Becoming a spammer: hands-on experience

Reading the stories of Windows workstations becoming members of a spam botnet becomes way less enjoyable when you’re faced with the same problem (one of my kids managed to install a Trojan). It took me a day to clean the infected computer (it would have been easier to just format it, but the repeated installation of the Windows XP + Office software is so boring), but I’ve learned a few interesting networking lessons in the process that I’ll document over the coming days.

Let’s start with an easy one: once you discover one of your workstations is opening a lot of SMTP sessions, immediately block it on the firewall router. Because the access list logs every blocked attempt, it will also help you verify later that you've removed all spam-related infections: a clean workstation stops generating log entries. I’ve used the simplest access list possible; it blocks the outbound SMTP sessions from the infected workstation.

ip access-list extended Inside
 deny   tcp host 192.168.200.198 any eq smtp log
 permit ip any any
!
interface Vlan1
 ip access-group Inside in

If you want a more sophisticated solution, you might log the outbound TCP sessions of the affected PC. The following access list blocks all outbound SMTP sessions and logs the SYN packets of outbound TCP sessions: the established keyword matches TCP packets with the ACK or RST bit set, so only the initial SYN of each session falls through to the logging entry. DNS over UDP is allowed, but all other UDP is blocked. All other hosts are not affected (the permit ip any any at the end):

ip access-list extended InsideLog
 deny   tcp host 192.168.200.198 any eq smtp log
 permit tcp host 192.168.200.198 any established
 permit tcp host 192.168.200.198 any log
 permit udp host 192.168.200.198 any eq domain
 deny   udp host 192.168.200.198 any
 permit ip any any

Recent IOS releases support access list matching on individual bits in the TCP header. Using this functionality, you can match and log only TCP packets with SYN bit set (the rest of the TCP session is permitted due to permit ip any any at the end).

ip access-list extended InsideLog
 deny   tcp host 192.168.200.198 any eq smtp log
 permit tcp host 192.168.200.198 any syn log
 permit udp host 192.168.200.198 any eq domain
 deny   udp host 192.168.200.198 any
 permit ip any any
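The log keyword on the access lists above turns the router into a detection sensor: every blocked SMTP attempt and every new outbound TCP session from the infected host produces a %SEC-6-IPACCESSLOGP syslog message. The following script, added here as an illustration and not part of the original post, parses a handful of constructed sample lines in that message format (the remote addresses and timestamps are made up), totals the SMTP packets the router dropped per source host, lists the destination ports the host was allowed to open, and answers the question the post raises: is the workstation still trying to spam after cleanup? The function and variable names are the script's own.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of the syslog output produced by the "log" keyword on the
# InsideLog access list. The %SEC-6-IPACCESSLOGP message body follows the IOS
# format for logged TCP/UDP matches; timestamps and remote addresses are invented.
SAMPLE_LOG = """\
*Mar  1 10:02:11.123: %SEC-6-IPACCESSLOGP: list InsideLog denied tcp 192.168.200.198(1033) -> 203.0.113.10(25), 1 packet
*Mar  1 10:02:12.456: %SEC-6-IPACCESSLOGP: list InsideLog denied tcp 192.168.200.198(1034) -> 203.0.113.11(25), 1 packet
*Mar  1 10:02:13.789: %SEC-6-IPACCESSLOGP: list InsideLog permitted tcp 192.168.200.198(1035) -> 198.51.100.5(80), 1 packet
*Mar  1 10:02:14.001: %SEC-6-IPACCESSLOGP: list InsideLog permitted tcp 192.168.200.198(1036) -> 198.51.100.7(6667), 1 packet
*Mar  1 10:02:15.002: %SEC-6-IPACCESSLOGP: list InsideLog permitted udp 192.168.200.198(1037) -> 192.168.200.1(53), 1 packet
*Mar  1 10:07:11.555: %SEC-6-IPACCESSLOGP: list InsideLog denied tcp 192.168.200.198(1040) -> 203.0.113.12(25), 37 packets
"""

# One regex for the message body; the router's timestamp prefix is ignored.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>tcp|udp) (?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


def parse_acl_log(text):
    """Yield one dict per IPACCESSLOGP line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            rec = m.groupdict()
            for key in ("sport", "dport", "count"):
                rec[key] = int(rec[key])
            yield rec


def summarize(records, smtp_port=25):
    """Per source host: SMTP packets the router dropped, the distinct mail
    servers it tried to reach, and the permitted (proto, port) pairs with
    packet counts. The permitted entries are the logged session SYNs."""
    summary = defaultdict(
        lambda: {"smtp_denied": 0, "smtp_targets": set(), "permitted_ports": Counter()}
    )
    for r in records:
        host = summary[r["src"]]
        if r["action"] == "denied" and r["proto"] == "tcp" and r["dport"] == smtp_port:
            host["smtp_denied"] += r["count"]
            host["smtp_targets"].add(r["dst"])
        elif r["action"] == "permitted":
            host["permitted_ports"][(r["proto"], r["dport"])] += r["count"]
    return summary


def still_spamming(summary, host):
    """True while the router is still logging SMTP denies for the host.
    A cleaned workstation should stop producing these lines entirely."""
    return summary.get(host, {}).get("smtp_denied", 0) > 0


if __name__ == "__main__":
    report = summarize(parse_acl_log(SAMPLE_LOG))
    for host, info in report.items():
        print(host, "SMTP packets denied:", info["smtp_denied"],
              "distinct mail servers:", len(info["smtp_targets"]))
        for (proto, port), n in info["permitted_ports"].most_common():
            print("   permitted", proto, "port", port, "packets:", n)
        print("   still spamming:", still_spamming(report, host))
```

Two caveats when reading real router output: the log keyword reports the first matching packet immediately and then only a periodic summary (the "37 packets" line above is such a summary), so the packet counts are a lower bound on what the host actually sent, and logged matches are process-switched on most IOS platforms, which is why the access lists above log only session SYNs rather than every packet.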

1 comment:

  1. Nice beginning of a story! It reminds me of the past, when I did honeypot research and hunted the evil user taking pride in the number of hosts he got in his botnet on IRC channels :)


Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.