How to detect a spammer on your network? | Enterprise security magazine
The mechanics of identifying a spammer on your organization are genuinely clear. They will spam through your organization two ways:
- Through an undermined have on your organization: a contaminated machine has become a bot in a botnet and is conveying spam straightforwardly to the Internet.
2. By means of an undermined mail account: the spammer utilizes one of your client’s mail records to communicate spam through your own MTA.
To fix these circumstances:
- A compromised host on your network
Detection:
A compromised host is usually easy to spot. If you have a good business-class firewall, you will be able to see a high volume of outbound traffic -that does NOT originate from one of your MTA IP addresses — passing through port 25 to thousands of different locations. Getting on the infected machine, if possible, and issuing a netstat command (works with both Windows and *Nix) should show all the open outbound connections from the box. The results can provide corroborating evidence that the machine has been compromised.
Remediation:
- Eliminate the machine from your organization and tidy it up. No doubt, that is anything but difficult to state, and God realizes how long it could require. It can at times require a full wipe and reinstall of the OS if the machine has been root-kitted or the malware has downloaded.
- You should examine different PCs on a similar organization section as the tainted machine. Most current malware types play out a progression of endeavor endeavors to attempt to discover other weak hosts on the organization. So on the off chance that you have one issue machine, odds are you have others.
- Try not to depend on just a single enemy of infection program or malware evacuation apparatus. Utilize different AVs and malware scrubbers (e.g., Malwarebytes, Spybot-S&D, and so on) In the event that one instrument misses something, the other(s) may not.
- In the event that you figured out how to tidy up the machine without a full framework wipe, you should attempt to keep it on an alternate organization portion than your creation frameworks “ at any rate briefly — on the off chance that you didn’t totally eliminate the malware. Segregating the machine diminishes the opportunity that worm-like malware still lives on it, and keeps it from attempting to get to neighboring frameworks.
Goodness better believe it, reinforcements. I’m certain you supported up the machine, correct?
Prevention:
- All your workstations and servers should have all existing OS patches applied.
- You should have an up-to-date AV running on all machines (servers and workstations) to protect the entire network
- On the firewall, consider blocking egress (outbound) port 25 on all machines except for your MTA
- Ideally, you should deploy an intrusion detection/prevention system (IDS/IPS) or Network Access Control (NAC) to prevent future infections, however, these systems can be VERY expensive. There are some open-source IDS/IPS and NAC systems out there though, and I will cover some of these in another blog post
