Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe

Detecting SPAM From Inside your Network

We all receive and are annoyed by the amount of "SPAM" email in our in-box. One way to fight SPAM is to monitor large networks for evidence of compromised hosts that are being used to email out unwanted content. This blog entry shows how passive network analysis and log analysis can be used to look for specific types of events that can indicate SPAM originating from inside your network.

Watch for Changes in the number of Email "Clients"

The Passive Vulnerability Scanner (PVS) detects which hosts connect on port 25 (SMTP) and which hosts have email servers on port 25. Using the Security Center and the PVS, any organization can quickly obtain a list of all systems which connect to port 25 on the Internet and use email clients. By tracking the total number of email clients in use on a network, an organization can observe when there are large changes in this population.

For example, in the screen shot below, we've asked the Security Center to graph the number of unique hosts that communicate on port 25 (SMTP) over the past 90 days.

Smtpclients1

This graph shows that there have been many more SMTP clients in operation in the last month than has previously been in effect. This could be a zombie botnet making more SMTP connections than before. This could also mean that more users are sending email from more locations. This may also correspond to changes in DHCP lease policies where the same user population is making use of more IP addresses than before. The point is to look for a change, and then perform the investigation to see what has caused it.

Asset Based Behavior Analysis

Another method to search for internal SPAM sources is to look for systems sending email that shouldn't be sending email. For example, your web server most likely isn't your email system and it probably doesn't even have an email client installed on it.

Combining the Security Center's ability to classify network nodes into one or more "asset" groups and the PVS's ability to report which hosts have email clients on them can provide a list of which assets have email clients. Consider this example chart produced by the Security Center below:

Smtpchart

In this list, it is understandable that there are no email clients on the "DNS Servers" or that there is one email client in the "POP Servers" list of assets. However, many of the other asset groups such as "FTP Servers", "SSH Servers" and "HTTP Servers" have multiple detected email clients.  Being able to drill into these asset lists and see which specific hosts are sending email can identify if a server has been compromised and is part of a botnet. It can also be used to see if a "server" resource is being used as a desktop system which may also violate corporate policy.

Log Correlation Engine Analysis

If the Log Correlation Engine is in use and receiving netflow, network sessions or firewall logs, performing some analysis on port 25 traffic can also be very enlightening. For example, in a corporate environment where all outbound email is authenticated and goes through a well known email server, listing outbound "Firewall Deny" events for port 25 can identify host trying to connect directly to the Internet. These may just be normal users trying to send mail to a non-corporate mail account, but this can also be an indicator of SPAM.

Below is an example screen shot of all port 25 traffic over the past 7 days at a large enterprise network:

Smtpconnections1

Notice the dramatic increase in email connections observed towards the right side of the graph.

The LCE also has the ability to use Black Lists of IP addresses that are well known SPAM providers. The current blacklist.tasl script uses a publicly available list of well known SPAMing sites for correlated activity.

Detecting "The Bat!"

The PVS also has rules to detect the specific email clients in use by each end node. It performs this analysis to discover if there are any vulnerabilities associated with the email client in use. One of the email clients we look for is a client known as "The Bat!" which can be used for mass mailing.

Below is a screen shot of a listing of all client side email vulnerabilities discovered on a medium sized network, including two detects of "The Bat!" email client:

Smtpbat

To analyze this further, choosing this vulnerability and then performing an asset summary could tell us which organizations or resources (such as one of our HTTP servers as compared to an office laptop) were using this potentially unwanted email client.

SOCKS4 and SOCKS5 Proxies

There have been several cases of malware which seeks out local SOCKS4 or SOCKS5 proxies in order to connect to the network. Both Nessus and the Passive Vulnerability Scanner can be used to detect these types of proxies. The PVS passively identifies SOCKS4 and SOCKS5 proxies and can look inside these protocols to see if there are any botnet command and control messages being passed.

For More Information

If you would like to learn more about the capabilities of the Passive Vulnerability Scanner, Log Correlation Engine and Security Center, consider watching one of the many demonstration videos available at the Tenable Network Security web site.

Related Articles

Cybersecurity News You Can Use

Enter your email and never miss timely alerts and security guidance from the experts at Tenable.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Try Tenable Web App Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.

Buy Tenable Web App Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try Tenable Lumin

Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.

Buy Tenable Lumin

Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

Try Tenable Nessus Professional Free

FREE FOR 7 DAYS

Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

NEW - Tenable Nessus Expert
Now Available

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.

Fill out the form below to continue with a Nessus Pro Trial.

Buy Tenable Nessus Professional

Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select Your License

Buy a multi-year license and save.

Add Support and Training

Try Tenable Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Tenable Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Tenable Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Select Your License

Buy a multi-year license and save more.

Add Support and Training