSNumber
UIScrollView Scrollable Content Size Ambiguity
How can I wait In Node.js (JavaScript)? l need to pause for a period of time