Identifying malware.

Postby Mwoplock » Tue Mar 11, 2014 5:22 am

What is the proper procedure for identifying the account that is sending a specific email? It appears one of our PCs must have malware that is logging on as a user and sending out many emails that are spam. Or the other option is their password has been hacked and is being used for spam. However, I can't identify the user. You can see the emails being sent in the logs (outmail__xxx.txt), but there isn't any data on who is sending it. Attached is a copy of the log with full debug.

Please post a generic procedure to identify the user who sent an email.
Mwoplock
 
Posts: 15
Joined: Wed Mar 27, 2013 9:25 pm

Re: Identifying malware.

Postby Mwoplock » Tue Mar 11, 2014 9:38 pm

Here's a sample of the outmail log

Server Logs

Viewing File: outmail_2414.txt
Description: Server Log File

Tue, 11 Mar 2014 08:29:34 -> Failed: Action=[SMTP Transfer], Details=[Domain=sbcglobal.net, Host=mx2.sbcglobal.am0.yahoodns.net:25, IP=98.136.217.192: Transaction rejected with: 554 Message not allowed - [PH01] Email not accepted for policy reasons. Please visit http://postmaster.yahoo.com/errors/postmaster-27.html [120]]
Tue, 11 Mar 2014 08:29:34 -> Success: Action=[MX Lookup], Details=[DNS=8.8.8.8, Domain=comcast.net: Found 2 records]
Tue, 11 Mar 2014 08:29:35 -> Success: Action=[SMTP Transfer], Details=[Domain=comcast.net, Host=mx2.comcast.net:25, IP=76.96.40.147: Connection accepted.]
Tue, 11 Mar 2014 08:29:36 -> Failed: Action=[SMTP Transfer], Details=[Domain=comcast.net, Host=mx2.comcast.net:25, IP=76.96.40.147: Recipient Rejected: wbyargeon@comcast.net (550 5.1.1 Not our Customer)]
Tue, 11 Mar 2014 08:29:36 -> Failed: Action=[SMTP Transfer], Details=[Domain=comcast.net, Host=mx2.comcast.net:25, IP=76.96.40.147: All remaining recipients were rejected.]
Tue, 11 Mar 2014 08:29:37 -> Success: Action=[SMTP Transfer], Details=[Domain=comcast.net, Host=mx1.comcast.net:25, IP=68.87.26.147: Connection accepted.]
Tue, 11 Mar 2014 08:29:39 -> Failed: Action=[SMTP Transfer], Details=[Domain=comcast.net, Host=mx1.comcast.net:25, IP=68.87.26.147: Recipient Rejected: wbyargeon@comcast.net (550 5.1.1 Not our Customer)]
Tue, 11 Mar 2014 08:29:39 -> Failed: Action=[SMTP Transfer], Details=[Domain=comcast.net, Host=mx1.comcast.net:25, IP=68.87.26.147: All remaining recipients were rejected.]
Tue, 11 Mar 2014 08:29:40 -> Success: Action=[Process Mail], Details=[2 KB: Start transfer.]
Tue, 11 Mar 2014 08:29:41 -> Success: Action=[MX Lookup], Details=[DNS=8.8.8.8, Domain=yahoo.com: Found 3 records]
Tue, 11 Mar 2014 08:29:41 -> Success: Action=[SMTP Transfer], Details=[Domain=yahoo.com, Host=mta7.am0.yahoodns.net:25, IP=63.250.192.45: Connection accepted.]
Tue, 11 Mar 2014 08:29:41 -> Success: Action=[SMTP Transfer], Details=[Domain=yahoo.com, Host=mta7.am0.yahoodns.net:25, IP=63.250.192.45: Recipient Accepted: vierabrejnik@yahoo.com]
Tue, 11 Mar 2014 08:29:41 -> Success: Action=[SMTP Transfer], Details=[Domain=yahoo.com, Host=mta7.am0.yahoodns.net:25, IP=63.250.192.45: Recipient Accepted: tacb_2000@yahoo.com]
Tue, 11 Mar 2014 08:29:41 -> Success: Action=[SMTP Transfer], Details=[Domain=yahoo.com, Host=mta7.am0.yahoodns.net:25, IP=63.250.192.45: Recipient Accepted: jenlv81@yahoo.com]
Tue, 11 Mar 2014 08:29:41 -> Success: Action=[SMTP Transfer], Details=[Domain=yahoo.com, Host=mta7.am0.yahoodns.net:25, IP=63.250.192.45: Recipient Accepted: djasonlemke1@yahoo.com]
Tue, 11 Mar 2014 08:29:42 -> Failed: Action=[SMTP Transfer], Details=[Domain=yahoo.com, Host=mta7.am0.yahoodns.net:25, IP=63.250.192.45: Transaction rejected with: 554 Message not allowed - [PH01] Email not accepted for policy reasons. Please visit http://postmaster.yahoo.com/errors/postmaster-27.html [120]]
Tue, 11 Mar 2014 08:29:42 -> Success: Action=[SMTP Transfer], Details=[Domain=yahoo.com, Host=mta6.am0.yahoodns.net:25, IP=98.136.217.203: Connection accepted.]
Tue, 11 Mar 2014 08:29:42 -> Success: Action=[SMTP Transfer], Details=[Domain=yahoo.com, Host=mta6.am0.yahoodns.net:25, IP=98.136.217.203: Recipient Accepted: vierabrejnik@yahoo.com]
Tue, 11 Mar 2014 08:29:42 -> Success: Action=[SMTP Transfer], Details=[Domain=yahoo.com, Host=mta6.am0.yahoodns.net:25, IP=98.136.217.203: Recipient Accepted: tacb_2000@yahoo.com]
Tue, 11 Mar 2014 08:29:42 -> Success: Action=[SMTP Transfer], Details=[Domain=yahoo.com, Host=mta6.am0.yahoodns.net:25, IP=98.136.217.203: Recipient Accepted: jenlv81@yahoo.com]
Tue, 11 Mar 2014 08:29:43 -> Success: Action=[SMTP Transfer], Details=[Domain=yahoo.com, Host=mta6.am0.yahoodns.net:25, IP=98.136.217.203: Recipient Accepted: djasonlemke1@yahoo.com]
Tue, 11 Mar 2014 08:29:43 -> Failed: Action=[SMTP Transfer], Details=[Domain=yahoo.com, Host=mta6.am0.yahoodns.net:25, IP=98.136.217.203: Transaction rejected with: 554 Message not allowed - [PH01] Email not accepted for policy reasons. Please visit http://postmaster.yahoo.com/errors/postmaster-27.html [120]]
Tue, 11 Mar 2014 08:29:43 -> Success: Action=[SMTP Transfer], Details=[Domain=yahoo.com, Host=mta5.am0.yahoodns.net:25, IP=66.196.118.35: Connection accepted.]
Tue, 11 Mar 2014 08:29:43 -> Failed: Action=[SMTP Transfer], Details=[Domain=yahoo.com, Host=mta5.am0.yahoodns.net:25, IP=66.196.118.35: Transaction rejected with: 421 4.7.0 [GL01] Message from (71.164.221.104) temporarily deferred - 4.16.50. Please refer to http://postmaster.yahoo.com/errors/postmaster-21.html]
Tue, 11 Mar 2014 08:29:43 -> Success: Action=[MX Lookup], Details=[DNS=8.8.8.8, Domain=bowdoin.edu: Found 2 records]
Tue, 11 Mar 2014 08:29:44 -> Success: Action=[SMTP Transfer], Details=[Domain=bowdoin.edu, Host=smtp-in-2.bowdoin.edu:25, IP=139.140.238.27: Connection accepted.]
Tue, 11 Mar 2014 08:29:44 -> Success: Action=[SMTP Transfer], Details=[Domain=bowdoin.edu, Host=smtp-in-2.bowdoin.edu:25, IP=139.140.238.27: Recipient Accepted: kanders2@bowdoin.edu]
Tue, 11 Mar 2014 08:29:45 -> Failed: Action=[SMTP Transfer], Details=[Domain=bowdoin.edu, Host=smtp-in-2.bowdoin.edu:25, IP=139.140.238.27: Transaction rejected with: 554 rejected due to spam content]
Tue, 11 Mar 2014 08:29:45 -> Success: Action=[SMTP Transfer], Details=[Domain=bowdoin.edu, Host=smtp-in-1.bowdoin.edu:25, IP=139.140.238.26: Connection accepted.]
Tue, 11 Mar 2014 08:29:45 -> Success: Action=[SMTP Transfer], Details=[Domain=bowdoin.edu, Host=smtp-in-1.bowdoin.edu:25, IP=139.140.238.26: Recipient Accepted: kanders2@bowdoin.edu]
Tue, 11 Mar 2014 08:29:46 -> Failed: Action=[SMTP Transfer], Details=[Domain=bowdoin.edu, Host=smtp-in-1.bowdoin.edu:25, IP=139.140.238.26: Transaction rejected with: 554 rejected due to spam content]
Tue, 11 Mar 2014 08:29:51 -> Success: Action=[Process Mail], Details=[2 KB: Start transfer.]
Tue, 11 Mar 2014 08:29:51 -> Success: Action=[MX Lookup], Details=[DNS=8.8.8.8, Domain=cfisd.net: Found 2 records]
Tue, 11 Mar 2014 08:29:52 -> Success: Action=[SMTP Transfer], Details=[Domain=cfisd.net, Host=cfisd.net.inbound10.mxlogicmx.net:25, IP=208.65.145.2: Connection accepted.]
Tue, 11 Mar 2014 08:29:52 -> Success: Action=[SMTP Transfer], Details=[Domain=cfisd.net, Host=cfisd.net.inbound10.mxlogicmx.net:25, IP=208.65.145.2: Recipient Accepted: jessica.clark@cfisd.net]
Tue, 11 Mar 2014 08:29:52 -> Failed: Action=[SMTP Transfer], Details=[Domain=cfisd.net, Host=cfisd.net.inbound10.mxlogicmx.net:25, IP=208.65.145.2: Transaction rejected with: 554 Denied [3501f135.0.3138176.00-2207.4351969.p02c12m066.mxlogic.net] (Mode: normal)]
Tue, 11 Mar 2014 08:29:53 -> Success: Action=[SMTP Transfer], Details=[Domain=cfisd.net, Host=cfisd.net.inbound10.mxlogic.net:25, IP=208.65.144.2: Connection accepted.]
Tue, 11 Mar 2014 08:29:53 -> Success: Action=[SMTP Transfer], Details=[Domain=cfisd.net, Host=cfisd.net.inbound10.mxlogic.net:25, IP=208.65.144.2: Recipient Accepted: jessica.clark@cfisd.net]
Tue, 11 Mar 2014 08:29:53 -> Failed: Action=[SMTP Transfer], Details=[Domain=cfisd.net, Host=cfisd.net.inbound10.mxlogic.net:25, IP=208.65.144.2: Transaction rejected with: 554 Denied [4501f135.0.2351097.00-1960.3379727.p01c11m011.mxlogic.net] (Mode: normal)]
Tue, 11 Mar 2014 08:29:53 -> Success: Action=[MX Lookup], Details=[DNS=8.8.8.8, Domain=pillsburylaw.com: Found 2 records]
Tue, 11 Mar 2014 08:29:54 -> Success: Action=[SMTP Transfer], Details=[Domain=pillsburylaw.com, Host=us-smtp-1.mimecast.com:25, IP=205.139.110.61: Connection accepted.]
Tue, 11 Mar 2014 08:29:54 -> Failed: Action=[SMTP Transfer], Details=[Domain=pillsburylaw.com, Host=us-smtp-1.mimecast.com:25, IP=205.139.110.61: Recipient Rejected: debbie.franklin@pillsburylaw.com (451 Internal resource temporarily unavailable - http://kb.mimecast.com/Mimecast_Knowledge_Base/Administration_Console/Monitoring/Mimecast_SMTP_Error_Codes#451)]
Tue, 11 Mar 2014 08:29:54 -> Failed: Action=[SMTP Transfer], Details=[Domain=pillsburylaw.com, Host=us-smtp-1.mimecast.com:25, IP=205.139.110.61: All remaining recipients were rejected.]
Tue, 11 Mar 2014 08:29:55 -> Success: Action=[SMTP Transfer], Details=[Domain=pillsburylaw.com, Host=us-smtp-2.mimecast.com:25, IP=207.211.31.81: Connection accepted.]
Tue, 11 Mar 2014 08:29:55 -> Failed: Action=[SMTP Transfer], Details=[Domain=pillsburylaw.com, Host=us-smtp-2.mimecast.com:25, IP=207.211.31.81: Recipient Rejected: debbie.franklin@pillsburylaw.com (451 Internal resource temporarily unavailable - http://kb.mimecast.com/Mimecast_Knowledge_Base/Administration_Console/Monitoring/Mimecast_SMTP_Error_Codes#451)]
Tue, 11 Mar 2014 08:29:55 -> Failed: Action=[SMTP Transfer], Details=[Domain=pillsburylaw.com, Host=us-smtp-2.mimecast.com:25, IP=207.211.31.81: All remaining recipients were rejected.]
Tue, 11 Mar 2014 08:33:53 -> Success: Action=[Add Mail To Queue], Details=[2 KB]
Mwoplock
 
Posts: 15
Joined: Wed Mar 27, 2013 9:25 pm

Re: Identifying malware.

Postby Code Crafters » Wed Mar 12, 2014 9:10 am

Check the SMTP logs, as these will contain more information about the IP and possibly the sender of the email attempts. As you say, it must be an existing user account's credentials being used. You should also limit the Max Mails Per Day in the SMTP security tab and user group settings to prevent any users sending out too many SPAM emails per day, to at least limit the problem until you can identify the account.
Code Crafters
 
Posts: 933
Joined: Mon Sep 10, 2007 2:35 pm

Re: Identifying malware.

Postby Mwoplock » Mon Apr 21, 2014 3:02 pm

Why isn't it very simple to identify? The outmail log should tell you who is sending it. An IP address, a user name, something. This makes the log worthless and very difficult to find out who. In fact, I'm about to go to a new mail server just because you have such a poor ability to find out this basic information.
Mwoplock
 
Posts: 15
Joined: Wed Mar 27, 2013 9:25 pm

Re: Identifying malware.

Postby Mwoplock » Mon Apr 21, 2014 3:09 pm

Who is sending this? The time stamps don't line up with the SMTP logs? The received email addresses aren't found in the SMTP logs? How the hell are you supposed to find out where this is coming from.... I can't believe you don't have a procedure to trace down who is sending emails...
Mwoplock
 
Posts: 15
Joined: Wed Mar 27, 2013 9:25 pm

Re: Identifying malware.

Postby Mwoplock » Mon Apr 21, 2014 3:14 pm

Not sure the attachment was in the last reply... OH, now text files aren't allowed.. Hell, I can't even post problems on this site without a hassle.
Attachments
outlog.zip
(28.65 KiB) Downloaded 1027 times
Mwoplock
 
Posts: 15
Joined: Wed Mar 27, 2013 9:25 pm

Re: Identifying malware.

Postby Code Crafters » Wed Apr 23, 2014 9:52 pm

If you can't match the sender to the SMTP logs, try the WebMail logs and possibly the POP3 retrievals, as they're the only other ways to send emails. Note that if it's not the first send attempt in outgoing mails, then the timestamps could be different, but if it sends successfully the first time, then it's probably roughly the same time coming into AMS as leaving via outgoing mails.
Code Crafters
 
Posts: 933
Joined: Mon Sep 10, 2007 2:35 pm
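A defender-side way to do the correlation both replies describe (match what the outmail log sends against the log that recorded the authenticated submission), as an added example that is not Ability Mail Server code: it parses the outmail line format shown in the thread, groups recipient addresses per "Process Mail" transfer, and matches each transfer on recipient overlap within a time window against session records. The session-line format, the account names and the client IPs are assumptions; adapt SESSION_RE to whatever fields your SMTP or WebMail log actually records.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

TS = r"(?P<ts>\w{3}, \d\d \w{3} \d{4} \d\d:\d\d:\d\d)"
TS_FMT = "%a, %d %b %Y %H:%M:%S"
# Outmail lines have the "<ts> -> <status>: Action=[..], Details=[..]" shape shown in the thread.
OUTMAIL_RE = re.compile(TS + r" -> \w+: Action=\[(?P<action>[^\]]+)\], Details=\[(?P<details>.*)\]$")
RCPT_RE = re.compile(r"Recipient (?:Accepted|Rejected): (\S+@\S+)")
# Constructed session format (hypothetical, not AMS's real SMTP log): "<ts> user=.. ip=.. rcpt=a,b".
SESSION_RE = re.compile(TS + r" user=(?P<user>\S+) ip=(?P<ip>\S+) rcpt=(?P<rcpt>\S+)$")

def parse_outmail(lines):
    """'Process Mail' starts a message; later 'SMTP Transfer' lines add its recipients."""
    transfers = [{"start": None, "recipients": set()}]  # lines before the first Process Mail
    for m in filter(None, map(OUTMAIL_RE.match, map(str.strip, lines))):
        if m["action"] == "Process Mail":
            transfers.append({"start": datetime.strptime(m["ts"], TS_FMT), "recipients": set()})
        elif m["action"] == "SMTP Transfer" and (r := RCPT_RE.search(m["details"])):
            transfers[-1]["recipients"].add(r.group(1).lower())
    return [t for t in transfers if t["recipients"]]

def parse_sessions(lines):
    return [{"ts": datetime.strptime(m["ts"], TS_FMT), "user": m["user"], "ip": m["ip"],
             "recipients": set(m["rcpt"].lower().split(","))}
            for m in filter(None, map(SESSION_RE.match, map(str.strip, lines)))]

def attribute(transfers, sessions, window=timedelta(hours=1)):
    """Sessions that submitted one of the transfer's recipients up to `window` earlier;
    recipient overlap is the key because retries and queueing shift outmail timestamps."""
    return [(t, sorted({(s["user"], s["ip"]) for s in sessions
                        if s["recipients"] & t["recipients"]
                        and (t["start"] is None or timedelta(0) <= t["start"] - s["ts"] <= window)}))
            for t in transfers]

def top_senders(attributions):
    """Messages attributed per (account, client IP): a spamming login stands out."""
    return Counter(pair for _, pairs in attributions for pair in pairs)

# Constructed sample: outmail lines copied from the thread's log, session lines made up.
OUTMAIL_SAMPLE = """Tue, 11 Mar 2014 08:29:40 -> Success: Action=[Process Mail], Details=[2 KB: Start transfer.]
Tue, 11 Mar 2014 08:29:41 -> Success: Action=[SMTP Transfer], Details=[Domain=yahoo.com, Host=mta7.am0.yahoodns.net:25, IP=63.250.192.45: Recipient Accepted: vierabrejnik@yahoo.com]
Tue, 11 Mar 2014 08:29:44 -> Success: Action=[SMTP Transfer], Details=[Domain=bowdoin.edu, Host=smtp-in-2.bowdoin.edu:25, IP=139.140.238.27: Recipient Accepted: kanders2@bowdoin.edu]
Tue, 11 Mar 2014 08:29:51 -> Success: Action=[Process Mail], Details=[2 KB: Start transfer.]
Tue, 11 Mar 2014 08:29:52 -> Success: Action=[SMTP Transfer], Details=[Domain=cfisd.net, Host=cfisd.net.inbound10.mxlogicmx.net:25, IP=208.65.145.2: Recipient Accepted: jessica.clark@cfisd.net]
""".splitlines()
SESSIONS_SAMPLE = """Tue, 11 Mar 2014 08:29:10 user=jdoe ip=203.0.113.7 rcpt=vierabrejnik@yahoo.com,kanders2@bowdoin.edu
Tue, 11 Mar 2014 08:29:20 user=jdoe ip=203.0.113.7 rcpt=jessica.clark@cfisd.net
Tue, 11 Mar 2014 08:00:00 user=bsmith ip=198.51.100.4 rcpt=payroll@example.com
""".splitlines()
```

Feed top_senders the result of attribute over a whole day's outmail and session logs; an account that keeps appearing with recipients it never mails to normally is the one to reset and the PC to inspect.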
