This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Can Wireshark help track down who is sending spam

0

For the last 24 hours, I have seen email in the queue that is spam. My firewall is preventing most of them from being sent out. I have done the following to try and remove the problem. I shut down all the computers in the building one at a time, including servers. The only computers running were the Exchange server and the firewall. The firewall I'm using is Untangle. The queue was still filling up. I turned the firewall off and the queue stopped filling up. I ran rootkit scanners, I ran ESET, and several others, and Malwarebytes. The only thing found was several Trojans. I cleaned them up and rescanned the system again. I flushed out the queue and restarted the server. I left around 3 am this morning. When I came back in around 11:30, I looked in the queue and it was filling up again. So either someone has hacked one of the accounts on the server or found an exploit. I have all the latest service packs and updates installed for the server. I need to find out how this queue is getting filled up.

Can Wireshark figure this out for me, or is there something else I can use to find the problem? Also, I ran netstat -an and port 25 has about 20 established connections. I did do an IP trace on several of the IPs and a few are coming in from Switzerland and several Arab countries.

Thanks to anyone who can help.

asked 09 May '13, 09:56

pac0124

edited 09 May '13, 11:10

Jim Aragon


4 Answers:

2

Have you checked the mail server logs? (Yes, if the server is hacked, the logs could be hacked as well, but it's a place to start.) Most mail servers have different logging levels. You could increase the log level for more detail while you're troubleshooting this problem.

Are these messages in the inbound queue being queued for local delivery (to your users)? Or are they in the outbound queue for off-site delivery to non-local users?

Also, I ran netstat -an and port 25 has about 20 established connections. I did do an IP trace on several of the IPs and a few are coming in from Switzerland and several Arab countries.

Are you sure your mail server is not configured as an open relay? If so, and the spammers have discovered it, you're likely to be blacklisted pretty soon, so I'd double-check the server configuration immediately.

Yes, in answer to your question, if you capture all the traffic to and from your mail server, you could use Wireshark to figure out where it's coming from, but I'd start with the server and firewall logs first.

answered 09 May '13, 11:09

Jim Aragon

edited 09 May '13, 13:00

1

My first thought too, based on the question, is that the server is acting as an open relay.

Have a look at http://www.spamhelp.org/shopenrelay/

(09 May '13, 12:48) SYN-bit ♦♦
1

Are you sure your mail server is not configured as an open relay?

@pac0124: That's a good one. telnet to your mail server on port 25 and try to send an e-mail to a domain that does not belong to you. If the mail server accepts that, you're doomed ;-)

telnet 1.2.3.4 25
220 mx.mydomain.net
HELO mail.spammer.com
250 mx.mydomain.net
MAIL FROM: [email protected]
250 OK
RCPT TO: [email protected]microsoft.com
250 OK   <<===== THIS should not happen on your server!!

(09 May '13, 12:53) Kurt Knochner ♦

1

The only thing found was several Trojans.

Hm....

or is there something else I can use to find the problem?

If there is already a firewall, why not simply check its logs to see who sends the spam mails?

Regards
Kurt

answered 09 May '13, 10:00

Kurt Knochner ♦

1

Even if your server is not an open relay, you might have an email account that is compromised. I had that on a server once where some wiseguy created a test account called "[email protected]", and the password was also set to (guess what?) "test". Since it was the default domain, anyone coming in with user "test" and password "test" was now authorized. It didn't take long until some malicious external scans found that account and abused it, sending tens of thousands of messages in a couple of minutes.

My advice: capture at the mail server (any NIC that has an IP address), filter on SMTP and check who is delivering tons of messages. If you're really getting slammed with SPAM mails it should be relatively easy to spot, either by scrolling through the packets or by using the conversation statistics/TCP. Whenever I had a case like this the SPAM conversations really stood out by the sheer number of recipients given - keep in mind that a TCP session for SMTP delivery can have hundreds or thousands of recipients, you do not need to create that many single sessions. Check what account is used to do it. Remove the account or set a strong password.

Update: I just tried to build a filter that could spot SMTP delivery where neither sender nor recipient have an email address of your company - which is a typical thing for SPAM as long as they're not using a hacked account including the email address. Try this display filter to see if anything comes up (replace "yourcompany.com" with your mail domain):

smtp.data.fragment.count > 0 and not (imf.address contains "yourcompany.com")

If you have multiple domains you need to exclude them as well, e.g.

smtp.data.fragment.count > 0 and not (imf.address contains "yourcompany.com" or imf.address contains "theothercompany.com")

Maybe it will help you spot the bad stuff.

answered 14 May '13, 02:46

Jasper ♦♦

edited 14 May '13, 03:02
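An added example (not code from this thread) that applies the same relay logic as Kurt's telnet test and Jasper's display filter to SMTP session transcripts, such as the ones Wireshark's Follow TCP Stream shows: it reports recipient domains the server accepted (250) in a session with no successful AUTH where neither sender nor recipient belongs to your domains. The "C: "/"S: " transcript format, the LOCAL_DOMAINS placeholders and the two sample sessions are constructed assumptions.

```python
import re

# Placeholder local domains, as in Jasper's filter; replace with your own.
LOCAL_DOMAINS = {"yourcompany.com", "theothercompany.com"}
ADDR_RE = re.compile(r"<?([^\s<>]+@([^\s<>]+))>?")

def domain_of(smtp_arg):
    """Return the lower-cased domain of the address in a MAIL FROM / RCPT TO argument."""
    m = ADDR_RE.search(smtp_arg)
    return m.group(2).lower() if m else None

def analyse_session(lines):
    """Walk one transcript ('C: ' client lines, 'S: ' server lines) and return which
    recipient domains the server accepted in an unauthenticated session where neither
    sender nor recipient is in LOCAL_DOMAINS, i.e. the open-relay pattern."""
    authed, pending, sender, rcpt, relayed = False, None, None, None, []
    for line in lines:
        side, _, text = line.partition(": ")
        if side == "C":
            if pending == "AUTH":          # base64 credential line inside an AUTH exchange
                continue
            verb = re.split(r"[ :]", text, 1)[0].upper()
            if verb == "AUTH":
                pending = "AUTH"
            elif verb == "MAIL":
                sender = domain_of(text)
            elif verb == "RCPT":
                rcpt, pending = domain_of(text), "RCPT"
        elif side == "S":
            code = text[:3]
            if pending == "AUTH":
                authed = authed or code == "235"
                if code != "334":          # 334 is a challenge; the exchange continues
                    pending = None
            elif pending == "RCPT":
                if code == "250" and not authed and not (
                        sender in LOCAL_DOMAINS or rcpt in LOCAL_DOMAINS):
                    relayed.append(rcpt)
                pending = None
    return {"authenticated": authed, "sender": sender, "relayed": relayed}

# Constructed sample sessions (not traffic from the poster's server).
OPEN_RELAY = ["S: 220 mx.yourcompany.com ESMTP", "C: HELO mail.spammer.example",
              "S: 250 mx.yourcompany.com", "C: MAIL FROM:<bulk@spammer.example>", "S: 250 OK",
              "C: RCPT TO:<victim@example.net>", "S: 250 OK",
              "C: RCPT TO:<victim2@example.org>", "S: 250 OK"]
COMPROMISED_ACCOUNT = ["S: 220 mx.yourcompany.com ESMTP", "C: EHLO laptop", "S: 250 AUTH LOGIN",
                       "C: AUTH LOGIN", "S: 334 VXNlcm5hbWU6", "C: dGVzdA==", "S: 334 UGFzc3dvcmQ6",
                       "C: dGVzdA==", "S: 235 Authentication successful",
                       "C: MAIL FROM:<test@yourcompany.com>", "S: 250 OK",
                       "C: RCPT TO:<victim@example.net>", "S: 250 OK"]

if __name__ == "__main__":
    for name, session in (("open relay", OPEN_RELAY), ("compromised account", COMPROMISED_ACCOUNT)):
        print(name, analyse_session(session))
```

The second session is not flagged as relaying because it authenticated; that is the case Jasper describes, where the account name used after 235 is what you should look at.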

0

Update, I was able to monitor the firewall over the weekend when no one was in the office. The problem of trying to find the IP in the logs was because there was a lot of e-mail going out the door from our own users. By not having anyone here, I noticed 1 IP address was connected to us. I did an IP trace and it verified that it was coming from Sweden. We don't email anyone from there, so I created a rule in the firewall to block the IP. We have been spam free for the last 8 hours today.

Prior to finding the IP, I did a test using telnet and another website to test for open relay. I was not able to relay any emails. Whoever was doing this is using some sort of exploit (all updates up to date), a virus (I did scan every server and every computer with two different AV/malware scanners and found nothing), or hacked account (which I changed the accounts that have any kind of admin permissions) before I found the IP from Sweden. So I'm really not sure how the spam is getting relayed. Anyone have any ideas as to how this might have happened?

I would like to thank Kurt and Jim for your suggestions and help.

answered 13 May '13, 13:27

pac0124

edited 13 May '13, 15:30

Jim Aragon

Would you mind posting the IP address of your mail server (or send it via e-mail - see my profile)?

(13 May '13, 13:50) Kurt Knochner ♦