We all receive, and are annoyed by, the volume of "SPAM" email in our inboxes. One way to fight SPAM is to monitor large networks for evidence of compromised hosts that are being used to send out unwanted email. This blog entry shows how passive network analysis and log analysis can be used to look for specific types of events that indicate SPAM originating from inside your network.
Watch for Changes in the Number of Email "Clients"
The Passive Vulnerability Scanner (PVS) detects which hosts connect on port 25 (SMTP) and which hosts have email servers on port 25. Using the Security Center and the PVS, any organization can quickly obtain a list of all systems which connect to port 25 on the Internet and use email clients. By tracking the total number of email clients in use on a network, an organization can observe when there are large changes in this population.
For example, in the screen shot below, we've asked the Security Center to graph the number of unique hosts that communicate on port 25 (SMTP) over the past 90 days.
This graph shows that many more SMTP clients have been in operation in the last month than previously. This could be a zombie botnet making more SMTP connections than before. It could also mean that more users are sending email from more locations. It may also correspond to changes in DHCP lease policies, where the same user population is making use of more IP addresses than before. The point is to look for a change and then investigate what caused it.
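The population check described above, as an added example that is not part of the original post: it counts distinct hosts initiating port 25 connections per day from constructed netflow-style records and flags any day whose count exceeds a multiple of the median of earlier days (the record format, the factor of 2 and the three-day warm-up are assumptions).

```python
from collections import defaultdict
from statistics import median

# Constructed flow records (day, source IP, destination port); not real traffic.
# Days 1-6 show a stable population of three SMTP clients; day 7 jumps to twelve.
FLOWS = []
for day in range(1, 7):
    for host in ("10.1.1.5", "10.1.1.9", "10.1.2.40"):
        FLOWS.append((f"2007-05-0{day}", host, 25))
    FLOWS.append((f"2007-05-0{day}", "10.1.3.7", 80))  # unrelated web traffic
for i in range(12):
    FLOWS.append(("2007-05-07", f"10.1.9.{100 + i}", 25))


def daily_smtp_clients(flows):
    """Map each day to the set of distinct hosts that initiated a port 25 connection."""
    clients = defaultdict(set)
    for day, src, dport in flows:
        if dport == 25:
            clients[day].add(src)
    return dict(clients)


def flag_population_jumps(flows, factor=2.0, min_history=3):
    """Return (day, count, baseline) for each day whose SMTP client count exceeds
    `factor` times the median of all earlier days. Both parameters are assumed
    tuning values; real networks need a baseline that covers weekly cycles."""
    per_day = daily_smtp_clients(flows)
    history, alerts = [], []
    for day in sorted(per_day):
        count = len(per_day[day])
        if len(history) >= min_history:
            baseline = median(history)
            if count > factor * baseline:
                alerts.append((day, count, baseline))
        history.append(count)
    return alerts


if __name__ == "__main__":
    for day, count, baseline in flag_population_jumps(FLOWS):
        print(f"{day}: {count} SMTP clients vs. baseline {baseline}")
```

An alert is only a prompt to investigate; as the post notes, a DHCP policy change can produce the same jump as a botnet.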
Asset Based Behavior Analysis
Another method to search for internal SPAM sources is to look for systems sending email that shouldn't be sending email. For example, your web server most likely isn't your email system and it probably doesn't even have an email client installed on it.
Combining the Security Center's ability to classify network nodes into one or more "asset" groups and the PVS's ability to report which hosts have email clients on them can provide a list of which assets have email clients. Consider this example chart produced by the Security Center below:
In this list, it is understandable that there are no email clients on the "DNS Servers" or that there is one email client in the "POP Servers" list of assets. However, many of the other asset groups, such as "FTP Servers", "SSH Servers" and "HTTP Servers", have multiple detected email clients. Being able to drill into these asset lists and see which specific hosts are sending email can reveal whether a server has been compromised and is part of a botnet. It can also show whether a "server" resource is being used as a desktop system, which may also violate corporate policy.
Log Correlation Engine Analysis
If the Log Correlation Engine is in use and receiving netflow, network sessions or firewall logs, performing some analysis on port 25 traffic can also be very enlightening. For example, in a corporate environment where all outbound email is authenticated and goes through a well-known email server, listing outbound "Firewall Deny" events for port 25 can identify hosts trying to connect directly to the Internet. These may just be normal users trying to send mail to a non-corporate mail account, but this can also be an indicator of SPAM.
Below is an example screen shot of all port 25 traffic over the past 7 days at a large enterprise network:
Notice the dramatic increase in email connections observed towards the right side of the graph.
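The asset-based check and the firewall-deny check from the two sections above, as one added example that is not part of the original post: constructed firewall log lines are parsed, port 25 initiators are grouped by a constructed asset map, and outbound port 25 denies from anything other than the sanctioned relay are counted (log format, asset names and addresses are all assumptions).

```python
import re
from collections import defaultdict

# Constructed firewall log lines (not from any real device); the format is an assumption.
FIREWALL_LOG = """\
May 07 10:02:11 fw1 ACCEPT src=10.1.1.5 dst=10.1.1.25 dport=25
May 07 10:02:13 fw1 DENY src=10.1.4.12 dst=203.0.113.10 dport=25
May 07 10:02:15 fw1 DENY src=10.1.4.12 dst=203.0.113.11 dport=25
May 07 10:02:20 fw1 ACCEPT src=10.1.5.30 dst=198.51.100.8 dport=25
May 07 10:02:22 fw1 ACCEPT src=10.1.1.25 dst=198.51.100.8 dport=25
May 07 10:02:30 fw1 DENY src=10.1.2.7 dst=203.0.113.12 dport=25
May 07 10:02:31 fw1 ACCEPT src=10.1.2.7 dst=10.1.1.25 dport=443
"""
# Constructed asset groups in the spirit of the Security Center lists above.
ASSET_GROUPS = {
    "Mail Relay": {"10.1.1.25"},
    "HTTP Servers": {"10.1.5.30"},
    "DNS Servers": {"10.1.6.2"},
    "Desktops": {"10.1.1.5", "10.1.4.12", "10.1.2.7"},
}
# Only the relay is expected to talk SMTP to the Internet (policy assumption).
ALLOWED_SMTP_SENDERS = ASSET_GROUPS["Mail Relay"]
LINE_RE = re.compile(r"(?P<action>ACCEPT|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def parse_log(text):
    """Yield (action, src, dst, dport) for each line that matches the assumed format."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["action"], m["src"], m["dst"], int(m["dport"])


def smtp_clients_by_asset(log):
    """Per asset group, the sorted distinct hosts that initiated port 25 connections."""
    groups = defaultdict(set)
    for _, src, _, dport in parse_log(log):
        if dport != 25:
            continue
        for name, hosts in ASSET_GROUPS.items():
            if src in hosts:
                groups[name].add(src)
    return {name: sorted(hosts) for name, hosts in groups.items()}


def direct_smtp_denies(log):
    """Count outbound port 25 DENY events per source that is not the sanctioned relay."""
    counts = defaultdict(int)
    for action, src, _, dport in parse_log(log):
        if action == "DENY" and dport == 25 and src not in ALLOWED_SMTP_SENDERS:
            counts[src] += 1
    return dict(counts)
```

A web server appearing under "HTTP Servers" here, or a desktop with repeated port 25 denies, is the kind of host the post suggests drilling into.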
The LCE also has the ability to use blacklists of IP addresses that are well-known SPAM providers. The current blacklist.tasl script uses a publicly available list of well-known spamming sites to correlate activity.
Detecting "The Bat!"
The PVS also has rules to detect the specific email client in use by each end node. It performs this analysis to discover whether there are any vulnerabilities associated with the email client in use. One of the email clients we look for is a client known as "The Bat!", which can be used for mass mailing.
Below is a screen shot of a listing of all client side email vulnerabilities discovered on a medium sized network, including two detects of "The Bat!" email client:
To analyze this further, choosing this vulnerability and then performing an asset summary could tell us which organizations or resources (such as one of our HTTP servers as compared to an office laptop) were using this potentially unwanted email client.
SOCKS4 and SOCKS5 Proxies
There have been several cases of malware which seeks out local SOCKS4 or SOCKS5 proxies in order to connect to the network. Both Nessus and the Passive Vulnerability Scanner can be used to detect these types of proxies. The PVS passively identifies SOCKS4 and SOCKS5 proxies and can look inside these protocols to see if there are any botnet command and control messages being passed.
For More Information
If you would like to learn more about the capabilities of the Passive Vulnerability Scanner, Log Correlation Engine and Security Center, consider watching one of the many demonstration videos available at the Tenable Network Security web site.