[Dshield] Heavy Spam
dshield at oitc.com
Sun Feb 12 22:48:31 GMT 2006
At 9:18 AM -0800 2/12/06, Arthur Neville wrote:
> Problem: Several users within our corporate network are receivers
>of heavy spam, daily
Are they posting to usenet?
> Solutions we have in place: We have Symantec Mail Security
>enabled but our admins have yet to fine tune it so it does not deny
>everything that passes the wire, so we still get hammered.
I don't know about others' experiences but 2 companies here (1 an ISP)
have not seen great performance from Symantec for spam. It may just
be configurations but we do much better than them with SA, a handful of
DNSbls and blocking problematic attachments.
> Question: Any way to determine the extent that these users email
>address has been compromised, or if any bots are active on our net,
>or if these users themselves are being used as Zombies?????
If they have been compromised at all they will be passed around or
sold. If you can retire them and give the users new emails do so and
then lecture them on safe email practices. If you do that you can
eventually direct those spammy addresses to SA for fingerprinting.
Make sure you don't post the new ones anywhere except obfuscated (eg
function. (I don't trust anymore "you at foo.bar" to work since it is
too prevalent) Depending on your mail server you may be able to
harden it from some dictionary attacks by invoking greylisting (this
will also minimize how many bots will tie you up)
As for bots on your internal net, run an IDS and look for unapproved
traffic as well as port 25 traffic from machines that are idle
(checking overnight works well). Convert all mail clients to use the
SMTP submit port and SMTP auth and then monitor for internal port 25
> I'm an App Specialist and quite frankly am just interested in
>possible explanations to the prob to offer to our Net and Sys
Why aren't they being proactive? This is what they're supposed to be doing...
Tom Shaw - Chief Engineer, OITC
<tshaw at oitc.com>, http://www.oitc.com/
US Phone Numbers: 321-984-3714, 321-729-6258(fax),
Text Paging: http://www.oitc.com/Pager/sendmessage.html
AIM/iChat: trshaw at mac.com
Google Talk: trshaw at gmail.com
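The greylisting Tom recommends above works by temporarily rejecting the first delivery attempt for an unseen (sender IP, envelope-from, envelope-to) triplet and accepting a retry after a minimum delay; most spam bots never retry. The following is an added example of that decision logic, not code from the original post or from any particular MTA. The timings (5-minute minimum delay, 4-hour lifetime for triplets that never retry, 36-day lifetime for triplets that passed) and the sample addresses are assumptions chosen for illustration.

```python
"""
Minimal greylisting decision logic (added example, not from the original
mailing-list post). First attempt for a new triplet -> 451 tempfail; a retry
after MIN_DELAY -> 250 and the triplet is remembered for PASSED_TTL.
"""
from datetime import datetime, timedelta

MIN_DELAY = timedelta(minutes=5)   # assumption: minimum retry delay
PENDING_TTL = timedelta(hours=4)   # assumption: forget triplets that never retry
PASSED_TTL = timedelta(days=36)    # assumption: remember passed triplets


class Greylist:
    def __init__(self):
        # triplet -> (timestamp, passed); timestamp is first-seen time while
        # pending and pass time once the triplet has been accepted
        self._seen = {}

    def _expire(self, now):
        # Drop stale entries so the table does not grow without bound.
        for key, (stamp, passed) in list(self._seen.items()):
            ttl = PASSED_TTL if passed else PENDING_TTL
            if now - stamp > ttl:
                del self._seen[key]

    def check(self, sender_ip, mail_from, rcpt_to, now):
        """Return '451' (temporary reject, please retry) or '250' (accept)."""
        self._expire(now)
        key = (sender_ip, mail_from.lower(), rcpt_to.lower())
        entry = self._seen.get(key)
        if entry is None:
            self._seen[key] = (now, False)   # first sight: ask for a retry
            return "451"
        stamp, passed = entry
        if passed:
            return "250"
        if now - stamp < MIN_DELAY:
            return "451"                     # retried too quickly
        self._seen[key] = (now, True)        # legitimate retry: accept
        return "250"


def simulate():
    """Run a constructed sequence of attempts and return the responses."""
    gl = Greylist()
    t0 = datetime(2006, 2, 12, 9, 0)
    good = ("198.51.100.8", "a@example.com", "user@corp.example")   # constructed
    bot = ("203.0.113.4", "x@spam.example", "user@corp.example")    # constructed
    return [
        gl.check(*good, t0),                               # new: 451
        gl.check(*good, t0 + timedelta(seconds=30)),       # too soon: 451
        gl.check(*good, t0 + timedelta(minutes=10)),       # retry after delay: 250
        gl.check(*good, t0 + timedelta(minutes=11)),       # remembered: 250
        gl.check(*bot, t0),                                # new: 451
        gl.check(*bot, t0 + timedelta(hours=5)),           # pending entry expired: 451
    ]


if __name__ == "__main__":
    print(simulate())
```

The last two calls show the bot case: a sender that never retries inside the pending lifetime is forgotten, so a later attempt starts the cycle again and still never gets a 250.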
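Tom's suggestion to watch for port 25 traffic from machines that should be idle can be turned into a simple log check once all clients use the submission port and only the relay is allowed to speak SMTP outbound. The script below is an added example, not from the original post: it reads firewall/flow log lines, assumed to be in the constructed space-separated format shown, treats 10.0.0.0/8 as the internal range, 10.0.0.25 as the only approved relay and 22:00-06:00 as the idle window, and reports internal hosts with repeated outbound TCP/25 connections in that window.

```python
"""
Flag internal hosts opening outbound TCP/25 connections during idle hours
(added example, not from the original mailing-list post). Log format,
internal range, approved relay and idle window are all assumptions.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")       # assumption
APPROVED_RELAYS = {ipaddress.ip_address("10.0.0.25")}   # assumption
IDLE_START, IDLE_END = 22, 6                            # assumption: 22:00-06:00

# Constructed sample flow log: timestamp src dst dport proto, one flow per line.
SAMPLE_LOG = """\
2006-02-12T23:05:11 10.0.0.25 192.0.2.10 25 tcp
2006-02-12T23:05:14 10.0.3.17 198.51.100.8 25 tcp
2006-02-12T23:05:15 10.0.3.17 198.51.100.9 25 tcp
2006-02-12T23:05:16 10.0.3.17 203.0.113.4 25 tcp
2006-02-12T23:07:40 10.0.4.2 192.0.2.80 443 tcp
2006-02-13T09:15:00 10.0.4.2 198.51.100.8 25 tcp
2006-02-13T02:30:00 10.0.5.9 203.0.113.77 25 tcp
2006-02-13T02:30:02 10.0.5.9 203.0.113.78 25 tcp
"""


def parse_line(line):
    """Split one constructed log line into typed fields."""
    ts, src, dst, dport, proto = line.split()
    return (datetime.fromisoformat(ts), ipaddress.ip_address(src),
            ipaddress.ip_address(dst), int(dport), proto)


def in_idle_window(ts):
    """True if the timestamp falls in the overnight window (wraps midnight)."""
    return ts.hour >= IDLE_START or ts.hour < IDLE_END


def find_suspect_hosts(log_text, min_attempts=2):
    """Return {src_ip: count} for internal, non-relay hosts that opened at
    least min_attempts outbound TCP/25 connections during the idle window."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = parse_line(line)
        if proto != "tcp" or dport != 25:
            continue
        if src not in INTERNAL_NET or dst in INTERNAL_NET:
            continue                      # only outbound from inside
        if src in APPROVED_RELAYS:
            continue                      # the relay is expected to do this
        if not in_idle_window(ts):
            continue
        counts[str(src)] += 1
    return {ip: n for ip, n in counts.items() if n >= min_attempts}


if __name__ == "__main__":
    for ip, n in sorted(find_suspect_hosts(SAMPLE_LOG).items()):
        print(f"{ip}: {n} outbound SMTP connections during idle hours")
```

In the sample, the relay's own traffic and the daytime connection from 10.0.4.2 are ignored, while 10.0.3.17 and 10.0.5.9 are reported; a host that fans out SMTP connections to many destinations overnight is worth pulling for a malware check.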