How to find spambot? Got network abuse report from my ISP

MrGlasspoole

I'm not sure if i'm doing the blocking right.
I have a lot of this in this log:

But i don't see a LAN IP?
Is it the right place to look?

Gertjan

Euuuh, I said :

@Gertjan said in How to find spambot? Got network abuse report from my ISP:

Block them all on you LAN,

Something like this :

edit : the alias "mail_ports" is an 'ports' alias with mail ports (25 587 465)

marvosa

Those blocks are on your WAN, so they won't tell you much. Like @Gertjan mentioned, you'll want to either create 3 separate rules on your LAN interface which blocks and logs each port. Or create an alias that contains all 3 ports and create one block rule.

Either way, if you want to capture the internal IP's, you have to put the rule on your LAN interface. Also, make sure the block rule is above your LAN net/any rule.

MrGlasspoole

Yes just realized i can still send mails and moved the rules to LAN.

@Gertjan said in How to find spambot? Got network abuse report from my ISP:

Remove snort. It should be there to warn you way before your ISP. It isn't working for you so pretty useless

How should it warn me? I mean i don't sit there and watch it the whole day.
I only check Snort if something is not working to see if something got blocked.

How do others handle that kind of scenario?
We don't send much mails. Would be cool to build something that blinks an LED if a mail was send
and makes a peep every time. That way you realize there a hundreds of mails going out.
Sound like a job for an Arduino.

marvosa

The first step is creating the firewall rule(s) on the correct interface so you can log the traffic. Next, since PFsense has a really short log buffer, I would start exporting your logs to a syslog server so you have historical data that can be filtered, which will help you identify the offending device(s).

stephenw10

If you had Snort running on the LAN it would show the internal source IP on those alerts.

If you have that block rule in place then filter the firewall logs to show only blocked traffic on LAN, check what's there.

Steve

MrGlasspoole

Back then (2014) when i did set up Snort the tutorial said WAN.
But i made a search now and it seems like the recommendation is to put Snort on the LAN.

I guess unless that spam thing happens again i will never know what it was.
As i said i did a lot of testing/playing the last days and maybe it was something on a Raspberry Pi

marvosa

@MrGlasspoole There may be differing options on this subject, but I have Suricata running on both interfaces. The WAN to identify incoming nefarious activity and the LAN to identify the same thing outgoing (e.g. infected machines or the same thing you're experiencing right now, etc)

johnpoz

@marvosa said in How to find spambot? Got network abuse report from my ISP:

The WAN to identify incoming nefarious activity

Why would it matter unless forwarded, if forwarded through to lan - you would see it there, and stop it, etc.

Gertjan

@marvosa said in How to find spambot? Got network abuse report from my ISP:

I have Suricata running on both interfaces. .... and the LAN to identify the same thing outgoing (e.g. infected machines or the same thing you're experiencing right now, etc)

You are aware of the fact that most traffic is "invisible" these day : SSL encrypted.
The unwanted traffic also encrypted these days.

Site that use 'http' web access start to fade away, as do 'clear' smtp / pop and imap communication. It's smtps these days (or pops or imaps).
Suricata can not inspect that SSL traffic flow.

The information that is known at the firewall level is : the destination IP, port, DNS and reverse DNS.
What's in the subsequent traffic stays hidden.

stephenw10

If you have the spare CPU cycles then inspect traffic on both but that's going to be double inspecting on the vast majority of traffic. If you run on only one interface I would recommend LAN. You don't see hits on the firewall itself but having visibility on the internal IPs of more valuable IMO. I depends what you're trying to catch.

Steve

marvosa

@johnpoz said in How to find spambot? Got network abuse report from my ISP:

Why would it matter unless forwarded, if forwarded through to lan - you would see it there, and stop it, etc.

I just like to see what alerts are generated on the WAN.. just because I'm curious... also, IMO, if you're going to run it at all... you might as well run it on both fronts.

@Gertjan said in How to find spambot? Got network abuse report from my ISP:

You are aware of the fact that most traffic is "invisible" these day : SSL encrypted.
The unwanted traffic also encrypted these days.
Site that use 'http' web access start to fade away, as do 'clear' smtp / pop and imap communication. It's smtps these days (or pops or imaps).
Suricata can not inspect that SSL traffic flow.
The information that is known at the firewall level is : the destination IP, port, DNS and reverse DNS.
What's in the subsequent traffic stays hidden.

Yes, I am aware of encrypted traffic and neither said Suricata could inspect SSL traffic nor do I expect it to. It's all about rules, signatures, and reputation.

johnpoz

@marvosa said in How to find spambot? Got network abuse report from my ISP:

you might as well run it on both fronts.

Nope - that logic makes no sense..

provels

@MrGlasspoole FWIW, I'd block the mail ports as suggested overnight. Probably be able to come up with the offender by morning. Also, how many clients are you serving and what kind of antivirus protection do you have in place? Could also possibly a laptop someone brought in.

MrGlasspoole

I have the ports blocked since 3 days and Snort runs now on LAN.

Nothing shows up. All phones, PCs, tablets, the print server, satellite receiver, DECT station are connected as ever.
Nobody was here with a another device.
As i said: could be something temporary from playing around and it's no longer present.
But it's hard to believe there was something in Raspbian, Armbian or DietPi.
Maybe something i did but on the new Fire TV stick that i already did uninstall...

The funny thing is that the day before someone from my ISP was here because bridge mode did not work and there box sometimes did crash/reboot.
He was the only one with other devices.
He told me the router did not receive the last firmware automatically and made a reset to factory defaults. After that the router did pull the newest firmware.

Gertjan

@MrGlasspoole said in How to find spambot? Got network abuse report from my ISP:

Nothing shows up

You mean : even you didn't send a mail ?
Show us the LAN firewall ?

@MrGlasspoole said in How to find spambot? Got network abuse report from my ISP:

He was the only one with other devices.

These devices are not passing through pfSense ...

akuma1x

Does anybody know what this means, in his screenshot above?

source_port: 33431

Jeff

Gertjan

@MrGlasspoole said in How to find spambot? Got network abuse report from my ISP:

source_port: 33431
source-port: 33431
original-rcpt-to: www.tiaanxxxxxxxx.09@gmail.com
source-ip: 176.199.xxx.xxx

When the mail was send, it cam from the IP 176.199.xxx.xxx using port 33431.
The device that send the mail the mail was behind pfSense (but was it - see my question just above) and so it was NATted.
The original source LAN IP and source port can't be known to the ISP.
The only thing they and we know is the destination, a gmail mail server and one of the mail destination ports : 465 or 25 if gmail still accepts mail on port '25'.

MrGlasspoole

@Gertjan said in How to find spambot? Got network abuse report from my ISP:

You mean : even you didn't send a mail

What i mean is that nothing shows up that is trying to send mails.
Sure, if I try to send one (what of course is not working) it shows up.

MrGlasspoole

It happened again.

Nothing in Snort and mail ports are blocked:

I have a lot of blocked UDP but i don't know what device it is with that IPv6:

And this and 10.1.254.10 is my Nvidia Shield: