How to find spambot? Got network abuse report from my ISP

MrGlasspoole

I got a mail from my ISP with a network abuse report.
There are 3282 spam mails reported from my IP between Dec 3, 2019 3:04am and Dec 4, 2019 10:22am.

They look like:

    ip 176.199.xxx.xxx
    send_date 2019-12-04T09:22:15Z
    received_date 2019-12-04T09:22:15Z
    format marf

Incident part

    feedback-type: abuse
    user-agent: abusix-nifi/1.0
    version: 1
    source_port: 33431
    source-port: 33431
    original-rcpt-to: www.tiaanxxxxxxxx.09@gmail.com
    source-ip: 176.199.xxx.xxx
    original-envelope-id: A413E514-A0CF-4908-93E8-388A2D262B4E.5
    arrival-date: Wed, 4 Dec 2019 09:22:11 +0000
    original-mail-from: pqyc55@abusix.invalid

Evidence part

    authentication-results: example.me; auth=pass (plain)
    received: from ip-176-199-xxx-xxx.hsi06.unitymediagroup.de (ip-176-199-xxx-xxx.hsi06.unitymediagroup.de [176.199.xxx.xxx]) by example.me (Haraka/2.8.25) with ESMTPSA id A413E514-A0CF-4908-93E8-388A2D262B4E.5 envelope-from <pqyc55@abusix.invalid> (authenticated bits=0) (cipher=ECDHE-RSA-AES128-GCM-SHA256); Wed, 04 Dec 2019 09:22:10 +0000
    date: Wed, 04 Dec 2019 09:22:10 +0000
    from: Tonia <pqyc55@abusix.invalid>
    to: www.tiaanxxxxxxxx.09@gmail.com
    content-disposition: attachment; filename="dcq25tte.jpg"
    x-attachment-id: ubsf7esc94gf
    content-id: <ubsf7esc94gf>

In the Snort alerts i have many "141:1 (IMAP) Unknown IMAP4 command"
from 2019-12-03 04:54:11 to 2019-12-04 12:17:55 with my IP as source and different destination IPs.
Has it to do with the spam?

I don't use IMAP.

The thing is that i did a lot of stuff the last days.
Since monday i have bridge mode from my ISP (before it was double NAT)...
I moved pfSense from Proxmox to Hyper-V...
I did play with different OSs on RPi and Odroid...
Bought a Fire TV stick...

Is there a way to find out what was spamming?

Gertjan

@MrGlasspoole said in How to find spambot? Got network abuse report from my ISP:

There are 3282 spam mails reported from my IP ...

So you have a quiet busy spammer running on a device on your network. Installed some really 'free' software lately ?

Is there a way to find out what was spamming?

Simple, a device on your network !!
Well, you know it's a mail going out. Only 3 ports are used to send mail : 25, 587, 465 - all TCP.
Block them all on you LAN, and make the block rule to log.
Check the log, and you will know what device (= IP) is hammering.
Disconnect that device and your ISP will be happy, also the other 3282 guys that received pure rubbish from you ...
( and/or clean the device and have a talk with the owner ).

Remove snort. It should be there to warn you way before your ISP. It isn't working for you so pretty useless ^^

MrGlasspoole

I'm not sure if i'm doing the blocking right.
I have a lot of this in this log:

But i don't see a LAN IP?
Is it the right place to look?

Gertjan

Euuuh, I said :

@Gertjan said in How to find spambot? Got network abuse report from my ISP:

Block them all on you LAN,

Something like this :

edit : the alias "mail_ports" is an 'ports' alias with mail ports (25 587 465)

marvosa

Those blocks are on your WAN, so they won't tell you much. Like @Gertjan mentioned, you'll want to either create 3 separate rules on your LAN interface which blocks and logs each port. Or create an alias that contains all 3 ports and create one block rule.

Either way, if you want to capture the internal IP's, you have to put the rule on your LAN interface. Also, make sure the block rule is above your LAN net/any rule.

MrGlasspoole

Yes just realized i can still send mails and moved the rules to LAN.

@Gertjan said in How to find spambot? Got network abuse report from my ISP:

Remove snort. It should be there to warn you way before your ISP. It isn't working for you so pretty useless

How should it warn me? I mean i don't sit there and watch it the whole day.
I only check Snort if something is not working to see if something got blocked.

How do others handle that kind of scenario?
We don't send much mails. Would be cool to build something that blinks an LED if a mail was send
and makes a peep every time. That way you realize there a hundreds of mails going out.
Sound like a job for an Arduino.

marvosa

The first step is creating the firewall rule(s) on the correct interface so you can log the traffic. Next, since PFsense has a really short log buffer, I would start exporting your logs to a syslog server so you have historical data that can be filtered, which will help you identify the offending device(s).

stephenw10

If you had Snort running on the LAN it would show the internal source IP on those alerts.

If you have that block rule in place then filter the firewall logs to show only blocked traffic on LAN, check what's there.

