Kaseya Community

Detect spambots

  • Hello,

    One of the problems we face as an MSP is when our clients get infected with spyware that uses the host computer as a spam bot.

For the most part we lock our clients' firewalls down so that only the Exchange server is allowed to send traffic on port 25, but in some cases the client pops their email from a host, in which case all machines need access to that port.

    We do not use KES, yet. For the moment, we are primarily a Trend Micro shop, but things have been getting past Trend lately.

    Most of the time, we aren't aware of the problem until the client's domain name gets blacklisted. Identifying the machine on the network can be difficult.

    Is there a way to use network monitoring, or something else in Kaseya that can help locate which machine may be spamming?

    Legacy Forum Name: Detect spambots,
    Legacy Posted By Username: Matt.Conlon
  • All machines need access to that port, but only from the host. In other words, block POP to all. Then create an allow rule that only allows POP to the host's public IP range.

    Legacy Forum Name: How-To,
    Legacy Posted By Username: boudj
  • That's true, that'll keep them from getting blacklisted. Detecting the infected computer is a little more tricky though.

    I have used the network monitoring feature, but I have the same issues with that as I do with the SonicWall logs... It seems that you can view either all data sorted by service, or all machines' total network traffic... you can't seem to get a breakdown of the individual machine's traffic.

    In other words, I can see that 20% of the network's traffic is SMTP, or I can see that workstation1 is 20% of the network's traffic... What I can't see is what percentage of workstation1's traffic is SMTP.

    I know there are ways to find what I'm looking for, I'm just wondering if there's a way to do it using Kaseya instead of digging through firewall logs.

    Legacy Forum Name: How-To,
    Legacy Posted By Username: Matt.Conlon
  • What firewall do you have?

    Legacy Forum Name: How-To,
    Legacy Posted By Username: boudj
  • Depends on the client. A few of them have a basic Linksys router / firewall, but most have SonicWalls, either TZ 170, 180 or 190.

    It's possible I'm mistaken, maybe they've fixed that issue in recent firmware.

    Legacy Forum Name: How-To,
    Legacy Posted By Username: Matt.Conlon
  • Hi

    If you create a rule in the SonicWall to block all outbound SMTP traffic from all IP addresses except the server, any workstation that tries to send SMTP traffic will be logged in the logs.

    hc

    Legacy Forum Name: How-To,
    Legacy Posted By Username: howardc
  • Yep. That's what we usually do; however, in some cases it's not an option. Some of our clients don't have an Exchange server, but POP their mail.

    Like Boudj was saying though, if I deny all SMTP from the LAN to the WAN EXCEPT for the host's IP range (Comcast or Network Solutions, or whoever hosts the mail) then I should be able to get the machines that are having SMTP packets denied.

    I'm aware of a few different ways to do it. The reason I posted it here on the Kaseya forums was to find out if there was perhaps a way to find this information using Kaseya, i.e. not have to remote into a machine or log into a firewall. A monitor set perhaps?

    Legacy Forum Name: How-To,
    Legacy Posted By Username: Matt.Conlon
  • Most of those routers should be able to send syslog data. If you set the routers to send their syslog data to a server with syslogd (or Kiwi on Windows) installed, you can then run those logs through a program like Sawmill that will allow you to view SMTP traffic by IP address.

    Sawmill and Kiwi both have trial versions I think... they're both quite cheap as well. We do this for a few clients that want to have a more in-depth look into what's happening on their network.

    Legacy Forum Name: How-To,
    Legacy Posted By Username: ssugar
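The approach the last two replies converge on (ship the firewall's syslog somewhere and break outbound SMTP down by internal source IP) can be done with a short script once the logs are on a syslog server. The following is an added example, not code from the thread or from Kaseya, Sawmill or SonicWall: the log lines and their key=value field names are constructed for the example and are not any vendor's real schema. It profiles each internal host's TCP/25 attempts and flags hosts whose SMTP was denied (the block-all-but-the-mail-host rule in place) or that contacted more SMTP destinations than a mail client talking to its one mail host would (the POP-only client case with no deny rule).

```python
import re
from collections import defaultdict

# Constructed sample firewall syslog lines (not real SonicWall output; the
# key=value field names are assumptions for this example, not a vendor schema).
SAMPLE_LOG = """\
<134>Mar 10 09:01:02 fw1 msg="Connection Opened" src=192.168.1.5:49152 dst=203.0.113.25:25 proto=tcp action=allow
<134>Mar 10 09:01:03 fw1 msg="Connection Opened" src=192.168.1.20:50211 dst=203.0.113.25:25 proto=tcp action=allow
<134>Mar 10 09:01:04 fw1 msg="Connection Dropped" src=192.168.1.77:51001 dst=198.51.100.9:25 proto=tcp action=deny
<134>Mar 10 09:01:04 fw1 msg="Connection Dropped" src=192.168.1.77:51002 dst=198.51.100.44:25 proto=tcp action=deny
<134>Mar 10 09:01:05 fw1 msg="Connection Dropped" src=192.168.1.77:51003 dst=192.0.2.130:25 proto=tcp action=deny
<134>Mar 10 09:01:06 fw1 msg="Connection Opened" src=192.168.1.77:51004 dst=198.51.100.70:443 proto=tcp action=allow
"""

LINE_RE = re.compile(
    r'src=(?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+\s+'
    r'dst=(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)\s+'
    r'proto=(?P<proto>\w+)\s+action=(?P<action>\w+)'
)

def parse_line(line):
    """Return the connection fields of one log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec

def smtp_profile(log_text):
    """Per internal source IP: outbound TCP/25 attempts, distinct SMTP
    destinations contacted, and how many attempts the firewall denied."""
    profile = defaultdict(lambda: {"attempts": 0, "dsts": set(), "denied": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp" or rec["dport"] != 25:
            continue
        p = profile[rec["src"]]
        p["attempts"] += 1
        p["dsts"].add(rec["dst"])
        if rec["action"] == "deny":
            p["denied"] += 1
    return dict(profile)

def suspects(log_text, max_distinct_dst=1):
    """Hosts with denied SMTP, or SMTP to more destinations than a mail
    client talking to its one mail host would need, most active first."""
    prof = smtp_profile(log_text)
    hits = [ip for ip, p in prof.items()
            if p["denied"] > 0 or len(p["dsts"]) > max_distinct_dst]
    return sorted(hits, key=lambda ip: prof[ip]["attempts"], reverse=True)
```

Pointing `smtp_profile` at a day of collected syslog gives the per-workstation SMTP breakdown the thread was missing from the SonicWall logs; the 192.168.1.77 host in the sample stands out because it tried three different mail hosts and was denied each time.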