A long story, but I'll try to keep it on the short side.
A client of ours with 25 computers contacted us and said that they couldn't send email to anyone at Comcast. We host their email and website, so I looked into it. I created an account on their account and sent mail from it to my Comcast account without any problems. I used the webmail portion of the website, and that worked fine; however, when sending from Outlook/Express it wasn't being received.
So I checked their IP against some RBLs (Real Time Black Lists), which basically in this case told us that they were spamming. Contacting SPAMCOP.net and also cbl.abuseat.org, I found out that they had the Storm Worm, or something like it.
From cbl.abuseat.org:
ATTENTION: This IP is infected with the Storm worm, and emitting spam and/or propagation attempts.
It was detected at 2008-02-14 23:00 GMT (+/- 30 minutes), approximately 2 hours ago.
Headers from Spamcop.net didn't tell me which workstation it was coming from, only their public IP.
Since we host their email, I quickly checked to make sure they were not spamming through us, and they were not. The last thing you want as a webhost / email provider is to end up on a spamming blacklist.
Anyhow, the client is running Symantec Corporate Edition, and all scans come up clean with it. So I decided to tackle it with Spybot, Ad-Aware, HijackThis, and several others. Those found a lot of spyware on the network but didn't eliminate the problem.
cbl.abuseat.org tells you the last time it was detected, which really helps, and checking the next day we could see that it was still happening.
Now it came down to how to find the culprit. It was either:
A: Packet sniffer on the network, capture all traffic and examine.
or
B: Rip out Symantec, install NOD32 Smart Security Edition.
We went with NOD32 and are glad we did. It found a bunch more items that the above programs did not even find, and eliminated the Storm worm.
I was a big fan of NOD32 before, but now it's really solidified it.
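The packet-sniffer route the post lists as option A, as an added example that is not the author's own code: given connection records exported from a capture or the gateway's NAT/firewall log, flag LAN hosts that open outbound SMTP (TCP/25) to many different destinations other than the provider's hosted mail server, which is the fan-out pattern of a bot delivering spam directly. The LAN range, the mail server address and the sample records are constructed assumptions.

```python
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flow records ('timestamp src dst dport'), as one might
# export them from a packet capture or the gateway's NAT/firewall log.
SAMPLE_RECORDS = """\
2008-02-14T22:31:05 192.168.1.10 203.0.113.25 25
2008-02-14T22:31:07 192.168.1.10 203.0.113.26 25
2008-02-14T22:31:09 192.168.1.10 203.0.113.27 25
2008-02-14T22:31:11 192.168.1.10 203.0.113.28 25
2008-02-14T22:31:13 192.168.1.10 203.0.113.29 25
2008-02-14T22:31:15 192.168.1.10 203.0.113.25 25
2008-02-14T22:32:00 192.168.1.22 198.51.100.10 25
2008-02-14T22:33:00 192.168.1.22 198.51.100.10 25
2008-02-14T22:33:30 192.168.1.22 203.0.113.80 443
2008-02-14T22:34:00 192.168.1.31 203.0.113.40 25
"""

LAN = ip_network("192.168.1.0/24")                # the client's office LAN (assumed)
HOSTED_MAIL_SERVER = ip_address("198.51.100.10")  # the provider's mail server (placeholder)


def parse_records(text):
    """Yield (timestamp, src, dst, dport) tuples from whitespace-separated lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        yield ts, ip_address(src), ip_address(dst), int(dport)


def find_direct_smtp_senders(text, min_distinct_dests=3):
    """Return {src: (connections, distinct_destinations)} for LAN hosts that open
    outbound TCP/25 to at least `min_distinct_dests` different hosts other than
    the hosted mail server. Legitimate Outlook clients only ever talk to that
    server; a spam bot delivers straight to many recipient MX hosts, so it fans out."""
    conns = Counter()
    dests = defaultdict(set)
    for _ts, src, dst, dport in parse_records(text):
        if dport != 25 or src not in LAN or dst in LAN or dst == HOSTED_MAIL_SERVER:
            continue
        conns[src] += 1
        dests[src].add(dst)
    return {str(src): (conns[src], len(dests[src]))
            for src in conns if len(dests[src]) >= min_distinct_dests}


if __name__ == "__main__":
    for host, (n, d) in find_direct_smtp_senders(SAMPLE_RECORDS).items():
        print(f"{host}: {n} outbound SMTP connections to {d} distinct hosts")
```

Run against the sample, the only host flagged is 192.168.1.10; the workstation talking to the hosted server and the one-off connection from 192.168.1.31 fall below the threshold.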