Re: Capturing mail from a specific sending IP?

From: Allen (postfixrfnj.org)
Date: Mon Dec 25 2006 - 11:13:30 CST


Quoting Rene van Hoek <reneactive8.nl>:

> Allen wrote:
>> Just an FYI to Rene and anyone else following along, it was so easy
>> it killed me. I just created a new transport that calls the
>> sendmail binary, changing the "from" and "to", and then made that
>> the content_filter for the smtpd on the new port rather than the
>> existing spamassassin content filter.
>
> The original 'from' address (from the compromised Windows PC) is
> always the same then?

No, the from and to were both changing; the from address looked
randomly generated. On the network I have the Windows box (now clean,
BTW), a FreeBSD firewall/NAT box, and an outside FreeBSD postfix mail
server.

What I did was first firewalled off all outgoing connections to port 25
on the firewall/NAT machine to stop the flood, then I made three
changes to the postfix server.

  == Added a new alias to send the captured mail to.

  == Added a new smtpd service to master.cf, listening on port 3030 like so:

     3030 inet n - n - - smtpd
       -o mynetworks=24.128.71.36/32 -o content_filter=trojan

  == Created a 'trojan' entry in master.cf using the pipe transport to
     forward everything to the aliased address:

     trojan unix - n n - - pipe
       user=nobody argv=/usr/sbin/sendmail -oi -F TROJAN -r trojanrfnj.org
       -f trojanrfnj.org trojanrfnj.org

On the "trojan" service I wasn't sure if I needed -r or -f as 'man
sendmail' for postfix says they both do the same thing, so I just threw
them both in, probably only needed one.

From there I set up a NAT rule (ipnat) on the firewall to redirect all
outbound traffic destined to 0.0.0.0/0 port 25 tcp to the postfix
machine, port 3030; then I just removed the previously created firewall
entry blocking port 25.

The net result is all mail the machine tried to send via SMTP was
natted and sent out to the postfix box no matter where it was intended
to go, the postfix box accepted it and just forwarded it on to the
"trojanlocaldomain" alias and I was able to capture a large chunk of
the mail.

It was all just run of the mill spam as I suspected, but I wanted to be
sure it wasn't something more nefarious. I captured about 2100
messages in a minute or so of capture before putting the firewall rule
back in and getting on with the business of finding the suspect
software.

I had no luck at all tracing it with netstat or any other network tool;
I'm wondering if it was acting as a sniffer and using raw IP access to
avoid showing up in the stack.

The spam is just garbage with random subject lines and from
names/addresses, mostly porn spam. The funny thing is nowhere in the
message body is any URL referenced. There is a lot of HTML for
formatting, and an embedded base64 encoded GIF, but that's it. The
embedded gif is one of those "invest in this stock!!" type deals,
trying to get you to invest in "OTC:GDKI.PK".

I can put source to one of the messages up somewhere if you're
interested in seeing it but it's pretty run of the mill stuff as far as
spam goes.

Thanks for the suggestions earlier!
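As an added example, not the poster's configuration: a small pipe(8) capture script that does the same job as the sendmail-based 'trojan' transport above but keeps the original envelope sender and recipients as headers instead of overwriting them with -f/-r, plus the triage checks the post did by hand (is a URL referenced? is there an embedded image part?). The script path, the capture directory and the master.cf entry in the docstring are assumptions.

```python
#!/usr/bin/env python3
"""Capture transport for a content_filter smtpd (added example).

Assumed master.cf entry (hypothetical path, not from the original post):
  trojan unix - n n - - pipe
    user=nobody argv=/usr/local/bin/capture_filter.py ${sender} ${recipient}
pipe(8) expands ${sender} and ${recipient} from the SMTP envelope, so the
original addresses are preserved rather than replaced by sendmail -f/-r.
"""
import re
import sys
import time
from email import message_from_bytes
from pathlib import Path

CAPTURE_DIR = Path("/var/spool/captured-spam")  # assumed capture location


def tag_message(raw: bytes, sender: str, recipients: list[str]) -> bytes:
    """Prepend the original envelope as headers; the body stays byte-for-byte."""
    hdr = [f"X-Original-Envelope-From: {sender}"]
    hdr += [f"X-Original-Envelope-To: {r}" for r in recipients]
    return ("\r\n".join(hdr) + "\r\n").encode() + raw


def summarize(raw: bytes) -> dict:
    """Triage one captured message: subject/from, any URL, any image part."""
    msg = message_from_bytes(raw)
    has_url, image_parts = False, 0
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype.startswith("image/"):
            image_parts += 1
        elif ctype.startswith("text/"):
            body = part.get_payload(decode=True) or b""
            if re.search(rb"https?://|www\.", body, re.I):
                has_url = True
    return {"subject": msg.get("Subject", ""), "from": msg.get("From", ""),
            "has_url": has_url, "image_parts": image_parts}


def main() -> None:
    # argv[1] is the envelope sender, argv[2:] the envelope recipients.
    sender, recipients = sys.argv[1], sys.argv[2:]
    tagged = tag_message(sys.stdin.buffer.read(), sender, recipients)
    CAPTURE_DIR.mkdir(parents=True, exist_ok=True)
    (CAPTURE_DIR / f"{time.time_ns()}.eml").write_bytes(tagged)


if __name__ == "__main__":
    main()
```

summarize() is meant to be run afterwards over the files in the capture directory, so the "no URL, just an embedded GIF" pattern the post describes shows up in a count rather than by reading each message.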