Spamming from behind my firewall.

I am a small ISP using Canopy. I have a problem with a user that I can’t track down. They apparently have a virus on their PC that is spewing spam. It is causing my IP address to be blacklisted. I am relatively new to all of this. Can someone recommend a tool that would be effective in identifying the source of the spam? Hopefully one that won’t break me. Thanks in advance for your help.

EDIT: I’m assuming you SNAT your customer network to your mail server IP? Let me know if this is true. Unless they are blocking your network such as a /27 or /24 etc. One thing to check if you AREN’T SNATing your customer network to the same IP as your mail server is the X-Originating-IP in the headers of email messages that are being reported as spam. If you’re not SNATing to a single address and giving customers dynamic/static public IPs, then that should be of help… even if it’s dynamic, you could traverse some logs and determine the time frame and trace back to the customer.

What type of firewall do you have? Is this a Linux server based firewall?

Are your customers assigned a static public IP, dynamic public IP, dynamic private IP, or static private IP then SNATed?

I’d recommend tcpdump, looking for outbound SMTP not leaving your network via your mail server address.

tcpdump -n -i ethX src net <customer-network> and dst port 25 and ! dst host <mail-server-IP>

Where ethX is the interface out of your network
Where <customer-network> is your customer network
Where <mail-server-IP> is your mail server IP

If you’re SNATing from each POP, you can at least narrow it down to that particular POP.

Another option would be to log packets from the customer network destined for SMTP not your mail server via iptables.

Another option: Drop outbound SMTP from customer network not destined for your mail server.

An immediate solution would be to drop the outbound SMTP until you determine where the spam/zombie computers are coming from. This allows you to have some time to work on the problem without causing problems in the meantime with Spamhaus/SpamCop etc, etc.

Just a few ideas for you I suppose.
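As an added example (not code from anyone in this thread), here is a shell script that implements the "log it via iptables, then drop it" options from the reply above on a Linux firewall, together with a small parser that turns the resulting kernel log lines into a per-customer count. The customer network, mail relay address, interface name and the sample log lines are constructed assumptions; the script only prints the iptables commands unless you set IPT=iptables.

```shell
#!/bin/sh
# Added example, not from any poster in this thread: log-and-drop policy for
# outbound SMTP from a customer network on a Linux/iptables firewall, plus a
# parser for the log lines it produces. CUSTOMER_NET, MAIL_SERVER and WAN_IF
# are assumed values; IPT defaults to a dry run that prints the commands.

CUSTOMER_NET="${CUSTOMER_NET:-10.20.0.0/16}"   # assumed customer address space
MAIL_SERVER="${MAIL_SERVER:-203.0.113.25}"     # assumed ISP mail relay
WAN_IF="${WAN_IF:-eth1}"                       # assumed upstream interface
IPT="${IPT:-echo iptables}"                    # set IPT=iptables to apply

# FORWARD-chain policy: customers may talk SMTP to the ISP relay; every other
# outbound port-25 connection is logged (rate limited) and dropped. FORWARD
# runs before SNAT, so SRC= in the log is the customer's real address even
# when the whole customer block is SNATed to one public IP.
install_smtp_policy() {
    $IPT -N SMTP_OUT 2>/dev/null
    $IPT -F SMTP_OUT
    $IPT -A SMTP_OUT -d "$MAIL_SERVER" -j ACCEPT
    $IPT -A SMTP_OUT -m conntrack --ctstate NEW -m limit --limit 10/min \
        -j LOG --log-prefix "SMTP-DIRECT: "
    $IPT -A SMTP_OUT -j DROP
    $IPT -A FORWARD -s "$CUSTOMER_NET" -o "$WAN_IF" -p tcp --dport 25 -j SMTP_OUT
}

# Reads kernel log lines on stdin, prints "count source-ip", busiest first.
count_smtp_sources() {
    grep 'SMTP-DIRECT:' \
        | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# Constructed sample of what the kernel log would contain (not real data).
SAMPLE_LOG='Apr  2 13:01:07 gw kernel: SMTP-DIRECT: IN=eth0 OUT=eth1 SRC=10.20.7.44 DST=198.51.100.9 PROTO=TCP SPT=51234 DPT=25 SYN
Apr  2 13:01:09 gw kernel: SMTP-DIRECT: IN=eth0 OUT=eth1 SRC=10.20.7.44 DST=198.51.100.77 PROTO=TCP SPT=51240 DPT=25 SYN
Apr  2 13:02:30 gw kernel: SMTP-DIRECT: IN=eth0 OUT=eth1 SRC=10.20.3.9 DST=192.0.2.15 PROTO=TCP SPT=40021 DPT=25 SYN
Apr  2 13:02:58 gw kernel: SMTP-DIRECT: IN=eth0 OUT=eth1 SRC=10.20.7.44 DST=192.0.2.15 PROTO=TCP SPT=51244 DPT=25 SYN
Apr  2 13:03:00 gw kernel: OTHER-RULE: IN=eth0 OUT=eth1 SRC=10.20.9.2 DST=198.51.100.9 PROTO=TCP SPT=44001 DPT=80 SYN'

# Usage: sh smtp_policy.sh                    -> print (or apply) the rules
#        sh smtp_policy.sh parse < /var/log/kern.log
#        sh smtp_policy.sh demo               -> parse the constructed sample
if [ "${1:-}" = "parse" ]; then
    count_smtp_sources
elif [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | count_smtp_sources
else
    install_smtp_policy
fi
```

The rate limit keeps a badly infected machine from flooding the log, and because the LOG rule sits before the DROP rule the firewall keeps blocking while you read the counts; the busiest SRC= address in the output is the customer to call.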

Here’s how I handle this problem.

1. The NAT firewall is running OpenBSD 4.2 + OpenBSD PF (packet filter / NAT).

2. The NAT firewall also has ‘pfflowd’ installed.

3. Every time a “state” is created (new NAT entry, for instance) then pfflowd sends the information to a collector.

4. We have another machine (the collector) configured with ‘flowd’ to collect flow information. (The same guy writes pfflowd and flowd by the way)

5. We set up newsyslog.conf on the collector to rotate the flowd log and HUP flowd.

6. When we get spam complaints, we just use the flowd-reader tool on the flowd files, pipe the output to grep and see which internal IP address was the culprit.

7. If your customers use DHCP internally, then you also need to keep snapshots (every 20 minutes or whatever your ARP timeout is set to) of ALL ARP tables from your router ethernet interfaces, ALL bridge tables on your APs, and ALL subscriber session tables.

With #7, you can track down any user by MAC address at any point in time to correspond with your flowd logs.
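An added example, not the poster's own tooling, of steps 6 and 7 above: given flow records (as you would get from flowd-reader) and periodic ARP snapshots, list the internal hosts that opened port-25 flows to anything other than the ISP relay within a complaint's time window, then map each one to the MAC address it held at that moment. The flow-record and snapshot layouts, the relay address and all sample data are constructed for this example; adapt the awk field positions to your real flowd-reader output.

```shell
#!/bin/sh
# Added example, not from the thread. Correlates flow records with ARP
# snapshots to turn a spam-complaint time window into a MAC address.
# Record layouts below are constructed/simplified assumptions:
#   flow record:  "recv_time src_ip:port dst_ip:port"
#   ARP snapshot: "snapshot_time ip mac"  (one snapshot every 20 minutes)
# Timestamps are ISO 8601, so plain string comparison orders them correctly.

MAIL_SERVER="${MAIL_SERVER:-203.0.113.25}"   # assumed ISP mail relay

# Constructed flow records (what "flowd-reader flowd.log | awk ..." might give).
FLOWS='2008-04-02T13:01:07 10.20.7.44:51234 198.51.100.9:25
2008-04-02T13:01:09 10.20.3.9:40021 203.0.113.25:25
2008-04-02T13:02:30 10.20.7.44:51240 198.51.100.77:25
2008-04-02T13:02:58 10.20.7.44:51244 192.0.2.15:25
2008-04-02T13:15:00 10.20.9.2:44001 198.51.100.9:80
2008-04-02T14:10:00 10.20.5.5:50000 192.0.2.15:25'

# Constructed ARP snapshots; note 10.20.7.44 changes MAC after 14:00 (DHCP).
ARP_SNAPSHOTS='2008-04-02T13:00:00 10.20.7.44 00:11:22:33:44:55
2008-04-02T13:00:00 10.20.3.9 00:aa:bb:cc:dd:ee
2008-04-02T13:20:00 10.20.7.44 00:11:22:33:44:55
2008-04-02T14:00:00 10.20.5.5 00:de:ad:be:ef:01
2008-04-02T14:00:00 10.20.7.44 00:99:88:77:66:55'

# smtp_sources START END
# Prints "count internal-ip" for every internal host that sent port-25 flows
# to something other than the relay between START and END, busiest first.
smtp_sources() {
    printf '%s\n' "$FLOWS" | awk -v s="$1" -v e="$2" -v relay="$MAIL_SERVER" '
        $1 >= s && $1 <= e {
            split($2, src, ":"); split($3, dst, ":")
            if (dst[2] == "25" && dst[1] != relay) count[src[1]]++
        }
        END { for (ip in count) print count[ip], ip }' | sort -rn
}

# mac_at IP TIME
# MAC from the most recent snapshot taken at or before TIME (empty if none).
mac_at() {
    printf '%s\n' "$ARP_SNAPSHOTS" | awk -v ip="$1" -v t="$2" '
        $2 == ip && $1 <= t { mac = $3 }
        END { print mac }'
}

# report START END: "count ip mac" per offending host, MAC as of START.
report() {
    smtp_sources "$1" "$2" | while read -r n ip; do
        printf '%s %s %s\n' "$n" "$ip" "$(mac_at "$ip" "$1")"
    done
}

# Usage: sh flow_trace.sh 2008-04-02T13:00:00 2008-04-02T13:30:00
if [ $# -eq 2 ]; then
    report "$1" "$2"
fi
```

Using the snapshot at or before the window start matters with DHCP: in the sample, the same internal address belongs to a different MAC an hour later, so looking at the current ARP table instead of the historical snapshot would point at the wrong subscriber.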