Capturing mail from a specific sending IP?
From: Allen (postfix rfnj.org)
Date: Sun Dec 24 2006 - 22:40:44 CST
Hello postfix users, hope you're having a better holiday weekend than I
am, but if you're in front of your PC rather than celebrating perhaps
you can help me out.
I think I've captured a new virus/trojan/something in the wild here, I
have a machine making dozens of connections to various IPs out there
trying to send mail to and from seemingly random IP addresses on a
Windows machine that should not be doing anything of the sort.
Norton, McAfee, AVG and Trend Micro all come up clean for viruses and
other threats, as do Spybot Search & Destroy and AdAware.
I haven't yet nailed down what process is initiating the SMTP
connections, but I have firewalled it off, and am set up to NAT all
outgoing traffic on port 25 to a postfix machine I have available.
What I want to do while I'm dealing with the machine itself, is have
postfix sort-of act like an open relay for the infected host; but
rather than sending the mail on to wherever it is intended to go, I
want to forward it all to a local address of my choosing. I'm curious
to see what the machine is trying to mail, be it spam, keylogs,
sensitive files, or who knows what.
Any help on getting postfix to thus "capture" all mail from a specific
client IP would be very much appreciated.
Also on the off chance that anyone can recommend a really great program
for logging what programs are creating sockets to where on a Windows
machine would be a big help as well in tracking this thing down. If I
have to I'll just nuke the box and forget about all this, and I'll
probably end up doing that anyway, but I'd like to capture as much of
it as I can to submit on to the AV vendors so they can come up with a
signature for it.
Thanks, and happy holidays.
-Allen
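One way to do the capture Allen asks for, as an added example that is not part of the original post and not from the Postfix project itself: an access(5) table entry with the REDIRECT action delivers every message the suspect client submits to one local mailbox instead of its intended recipients, and listing the client in mynetworks lets Postfix accept the relay attempts in the first place. The client IP 192.0.2.10, the mailbox quarantine@localhost, the table name capture_client and the function names are constructed for this example; the REDIRECT and HOLD actions and the postmap/postconf commands are real Postfix features (REDIRECT needs Postfix 2.1 or later).

```shell
#!/bin/sh
# Added example: quarantine all mail that Postfix receives from one suspect
# client IP by redirecting it to a local mailbox for analysis.
# Constructed placeholders: 192.0.2.10 (suspect host), quarantine@localhost.

# Write the access table: "<client-ip> REDIRECT <mailbox>".
# $1 = Postfix config directory, $2 = client IP, $3 = capture mailbox.
write_capture_table() {
    dir=$1; client_ip=$2; capture_addr=$3
    printf '%s REDIRECT %s\n' "$client_ip" "$capture_addr" > "$dir/capture_client"
}

# Emit the main.cf settings: trust the suspect host for relaying (so its
# RCPT TO commands are accepted) and consult the capture table for every
# client before anything else happens.
# $1 = client IP, $2 = Postfix config directory.
capture_main_cf() {
    client_ip=$1; dir=$2
    cat <<EOF
mynetworks = 127.0.0.0/8, ${client_ip}/32
smtpd_client_restrictions = check_client_access hash:${dir}/capture_client
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
EOF
}

# Install the table and settings on a live system (needs root), then reload.
# Usage: apply_mail_capture 192.0.2.10 quarantine@localhost [/etc/postfix]
apply_mail_capture() {
    client_ip=$1; capture_addr=$2; dir=${3:-/etc/postfix}
    write_capture_table "$dir" "$client_ip" "$capture_addr"
    postmap "hash:$dir/capture_client"          # build capture_client.db
    capture_main_cf "$client_ip" "$dir" | while IFS= read -r setting; do
        postconf -e "$setting"                  # one "key = value" per line
    done
    postfix reload
}
```

Postfix keeps the original envelope recipient in its log line for each redirected message (`to=<quarantine@localhost>, orig_to=<...>`), so mail.log still shows where the host was trying to send. If the intended recipients and full envelope matter more than a convenient mailbox, swap REDIRECT for HOLD in the table: the messages then sit untouched in the hold queue, where `postcat -q <queue-id>` shows each one and `postsuper -d` deletes them when the analysis is done.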