[Dshield] Heavy Spam

Tom dshield at oitc.com
Sun Feb 12 22:48:31 GMT 2006

At 9:18 AM -0800 2/12/06, Arthur Neville wrote:
>   Problem: Several users within our corporate network are receivers 
>of heavy spam, daily

Are they posting to usenet?

>   Solutions we have in place:  We have Symantec Mail Security 
>enabled but our admins have yet to fine tune it so it does not deny 
>everything that passes the wire, so we still get hammered.

I don't know about others' experiences but 2 companies here (1 an ISP) 
have not seen great performance from Symantec for spam. It may just 
be configurations but we do much better than them with SA, a handful of 
DNSBLs and blocking problematic attachments.

>   Question: Any way to determine the extent that these users' email 
>addresses have been compromised, or if any bots are active on our net, 
>or if these users themselves are being used as Zombies?????

If they have been compromised at all they will be passed around or 
sold. If you can retire them and give the users new emails, do so and 
then lecture them on safe email practices. If you do that you can 
eventually direct those spammy addresses to SA for fingerprinting. 
Make sure you don't post the new ones anywhere except obfuscated (e.g. 
a graphical representation of the text or some JavaScript deconvolving 
function). I don't trust "you at foo.bar" to work anymore since it is 
too prevalent. Depending on your mail server you may be able to 
harden it from some dictionary attacks by invoking greylisting (this 
will also minimize how many bots will tie you up).

As for bots on your internal net, run an IDS and look for unapproved 
traffic as well as port 25 traffic from machines that are idle 
(checking overnight works well). Convert all mail clients to use the 
SMTP submit port and SMTP auth and then monitor for internal port 25 
traffic 24/7.

>   I'm an App Specialist and quite frankly am just interested in 
>possible explanations to the prob to offer to our Net and Sys 

Why aren't they being proactive? This is what they're supposed to be doing...
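The "port 25 from idle machines" check above, as an added example that is not part of the original post: it scans constructed flow records (timestamp, source, destination, destination port) for internal hosts that talk SMTP to anything other than the approved relay, and separately lists those that do so overnight. The 10.1.0.0/16 range, the 10.1.0.5 relay address and the 22:00-06:00 idle window are assumptions, not values from the thread.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample flow records for the demo; not real traffic.
SAMPLE_FLOWS = """\
2006-02-12T02:14:05 10.1.4.22 203.0.113.9 25
2006-02-12T02:14:07 10.1.4.22 198.51.100.17 25
2006-02-12T09:30:11 10.1.2.8 10.1.0.5 587
2006-02-12T09:31:40 10.1.2.8 10.1.0.5 25
2006-02-12T10:02:00 10.1.0.5 192.0.2.44 25
2006-02-12T14:20:00 10.1.9.3 192.0.2.10 25
2006-02-12T23:55:19 10.1.7.100 203.0.113.77 25
"""

INTERNAL_NET = ip_network("10.1.0.0/16")     # assumed corporate range
APPROVED_RELAYS = {ip_address("10.1.0.5")}  # assumed mail server
OVERNIGHT = (22, 6)                          # assumed idle window, 22:00-06:00


def parse_flows(text):
    for line in text.splitlines():
        ts, src, dst, dport = line.split()
        yield datetime.fromisoformat(ts), ip_address(src), ip_address(dst), int(dport)


def is_overnight(ts, window=OVERNIGHT):
    start, end = window
    return ts.hour >= start or ts.hour < end


def find_direct_smtp(text):
    """Map each internal, non-relay host to the (time, destination) pairs
    where it sent to port 25 anywhere except an approved relay. Once all
    clients use the submission port, the relay exception can be dropped."""
    hits = {}
    for ts, src, dst, dport in parse_flows(text):
        if dport != 25 or src not in INTERNAL_NET:
            continue
        if src in APPROVED_RELAYS or dst in APPROVED_RELAYS:
            continue
        hits.setdefault(str(src), []).append((ts, str(dst)))
    return hits


def overnight_offenders(text):
    """Hosts from find_direct_smtp with at least one flow in the idle window."""
    return sorted(src for src, events in find_direct_smtp(text).items()
                  if any(is_overnight(ts) for ts, _ in events))


if __name__ == "__main__":
    for src, events in find_direct_smtp(SAMPLE_FLOWS).items():
        print(src, len(events), "direct port-25 flow(s)")
    print("overnight:", overnight_offenders(SAMPLE_FLOWS))
```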