Best practices to implement when you suspect you have a mass-mailer in your environment.
|Article:TECH94614|||||Created: 2009-01-17|||||Updated: 2013-10-22|||||Article URL http://www.symantec.com/docs/TECH94614|
You have reports that you are on one or more blacklists and have been informed that your environment is sending out SPAM or other undesirable traffic.
Your domain is on one or more blacklists.
If you are listed on one or more black list services contacting the service may give you an idea of what they (The RBL) triggers on or what the requirements are for getting removed from the black list.
When trying to determine whether one or more machines in your environment are sending out spam, you will need to restrict outbound SMTP traffic such that only certain machines are allowed to send email out of your environment. The best location to make this restriction would be at a perimeter firewall or switch that all outbound port 25 traffic would pass through. Configure its settings so that only your mail server, SMTP gateway, or mission critical servers that need to SMTP data outbound may do so.
Then examine your firewall logs to see which machines in the environment are attempting to send outbound SMTP traffic that should not be. Those machines will be the prime suspects in terms of what machines may contain a mass-mailer worm, virus or trojan.
It is also recommended that you ensure all your antivirus scanners definitions are fully up to date and then run a full virus scan throughout your entire network. If you pinpoint a machine as the one sending out the traffic, please contact your antivirus technical support for steps necessary to identifying and submitting the infected file(s) for analysis and removal.
Article URL http://www.symantec.com/docs/TECH94614