Thursday, February 14, 2013

spambot on the LAN caused our mail server to get blacklisted - how I handled it

Yesterday, a machine on one of my client's LANs got a virus (particularly the cutwail spambot).  The machine began sending out spam which got the LAN's public IP address put on 6 different blacklists which severely compromised the functionality of my Exchange 2010 server on the LAN that served approximately 80 users.

The first thing I wanted to do was identify the compromised computer and clean it.  With more than 80 computers on the LAN, I needed a centralized way to do that.  Luckily, my Fortigate 60C firewall can spit out a report with that information.  Under System -> Config -> Advanced, there was a packet capture widget which could give me what I needed.  Here's how I captured all traffic on port 25:

The packet capture file was in PCAP format, which is a Wireshark format.  I opened up the file in Wireshark, and I could see (in this case) that (which is not the mail server) was sending a lot of traffic over port 25 to a lot of different locations.  This was my culprit.  I cleaned the computer using Malwarebytes and then delisted the public IP from the various blacklists it was on.

I'm going to look at options for having all network traffic go out on a different IP than the one that the mail server uses to avoid this in the future.  That could be a long term solution to this issue.

Thursday, February 7, 2013

allowing Bomgar reps to share screen without permission from user

By default, a new Bomgar rep will need permission from users in order to view or control the user's screen.  There is a check box you can clear that will allow reps to take control of the user's screen without needing the user to authorize it.

Go to your /login page - such as
Log in as an administrator

Click on edit next to the name of the rep you want to add this ability for:

Uncheck both boxes as noted below (though only the box for "prompt customer for approval of these actions in attended sessions" is necessary)