LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 03-26-2007, 07:29 PM   #1
dablew
Member
 
Registered: Oct 2006
Distribution: CentOS | Fedora | Mint | Ubuntu
Posts: 43

Rep: Reputation: 15
How do I secure my network against spams and being blacklisted


I have a mail server running on Postfix, Fedora Core 5.
Lately I've been having a problem with being blacklisted by RBL servers. The RBLs report that I am listed in them because my network has either an open proxy, or is open for SMTP relaying, and lastly that my LAN is infected by spam-sending trojans.
I have eliminated being an open proxy or SMTP relay, and the server is quite secure on this.


The big deal now is to sort out the spam-sending infiltrations on the Windows LAN computers. I have tried to block packets trying to connect to destination port 25 outgoing from the server, but this doesn't help. The viruses seem to be relaying from the Windows computers by themselves and also using port 80 or other ports to send spam.


I have tried to scan for these spam-sending viruses with current anti-virus and anti-spyware software with no success. I'm still being blacklisted for sending spam.
My server has ClamAV and SpamAssassin running under amavisd with RBL support, but this only does well to keep spam away from our network.

Again, I don't want to re-install or format the Windows computers because of vital data running at this time.

Anyone with a good suggestion on how to solve this?
I'm really in need and would appreciate valid help.
 
Old 03-27-2007, 08:17 AM   #2
archtoad6
Senior Member
 
Registered: Oct 2004
Location: Houston, TX (usa)
Distribution: MEPIS, Debian, Knoppix,
Posts: 4,727
Blog Entries: 15

Rep: Reputation: 234
1. How many "Winders (tm)" boxen are there?

2. Do you know how many / which ones are infected?

If there are many, you may have to just turn off the 'Net for the infected ones & force the (l)users to fix their machines themselves. Of course Murphy would indicate that the owner/CEO would be the worst offender.


3. Which "current anti viruses & antispamwares" have you tried with no success?

We may be able to suggest ones you haven't used.


Ultimately, it sounds as if you have a user education problem.

4. How big is the company & do you have management behind you?


Feel free to # your answers & not have to quote my Q's.
 
Old 03-27-2007, 01:16 PM   #3
dablew
Member
 
Registered: Oct 2006
Distribution: CentOS | Fedora | Mint | Ubuntu
Posts: 43

Original Poster
Rep: Reputation: 15
Thanks archtoad6

One thing that has been bothering me is tracing the computers that are the main offenders. I also believe that most of the machines are infected because of the network. The company is not so big and has 30 user computers. I have always used and been satisfied with NOD32, and I am also using Spyware Doctor for the spam. I would be happy to know the best for my scenario.

Again, I would like to know how to log and watch these dummy emails being sent from these infected machines (per private IP) to help in tracing the culprits.
The mail server is working as the NATing machine, and I know this is very possible, though I don't know how to go about it.

At this time I want formatting to be the last option, please.
 
Old 03-27-2007, 01:25 PM   #4
docalton
Member
 
Registered: Dec 2002
Location: St Louis, MO
Distribution: Arch Linux
Posts: 99

Rep: Reputation: 15
You could try enabling logging on the NAT system and looking for the log entries for port 25/80 packets.

You could also use wireshark/ethereal to capture the packets on the network to look for the offending email etc.

I'm sure there are other ways, but these would be a couple of options.

Hope this helps
 
Old 03-28-2007, 10:25 AM   #5
archtoad6
Senior Member
 
Registered: Oct 2004
Location: Houston, TX (usa)
Distribution: MEPIS, Debian, Knoppix,
Posts: 4,727
Blog Entries: 15

Rep: Reputation: 234
What docalton says about wireshark/ethereal (new name/old name, for those who didn't know) is good advice. It can give more info about packets than you care to know, but the interface is hierarchical so you don't have to dig deep if you don't want to. It also has good filtering, so you don't have to be overwhelmed w/ info on packets that are of no interest to you. And believe me, on a "Winders (tm)" network of 30 there will be a *pot-load of overhead packets. I found the interface is relatively simple for the power of the application.

To recap my Q's:
  1. 30 ["Winders (tm)" boxen].
  2. "Most" are infected -- not exactly sure which ones.
  3. Using http://anti-virus-software-review.to...32-review.html
    & http://anti-spyware-review.toptenrev...or-review.html
  4. You don't say what management attitude & support is on this issue.
You have cured 2 1/2 out of 3 of your original problems & your greatest need is to eliminate existing spam trojans. There are basically 2 ways to go about this: Visit each computer individually & clean it, or make the individual users take that responsibility. Which you will need to do depends in great part on the answer to 4. above.

I read the semi-weekly SANS "NewsBites" security letter, & one of the recurring themes is that ultimately the user must be responsible for security -- no amount of administrator intelligence can offset (l)user idiocy. One of the ways that you can start changing their attitudes & habits is to persuade management to back you in forcing them to clean up their own mess(es).

Hope this works, else you will be doing it for them, perhaps over & over & over again.

In any case, here are the 2 additional tools I recommend: Spybot-S&D & Ad-Aware.

I use Spybot-S&D & Ad-Aware SE Personal twice a month on my girlfriend's W2k box.

If you're willing to invest in a learning curve, you can block "evil" domains in your DNS server. I use SmoothWall Express 2 as my firewall. It in turn uses dnsmasq as its DNS server. It is very easy to block whole domains (not just individual hosts) in dnsmasq. SmoothWall Express 2 also uses squid as a proxy server, & (more learning curve) it can have even more complicated blocking lists. It all depends on how much effort you want to put into it.

On the downside, SmoothWall Express 2 is not for commercial use; however, its fork IPCop is.

If you are already using bind, you can still block entire domains, but the process is more complicated; squid can probably be (may be already) installed, unless you are already using a different (unlikely).
 
Old 03-28-2007, 01:36 PM   #6
david_ross
Moderator
 
Registered: Mar 2003
Location: Scotland
Distribution: Slackware, RedHat, Debian
Posts: 12,047

Rep: Reputation: 79
Moved: This thread is more suitable in Security and has been moved accordingly to help your thread/question get the exposure it deserves.
 
Old 03-29-2007, 03:43 PM   #7
dablew
Member
 
Registered: Oct 2006
Distribution: CentOS | Fedora | Mint | Ubuntu
Posts: 43

Original Poster
Rep: Reputation: 15
Thanks again docalton and archtoad6

I've now decided again to rescan all the comps, though I did a thorough check earlier and found nothing. I just don't know how these spam-sending trojans behave and where they reside - I JUST DON'T KNOW - my network keeps being blacklisted every time I delist it.

I'm also going to look for any funny packets with Wireshark, though I am not sure if I can filter mail-only packets with it???
Users maintaining their own computer security is a very good habit if implemented, but sometimes not possible if you're the one delegated with maintaining/securing the comps.
Just hoping I'm going to get even better ideas for dealing with this new breed of trojans.
 
Old 03-30-2007, 07:33 AM   #8
archtoad6
Senior Member
 
Registered: Oct 2004
Location: Houston, TX (usa)
Distribution: MEPIS, Debian, Knoppix,
Posts: 4,727
Blog Entries: 15

Rep: Reputation: 234
You should be able to filter on anything you want. I haven't had occasion to run wireshark since the name change, but I found the old interface "relatively simple for the power of the application" -- i.e. not exactly easy, but worth learning & not stupidly complicated.

Did you d/l & run either Spybot-S&D or Ad-Aware? Spybot is very likely to help w/ your spam trojan problem.

Have you identified the trojan involved?

Who has blacklisted you?

What impact is that having on your users?

Have any of the blacklisters offered any info about the problem?

How do your users connect to the 'Net -- what router(s), firewall, etc.?
 
Old 03-30-2007, 11:53 AM   #9
docalton
Member
 
Registered: Dec 2002
Location: St Louis, MO
Distribution: Arch Linux
Posts: 99

Rep: Reputation: 15
Arch, they are using their mail system as a NAT/firewall system.

That's why I thought it would make a good candidate for utilizing wireshark. It would be easy to sniff all the packets hitting the net through that box as it's all being NAT'd through it.

As for using the capture filtering in wireshark, the display filters are different so make sure you use the right one.

Here is a capture filter for looking at traffic destined for port 80 (www) or port 25 (smtp):

Code:
dst port 25 || dst port 80
Perhaps you can run it on your NAT/mail server for a while, listening on eth0/eth1 or whatever your internal interface is.

If you can determine what the packets look like, you can keep running this looking for that and that might help to make sure that you have completely resolved the issues with all the machines.

Hope this helps
 
Old 03-31-2007, 02:07 PM   #10
jayjwa
Member
 
Registered: Jul 2003
Location: NY
Distribution: Slackware, Termux
Posts: 774

Rep: Reputation: 243
I haven't eval'ed the situation so I don't know 100% what is going on, but just beware that you can be RBL blacklisted for doing absolutely nothing at all. The first time(s) I got listed, I worried and worried and stayed up hours looking for trouble that just wasn't there.

Places like Spamhaus and their cohort cbl.abuseat.org don't bother to show one shred of proof (none in any of my listings) to why you were listed in the first place, so tracking down a problem is much harder then. In my case, I was listed because of what some Windows user did almost a year ago due to a malware that doesn't even execute on Linux. Use a C&R system, any sort of dynamic connection, DHCP, some types of DSL or cable, configure something different than the mainstream in terms of mail services, block/bounce a delivery attempt in a certain way or just get on the wrong side of one of the people with influence at one of those places and you'll get listed each and every time and made out to be a filthy spammer. Entire countries have had their e-commerce shut down and legitimate business destroyed by RBL usage. Mail administrators get frustrated with SPAM, and resort to the equivalent of using hand grenades to free hostages. They hurt innocent people.

As no where in your original post do you confirm that your network is actually infected, this may or may not be the case. The blacklists certainly don't know:

Quote:
The rbls report that am listed in them because my network has either an open proxy,or is open for smtp relaying and the last that my LAN is infected by spam sending trojans.
I guess it's one of those? They are very different problems.

Quote:
The viruses seem to be relaying from the windows computers by themselves and also using port 80 or other ports to send spam.
While this is technically possible, it's not likely. The malware would have to locate other open proxy servers, connect to their port 80 (HTTP; no SOCKS 4/5 proxies are likely to listen here, not enough to support a SPAM run), transmit their SMTP commands and hope the mailserver the proxy is aiming at doesn't defend against SMTP slamming. I should hope nowadays that most do. Sendmail does with its greet_pause feature and rejecting delivery attempts that give commands before the HELO has been replied to, and I see a few attempts of this sort now and then.

Code:
greet_pause     Adds the greet_pause ruleset which enables open proxy
                and SMTP slamming protection.  The feature can take an
                argument specifying the milliseconds to wait:
        
                        FEATURE(`greet_pause', `5000')  dnl 5 seconds
The malware either has its own SMTP engine or it does not. If it does, it will attempt direct delivery to its targets, and this should be highly visible due to the machines in question attempting TCP/25 connections. If it does not have its own engine, then the malware must rely on the infected system's own mail routing, which usually means that the mail will be submitted to a designated outbound mailserver, depending on how you configured your network. Webmail also uses port 80, but these types of accounts require login and passwords. I have seen one SPAM malware that had lists of these sorts of accounts, but so far it's not appeared to do much.

In my opinion, job #1 is cut the network off. Then sniff everything and wade through that using Wireshark display filters. Only after you know what you're dealing with can you fight it.

Next step is locate the machine, then the binary. Submit the binary to your AV vendor and if they are like most this will generate a signature that can be used to find the rest automatically, plus save the next guy the same trouble. Often times just a simple 'strings' of the malware binary is enough to find contacted hosts, or library routines that give away the workings of the malware, that should give you enough to hamper its operation.

Visible strings in a spamming malware easily give away what this will be trying to do:

Code:
\IEXPIORE.exe
\ietile.bmp
QUIT
TO: %s
FROM: %s
SUBJECT: %s
DATA
RCPT TO:<%s>
MAIL FROM:<%s>
AUTH LOGIN
EHLO sjdf
trgonbonb@163.pbz
ddyv654321
trgonbonb
fzgc.163.pbz
Systems
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
\svch0st.exe
Bottom line: see for yourself that you are truly infected before trying to fix a problem that may not be there.
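As an added illustration of the 'strings' triage jayjwa describes above (this is not jayjwa's code, and the byte blob is constructed for the example, not a real sample), the Python below runs a minimal strings extractor over a fake binary seeded with the same kind of indicators as the listing, then buckets the hits into SMTP verbs, a Run-key persistence entry, dropped executable names and contacted hosts. One detail worth knowing about the listing above: its host names are ROT13-shifted (`fzgc.163.pbz` is `smtp.163.com`), a cheap obfuscation that a triage script can undo before looking for domains. The indicator lists and TLD set are assumptions chosen for this example.

```python
import codecs
import re

# Constructed byte blob standing in for a suspicious Windows binary. It mixes
# binary filler with the kind of strings listed in the post (SMTP verbs, a
# Run key, a ROT13-shifted host name, a look-alike executable name). It is an
# assumption for this example, not a real malware sample.
FAKE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"\x00\x01\x02EHLO sjdf\x00\x00AUTH LOGIN\x00MAIL FROM:<%s>\x00RCPT TO:<%s>\x00"
    b"DATA\x00QUIT\x00\x7f\x80fzgc.163.pbz\x00\x01"
    b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00\\svch0st.exe\x00ab\x00"
)

# Indicator lists (assumed for this example): SMTP verbs a built-in mail engine
# must carry, the autorun registry key, and TLDs we accept as plausible hosts.
SMTP_VERBS = ("EHLO", "HELO", "AUTH LOGIN", "MAIL FROM", "RCPT TO", "DATA", "QUIT")
RUN_KEY = "currentversion\\run"
HOSTLIKE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.I)
PLAUSIBLE_TLDS = {"com", "net", "org", "info", "biz", "cn", "ru", "de", "uk"}


def extract_strings(data, min_len=4):
    """Minimal 'strings': runs of printable ASCII at least min_len bytes long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def plausible_host(s):
    """Return a host name if s, raw or ROT13-decoded, looks like one."""
    for candidate in (s, codecs.decode(s, "rot_13")):
        if HOSTLIKE.match(candidate) and candidate.rsplit(".", 1)[1].lower() in PLAUSIBLE_TLDS:
            return candidate.lower()
    return None


def triage(strings):
    """Bucket extracted strings into the indicator classes a defender cares about."""
    report = {"smtp_verbs": [], "persistence": [], "executables": [], "hosts": []}
    for s in strings:
        upper = s.upper()
        for verb in SMTP_VERBS:
            if upper.startswith(verb):
                report["smtp_verbs"].append(verb)
                break
        if RUN_KEY in s.lower():
            report["persistence"].append(s)
        if s.lower().endswith(".exe"):
            report["executables"].append(s)
        host = plausible_host(s)
        if host:
            report["hosts"].append(host)
    return report


def looks_like_spam_engine(report):
    """Heuristic: an embedded SMTP engine needs at least the envelope verbs."""
    return {"MAIL FROM", "RCPT TO", "DATA"}.issubset(report["smtp_verbs"])


if __name__ == "__main__":
    found = extract_strings(FAKE_BINARY)
    rep = triage(found)
    for key, values in rep.items():
        print(f"{key}: {values}")
    print("own SMTP engine:", looks_like_spam_engine(rep))
```

The decoded host is what you would hand to the firewall or DNS block list, and the Run key tells you where on the infected Windows box to look for the dropped file; the verb check distinguishes malware with its own engine (expect direct TCP/25 connections from the client) from malware that relays through the local mail client.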

 
Old 04-09-2007, 03:54 AM   #11
dablew
Member
 
Registered: Oct 2006
Distribution: CentOS | Fedora | Mint | Ubuntu
Posts: 43

Original Poster
Rep: Reputation: 15
Thanks jayjwa for your lengthy address to my problem. docalton and archtoad6, I just hope you're still around even after my continuous bugging; I really hope this will be sorted out. Sorry I was away for a while and couldn't reply earlier.
My problem is still there, if not worse. For the last week I've been blacklisted by quite a number of RBLs, i.e. cbl, spamhaus, spamcop, sorbs, which makes me eliminate malice as the cause of being blacklisted. For instance, if I de-list one day, they get re-listed the next day or in two days' time again. It really seems to be a problem with my network.

archtoad6, I've looked at Spybot and it looks very impressive, and I've designated a day this week where I disconnect the whole network and do all the scanning with the utilities you recommended. I believe I might get somewhere with this and will give you feedback on the same.

Quote:
Here is a capture filter for looking at traffic destined for port 80 (www) or port 25 (smtp):

"dst port 25 || dst port 80"

docalton, I am finding it difficult to trace the culprits with Wireshark because of the many machines and the transactions on the screen. Is there an option for this, or what would you guys recommend?
I might now opt to format all the machines, though as I said I wanted to exhaust any available solution before I go to this level. Again, if I formatted I am not very sure the problem will go away or whether it will re-occur.
THIS IS WHERE I SAY I NEED MORE OF YOUR EXPERIENCED HELP.
 
Old 04-09-2007, 07:38 AM   #12
Emerson
LQ Sage
 
Registered: Nov 2004
Location: Saint Amant, Acadiana
Distribution: Gentoo ~amd64
Posts: 7,661

Rep: Reputation: Disabled
It's a lengthy thread; I did not read it all. Maybe somebody mentioned it already. My guess is your mail server is hijacked. It really would help if you could see the spam headers coming from your network.
 
Old 04-09-2007, 05:34 PM   #13
docalton
Member
 
Registered: Dec 2002
Location: St Louis, MO
Distribution: Arch Linux
Posts: 99

Rep: Reputation: 15
What you need to do first is to determine where the spam is coming from.

The two most likely possibilities are: the client machines, the mail server.
This is the most important information as it will tell you the next step.

Using wireshark/tshark should help you to isolate the problem. Scrolling it on the screen would be very difficult indeed. Use the file option and capture it to a file. After a while stop it and use the wireshark GUI to look through it. You can transfer it so you can use wireshark on one of the MS machines to look through the file if you don't have a GUI on your server.

Use it on both the internal and external interface. If you find nothing of interest on the internal and you find the offending on the external, perhaps your mail server got owned.

Something like this (substitute the right parameters):

Code:
tshark -i eth0 -a 'duration:600' -f 'dst port 25 || dst port 80' -w eth0cap.cap
This will run wireshark sniffing on eth0 for a duration of 10 minutes (600 seconds) looking for packets destined for either port 25 or 80. It will write the packet information to the file eth0cap.cap. Adjust the file/interface/duration to your needs and fire away.

Once finished, transfer the file if needed. Then open that capture file in the gui of wireshark and take a look.

Other things to look at are the postfix log. Watch the outbound mail queue. Perhaps use iptables/firewalling to reject port 25 packets unless they are to the mail server (if it's using port 25), essentially dropping TCP port 25 packets that would otherwise need NAT'ing.

Finding the source of the crap will help to dictate the fix.
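One way to do the NAT-side logging that docalton suggests in posts #4 and #13 (log forwarded port-25 connection attempts on the gateway, then work out which LAN host is behind them) is shown below. This is an added example, not docalton's or anyone else's code from the thread. It assumes a rule on the NAT/mail box of the form `iptables -I FORWARD -p tcp --dport 25 --syn -j LOG --log-prefix "SMTP-OUT: "`, and the syslog lines, the hostname `gw` and every address in them are constructed sample data. Because the server's own outbound mail leaves through the OUTPUT chain, not FORWARD, anything this rule logs is a LAN client talking SMTP to the outside directly, which on a network where clients are supposed to submit to the internal server is itself the signal.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines in the format the Linux kernel writes for an
# iptables LOG target. They assume a rule on the NAT/mail box such as
#   iptables -I FORWARD -p tcp --dport 25 --syn -j LOG --log-prefix "SMTP-OUT: "
# The rule, the hostname "gw" and every address below are assumptions for this
# example, not data from the thread. The last line comes from a different
# (assumed) rule logging port 80 and is there to show it is ignored.
SAMPLE_LOG = """\
Apr 14 10:02:11 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.37 DST=203.0.113.10 LEN=48 TTL=127 ID=1021 DF PROTO=TCP SPT=1043 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 14 10:02:11 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.37 DST=203.0.113.11 LEN=48 TTL=127 ID=1022 DF PROTO=TCP SPT=1044 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 14 10:02:12 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.37 DST=198.51.100.7 LEN=48 TTL=127 ID=1023 DF PROTO=TCP SPT=1045 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 14 10:02:12 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.37 DST=198.51.100.9 LEN=48 TTL=127 ID=1024 DF PROTO=TCP SPT=1046 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 14 10:02:13 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.37 DST=203.0.113.10 LEN=48 TTL=127 ID=1025 DF PROTO=TCP SPT=1047 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 14 10:02:40 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.25 LEN=48 TTL=127 ID=2210 DF PROTO=TCP SPT=3301 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 14 10:03:02 gw kernel: WEB-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.80 LEN=48 TTL=127 ID=2211 DF PROTO=TCP SPT=3302 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
"""

# Only lines carrying our prefix; pull out source, destination and dest port.
LOG_RE = re.compile(
    r"SMTP-OUT: .*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)"
)


def parse_smtp_attempts(log_text):
    """Return (src, dst) for every logged forwarded SYN to TCP/25; other lines are ignored."""
    attempts = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group("dpt") == "25":
            attempts.append((m.group("src"), m.group("dst")))
    return attempts


def summarize_by_source(attempts):
    """Per LAN source: number of attempts and the set of distinct destinations."""
    summary = defaultdict(lambda: {"attempts": 0, "destinations": set()})
    for src, dst in attempts:
        summary[src]["attempts"] += 1
        summary[src]["destinations"].add(dst)
    return dict(summary)


def suspicious_sources(summary, max_distinct=2):
    """LAN hosts fanning out to more distinct remote mail servers than a desktop should.

    A client that only talks to the internal mail server never appears in
    FORWARD at all, so every entry deserves a look; the threshold just ranks a
    host spraying many remote MXs (a spam engine) above a one-off.
    """
    return sorted(src for src, s in summary.items()
                  if len(s["destinations"]) > max_distinct)


if __name__ == "__main__":
    summary = summarize_by_source(parse_smtp_attempts(SAMPLE_LOG))
    for src, info in sorted(summary.items()):
        print(f"{src}: {info['attempts']} attempts to {len(info['destinations'])} hosts")
    print("suspect:", suspicious_sources(summary))
```

Run it against `/var/log/messages` (or wherever the kernel log lands on the gateway) instead of the sample text. The `--syn` in the assumed rule keeps the log to one line per connection attempt rather than one per packet, which is what makes the per-source counts meaningful.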
 
Old 04-14-2007, 10:42 AM   #14
dablew
Member
 
Registered: Oct 2006
Distribution: CentOS | Fedora | Mint | Ubuntu
Posts: 43

Original Poster
Rep: Reputation: 15
Thanks all.

I finally used Spybot, and found and removed a number of infiltrations from all the Windows comps.
The server was however blacklisted a few hours later by a few RBLs, including cbl.

Using Wireshark, I noticed the server making external port 25 connections when the LAN was disconnected, i.e. I had unplugged the cable from the LAN ethernet port when scanning. The server was only connected to the WAN port serving the internet, but still made remote port 25 connections, which seems strange.

On iptables, I blocked connections from the external ethernet port going to port 25, but I could not send mail from other mail servers like Yahoo.

Here is my rule, which I guess is wrong for my scenario:
{eth0 is the WAN port}
Code:
iptables -A OUTPUT -o eth0 -p tcp --dport 25 -j DROP

I also tried the rules described on the cbl site, but they don't seem to help me because I keep getting blacklisted.

Here are the rules:
Code:
iptables -A FORWARD -p tcp --dport 25 -j DROP

Forgive me, but how would I check the spam headers? And how would I know that my server is owned or hijacked?
If so, what are the remedies, if any?

Kindly help; it's taking even more time than I expected.
 
Old 04-23-2007, 11:06 AM   #15
dablew
Member
 
Registered: Oct 2006
Distribution: CentOS | Fedora | Mint | Ubuntu
Posts: 43

Original Poster
Rep: Reputation: 15
You mean you all went silent on me?
 