Windows Vista Tips


Re: Best methods for tracing a mass-mailing worm infected workstation on a network?

 
 
Virus Guy
      11-12-2009
BadBoy House wrote:

> I'm interested in finding out about any other proven methods for
> tracking down mass-mailer infected workstations.


What are you using for a network switch or hub?

Most of the larger units have a web interface that lets you look at
various interface (port) statistics, maybe even let you block TCP port
25.
 
David H. Lipman
      11-13-2009
From: "Virus Guy" <>

| BadBoy House wrote:

>> I'm interested in finding out about any other proven methods for
>> tracking down mass-mailer infected workstations.


| What are you using for a network switch or hub?

| Most of the larger units have a web interface that lets you look at
| various interface (port) statistics, maybe even let you block TCP port
| 25.

You mean a "Managed Switch".


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


 
 
The Central Scrutinizer
      11-13-2009
Well whatever. The lack of reply from the original poster is telling.

Perhaps he got wiped out by his own mass emailing worm :-)

--



"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:...
> From: "Virus Guy" <>
>
> | BadBoy House wrote:
>
>>> I'm interested in finding out about any other proven methods for
>>> tracking down mass-mailer infected workstations.

>
> | What are you using for a network switch or hub?
>
> | Most of the larger units have a web interface that lets you look at
> | various interface (port) statistics, maybe even let you block TCP port
> | 25.
>
> You mean a "Managed Switch".
>
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>
>



 
 
Virus Guy
      11-13-2009
BadBoy House wrote:

> Packet sniffing for port 25 is a technique I already use. As is
> blocking port 25 however what if you get an infection that uses a
> different port??


Trojanized or botted PCs that are used as spam proxies will be
performing direct-to-mx spam runs and will be using port 25 because it's
the universally recognized port.

You might want to block MX lookups on your network, or at least look for
any PC that's performing a lot of them.
 
 
Virus Guy
      11-13-2009
BadBoy House wrote:

> however what if you get an infection that uses a different port??


To expand on that a little:

While port 25 is the de facto, world-wide port that is universally
recognized for client-to-MTA or MTA-to-MTA email communication, there
are other ports:

Port 366 (TCP,UDP) On-Demand Mail Relay
Port 465 (TCP) SMTP over SSL (usually the default for Outlook)
Port 587 (TCP) message submission port (usually SSL)

I would expect that the success rate of a spam relay trying to use those
ports to be quite low.

Those are the SMTP ports. Not mentioned are the IMAP protocol ports
(143, 993). And also not mentioned are the POP ports (used to retrieve
email, not send it).

Most organizations and ISPs block out-bound port-25 on their network
boundary from all their internal machines or IP space except those
machines that are dedicated MTAs or out-bound SMTP handlers. All
internal PCs are supposed to send mail through those machines on
port-25 or any of the above ports.

Again, one way to find a spamming PC on your network is to look for the
PC that's trying to send a lot of traffic on port 25 to IPs other than
your designated out-bound SMTP handler. Or look for a PC that's doing a
lot of MX lookups.

You might also want to look for traffic on the above ports (366, 465,
587) because trojans that discover that you've blocked port-25 might try
those (you should block 366 and 587 as well as 25).
 
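A worked example of the two checks this post and the earlier direct-to-MX reply describe: per host, count SMTP-port connections that bypass the designated relay, and count MX lookups. This is added example code, not from the thread; the relay address, the threshold and both log samples are constructed, and the firewall lines follow the Windows Firewall log field order as an assumption.

```python
from collections import Counter
# Hypothetical values for this example: the site's designated outbound mail relay,
# the SMTP-family ports listed in the post, and how many hits count as "a lot".
MAIL_RELAY = "10.0.0.25"
SMTP_PORTS = {25, 366, 465, 587}
THRESHOLD = 3
# Constructed firewall log lines (not real traffic), in the Windows Firewall
# log field order: date time action protocol src-ip dst-ip src-port dst-port.
FIREWALL_LOG = """\
2009-11-13 09:00:01 ALLOW TCP 10.0.1.40 10.0.0.25 50210 25
2009-11-13 09:00:02 ALLOW TCP 10.0.1.77 203.0.113.10 4410 25
2009-11-13 09:00:02 ALLOW TCP 10.0.1.77 198.51.100.5 4411 25
2009-11-13 09:00:03 DROP TCP 10.0.1.77 198.51.100.6 4412 25
2009-11-13 09:00:04 ALLOW TCP 10.0.1.77 203.0.113.12 4413 587
2009-11-13 09:00:05 ALLOW TCP 10.0.1.52 93.184.216.34 50301 443
"""
# Constructed DNS query log lines: date time client qtype qname.
DNS_LOG = """\
2009-11-13 09:00:01 10.0.1.40 A www.example.com
2009-11-13 09:00:02 10.0.1.77 MX example.net
2009-11-13 09:00:02 10.0.1.77 MX example.org
2009-11-13 09:00:03 10.0.1.77 MX example.com
2009-11-13 09:00:05 10.0.1.52 MX example.com
"""

def smtp_bypass_counts(log_text, relay=MAIL_RELAY, ports=SMTP_PORTS):
    """Per source host, count TCP connections on SMTP-family ports that bypass the
    relay. DROP lines count too: a blocked attempt still shows direct sending."""
    counts = Counter()
    for line in log_text.splitlines():
        f = line.split()
        if len(f) >= 8 and f[3] == "TCP" and int(f[7]) in ports and f[5] != relay:
            counts[f[4]] += 1
    return counts

def mx_lookup_counts(log_text):
    """Per client, count MX queries in the DNS log."""
    counts = Counter()
    for line in log_text.splitlines():
        f = line.split()
        if len(f) == 5 and f[3] == "MX":
            counts[f[2]] += 1
    return counts

def suspects(fw_log=FIREWALL_LOG, dns_log=DNS_LOG, threshold=THRESHOLD):
    """Hosts over either threshold, with both counts so an analyst can compare."""
    smtp, mx = smtp_bypass_counts(fw_log), mx_lookup_counts(dns_log)
    return {h: (smtp[h], mx[h]) for h in sorted(set(smtp) | set(mx))
            if smtp[h] >= threshold or mx[h] >= threshold}
```

On the constructed sample only 10.0.1.77 trips both checks; the host that sends only through the relay and the host doing a single MX lookup stay below the threshold.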
 
 
 