[NCSA-discuss] Finding an infected machine
sreher at gmail.com
Wed Feb 22 09:53:19 EST 2006
I would temporarily change the logging on your firewall (i.e. all
outgoing mail) and then look through the logs.
On 2/22/06, Brian Henning <brian at strutmasters.com> wrote:
> Hi Folks,
> I've never really had to deal with this sort of situation before, so
> I'm not sure what the best countermeasure is. The situation is that
> recently I've started getting notifications from AOL that my domain is
> spamming their users. That's bad. I've set up the AOL postmaster
> feedback loop thing (when AOL users complain about messages from our
> domain, I get a copy of the complaint with the offending message), and
> it looks like your typical "Check out these stocks!!" SPAM.
> On our network of probably 20 or 25 machines, I'm not sure how to
> pinpoint which one (or more..) is actually spewing out the offending
> mail. What's the best way to do that? I'm thinking maybe I could set
> up a packet sniffer grepping for a phrase from the message, and see
> which host it comes from...but I haven't the faintest idea how to
> actually do that. Is that even a good idea?
> I've also made a prioritized list of the users I think are most likely
> to infect themselves with such things, but I'd like to avoid
> goose-chases if there's a good automated way to catch the offending
> machine in the act.
> Brian A. Henning
> ncsa-discussion mailing list
> ncsa-discussion at ncsysadmin.org
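The reply's approach, worked through as an added example (not a script from either poster): with the firewall logging outbound TCP/25 connection attempts, tally them per internal source address and flag any host other than the known mail relay that opens SMTP sessions to several distinct destinations. The log lines are constructed in iptables LOG style, and the relay address and threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample firewall log (iptables LOG format); not real traffic.
SAMPLE_LOG = """\
Feb 22 09:40:01 fw kernel: OUT-SMTP IN=eth1 OUT=eth0 SRC=192.168.1.5 DST=205.188.159.57 PROTO=TCP SPT=34521 DPT=25 SYN
Feb 22 09:40:03 fw kernel: OUT-SMTP IN=eth1 OUT=eth0 SRC=192.168.1.77 DST=64.12.138.57 PROTO=TCP SPT=1048 DPT=25 SYN
Feb 22 09:40:03 fw kernel: OUT-SMTP IN=eth1 OUT=eth0 SRC=192.168.1.77 DST=64.12.138.120 PROTO=TCP SPT=1049 DPT=25 SYN
Feb 22 09:40:04 fw kernel: OUT-SMTP IN=eth1 OUT=eth0 SRC=192.168.1.77 DST=205.188.159.7 PROTO=TCP SPT=1050 DPT=25 SYN
Feb 22 09:40:05 fw kernel: OUT-SMTP IN=eth1 OUT=eth0 SRC=192.168.1.77 DST=64.12.137.89 PROTO=TCP SPT=1051 DPT=25 SYN
Feb 22 09:40:06 fw kernel: OUT-WEB IN=eth1 OUT=eth0 SRC=192.168.1.12 DST=64.12.137.89 PROTO=TCP SPT=1052 DPT=80 SYN
Feb 22 09:40:07 fw kernel: OUT-SMTP IN=eth1 OUT=eth0 SRC=192.168.1.5 DST=64.12.138.57 PROTO=TCP SPT=34522 DPT=25 SYN
"""

LINE_RE = re.compile(r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+)")


def smtp_connections(log_text):
    """Return {src_ip: Counter(dst_ip)} for outbound TCP/25 SYNs only."""
    by_src = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("dpt") != "25" or " SYN" not in line:
            continue
        by_src.setdefault(m.group("src"), Counter())[m.group("dst")] += 1
    return by_src


def suspects(log_text, mail_servers, min_distinct_dst=3):
    """Hosts that are not a known mail relay yet open SMTP sessions to
    several distinct destinations. A workstation on a network that relays
    through one mail server should never do this; a spambot does it constantly.
    Returns (src, total_connections, distinct_destinations), busiest first."""
    result = []
    for src, dsts in smtp_connections(log_text).items():
        if src in mail_servers:  # the legitimate relay is expected to talk SMTP
            continue
        if len(dsts) >= min_distinct_dst:
            result.append((src, sum(dsts.values()), len(dsts)))
    return sorted(result, key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    # Assumed relay address for the sample; 192.168.1.77 is the constructed offender.
    for src, total, distinct in suspects(SAMPLE_LOG, {"192.168.1.5"}):
        print(f"{src}: {total} SMTP connections to {distinct} distinct hosts")
```

Once a host is identified, the same tally over a longer window shows whether blocking outbound 25 from everything except the relay (a common mitigation) would have caught it before AOL did.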