Li'l Abner wrote:
> Mike Easter wrote:
>
>> Li'l Abner wrote:
>>
>> I got a spam email from him myself. His friends have also complained.
>> His ISP threatened to blacklist him if it doesn't stop. Actually, he
>> is moving home from another area and will soon be hooked up to OUR
>> ISP. And I know for a fact they'll blacklist him if he spews email.
Did you inspect the headers to see if the spam e-mail actually
originated from this user? The From and Reply-To path are *data*
headers added by the sender's e-mail client, not by a mail server. They
can contain whatever value the sender wants to put in those headers.
Extremely rare are mail servers that require the sender to specify the
account in their From header through which they send an e-mail.
We would have to know what the e-mail service provider (ESP) is for your
user. We would also have to see the evidence of the spam e-mail, but
just the headers are sufficient (munge out the username but not the
domain name in any e-mail addresses for the user, if present and
actually their own, and for any of the victimized recipients).
>> The owner has been warned by his ISP.
That the e-mail provider warned him of spam abuse reports simply means
they received spam abuse complaints. That doesn't mean they
interrogated the headers to determine that this user was the one that
actually sent the spam. Most users are boobs when it comes to reviewing
the headers of an e-mail (few even bother to actually look). They just
go by what is shown in the From header and assume that the sender would
never lie as to who they are. Yeah, sure, spammers never lie about
their e-mail address, uh huh.
>> So presumably/maybe there has been spam evidence provided to the ISP
>> abuse address -or- the ISP (maybe) sees network traffic profile and
>> notifies the IP user -or- something else. You are leaving out a lot of
>> important background and evidence details.
>
> This is all that he has told me. I have no doubt the computer was spewing
> email.
So with those network monitoring tools you claim to have, did you check
the traffic from this user's host to filter on and check for their
e-mail volume? So far, basing your "evidence" on what the user said,
which provided no actual details, you do NOT know there is spam
coming from this host. Since any sender - you, the user, the spammer, a
malcontent, another employee, ANYONE - can put anything they want in the
From header (because it is *data* added by the sender's e-mail client as
the sender configured it themselves), you don't know from where the spam
originated.
So just what network tools have you actually used to monitor this user's host
regarding e-mail volume and recipients? Have you used any packet
sniffing tool to check how much traffic goes to e-mail ports (i.e.,
which traffic goes to mail servers)? Have you checked the recipients
specified in the RCPT-TO commands sent by this host to the mail server
(assuming they weren't SSL/TLS connects)?
If YOU aren't managing the mail server used by this accused user, how do
you know that his account with some other ESP has not been hacked?
Maybe he used a weak password. Maybe he divulged his login credentials
in reaction to some phish mail. Maybe the login credentials were
cracked using social engineering (e.g., a malicious site using CAPTCHA
input from its porn-hungry users employs those users to do the grunt
work of cracking passwords in the CAPTCHA screens of webmail providers).
Did this user ever bother to change their login credentials (and, this
time, use a STRONG password)? When they do change their password, also
have them change the personal detail info because that gets used with
the "Forgot Password" mechanism afforded by most ESPs.
>> There's detection tools to use on networks, routers, servers, etc.
>> but nothing about the individual computer except for a couple of
>> those "wipe it and start over" replies.
I have never seen a packet sniffer utility recommend some "wipe and
restart" notice. If this host is on a corporate network, why aren't
they monitoring their traffic down to each host? There would be little
value in some generic volume statistics that didn't help resolve
problems down to the sources for those problems.
If instead this host was brought to you where you don't have a
corporate-level network and monitoring tools set up, then why not go look
on the host as to what is making all the network connections? There are
plenty of on-host monitoring utilities available, like SysInternals'
TCPview. However, it's probably better not to disturb the software
configuration on the problematic host and instead sniff the traffic by
having that host's traffic go through a gateway or router host where you
can separately monitor its traffic (but you won't know which process
generated the traffic but you'll know to where that traffic goes and
what it contains if not encrypted).
>>> I've done a full scan with MSE, MBAM, SAS, and ComboFix. MSE found
>>> nothing, MBAM found 18 MyWebSearch and 2 Trojan Vundo, SAS found a
>>> bunch of tracking cookies, and Combofix found nothing at all.
It may not be known malware doing the spamming. Could be a zero-day
pest. While some security programs monitor the behavior of the e-mail
clients (to see if they are spamming), not many spambots use the
installed e-mail clients but instead make their own connects. If the
pest can't be easily found by anti-malware products then it's time for
you to monitor the behavior of the host. See what processes are making
network connections, how often, for how long, and to where they connect.
> The spam I got from him had his own return email address, as did the others
> who complained to him. How would they have known who to complain to if it
> didn't come from his email address. You think his neighbor's machines would
> send out email with *his* return address?
It doesn't appear you are adept at interpreting the headers of e-mails.
Most e-mail users don't understand those headers (and there are some
anomalies that I'm not used to for some ESPs). Sorry, but without the
headers for *us* to inspect then we can't verify your conclusion that
the spam e-mails actually came from this user's host or that they
originated from this user's ESP. Please provide evidence in the form of
the headers for the spam e-mails that purport to come from this
user or their account. Leave domains intact (since those aren't
sufficient for anyone to try cracking this user's account). Munge or
X-out the usernames on the accounts (for sender and recipients) to
protect their accounts from spambots that harvest e-mail addresses from
Usenet posts. Make sure to include ALL headers, not just the ones you
think are relevant.
That the spam may originate from the user's account does NOT mean it
originates from the user's host. How certain are you that the user's
account hasn't been hacked? Spambots are handy but harder to get
working on even partially secured hosts. It's pretty easy to send spam
if you can hack into someone's account and directly use it for your
spamming. However, considering how easy it is to get free e-mail
accounts, it's usually easier to obtain those and spam from there (and
lie about the sender's e-mail address).
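The header check the reply keeps asking for, as an added example that is not part of the original thread: it parses the Received: chain of two constructed messages (placeholder hosts, IPs and addresses) and reports whether the From: domain's servers were involved in the first hop at all, and if so from which host the submission came.

```python
import email
import re
from email.utils import parseaddr

# Common "from HELO (rdns [ip]) by SERVER" shape of a Received: line. The HELO
# name is sender-supplied; rdns, ip and "by" are written by the receiving server.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s+\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[^\]]+)\]\))?"
    r"\s+by\s+(?P<by>\S+)", re.IGNORECASE)

def origin_report(raw):
    # Compare the From: domain (data the sender's client wrote, proving nothing by
    # itself) with the first server that actually handled the mail.
    msg = email.message_from_string(raw)
    dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # Each server prepends its Received: line, so the bottom one is the first hop.
    hops = [" ".join(v.split()) for v in reversed(msg.get_all("Received", []))]
    m = RECEIVED_RE.search(hops[0]) if hops else None
    if not m:
        return {"from_domain": dom, "verdict": "no usable Received header"}
    hop = m.groupdict()
    if (hop["rdns"] or "").lower() in ("", "unknown"):
        hop["rdns"] = ""  # receiver could not reverse-resolve the sending IP
    by = hop["by"].lower()
    if by == dom or by.endswith("." + dom):
        # The From: domain's own server accepted the submission: the account may
        # have been used, but the submitting host need not be the user's PC.
        hop["verdict"] = "submitted to From: domain's server from %s [%s]" % (
            hop["rdns"] or hop["helo"], hop["ip"])
    else:
        hop["verdict"] = "From: domain's servers absent from first hop; From: unverified"
    hop["from_domain"] = dom
    return hop

# Constructed sample: From: claims example.net, yet the victim's MX got the mail
# directly from an unrelated IP whose HELO name merely claimed to be example.net.
SPOOFED = """\
Received: from mail.example.net (cpe-198-51-100-77.other-isp.example [198.51.100.77])
\tby inbox.example.org with SMTP id abc123; Tue, 1 Jan 2013 10:00:02 +0000
From: "Friend" <xxxxx@example.net>
"""
# Constructed sample: example.net accepted an authenticated submission (ESMTPA)
# from a host that need not be the user's own PC, i.e. the hacked-account case.
VIA_ESP = """\
Received: from mx.example.net (mx.example.net [203.0.113.10])
\tby inbox.example.org with ESMTP id def456; Tue, 1 Jan 2013 10:00:02 +0000
Received: from userpc (cpe-198-51-100-77.other-isp.example [198.51.100.77])
\tby mx.example.net with ESMTPA id xyz789; Tue, 1 Jan 2013 09:59:58 +0000
From: xxxxx@example.net
"""
```

Run `origin_report()` over the full, unmunged headers of a real complaint; only the bottom Received: line written by a server you trust tells you which host handed the message in.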