
Email Script on Machine using SMTP - Endpoint does not detect

Created: 03 May 2010 • Updated: 07 Nov 2010 | 7 comments

I have a machine somewhere on my network that has an email script running on it that is sending out hundreds of messages to the outside world using my SMTP server. I have been unsuccessful at locating the infected machine; the email comes from "members@eBy.com", so it is not logging which machine it is coming from. I had to set up a rule on my Symantec spam software to trap and delete the message, but I would still like to know why the enterprise endpoint software is not picking this up. Surely I cannot be the only person that has this script embedded in a machine.

Just today it tried to send out over 750 emails, all of which were blocked. Does anybody have an idea how I can track this down?


Thomas K:

How many clients in your environment? Could  you try setting up a firewall rule logging mail traffic on certain groups of clients at a time? Apply the policy to your group then watch the logs to see where this is coming from.

Cruiser0358:

No Luck Creating a rule.

I created a rule to monitor POP3 port 110 and SMTP port 25 and set it to log everything in the traffic log, then tested it to see if it was recording traffic on those ports. No joy on this: nothing was being recorded, and whether it was allowed or blocked did not seem to matter.

I guess that I am doing something wrong with this and it has become very frustrating. Can anybody assist me with creating this firewall rule so that it works?

I have Symantec Endpoint Protection, latest version.

teiva-boy:

If the client is using your own mail server to send out emails, you would need the firewall rule on the mail server to be logging any requests to it.

Alternatively, you could do a port mirror on the switch port where your email server is plugged in, and use a machine with SEP to capture the traffic this way. Of course Wireshark could do the same thing too.

There is an online portal, save yourself the long hold times. Create ticket online, then call in with ticket # in hand :-) http://mysupport.symantec.com "We backup data to restore, we don't backup data just to back it up."
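The two answers above both come down to the same defensive step: log every connection the mail server accepts and find the internal client that is submitting far more often than a human user would. The following script is an added example, not code from the thread or from Symantec; it parses a constructed, generic connection-log layout (timestamp, client IP, envelope sender, not a real Exchange or SEP log format) and flags clients whose submission rate is abnormal. The log lines, the IP addresses and the thresholds are all assumptions made up for the example.

```python
import re
from datetime import datetime

# Constructed sample in a generic "mail server connection log" layout.
# Each line: timestamp, client IP that connected, envelope sender it presented.
# A real Exchange or SEP log looks different; adapt LINE_RE to your format.
SAMPLE_LOG = """\
2010-05-03 09:12:01 connect client=10.0.0.21 from=<alice@example.local>
2010-05-03 09:12:04 connect client=10.0.0.47 from=<members@eBy.com>
2010-05-03 09:12:04 connect client=10.0.0.47 from=<members@eBy.com>
2010-05-03 09:12:05 connect client=10.0.0.47 from=<members@eBy.com>
2010-05-03 09:12:09 connect client=10.0.0.33 from=<bob@example.local>
2010-05-03 09:12:10 connect client=10.0.0.47 from=<members@eBy.com>
2010-05-03 09:12:11 connect client=10.0.0.47 from=<members@eBy.com>
2010-05-03 09:13:30 connect client=10.0.0.21 from=<alice@example.local>
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) connect "
    r"client=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) from=<(?P<sender>[^>]*)>$"
)


def parse_line(line):
    """Return (timestamp, client_ip, sender) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    return ts, m["ip"], m["sender"].lower()


def summarize(log_text):
    """Aggregate per client IP: connection count, distinct senders, first/last seen."""
    stats = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip unrelated or malformed lines
        ts, ip, sender = parsed
        entry = stats.setdefault(
            ip, {"count": 0, "senders": set(), "first": ts, "last": ts}
        )
        entry["count"] += 1
        entry["senders"].add(sender)
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
    return stats


def suspicious_clients(log_text, max_per_minute=3.0, min_count=5):
    """Flag client IPs whose sustained submission rate exceeds max_per_minute.

    Returns a list of (ip, count, rate_per_minute, senders), busiest first.
    The thresholds are assumptions; tune them to your own baseline.
    """
    flagged = []
    for ip, e in summarize(log_text).items():
        if e["count"] < min_count:
            continue  # too few connections to judge a rate
        # Floor the window at one minute so a burst of N connections within a
        # few seconds is rated as N per minute rather than dividing by ~0.
        span_min = max((e["last"] - e["first"]).total_seconds() / 60.0, 1.0)
        rate = e["count"] / span_min
        if rate > max_per_minute:
            flagged.append((ip, e["count"], round(rate, 1), sorted(e["senders"])))
    return sorted(flagged, key=lambda f: f[1], reverse=True)


if __name__ == "__main__":
    for ip, count, rate, senders in suspicious_clients(SAMPLE_LOG):
        print(f"{ip}: {count} connections, {rate}/min, senders={senders}")
```

Run against a real log, the flagged entry gives you the internal IP to look up in DHCP or ARP tables; the sender set is a useful second signal, since a workstation that only ever presents an address in a foreign domain is behaving like a mass-mailer rather than a mail client.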

Mick2009:

Hi Cruiser,

Two suggestions: first, do you have the optional SEP email scanning tools on your computers? If so, it will scan outgoing mail messages for threats, and will generally pop up messages about communication to remote mail servers. These pop-ups are a good indication that a spammer's mass-mailer has been installed on a computer. See this article for more information: Many Unexpected Pop-Ups from Symantec Email Proxy are Displayed (http://service1.symantec.com/SUPPORT/ent-security....)

Second: have you examined the email headers from these unwanted mails? Headers often include the IP address where a message originated.

Third: please provide more information on how many clients you have on your network, and what kind of mail server. Is it MS Exchange? Is that Exchange server defended by SMSMSE? Do the legitimate mail clients connect to it via MAPI or via SMTP and POP3? Monitoring that mail server for incoming port 25 connections will reveal the source of the problem. Also, Exchange can log message details (where they came from, etc.); that would also tell you, if in fact the infected computer is using your own mail server.

Thanks and best regards,

Mick

With thanks and best regards,

Mick
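Mick's second suggestion, reading the Received headers to find the originating IP, can be automated. The script below is an added example, not from the thread or from Symantec: it walks the Received chain of a constructed sample message oldest-hop-first and returns the first hop that came from a private (RFC 1918) address, which is the internal machine that handed the message to your own mail server. The message text, hostnames and addresses are made up for the example. One caveat a defender should keep in mind: only the Received header stamped by a server you control is trustworthy, since a mass-mailer can prepend forged headers below it, so the script trusts the hop nearest your server rather than the bottom-most header blindly.

```python
import email
import ipaddress
import re

# Constructed sample message. The top Received header was added by the
# outside recipient's MX; the bottom one was added by our own mail server
# (mail.example.local) when the internal workstation submitted the message.
SAMPLE_MESSAGE = """\
Received: from mail.example.local (mail.example.local [203.0.113.10])
\tby mx.outside-recipient.example (Postfix) with ESMTP id ABC123
\tfor <victim@outside-recipient.example>; Mon, 03 May 2010 09:12:05 -0400
Received: from WORKSTATION-47 (unknown [10.0.0.47])
\tby mail.example.local with SMTP; Mon, 03 May 2010 09:12:04 -0400
From: members@eBy.com
To: victim@outside-recipient.example
Subject: constructed sample

body
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # address in brackets
FROM_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)  # claimed sending host
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)     # server that stamped it


def received_hops(raw_message):
    """Return hops oldest-first as (claimed_host, ip_or_None, stamped_by)."""
    msg = email.message_from_string(raw_message)
    hops = []
    # Headers are listed newest-first; reverse so index 0 is the earliest hop.
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(str(value).split())  # unfold continuation lines
        host = FROM_RE.match(value)
        ip = IP_RE.search(value)
        by = BY_RE.search(value)
        hops.append((
            host.group(1) if host else None,
            ip.group(1) if ip else None,
            by.group(1) if by else None,
        ))
    return hops


def internal_origin(raw_message, our_servers):
    """Find the internal (private-address) client that submitted to one of our servers.

    our_servers: hostnames of mail servers you control; only a Received header
    stamped by one of them is trusted, since earlier headers may be forged.
    Returns (claimed_host, ip) or None.
    """
    trusted = {s.lower() for s in our_servers}
    for host, ip, by in received_hops(raw_message):
        if by is None or by.lower() not in trusted or ip is None:
            continue
        if ipaddress.ip_address(ip).is_private:
            return host, ip
    return None


if __name__ == "__main__":
    print(received_hops(SAMPLE_MESSAGE))
    print(internal_origin(SAMPLE_MESSAGE, ["mail.example.local"]))
```

Feed it the full raw source of one of the blocked messages (from the spam quarantine, not a forwarded copy, which loses the original headers) and the returned IP is the workstation to pull off the network and scan. If the function returns None, the message never passed through a server you listed, which itself answers the question of whether your own mail server is the relay.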

Cruiser0358:

Made changes to permissions: someone was trying to relay off of us, and it stopped it from going any further. Now we have made permission changes and the traffic has stopped completely.

Going to monitor the system and see if anything recurs.

Mick2009:

Many thanks for letting the forum know of your progress! Hopefully a quick Internet search by a future admin in similar circumstances will land here and point them in the right direction.

Do check back with this community forum if you experience any issue in the future.

With best regards,

Mick
