
Kerio User Forums » Kerio Connect » How to find an infected PC in LAN? (Is it possible to locate an infected client sending spam in a LAN with Kerio?)

ableeker
If a workstation in a LAN is infected and sending spam, you may notice that the mail you send is being refused by the receiver, because the mail server has been put on a blacklist which the receiver may be using (the one from Spamhaus, for example). If you check the blacklist site, they will tell you that the IP address of the server has been put on the blacklist. To fix this, you'll have to find the client PC that's sending the spam and remove the malware that's sending it. So how do you find the offending PC if you have 20 PCs? Is there a way to see in Kerio which PC is sending the spam?
Neil Whiteside (Kerio)
Hello Ableeker,

Your mail log should show the internal sender IP address for outbound messages.

I hope this helps.

Best regards,

Neil.

Knowledge Base: http://kb.kerio.com/.
Looking for technical support? http://www.kerio.com/support
ableeker
Hello Neil,

I've just been checking the mail log, but all I see there looks like legitimate mail. One of the PCs should have been sending large amounts of spam, but I was wondering whether those would show up in any of the Kerio logs. It would be great if they did, because it would then be simple to see which PC is sending illegitimate mail...

Cheers
Neil Whiteside (Kerio)
Hi,

In that case the infected PC is just sending straight out through your gateway, rather than using Kerio Connect.

You would need to check any logs on your gateway/firewall for similar signs of high traffic from one IP address.

Best regards,

Neil.

ableeker
I understand malware uses the mail engine in such a way that the spam sent doesn't show up in log files. So it would be great if that's not the case, and I could check the log file to find the offending PC.

There's another problem: I don't know when the spam was sent or what it's about, so how do I find it in the log file? Just by looking through it, I'm not seeing any spam runs.

Ah, so it's possible the spam doesn't show up in any of the Kerio logs...

I'll see if I can find out how to check the gateway/firewall.

Cheers!

[Updated on: Thu, 23 January 2014 12:12]

Ernesto (Kerio)
It is not possible to send email messages through Kerio Connect without the activity being recorded in the logs.

Spam email can be disguised to look like legitimate email, but it will still be recorded in the Kerio Connect logs.

One possibility, as my colleague Neil suggested, is that the malware is sending the spam emails through some other mail server, other than Kerio Connect, in which case, yes, looking at the TCP/IP activity related to the email protocols (SMTP, IMAP, etc.) using some kind of protocol analyzer (Wireshark, tcpdump, etc.) can help to identify it.

Identifying spam emails being processed through Kerio Connect takes a little bit of effort, analyzing the logs and the message queue. I recommend contacting our Kerio Tech Support to request assistance with analyzing the Kerio Connect logs.

Sales Engineer | Kerio

itg-ks
More than likely the infected machine is sending it directly to the Internet. Best practice would be to deny all outbound SMTP connections on your firewall and only allow the IP address of the Kerio server's SMTP to traverse the firewall. This won't stop the computer from being infected, but it would stop the email from leaving your network and give you time to analyze the firewall logs to see which machine it is, or, worst case, you would have time to look at each PC individually.
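The approach the replies from Neil, Ernesto and itg-ks converge on, worked through as an added example (this is not code from the thread, from Kerio Connect or from any Kerio product): take the gateway firewall's connection log, count new outbound mail connections per internal source address, and list every host other than the mail server that is opening them; then apply the egress rule itg-ks describes to the same records to see exactly what it would have dropped. The log lines are constructed for the example and only loosely modelled on iptables LOG output (most fields omitted); the mail server address 192.168.1.10 and the set of ports treated as "mail" are assumptions, and a real firewall's log format will need its own regular expression.

```python
# Added example, not code from the forum thread or from Kerio: find the LAN host
# talking SMTP straight to the Internet from gateway firewall logs, and show what
# an "only the mail server may send SMTP out" egress rule would have dropped.
import re
from collections import Counter

# Assumption: LAN address of the Kerio Connect server; every other host is a workstation.
MAIL_SERVER_IP = "192.168.1.10"
# Assumption: ports treated as outbound mail. Drop 465/587 if users legitimately
# submit mail to outside providers and you only want direct-to-MX traffic.
SMTP_PORTS = {25, 465, 587}

# Constructed sample, loosely modelled on iptables LOG output with most fields
# omitted. Only SRC/DST/PROTO/DPT and the TCP flags at the end are parsed.
SAMPLE_LOG = """\
Jan 23 10:01:02 gw kernel: FORWARD IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=198.51.100.20 PROTO=TCP SPT=51000 DPT=25 SYN
Jan 23 10:01:03 gw kernel: FORWARD IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=198.51.100.21 PROTO=TCP SPT=51001 DPT=25 SYN
Jan 23 10:01:05 gw kernel: FORWARD IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.5 PROTO=TCP SPT=49152 DPT=25 SYN
Jan 23 10:01:05 gw kernel: FORWARD IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.6 PROTO=TCP SPT=49153 DPT=25 SYN
Jan 23 10:01:05 gw kernel: FORWARD IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.5 PROTO=TCP SPT=49152 DPT=25 ACK PSH
Jan 23 10:01:06 gw kernel: FORWARD IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.7 PROTO=TCP SPT=49154 DPT=25 SYN
Jan 23 10:01:06 gw kernel: FORWARD IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.8 PROTO=TCP SPT=49155 DPT=25 SYN
Jan 23 10:01:07 gw kernel: FORWARD IN=eth1 OUT=eth0 SRC=192.168.1.41 DST=198.51.100.80 PROTO=TCP SPT=50111 DPT=443 SYN
Jan 23 10:01:08 gw kernel: FORWARD IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=198.51.100.90 PROTO=TCP SPT=50222 DPT=587 SYN
Jan 23 10:01:09 gw kernel: FORWARD IN=eth1 OUT=eth0 SRC=192.168.1.41 DST=198.51.100.53 PROTO=UDP SPT=40000 DPT=53
"""

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)"
    r"(?: SPT=\d+)?(?: DPT=(?P<dpt>\d+))?(?P<rest>.*)$"
)


def parse_line(line):
    """One log line -> dict(src, dst, proto, dpt, syn), or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {
        "src": m.group("src"),
        "dst": m.group("dst"),
        "proto": m.group("proto"),
        "dpt": int(m.group("dpt")) if m.group("dpt") else None,
        "syn": "SYN" in m.group("rest").split(),
    }


def records(log_text):
    return [r for r in map(parse_line, log_text.splitlines()) if r]


def is_outbound_mail(rec):
    return rec["proto"] == "TCP" and rec["dpt"] in SMTP_PORTS


def smtp_connections_by_source(log_text):
    """New outbound mail connections (SYN packets only) per internal source.
    Counting SYNs rather than every packet measures connection attempts, which
    is the signature of a spam bot: many short sessions to many different MXs."""
    return Counter(r["src"] for r in records(log_text) if is_outbound_mail(r) and r["syn"])


def distinct_mail_destinations(log_text):
    """Set of SMTP destination hosts per source. A workstation normally talks
    SMTP to one server at most; a bot fans out to many."""
    dests = {}
    for r in records(log_text):
        if is_outbound_mail(r):
            dests.setdefault(r["src"], set()).add(r["dst"])
    return dests


def suspects(log_text, mail_server_ip=MAIL_SERVER_IP):
    """Hosts other than the mail server opening outbound mail connections, busiest
    first. With the egress rule below in place, this list should be empty."""
    return [(ip, n) for ip, n in smtp_connections_by_source(log_text).most_common()
            if ip != mail_server_ip]


def egress_decision(rec, mail_server_ip=MAIL_SERVER_IP):
    """The policy itg-ks describes: only the mail server may send SMTP outbound."""
    if is_outbound_mail(rec) and rec["src"] != mail_server_ip:
        return "DENY"
    return "ALLOW"


def would_be_blocked(log_text, mail_server_ip=MAIL_SERVER_IP):
    """Per-source count of logged packets that rule would have dropped."""
    return Counter(r["src"] for r in records(log_text)
                   if egress_decision(r, mail_server_ip) == "DENY")


if __name__ == "__main__":
    fanout = distinct_mail_destinations(SAMPLE_LOG)
    for ip, n in suspects(SAMPLE_LOG):
        print(f"{ip}: {n} outbound mail connections to {len(fanout[ip])} distinct hosts")
    print("dropped by egress rule:", dict(would_be_blocked(SAMPLE_LOG)))
```

On the constructed sample this flags 192.168.1.23, which opened four SMTP sessions to four different hosts in two seconds, and also 192.168.1.50, which made a single port-587 submission; the second one is the caveat with a blanket "deny all outbound SMTP" rule, since it also blocks users who legitimately submit mail to an outside provider, so decide whether 587/465 belong in the blocked set before deploying it. If the gateway does not log connections at all, the same signal can be captured live on the LAN side with a filter such as `tcp[tcpflags] & tcp-syn != 0 and dst port 25 and not src host 192.168.1.10` in tcpdump and fed through the same parser after adjusting `LINE_RE`.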