
Detecting SPAM From Inside your Network

We all receive and are annoyed by the amount of "SPAM" email in our in-box. One way to fight SPAM is to monitor large networks for evidence of compromised hosts that are being used to email out unwanted content. This blog entry shows how passive network analysis and log analysis can be used to look for specific types of events that can indicate SPAM originating from inside your network.

Watch for Changes in the number of Email "Clients"

The Passive Vulnerability Scanner (PVS) detects which hosts connect to port 25 (SMTP) and which hosts run email servers on port 25. Using the Security Center and the PVS, any organization can quickly obtain a list of all systems that connect to port 25 on the Internet, that is, all systems acting as email clients. By tracking the total number of email clients in use on a network, an organization can observe when there are large changes in this population.

For example, in the screen shot below, we've asked the Security Center to graph the number of unique hosts that communicate on port 25 (SMTP) over the past 90 days.

[Screenshot: Smtpclients1, unique SMTP clients over the past 90 days]

This graph shows that many more SMTP clients have been active in the last month than previously. This could be a botnet of zombie hosts making more SMTP connections than before. It could also mean that more users are sending email from more locations, or it may correspond to a change in DHCP lease policy where the same user population is making use of more IP addresses than before. The point is to look for the change, and then investigate to see what has caused it.

Asset Based Behavior Analysis

Another method to search for internal SPAM sources is to look for systems sending email that shouldn't be sending email. For example, your web server most likely isn't your email system and it probably doesn't even have an email client installed on it.

Combining the Security Center's ability to classify network nodes into one or more "asset" groups and the PVS's ability to report which hosts have email clients on them can provide a list of which assets have email clients. Consider this example chart produced by the Security Center below:

[Screenshot: Smtpchart, detected email clients per asset group]

In this list, it is understandable that there are no email clients on the "DNS Servers" or that there is one email client in the "POP Servers" list of assets. However, many of the other asset groups, such as "FTP Servers", "SSH Servers" and "HTTP Servers", have multiple detected email clients. Being able to drill into these asset lists and see which specific hosts are sending email can identify whether a server has been compromised and is part of a botnet. It can also be used to see if a "server" resource is being used as a desktop system, which may also violate corporate policy.

Log Correlation Engine Analysis

If the Log Correlation Engine is in use and receiving netflow, network sessions or firewall logs, performing some analysis on port 25 traffic can also be very enlightening. For example, in a corporate environment where all outbound email is authenticated and goes through a well-known email server, listing outbound "Firewall Deny" events for port 25 can identify hosts trying to connect directly to the Internet. These may just be normal users trying to send mail to a non-corporate mail account, but this can also be an indicator of SPAM.

Below is an example screen shot of all port 25 traffic over the past 7 days at a large enterprise network:

[Screenshot: Smtpconnections1, all port 25 traffic over the past 7 days]

Notice the dramatic increase in email connections observed towards the right side of the graph.
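As an added example that is not part of the original post or of Tenable's products, the Python below applies the two checks described above (the change in the number of SMTP clients, and hosts outside the approved mail path that attempt direct outbound SMTP, grouped by asset class) to constructed firewall-style log lines. The log format, the relay address 10.1.1.5, the 10.0.0.0/8 internal range and the asset groups are all assumptions.

```python
import re
from collections import defaultdict

# Constructed firewall-style log lines (not from the original post); 10.0.0.0/8 is the assumed internal space.
LOG_LINES = """\
2008-05-01 ALLOW 10.1.1.5 203.0.113.25 25
2008-05-01 ALLOW 10.1.2.10 10.1.1.5 25
2008-05-01 DENY 10.1.3.7 198.51.100.9 25
2008-05-02 ALLOW 10.1.1.5 203.0.113.25 25
2008-05-02 DENY 10.1.3.7 198.51.100.9 25
2008-05-02 DENY 10.1.4.20 192.0.2.14 25
2008-05-02 DENY 10.1.4.21 192.0.2.14 25
2008-05-02 DENY 10.1.4.22 192.0.2.15 25
""".splitlines()
MAIL_RELAY = "10.1.1.5"  # assumed: the only host meant to send mail to the Internet
ASSET_GROUPS = {         # assumed asset classification, as Security Center would hold it
    "Mail Servers": {"10.1.1.5"}, "HTTP Servers": {"10.1.4.20", "10.1.4.21"},
    "DNS Servers": {"10.1.3.7"}}
LINE_RE = re.compile(r"^(\S+) (ALLOW|DENY) (\S+) (\S+) (\d+)$")

def is_internal(ip):
    return ip.startswith("10.")

def smtp_clients_per_day(lines):
    """Unique internal hosts that tried to reach an external host on port 25, per day."""
    per_day = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            day, _action, src, dst, dport = m.groups()
            if dport == "25" and is_internal(src) and not is_internal(dst):
                per_day[day].add(src)
    return dict(per_day)

def spike_days(per_day, factor=2.0):
    """Days whose unique SMTP client count exceeds factor x the mean of earlier days."""
    flagged, history = [], []
    for day in sorted(per_day):
        count = len(per_day[day])
        if history and count > factor * sum(history) / len(history):
            flagged.append(day)
        history.append(count)
    return flagged

def unexpected_senders(lines):
    """Internal hosts other than the relay sending outbound SMTP, with their asset group."""
    hosts = set().union(*smtp_clients_per_day(lines).values()) - {MAIL_RELAY}
    group_of = {ip: grp for grp, ips in ASSET_GROUPS.items() for ip in ips}
    return {ip: group_of.get(ip, "unclassified") for ip in sorted(hosts)}
```

On the sample data the second day is flagged as a spike, and the DNS and HTTP servers show up as unexpected SMTP sources, which is exactly the kind of host worth investigating first.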

The LCE also has the ability to use blacklists of IP addresses that are well-known SPAM sources. The current blacklist.tasl script uses a publicly available list of well-known spamming sites to correlate activity against.

Detecting "The Bat!"

The PVS also has rules to detect the specific email clients in use by each end node. It performs this analysis to discover if there are any vulnerabilities associated with the email client in use. One of the email clients we look for is a client known as "The Bat!" which can be used for mass mailing.

Below is a screen shot of a listing of all client side email vulnerabilities discovered on a medium sized network, including two detects of "The Bat!" email client:

[Screenshot: Smtpbat, client-side email vulnerabilities including two "The Bat!" detections]

To analyze this further, choosing this vulnerability and then performing an asset summary could tell us which organizations or resources (such as one of our HTTP servers as compared to an office laptop) were using this potentially unwanted email client.

SOCKS4 and SOCKS5 Proxies

There have been several cases of malware which seeks out local SOCKS4 or SOCKS5 proxies in order to connect to the network. Both Nessus and the Passive Vulnerability Scanner can be used to detect these types of proxies. The PVS passively identifies SOCKS4 and SOCKS5 proxies and can look inside these protocols to see if there are any botnet command and control messages being passed.

For More Information

If you would like to learn more about the capabilities of the Passive Vulnerability Scanner, Log Correlation Engine and Security Center, consider watching one of the many demonstration videos available at the Tenable Network Security web site.
