Is there a way to tell which PC on a network is sending an email?



Jase
GSV Regular
Posts: 572
Joined: Thu Dec 28, 2006 8:51 am

Post by Jase »

GSV Online Gaming _ Technical Support _ Is there a way to tell which PC on a network is sending an email?
Posted by: Hippy Jan 5 2007, 10:22 AM

I'm convinced a PC on my work network is acting as a zombie. Every day I get a couple of hundred spam emails to the server's catch-all account; all the emails seem to have the same format and come from a random address.
I also get about a hundred 'undeliverable' messages which have been sent from my network and bounced back from the recipients' servers.
The address on these returned emails is normally an address that doesn't exist in my Exchange database, something like 'info@hippy.com' or 'mailer@hippy.com', where the domain is correct but the username is not.
Sometimes it is from a real address that is not in use any more.

Is there any way to tell within Exchange (or the Outlook client) which computer is sending these emails?
I've done a full virus scan on all PCs and the server and even shut down the POP3 connector, but the mails were still being sent. The server refuses to let me use Trend's HouseCall to do a scan, but the local software (Symantec) and bit torrent all show up nothing.

If I could at least find out which PC it was, that would help.

Cheers.
Posted by: Myocardial Infarction Jan 5 2007, 11:22 AM

Possibly after something similar, as I'm getting the same thing atm: getting loads of mail from the likes of sknhl@silverthrupence.com etc. bounced back as undeliverable from places which seem to have normal-type addresses.
Posted by: Trig Jan 5 2007, 12:01 PM

Maybe someone's spoofing the sent-from addy to be the same as your domain. We get 'em all the time; I just ignore 'em.
Posted by: Hippy Jan 5 2007, 01:07 PM

The undeliverable emails are coming from my System Administrator service though, so I'm pretty sure they're originating from my network.
Posted by: Clingy Jan 5 2007, 03:35 PM

We are getting literally thousands a day here and they all purport to come from one of our info@xxxxx addresses and are to about three different Korean addresses (yahoo.co.kr for example). In the end it got so bad (what with these messages and the "undeliverables") that I installed DNSBL filtering, which our mail software (MDaemon) allows. I am sure it can be used by Exchange.

I doubt very much it is anything to do with an internal PC.

The blacklist I am using is from The Spamhaus Project and is sbl-xbl.spamhaus.org or something like that. The following site explains:

http://www.spamhaus.org/index.lasso

It has worked a treat!
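The thread disagrees on whether the "undeliverables" really left Hippy's network or are just bounces of mail with a forged sender. One defender-side check, written here as an added example rather than anything from the forum: read the Received chain of the original message that the remote server attached to the bounce, since the earliest hop shows which host actually injected it. The bounce message and the 192.168.1.0/24 office LAN are constructed sample data.

```python
# Added example, not from the thread: is an "undeliverable" really ours?
# Read the Received chain on the original that the remote server attached to
# the bounce; the earliest hop shows which host injected the message.
# Constructed sample data throughout; OUR_NETWORKS is an assumed office LAN.
import email, ipaddress, re
from email import policy

OUR_NETWORKS = [ipaddress.ip_network("192.168.1.0/24")]

BOUNCE = b"""From: MAILER-DAEMON@mail.example.net
Subject: Undeliverable: Cheap watches
Content-Type: multipart/report; report-type=delivery-status; boundary="B"

--B
Content-Type: message/rfc822

Received: from mail.example.net (mail.example.net [198.51.100.7])
\tby mx.example.net with ESMTP; Fri, 5 Jan 2007 10:00:00 +0000
Received: from hippy.example (unknown [198.51.100.33])
\tby mail.example.net with SMTP; Fri, 5 Jan 2007 09:59:00 +0000
From: info@hippy.example
Subject: Cheap watches

buy now
--B--
"""

def received_ips(received_headers):
    """IPs of each hop, earliest first (Received headers are prepended)."""
    ips = []
    for value in reversed(received_headers):
        m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", str(value))
        if m:
            ips.append(m.group(1))
    return ips

def is_ours(ip):
    return any(ipaddress.ip_address(ip) in net for net in OUR_NETWORKS)

def origin_of_bounce(raw_bounce):
    """(injecting host IP, True if it is on our LAN); (None, False) if unknown."""
    ndr = email.message_from_bytes(raw_bounce, policy=policy.default)
    for part in ndr.walk():
        if part.get_content_type() == "message/rfc822":
            ips = received_ips(part.get_payload(0).get_all("Received", []))
            if ips:
                return ips[0], is_ours(ips[0])
    return None, False

print(origin_of_bounce(BOUNCE))  # ('198.51.100.33', False): forged sender, not a zombie here
```

If the earliest hop is a LAN address, that is the PC to look at; if it is a foreign address, the mail never came from your network and the bounces are backscatter from forged senders, which is what Trig and Clingy suggest.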
Posted by: Hippy Jan 5 2007, 03:50 PM

Thanks Clingy,
We use Symantec Mail Security, which is a complete pile of carp! Never seems to filter anything out; I've no idea if it's set up correctly or what!

I've now added the SBL DNS server lookup filter thing to its list, so will see if it helps.

We're renewing our software this week as Symantec has thankfully run out.

I'm looking at the Sophos small business solution instead. Any opinion?
Budget is around £250 - £350 a year.
Posted by: Hippy Jan 5 2007, 04:17 PM

Well, I signed up to the RBL test thing and this is the response I got.

'Testing your SBL block. See http://www.crynwr.com/spam/ for more info.
Please note that this test will not tell you if your server is open for relaying. Instead, it tests to see if your server blocks email from IP addresses listed in various blocking lists; in this case, the SBL list.

Could not connect to 81.138.0.181: Connection timed out Attempting to run traceroute. If the traceroute fails persistently, then it's likely that the ISP where it fails is subscribed to the BGP3 version of the RBL, and is blocking RBL'ed hosts at the IP level. You should ask if that is indeed what they are doing. If so, then you do not need to use DNS blocking of the RBL.'

This was immediately followed by another few 'undeliverable' emails.

Posted by: Clingy Jan 5 2007, 04:59 PM

Oooo...

Forgot about open relay. We had a big issue with that some time back. I think www.ordb.org might be able to check that out for you. But that doesn't explain your current problem. (edit - just seen they have closed down... not unhappy about that as I had a run-in with them).

Also forgot to ask some basic questions... is your email server a POP3 server (connected to your ISP's POP3 server) or an SMTP server? If you don't know WTF I'm on about then I guess it's a POP3. DNSBL really only works well on SMTP servers.

The DNSBL may not block the "undelivered" mail. For that you may need to set some rules in your content filters. I'm not familiar with Exchange but I'm sure it must have these options.

Sophos is good software from what I understand. Not sure how featured it is though, and it was too expensive for us. If you can afford it then go for it. We went for F-Secure in the end, mainly because the admin server side of things was far more intuitive (I cba to read the manual or go on training). However we didn't go for client-based anti-spam. We have the SpamAssassin plugin on our email software, which catches quite a lot of the obvious, but still thousands get past it! I always think client anti-spam is a waste as your bandwidth is still being hammered with spam. The beauty of DNSBL is that it rejects the connection outright so the mail never even arrives.

My ramblings have probably confused you greatly Hippy. It could be that your smaller set-up isn't able to use some of these facilities.
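Clingy's point that a DNSBL "rejects the connection outright" is worth seeing in code. The following is an added example, not anything from the forum or from Spamhaus: the connecting client's IPv4 address is reversed and looked up as a hostname under the list's zone (sbl-xbl.spamhaus.org, the list named above), and an answer inside 127.0.0.0/8 means "listed", so the MTA can refuse the SMTP session before any message is transferred. Because the decision is made at SMTP connect time, it cannot help a setup that only pulls mail down over a POP3 connector, as Clingy notes. The FAKE_DNS table stands in for real DNS so the example runs offline; the 127.0.0.2 (SBL) and 127.0.0.4-7 (XBL) meanings are Spamhaus's documented return codes, and the 198.51.100.x addresses are constructed.

```python
# Added example, not from the thread: how a DNSBL check works.
# The client IP's octets are reversed, looked up under the list's zone, and
# any 127.0.0.x answer means "listed". A real MTA does this at SMTP connect.
import ipaddress
import socket

ZONE = "sbl-xbl.spamhaus.org"   # the list Clingy mentions

def dnsbl_query_name(ip, zone=ZONE):
    """198.51.100.33 -> 33.100.51.198.sbl-xbl.spamhaus.org (IPv4 only)."""
    addr = ipaddress.IPv4Address(ip)  # raises on anything that is not IPv4
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def real_resolver(name):
    """Query real DNS; [] means NXDOMAIN, i.e. not listed."""
    try:
        return sorted({r[4][0] for r in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []

def dnsbl_verdict(ip, resolve=real_resolver, zone=ZONE):
    """(listed, reasons). Answers outside 127/8 are ignored: some ISP resolvers
    answer every unknown name with a web address, which is not a listing."""
    reasons = []
    for answer in resolve(dnsbl_query_name(ip, zone)):
        a = ipaddress.ip_address(answer)
        if a not in ipaddress.ip_network("127.0.0.0/8"):
            continue
        code = int(a) & 0xFF          # last octet carries the list that matched
        if code == 2:
            reasons.append("SBL: known spam source")
        elif 4 <= code <= 7:
            reasons.append("XBL: exploited/infected host (zombie)")
        else:
            reasons.append(f"listed, return code 127.0.0.{code}")
    return bool(reasons), reasons

# Constructed answers so the example runs offline; anything else is unlisted.
FAKE_DNS = {"33.100.51.198." + ZONE: ["127.0.0.4"],
            "7.100.51.198." + ZONE: ["127.0.0.2", "127.0.0.4"]}
def fake_resolver(name):
    return FAKE_DNS.get(name, [])

def smtp_connection_decision(client_ip, resolve=fake_resolver):
    """What the MTA sends at connect time: a 5xx for listed clients, else a banner."""
    listed, reasons = dnsbl_verdict(client_ip, resolve)
    if listed:
        return "554 5.7.1 Service unavailable; client host blocked by " + ZONE
    return "220 mail.hippy.example ESMTP"
```

Pass `real_resolver` as `resolve` to query the live list; the zone operator's own return-code documentation is the authority on any codes not mapped above.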
Posted by: Hippy Jan 5 2007, 05:29 PM

Not to worry Clingy, I'm fairly up on terminology, just don't really get Exchange yet.

Yes, it's a POP3 account, using Exchange's built-in POP3 connector.

We're currently paying nearly £400 for Symantec Mail Security and antivirus, so £250 for Sophos seems much better. You're probably thinking of the enterprise version; there's a small business version too.
We only have 10 PCs here so don't need anything too powerful.

In the Symantec console, I've set up loads of filters and added 3 different blacklist addresses, but it hasn't ever stopped a single spam email or virus.
It could be that I don't know how to set it up, but there are no more settings for it; it looks so straightforward, it just doesn't work.

Sophos is on its way next week, I think.
Hippy
GSV Regular
Posts: 757
Joined: Tue Aug 29, 2006 9:19 am

Post by Hippy »

ta :)