Re: Capturing mail from a specific sending IP?
From: Allen (postfix at rfnj.org)
Date: Mon Dec 25 2006 - 01:38:13 CST
Quoting Rene van Hoek <rene at active8.nl>:
> Rene van Hoek wrote:
>> Allen wrote:
>
>>>
>>> What I want to do while I'm dealing with the machine itself, is
>>> have postfix sort-of act like an open relay for the infected host;
>>> but rather than sending the mail on to wherever it is intended to
>>> go, I want to forward it all to a local address of my choosing.
>>> I'm curious to see what the machine is trying to mail, be it spam,
>>> keylogs, sensitive files, or who knows what.
>>
>> Hi, what I can think of is the following (but I am not sure if there
>> is a better solution):
>>
>> Isolate the Postfix machine from the internet, so it can't send any
>> e-mail out.
>> Use the 'always_bcc' setting, to send a copy of every e-mail to a
>> specific e-mail address.
>>
>> http://www.postfix.org/postconf.5.html#always_bcc
>>
>> I know that you can set up Postfix to have a 'catch-all' address for
>> a specific domain. But I don't know if you can set up Postfix in
>> such a way that any e-mail sent to any domain should be sent to a
>> specific e-mail address. The above is the best I can think of.
>>
>>
> Or take a look at this:
>
> http://www.postfix.org/rate.html, section 'Always postponing delivery'.
>
> But that is for any e-mail sent, so you should use a Postfix test
> machine for this, not your production server.
>
> rene at active8 nl
I appreciate your input so far, though right now I haven't been able to
put any of the Postfix side to use since I only have the one server
available. Maybe tomorrow or Tuesday I'll have time to set up another
one just to handle this, but for right now I am just trying to handle
it with what I have.. :/
I've added another smtpd service to master.cf listening on a different
port, with the IP of the problem machine overriding the "mynetworks"
setting. I telnetted in and sent a message that would normally be
rejected as an attempt at open relaying, and it worked ok -- the
infected machine itself is still firewalled off and not forwarding to
this port.
What I need now is that last bit of the puzzle. Postfix on this port
will take all incoming mail given to it regardless of destination; now
I just need a way to force it to deliver to a specific mailbox, file,
or something rather than attempting to move it on out to the real
destination.
It seems like this should be pretty simple to do but I haven't figured
it out just yet.. Any more thoughts on your (or anyone else lurking
out there!) part are very welcome.
>>> Any help on getting postfix to thus "capture" all mail from a
>>> specific client IP would be very much appreciated.
>>>
>>> Also on the off chance that anyone can recommend a really great
>>> program for logging what programs are creating sockets to where on
>>> a Windows machine, that would be a big help as well in tracking this
>>> thing down. If I have to I'll just nuke the box and forget about
>>> all this, and I'll probably end up doing that anyway, but I'd like
>>> to capture as much of it as I can to submit on to the AV vendors so
>>> they can come up with a signature for it.
>>>
>> See:
>> http://www.hsc.fr/ressources/articles/win_net_srv/identify_process_sockets.html
>>> Thanks, and happy holidays.
>>>
>>> -Allen
>>>
This was a very informative link, thank you, I had no idea MS had
finally gotten around to putting this feature into netstat. It's been
a long time coming, maybe I'll be able to catch this thing in the act
now.
I have tcpview (mentioned in the link) but it's a "slow" monitor, and
this trojan is bringing the connections up and down so fast that they
never even show up in tcpview. I'm pondering trying to find a
half-decent sniffer for Windows (another chore in itself) or just pushing
the connection through a FreeBSD "dummynet" and slowing it down to
300 baud or less, which should make it stick around long enough to
capture if I can't get it with netstat.
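The master.cf setup Allen describes (a second smtpd on its own port, with the
problem host's address overriding mynetworks) together with one way to supply
the missing piece, as an added example that is not from the thread or from
anyone posting in it. It assumes the infected host is 192.0.2.10 (a
documentation address), that a local alias or mailbox named `capture` exists,
and that `localhost` is listed in $mydestination. The approach of pointing the
special smtpd at its own cleanup service and rewriting the envelope recipient
there is the editor's, not something either poster suggested; every parameter
used is a standard Postfix parameter.

```conf
# /etc/postfix/master.cf (added example; "10025" is an assumed port)
#
# Dedicated smtpd for the infected host only. mynetworks is overridden so
# that ONLY 192.0.2.10 is trusted here, and everyone else is rejected
# outright, so this listener does not become an open relay for anyone.
# service   type  private unpriv  chroot  wakeup  maxproc command + args
10025       inet  n       -       n       -       -       smtpd
  -o mynetworks=192.0.2.10/32
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o cleanup_service_name=capture-cleanup

# A private cleanup service used only by the listener above. It rewrites
# the ENVELOPE recipient of every message to the local capture mailbox, so
# nothing accepted on port 10025 can leave the box. canonical_classes is
# narrowed to the envelope recipient so the To:/Cc: headers keep whatever
# addresses the trojan actually tried to reach, which is part of the evidence.
capture-cleanup unix n     -       n       -       0       cleanup
  -o recipient_canonical_maps=static:capture@localhost
  -o canonical_classes=envelope_recipient

# /etc/postfix/main.cf alternative, following the two links Rene posted:
# keep a copy of everything and never hand anything to the smtp transport.
# Unlike the master.cf variant, this applies to ALL mail the server
# handles, so it belongs on a throwaway test box, not a production relay.
#   always_bcc = capture@localhost
#   defer_transports = smtp
```

After `postfix reload`, the same telnet test Allen ran should still be
accepted on the new port, but `mailq` and the mail log will show the message
delivered to `capture@localhost` instead of queued for the real destination
(local delivery log lines carry the original recipient in the `orig_to=`
field when rewriting changed it). The infected host still has to stay
firewalled off from port 25 of anything else; this listener only captures
what is pointed at it.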