Thursday, February 14, 2013

spambot on the LAN caused our mail server to get blacklisted - how I handled it

Yesterday, a machine on one of my client's LANs got infected with a virus (specifically the Cutwail spambot).  The machine began sending out spam, which got the LAN's public IP address placed on 6 different blacklists and severely compromised the functionality of my Exchange 2010 server on that LAN, which served approximately 80 users.

The first thing I wanted to do was identify the compromised computer and clean it.  With more than 80 computers on the LAN, I needed a centralized way to do that.  Luckily, my Fortigate 60C firewall can spit out a report with that information.  Under System -> Config -> Advanced there is a packet capture widget that gave me what I needed.  Here's how I captured all traffic on port 25:

The packet capture file was in PCAP format, which Wireshark opens directly.  I opened the file in Wireshark and could see that 172.16.1.107 (which is not the mail server) was sending a lot of traffic over port 25 to many different destinations.  This was my culprit.  I cleaned the computer with Malwarebytes and then delisted the public IP from the various blacklists it was on.
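The same triage can be scripted instead of eyeballed in Wireshark. As an added example (not from the post), the Python below reads a PCAP like the firewall's export and lists every internal host, other than the known mail server, that talked to several distinct SMTP destinations; the mail server address and the sample capture are constructed placeholders.

```python
import struct
from collections import defaultdict

# Assumed address of the legitimate Exchange server (placeholder, not from the post).
MAIL_SERVER = "172.16.1.10"

def build_pcap(flows):
    """Build a minimal little-endian PCAP of Ethernet/IPv4/TCP SYNs from (src, dst, dport)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]  # global header
    for src, dst, dport in flows:
        tcp = struct.pack("!HHIIBBHHH", 49152, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
        frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp  # zeroed MACs, EtherType IPv4
        out.append(struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame)
    return b"".join(out)

def smtp_talkers(pcap):
    """Map each source IP to the set of destinations it contacted on TCP/25."""
    magic = struct.unpack("<I", pcap[:4])[0]
    endian = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    talkers, off = defaultdict(set), 24
    while off + 16 <= len(pcap):
        caplen = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4 over Ethernet
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 6 or len(frame) < 14 + ihl + 4:
            continue  # not TCP, or truncated before the TCP ports
        dport = struct.unpack("!H", frame[14 + ihl + 2:14 + ihl + 4])[0]
        if dport == 25:
            src = ".".join(map(str, frame[26:30]))
            talkers[src].add(".".join(map(str, frame[30:34])))
    return talkers

def suspicious_senders(pcap, mail_server=MAIL_SERVER, min_destinations=3):
    """Hosts other than the mail server that reached at least min_destinations SMTP peers."""
    return sorted(src for src, dsts in smtp_talkers(pcap).items()
                  if src != mail_server and len(dsts) >= min_destinations)

# Constructed sample: legitimate relay traffic, an infected host, a web client, a one-off.
SAMPLE_FLOWS = (
    [(MAIL_SERVER, f"198.51.100.{n}", 25) for n in range(1, 6)]
    + [("172.16.1.107", f"203.0.113.{n}", 25) for n in range(1, 41)]
    + [("172.16.1.50", "192.0.2.80", 443), ("172.16.1.60", "198.51.100.9", 25)]
)
SAMPLE_PCAP = build_pcap(SAMPLE_FLOWS)
```

Against a real export, read the file bytes and pass them to `suspicious_senders`; the distinct-destination threshold keeps a single legitimate outbound message from a workstation from being flagged.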

I'm going to look at options for sending general outbound traffic from a different public IP than the one the mail server uses, so that a future infection on a workstation does not get the mail server's address blacklisted.  That could be a long-term solution to this issue.
