[NCSA-discuss] Finding an infected machine
brian at strutmasters.com
Wed Feb 22 08:51:42 EST 2006
I've never really had to deal with this sort of situation before, so
I'm not sure what the best countermeasure is. The situation is that
recently I've started getting notifications from AOL that my domain is
spamming their users. That's bad. I've set up the AOL postmaster
feedback loop thing (when AOL users complain about messages from our
domain, I get a copy of the complaint with the offending message), and
it looks like your typical "Check out these stocks!!" SPAM.
On our network of probably 20 or 25 machines, I'm not sure how to
pinpoint which one (or more..) is actually spewing out the offending
mail. What's the best way to do that? I'm thinking maybe I could set
up a packet sniffer grepping for a phrase from the message, and see
which host it comes from...but I haven't the faintest idea how to
actually do that. Is that even a good idea?
I've also made a prioritized list of the users I think are most likely
to infect themselves with such things, but I'd like to avoid
goose-chases if there's a good automated way to catch the offending
machine in the act.
Brian A. Henning
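An added example, not part of Brian's message: one way to do the sniffer idea from the post without sitting at a live tcpdump. Capture outbound SMTP at a point that sees the whole LAN (a switch mirror/span port or the gateway itself), e.g. `tcpdump -i eth0 -s 0 -w smtp.pcap 'tcp dst port 25'`, then run this script over the file with a phrase copied from the AOL feedback-loop complaint. It parses the pcap by hand (no scapy/dpkt needed), counts per source address the SMTP segments that carry the phrase, and separately counts new outbound SMTP connections per source, so a bot that has already moved on to a different stock tip still shows up. The addresses, the sample capture and the `tcp_frame`/`build_pcap` helpers are constructed here for illustration; `192.0.2.25` is a TEST-NET placeholder standing in for an external mail exchanger.

```python
"""Rank LAN hosts by how much outbound SMTP traffic, and how much of a known
spam phrase, they send.  Added example; assumes an Ethernet pcap written by
tcpdump and a phrase taken from a complaint.  Sample capture is constructed."""
import socket
import struct
import sys
from collections import Counter

PCAP_MAGIC_LE = 0xA1B2C3D4
PCAP_MAGIC_BE = 0xD4C3B2A1
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6


def tcp_frame(src_ip, dst_ip, sport, dport, payload, flags=0x18):
    """Build an Ethernet/IPv4/TCP frame for the constructed sample.
    Checksums are left zero; the parser below never validates them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, PROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip)) + tcp
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip


def build_pcap(frames):
    """Wrap frames in a little-endian pcap file (global header + records)."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = b"".join(struct.pack("<IIII", 1140000000 + i, 0, len(f), len(f)) + f
                       for i, f in enumerate(frames))
    return header + records


def iter_tcp(pcap_bytes):
    """Yield (src, dst, sport, dport, flags, payload) for every IPv4/TCP frame."""
    magic = struct.unpack("<I", pcap_bytes[:4])[0]
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == PCAP_MAGIC_BE:
        end = ">"
    else:
        raise ValueError("not a pcap file")
    if struct.unpack(end + "I", pcap_bytes[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack(end + "IIII", pcap_bytes[off:off + 16])
        off += 16
        frame = pcap_bytes[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue
        ip = frame[14:]
        if ip[9] != PROTO_TCP:
            continue
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack("!H", ip[2:4])[0]
        tcp = ip[ihl:total_len]
        sport, dport = struct.unpack("!HH", tcp[:4])
        data_off = (tcp[12] >> 4) * 4
        yield (socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]),
               sport, dport, tcp[13], tcp[data_off:])


def find_spam_sources(pcap_bytes, phrase, smtp_port=25):
    """Return (hits, syns): per source IP, SMTP segments containing `phrase`
    (case-insensitive) and new outbound SMTP connections (SYN without ACK)."""
    needle = phrase.lower().encode()
    hits, syns = Counter(), Counter()
    for src, _dst, _sport, dport, flags, payload in iter_tcp(pcap_bytes):
        if dport != smtp_port:
            continue
        if flags & 0x12 == 0x02:
            syns[src] += 1
        if needle and needle in payload.lower():
            hits[src] += 1
    return hits, syns


# Constructed sample: 192.168.1.10 pushes the stock spam straight to an outside
# MX (192.0.2.25, a TEST-NET placeholder); 192.168.1.23 mails the in-house
# server 10.0.0.5 like a normal user and also browses the web.
SAMPLE_PCAP = build_pcap([
    tcp_frame("192.168.1.10", "192.0.2.25", 40001, 25, b"", flags=0x02),
    tcp_frame("192.168.1.10", "192.0.2.25", 40001, 25,
              b"DATA\r\nSubject: Check out these stocks!!\r\n\r\nBUY NOW\r\n.\r\n"),
    tcp_frame("192.168.1.10", "192.0.2.25", 40002, 25, b"", flags=0x02),
    tcp_frame("192.168.1.10", "192.0.2.25", 40002, 25,
              b"Subject: CHECK OUT THESE STOCKS!! Hot tip inside\r\n"),
    tcp_frame("192.168.1.23", "10.0.0.5", 40500, 25, b"", flags=0x02),
    tcp_frame("192.168.1.23", "10.0.0.5", 40500, 25, b"Subject: Q1 strut inventory\r\n"),
    tcp_frame("192.168.1.23", "10.0.0.5", 40600, 80, b"GET / HTTP/1.0\r\n\r\n"),
])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 2 else SAMPLE_PCAP
    phrase = sys.argv[2] if len(sys.argv) > 2 else "check out these stocks"
    hits, syns = find_spam_sources(data, phrase)
    for src, n in syns.most_common():
        print(f"{src:16} smtp connections={n:4}  phrase hits={hits[src]}")
```

Usage: `python3 find_spam_source.py smtp.pcap 'Check out these stocks'`. In an office of 20 or 25 machines the SMTP connection count alone is usually decisive: only the mail server should be opening port 25 to the Internet, so any workstation doing it directly is the suspect, and a filter like `tcpdump 'tcp dst port 25 and not dst host <your mail server>'` will narrow the capture to exactly that. One caveat: if the infected box relays through your own mail server instead of talking to AOL directly, the sniffer will show nothing unusual on the edge; the server's own logs (the client IP on each accepted message) are the place to look in that case.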