This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Interpreting logs


We have a trojan on our network as our IP keeps getting blacklisted by CBL. Something is sending spam about once every week and then we get blacklisted and it stops. I installed Wireshark and set it to collect traffic data for TCP port 25 and have been waiting for another CBL blacklist. It happened again yesterday and I have the logs and I am not sure what I am looking for. I can see that the only traffic is through our mail server. We couldn't find any infection on that machine, but I know that doesn't mean anything. I just want to be able to confirm that this machine is the problem before doing the work to get it offline. Would someone be able to check my logs for me? :)

asked 10 Sep '14, 15:55

Alisononthego


One Answer:


Handing out captures with email conversations in the packets is something you should be careful about. What you should be able to do is to look at the conversations on TCP port 25 and check who is sending mail to which recipients. Maybe there's something that doesn't look right, e.g. strange senders, subjects, etc.

You can use the "Follow TCP Stream" popup menu option on the conversations to get an ASCII dump of the payload, which makes it easier to read.

answered 10 Sep '14, 16:26

Jasper ♦♦

Thanks for the tip.

The blacklist is for the external IP of our network x.x.x.68. We only have the one and we have been given 8 other IPs in the same range that I have set up as aliases on our firewall x.x.x.96 - x.x.x.103. The mail server uses one of them, x.x.x.100, but that isn't the IP that is blacklisted. I'm not that familiar with how all this works, but I naturally assume that all the traffic from us to the outside world looks like it's coming from that external address anyway?

In the logs all I can see is traffic to and from the internal and external IP address of the mail server. The blacklist noted that the last detection was at 12.30pm yesterday, give or take 30 mins. So I have 3 x 10 MB logs that cover that period. Wireshark has used color coding in some lines. I have the default color rules in place; is there a particular color I should look for and then follow that stream?

(10 Sep '14, 16:58) Alisononthego

I converted your answer to a comment.

Wireshark does not color code for SMTP, but you can easily find those communications by putting the filter "tcp.port==25" into the filter box above the packet list. It may also help to only look at the communication from the IP address that has been blacklisted. You can filter that by entering "ip.addr==x.x.x.68" to see what it does.

If you know that SMTP from that address is the reason for the blacklisting you can combine the two filters into "ip.addr==x.x.x.68 and tcp.port==25" to filter out anything not related. If you do that and have 0 packets left you probably didn't capture at the correct spot. If you have packets, the next step is to examine them for stuff that looks odd (which, I admit, is easier said than done because it requires experience in spotting odd stuff).

P.S.: it's 2 am in Germany right now, so I need some sleep - if your problem still exists tomorrow we can see if I can take a look at what you got.

(10 Sep '14, 17:07) Jasper ♦♦

Thank you for fixing my post, I am new here :) The external IP never appears, maybe because the logging is done inside the network, not sure. My capture filter was for TCP port 25, but as you suggested I filtered the saved log for tcp.port==25 and there is color coding. It has coded some lines black with pink writing. I think the error is [TCP Fast Retransmission]. Could this be the spam traffic? Thanks for your help. Hopefully I will solve it in the next 24 hours. I am using a smart host to get our mail out, so it isn't that urgent, but it's one of those things that has been hard to work out!

(10 Sep '14, 17:26) Alisononthego

No problem ;-)

Retransmissions (or any TCP message) are not relevant to SPAM, as those messages only indicate symptoms on the TCP (transport) layer, not the actual content.

Where was the capture taken? It would be best if you could do a capture on the "outside" of the router where the public IP addresses are used, because otherwise you can't really tell what internal (usually private) address is going to be which public IP.

(11 Sep '14, 02:00) Jasper ♦♦
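The workflow the answer and the later comment describe (restrict to tcp.port==25, optionally to one ip.addr, then follow each TCP stream and read who is sending mail to whom) can be scripted so that a multi-capture review does not depend on eyeballing colors. The following is an added example written for this archive page, not code from the thread or from the Wireshark project: a standard-library Python script that parses a classic libpcap file, reassembles the client-to-server half of every SMTP conversation, and lists the MAIL FROM / RCPT TO / Subject lines per stream. The sample capture, the hostnames and the IP addresses (documentation ranges, plus a made-up 192.168.1.10 mail server) are all constructed inline; the "more than 10 recipients" threshold in flag_bulk_senders is an arbitrary assumption, not a CBL rule. It also keeps only the first copy of any retransmitted segment, which is the point Jasper makes about retransmissions being transport-layer noise rather than content.

```python
"""List SMTP envelopes per TCP conversation from a pcap (stdlib only).

Equivalent to the Wireshark steps "tcp.port==25", optionally
"and ip.addr==<host>", then Follow TCP Stream on each conversation.
"""
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4  # classic libpcap, microsecond timestamps (pcapng not handled)


def parse_pcap(data):
    """Yield (src_ip, dst_ip, sport, dport, seq, payload) for each IPv4/TCP
    packet in a libpcap file whose link type is Ethernet."""
    magic, = struct.unpack("<I", data[:4])
    end = "<" if magic == PCAP_MAGIC else ">"   # byte order follows the magic
    off = 24                                    # skip the global header
    while off + 16 <= len(data):
        _sec, _usec, incl, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        pkt = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:
            continue                            # not IPv4 over Ethernet, or not TCP
        ihl = (pkt[14] & 0x0F) * 4
        total = struct.unpack("!H", pkt[16:18])[0]
        tcp = pkt[14 + ihl:14 + total]          # IP total length trims any padding
        if len(tcp) < 20:
            continue
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        doff = (tcp[12] >> 4) * 4
        yield (".".join(map(str, pkt[26:30])), ".".join(map(str, pkt[30:34])),
               sport, dport, seq, tcp[doff:])


def smtp_envelopes(pcap_bytes, host=None, port=25):
    """Return {(client_ip, client_port, server_ip): envelope} for every
    client->server stream to `port`. `host` restricts output to streams that
    touch that address, like adding "and ip.addr==host" to the filter."""
    streams = defaultdict(dict)                 # stream key -> {seq: payload}
    for src, dst, sport, dport, seq, payload in parse_pcap(pcap_bytes):
        if dport != port or not payload or (host and host not in (src, dst)):
            continue
        streams[(src, sport, dst)].setdefault(seq, payload)  # retransmit: keep first copy
    result = {}
    for key, segs in streams.items():
        text = b"".join(segs[s] for s in sorted(segs)).decode("latin-1")
        env = {"from": [], "to": [], "subjects": []}
        for line in text.split("\r\n"):
            up = line.upper()
            if up.startswith("MAIL FROM:"):
                env["from"].append(line[10:].strip())
            elif up.startswith("RCPT TO:"):
                env["to"].append(line[8:].strip())
            elif up.startswith("SUBJECT:"):
                env["subjects"].append(line[8:].strip())
        result[key] = env
    return result


def flag_bulk_senders(envelopes, max_rcpt=10):
    """Streams with more than `max_rcpt` recipients (assumed crude spam cue)."""
    return sorted(k for k, e in envelopes.items() if len(e["to"]) > max_rcpt)


# ---- constructed sample capture (not the thread's real logs) ----------------
def _frame(src, dst, sport, dport, seq, payload):
    """Minimal Ethernet/IPv4/TCP frame; checksums are left zero, we only parse."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def _stream(src, dst, sport, dport, chunks, seq):
    """One direction of a TCP stream as frames with a running sequence number."""
    frames = []
    for chunk in chunks:
        frames.append(_frame(src, dst, sport, dport, seq, chunk))
        seq += len(chunk)
    return frames


def _pcap(frames):
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1410348600 + i, 0, len(f), len(f)) + f
    return out


MAILSRV, RELAY, SPAMSINK = "192.168.1.10", "203.0.113.10", "198.51.100.20"  # assumed addresses
legit = _stream(MAILSRV, RELAY, 50001, 25, [
    b"EHLO mail.example.test\r\n", b"MAIL FROM:<alice@example.test>\r\n",
    b"RCPT TO:<bob@partner.test>\r\nDATA\r\n", b"Subject: invoice\r\n\r\nhi\r\n.\r\nQUIT\r\n"], 1000)
bulk = _stream(MAILSRV, SPAMSINK, 50002, 25,
               [b"HELO x\r\n", b"MAIL FROM:<deals@example.test>\r\n"]
               + [b"RCPT TO:<u%02d@victim.test>\r\n" % i for i in range(12)]
               + [b"DATA\r\nSubject: You won\r\n\r\n.\r\n"], 2000)
bulk.insert(3, bulk[1])   # the MAIL FROM segment is retransmitted (same seq, same bytes)
reply = _frame(RELAY, MAILSRV, 25, 50001, 7000, b"250 OK\r\n")  # server side, ignored
SAMPLE_PCAP = _pcap(legit + bulk + [reply])

if __name__ == "__main__":
    envs = smtp_envelopes(SAMPLE_PCAP)
    for key, env in envs.items():
        print(key, env)
    print("bulk senders:", flag_bulk_senders(envs))
```

To run it against a real file, replace SAMPLE_PCAP with `open("capture.pcap", "rb").read()`; if Wireshark saved the capture as pcapng (its default in newer versions), export it as classic pcap first. Because the capture here was taken inside the network, the address to pass as `host` is the mail server's internal address, not the blacklisted public one, which matches what the asker observed about the external IP never appearing.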