- January 15, 2020: Linked to spam trap and honeypot observation method resources.
Spam Propagation findings indicate that a device on your network is sending unsolicited email (spam). Malware that does this is known as a “spambot.” Spam originating from email addresses or devices within a company’s network is an indicator of an infection.
Spam activity is observed using spam traps and honeypots.
How to Track Spambots
If resources are limited (you have no packet analyzer, are time-constrained, or are seeing only a small volume of findings), doing nothing may be the correct risk management decision for your business. Bitsight Security Ratings are intended to help you prioritize cybersecurity risk management activities; if limiting spam propagation is a low priority, the rating can be used to make that decision more data-driven.
The following examples are clear indications of spambot activity:
- Port 25: Search your firewall logs for outbound port 25 (SMTP) connections from machines that are not designated mail servers.
- Known Spambots: Include “spambot” as a keyword, together with the spambot names reported in the finding details, in your search.
- Impossible HELO: See the “Impossible HELO” Findings section below.
- Most machines sit behind a router that performs NAT, so the IP address in the finding is usually your public address rather than the infected host itself. If spambot activity is coming from computers behind a router:
- Firewall: Check your firewall or NAT logs and correlate the timestamp in the spambot finding details with outgoing mail connections.
- Destination Port: Use the destination port (together with the destination IP) reported in the finding as a second key to identify the internal IP address behind the translation.
- Timestamp: If the computers behind the router share it with your mail server, use timestamps to separate the mail server’s legitimate outgoing mail from the spambot’s connections.
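The correlation described above, as an added example that is not Bitsight’s own tooling: a finding record (time, public IP, spam trap address, destination port) is matched against NAT translation log lines by public IP, destination, and a timestamp window, and internal hosts that are not designated mail servers are reported. The finding values, the NAT log format and the addresses (RFC 5737 documentation ranges) are constructed for illustration; adapt the regular expression to your firewall’s log format.

```python
"""Correlate a spambot finding with NAT/firewall translation logs.

Added example, not Bitsight's own code. Finding fields, log lines and
the log format are constructed; adjust LINE_RE for your firewall.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed finding, shaped like the fields a Spam Propagation finding
# reports: observation time, your public (NAT) IP, the spam trap it hit,
# the destination port, and the HELO string used.
FINDING = {
    "timestamp": "2020-01-15T14:32:10Z",
    "source_ip": "203.0.113.10",   # your NAT address (assumed)
    "dest_ip": "198.51.100.25",    # spam trap / honeypot address (assumed)
    "dest_port": 25,
    "helo": "helo 203.0.113.10.local",
}

# Constructed NAT log. Assumed format:
# "<iso time> NAT <internal ip>:<sport> -> <public ip>:<sport> => <dst ip>:<dport>"
NAT_LOG = """\
2020-01-15T14:31:58Z NAT 10.0.5.23:51234 -> 203.0.113.10:51234 => 198.51.100.25:25
2020-01-15T14:32:02Z NAT 10.0.0.5:44321 -> 203.0.113.10:44321 => 192.0.2.80:443
2020-01-15T14:32:09Z NAT 10.0.5.23:51240 -> 203.0.113.10:51240 => 198.51.100.25:25
2020-01-15T14:32:30Z NAT 10.0.0.9:25000 -> 203.0.113.10:25000 => 198.51.100.200:25
2020-01-15T15:10:00Z NAT 10.0.5.23:51300 -> 203.0.113.10:51300 => 198.51.100.25:25
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) NAT (?P<int_ip>[\d.]+):\d+ -> (?P<pub_ip>[\d.]+):\d+ "
    r"=> (?P<dst_ip>[\d.]+):(?P<dport>\d+)$"
)


def parse_ts(s):
    """Parse the ISO-8601 UTC timestamps used by both the finding and the log."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def correlate(finding, nat_log, window_seconds=60):
    """Map internal IP -> list of log timestamps that match the finding.

    A line matches when the public IP equals the finding's source IP, the
    destination IP and port equal the finding's, and the log timestamp is
    within +/- window_seconds of the finding time (some clock skew between
    the observer and your firewall is normal).
    """
    t0 = parse_ts(finding["timestamp"])
    window = timedelta(seconds=window_seconds)
    hits = {}
    for line in nat_log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a NAT translation line
        if m["pub_ip"] != finding["source_ip"]:
            continue
        if m["dst_ip"] != finding["dest_ip"] or int(m["dport"]) != finding["dest_port"]:
            continue
        if abs(parse_ts(m["ts"]) - t0) > window:
            continue
        hits.setdefault(m["int_ip"], []).append(m["ts"])
    return hits


def suspects(finding, nat_log, designated_mail_servers, window_seconds=60):
    """Matching internal hosts that are NOT designated mail servers."""
    return {
        ip: ts
        for ip, ts in correlate(finding, nat_log, window_seconds).items()
        if ip not in designated_mail_servers
    }


if __name__ == "__main__":
    # 10.0.0.9 is the assumed legitimate mail server behind the same NAT.
    for ip, times in suspects(FINDING, NAT_LOG, {"10.0.0.9"}).items():
        print(f"suspect {ip}: {len(times)} port-25 connection(s) to the trap: {times}")
```

Widen `window_seconds` if your firewall and the finding disagree on time by more than a minute, but keep it narrow enough that the legitimate mail server’s own connections do not swamp the result; the `designated_mail_servers` set is what separates the two when both sit behind the same router.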
“Impossible HELO” Findings
These findings can be difficult to locate, since the observed connection did not necessarily result in a delivered message; the evidence is the HELO/EHLO name the sending host announced, which typically cannot be a legitimate hostname for that host.
- If you are running a packet analyzer, search your captures or logs for the reported “helo [impossible domain]” string.
- Ensure that your understanding of the HELO announcements your mail server makes is aligned with RFC 2821 (now obsoleted by RFC 5321, which keeps the same HELO/EHLO requirements).
- Check your HELO configuration for possible errors.
If you are still unsuccessful:
- Malware Detection: Run malware detection on the systems that may be sending traffic through the reported IP address.
- Email Permissions: Check whether any machine on this network is permitted to send email. If you have a packet analyzer or network sensor (such as Snort, Suricata, or NetFlow collection) monitoring port 25 connections behind a Network Address Translation (NAT) device:
- With no mail servers, choose one of the following:
- Block all outbound port 25 connections. If port 25 is later reopened, any undiagnosed infected machines on your network are still present and can resume malicious activity. If the malware also communicates over port 80 or 443, that traffic may be captured by a sinkhole and reported as a Botnet Infection or Potentially Exploited finding, but this correlation is not guaranteed.
- Block port 25 by default and only allow outgoing connections to the mail services your organization is known to use, or is planning to use, for internal/external email communication.
- Leave port 25 open, install a packet analyzer, and watch for HELO announcements or messages from machines that are not designated mail servers, or that match the header information reported in your rating.
- With mail servers: Watch for connections whose header information matches the reported headers.
- Analyzer Search: Search your analyzer logs for the “helo [impossible domain]” string reported in the finding details. If headers are preserved in these logs, look for sources that are not mail servers and have port 25 as the destination port.
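The policy above (only designated mail servers may talk to known relays on port 25) and the “impossible HELO” check, combined in one added example that is not Bitsight’s own code. Each constructed port-25 connection record from a packet analyzer (source IP, destination IP, destination port, announced HELO) is checked against an assumed allowlist of internal mail servers and external relays, and the HELO argument is tested against the RFC 5321 rule that it must be a fully qualified domain name or a bracketed address literal. The addresses, hostnames and record format are constructed for illustration.

```python
"""Audit port-25 connection records for non-mail-server senders,
unknown relay destinations and implausible HELO/EHLO names.

Added example, not Bitsight's own code. Allowlists, record format,
addresses (RFC 5737 ranges) and hostnames are constructed.
"""
import ipaddress
import re

# Assumed: the only internal hosts allowed to originate SMTP.
MAIL_SERVERS = {"10.0.0.9"}
# Assumed: the only external relays those hosts may connect to on port 25.
ALLOWED_RELAYS = {"192.0.2.25"}

# RFC 5321 section 4.1.1.1: the HELO/EHLO argument is the client's FQDN,
# or an address literal in brackets such as [203.0.113.10] or [IPv6:...].
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
FQDN_RE = re.compile(rf"^(?:{LABEL}\.)+{LABEL}$")


def helo_is_plausible(arg):
    """True if the HELO/EHLO argument could be a legitimate identity.

    Treated as impossible: a bare IP address, a single unqualified label
    (e.g. "localhost"), illegal characters, a numeric top-level label, or
    a bracketed literal that is not a valid IP address.
    """
    arg = arg.strip()
    if arg.startswith("[") and arg.endswith("]"):
        literal = arg[1:-1]
        if literal.startswith("IPv6:"):
            literal = literal[5:]
        try:
            ipaddress.ip_address(literal)
            return True
        except ValueError:
            return False
    if len(arg) > 253 or not FQDN_RE.match(arg):
        return False
    # A real TLD is never purely numeric; this rejects bare dotted IPs.
    return not arg.rsplit(".", 1)[-1].isdigit()


# Constructed records: "<src ip> <dst ip> <dst port> <helo argument or ->".
RECORDS = """\
10.0.0.9 192.0.2.25 25 mail.example.com
10.0.5.23 198.51.100.25 25 203.0.113.10
10.0.0.9 198.51.100.40 25 mail.example.com
10.0.7.4 198.51.100.25 25 [203.0.113.10]
10.0.7.4 198.51.100.25 25 localhost
10.0.0.5 192.0.2.80 443 -
"""


def audit(records, mail_servers=MAIL_SERVERS, allowed_relays=ALLOWED_RELAYS):
    """Return (src, dst, helo, reasons) for every port-25 record that
    violates the egress policy or announces an impossible HELO."""
    findings = []
    for line in records.splitlines():
        src, dst, dport, helo = line.split(maxsplit=3)
        if int(dport) != 25:
            continue  # only SMTP submission on port 25 is in scope here
        reasons = []
        if src not in mail_servers:
            reasons.append("non-mail-server source")
        if dst not in allowed_relays:
            reasons.append("destination not an allowed relay")
        if helo != "-" and not helo_is_plausible(helo):
            reasons.append("impossible HELO")
        if reasons:
            findings.append((src, dst, helo, reasons))
    return findings


if __name__ == "__main__":
    for src, dst, helo, reasons in audit(RECORDS):
        print(f"{src} -> {dst}:25 HELO {helo!r}: {', '.join(reasons)}")
```

A record from a designated mail server to an unknown relay is still reported, because under the “allow only known mail services” option every other port-25 destination is a policy violation. A HELO the checker calls impossible is the string to search for in your analyzer logs when matching a finding.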
Forensics is available as an add-on package.
Refer to Spam Propagation finding details to find spambots.