Steve

MrGlasspoole

Back then (2014) when i did set up Snort the tutorial said WAN.
But i made a search now and it seems like the recommendation is to put Snort on the LAN.

I guess unless that spam thing happens again i will never know what it was.
As i said i did a lot of testing/playing the last days and maybe it was something on a Raspberry Pi

marvosa

@MrGlasspoole There may be differing options on this subject, but I have Suricata running on both interfaces. The WAN to identify incoming nefarious activity and the LAN to identify the same thing outgoing (e.g. infected machines or the same thing you're experiencing right now, etc)

johnpoz

@marvosa said in How to find spambot? Got network abuse report from my ISP:

The WAN to identify incoming nefarious activity

Why would it matter unless forwarded, if forwarded through to lan - you would see it there, and stop it, etc.

Gertjan

@marvosa said in How to find spambot? Got network abuse report from my ISP:

I have Suricata running on both interfaces. .... and the LAN to identify the same thing outgoing (e.g. infected machines or the same thing you're experiencing right now, etc)

You are aware of the fact that most traffic is "invisible" these day : SSL encrypted.
The unwanted traffic also encrypted these days.

Site that use 'http' web access start to fade away, as do 'clear' smtp / pop and imap communication. It's smtps these days (or pops or imaps).
Suricata can not inspect that SSL traffic flow.

The information that is known at the firewall level is : the destination IP, port, DNS and reverse DNS.
What's in the subsequent traffic stays hidden.

stephenw10

If you have the spare CPU cycles then inspect traffic on both but that's going to be double inspecting on the vast majority of traffic. If you run on only one interface I would recommend LAN. You don't see hits on the firewall itself but having visibility on the internal IPs of more valuable IMO. I depends what you're trying to catch.

Steve

marvosa

@johnpoz said in How to find spambot? Got network abuse report from my ISP:

Why would it matter unless forwarded, if forwarded through to lan - you would see it there, and stop it, etc.

I just like to see what alerts are generated on the WAN.. just because I'm curious... also, IMO, if you're going to run it at all... you might as well run it on both fronts.

@Gertjan said in How to find spambot? Got network abuse report from my ISP:

You are aware of the fact that most traffic is "invisible" these day : SSL encrypted.
The unwanted traffic also encrypted these days.
Site that use 'http' web access start to fade away, as do 'clear' smtp / pop and imap communication. It's smtps these days (or pops or imaps).
Suricata can not inspect that SSL traffic flow.
The information that is known at the firewall level is : the destination IP, port, DNS and reverse DNS.
What's in the subsequent traffic stays hidden.

Yes, I am aware of encrypted traffic and neither said Suricata could inspect SSL traffic nor do I expect it to. It's all about rules, signatures, and reputation.

johnpoz

@marvosa said in How to find spambot? Got network abuse report from my ISP:

you might as well run it on both fronts.

Nope - that logic makes no sense..

provels

@MrGlasspoole FWIW, I'd block the mail ports as suggested overnight. Probably be able to come up with the offender by morning. Also, how many clients are you serving and what kind of antivirus protection do you have in place? Could also possibly a laptop someone brought in.

MrGlasspoole

I have the ports blocked since 3 days and Snort runs now on LAN.

Nothing shows up. All phones, PCs, tablets, the print server, satellite receiver, DECT station are connected as ever.
Nobody was here with a another device.
As i said: could be something temporary from playing around and it's no longer present.
But it's hard to believe there was something in Raspbian, Armbian or DietPi.
Maybe something i did but on the new Fire TV stick that i already did uninstall...

The funny thing is that the day before someone from my ISP was here because bridge mode did not work and there box sometimes did crash/reboot.
He was the only one with other devices.
He told me the router did not receive the last firmware automatically and made a reset to factory defaults. After that the router did pull the newest firmware.

Gertjan

@MrGlasspoole said in How to find spambot? Got network abuse report from my ISP:

Nothing shows up

You mean : even you didn't send a mail ?
Show us the LAN firewall ?

@MrGlasspoole said in How to find spambot? Got network abuse report from my ISP:

He was the only one with other devices.

These devices are not passing through pfSense ...

akuma1x

Does anybody know what this means, in his screenshot above?

source_port: 33431

Jeff

Gertjan

@MrGlasspoole said in How to find spambot? Got network abuse report from my ISP:

source_port: 33431
source-port: 33431
original-rcpt-to: www.tiaanxxxxxxxx.09@gmail.com
source-ip: 176.199.xxx.xxx

When the mail was send, it cam from the IP 176.199.xxx.xxx using port 33431.
The device that send the mail the mail was behind pfSense (but was it - see my question just above) and so it was NATted.
The original source LAN IP and source port can't be known to the ISP.
The only thing they and we know is the destination, a gmail mail server and one of the mail destination ports : 465 or 25 if gmail still accepts mail on port '25'.