Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    How to find spambot? Got network abuse report from my ISP

    Scheduled Pinned Locked Moved General pfSense Questions
    85 Posts 10 Posters 8.8k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • M
      MrGlasspoole
      last edited by

      I'm not sure if i'm doing the blocking right.
      I have a lot of this in this log:
      1.jpg

      But i don't see a LAN IP?
      Is it the right place to look?

      1 Reply Last reply Reply Quote 0
      • GertjanG
        Gertjan @Gertjan
        last edited by Gertjan

        Euuuh, I said :

        @Gertjan said in How to find spambot? Got network abuse report from my ISP:

        Block them all on you LAN,

        Something like this :

        4b32212e-1a92-43b3-9e44-2c8a284bf2e5-image.png

        edit : the alias "mail_ports" is an 'ports' alias with mail ports (25 587 465)

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        1 Reply Last reply Reply Quote 0
        • M
          marvosa
          last edited by marvosa

          Those blocks are on your WAN, so they won't tell you much. Like @Gertjan mentioned, you'll want to either create 3 separate rules on your LAN interface which blocks and logs each port. Or create an alias that contains all 3 ports and create one block rule.

          Either way, if you want to capture the internal IP's, you have to put the rule on your LAN interface. Also, make sure the block rule is above your LAN net/any rule.

          1 Reply Last reply Reply Quote 0
          • M
            MrGlasspoole
            last edited by

            Yes just realized i can still send mails and moved the rules to LAN.

            @Gertjan said in How to find spambot? Got network abuse report from my ISP:

            Remove snort. It should be there to warn you way before your ISP. It isn't working for you so pretty useless

            How should it warn me? I mean i don't sit there and watch it the whole day.
            I only check Snort if something is not working to see if something got blocked.

            How do others handle that kind of scenario?
            We don't send much mails. Would be cool to build something that blinks an LED if a mail was send
            and makes a peep every time. That way you realize there a hundreds of mails going out.
            Sound like a job for an Arduino.

            1 Reply Last reply Reply Quote 0
            • M
              marvosa
              last edited by marvosa

              The first step is creating the firewall rule(s) on the correct interface so you can log the traffic. Next, since PFsense has a really short log buffer, I would start exporting your logs to a syslog server so you have historical data that can be filtered, which will help you identify the offending device(s).

              1 Reply Last reply Reply Quote 0
              • stephenw10S
                stephenw10 Netgate Administrator
                last edited by

                If you had Snort running on the LAN it would show the internal source IP on those alerts.

                If you have that block rule in place then filter the firewall logs to show only blocked traffic on LAN, check what's there.

                Steve

                1 Reply Last reply Reply Quote 0
                • M
                  MrGlasspoole
                  last edited by MrGlasspoole

                  Back then (2014) when i did set up Snort the tutorial said WAN.
                  But i made a search now and it seems like the recommendation is to put Snort on the LAN.

                  I guess unless that spam thing happens again i will never know what it was.
                  As i said i did a lot of testing/playing the last days and maybe it was something on a Raspberry Pi

                  M provelsP 2 Replies Last reply Reply Quote 0
                  • M
                    marvosa @MrGlasspoole
                    last edited by

                    @MrGlasspoole There may be differing options on this subject, but I have Suricata running on both interfaces. The WAN to identify incoming nefarious activity and the LAN to identify the same thing outgoing (e.g. infected machines or the same thing you're experiencing right now, etc)

                    GertjanG 1 Reply Last reply Reply Quote 0
                    • johnpozJ
                      johnpoz LAYER 8 Global Moderator
                      last edited by

                      @marvosa said in How to find spambot? Got network abuse report from my ISP:

                      The WAN to identify incoming nefarious activity

                      Why would it matter unless forwarded, if forwarded through to lan - you would see it there, and stop it, etc.

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                      M 1 Reply Last reply Reply Quote 0
                      • GertjanG
                        Gertjan @marvosa
                        last edited by Gertjan

                        @marvosa said in How to find spambot? Got network abuse report from my ISP:

                        I have Suricata running on both interfaces. .... and the LAN to identify the same thing outgoing (e.g. infected machines or the same thing you're experiencing right now, etc)

                        You are aware of the fact that most traffic is "invisible" these day : SSL encrypted.
                        The unwanted traffic also encrypted these days.

                        Site that use 'http' web access start to fade away, as do 'clear' smtp / pop and imap communication. It's smtps these days (or pops or imaps).
                        Suricata can not inspect that SSL traffic flow.

                        The information that is known at the firewall level is : the destination IP, port, DNS and reverse DNS.
                        What's in the subsequent traffic stays hidden.

                        No "help me" PM's please. Use the forum, the community will thank you.
                        Edit : and where are the logs ??

                        1 Reply Last reply Reply Quote 1
                        • stephenw10S
                          stephenw10 Netgate Administrator
                          last edited by

                          If you have the spare CPU cycles then inspect traffic on both but that's going to be double inspecting on the vast majority of traffic. If you run on only one interface I would recommend LAN. You don't see hits on the firewall itself but having visibility on the internal IPs of more valuable IMO. I depends what you're trying to catch.

                          Steve

                          1 Reply Last reply Reply Quote 0
                          • M
                            marvosa @johnpoz
                            last edited by

                            @johnpoz said in How to find spambot? Got network abuse report from my ISP:

                            Why would it matter unless forwarded, if forwarded through to lan - you would see it there, and stop it, etc.

                            I just like to see what alerts are generated on the WAN.. just because I'm curious... also, IMO, if you're going to run it at all... you might as well run it on both fronts.

                            @Gertjan said in How to find spambot? Got network abuse report from my ISP:

                            You are aware of the fact that most traffic is "invisible" these day : SSL encrypted.
                            The unwanted traffic also encrypted these days.
                            Site that use 'http' web access start to fade away, as do 'clear' smtp / pop and imap communication. It's smtps these days (or pops or imaps).
                            Suricata can not inspect that SSL traffic flow.
                            The information that is known at the firewall level is : the destination IP, port, DNS and reverse DNS.
                            What's in the subsequent traffic stays hidden.

                            Yes, I am aware of encrypted traffic and neither said Suricata could inspect SSL traffic nor do I expect it to. It's all about rules, signatures, and reputation.

                            1 Reply Last reply Reply Quote 0
                            • johnpozJ
                              johnpoz LAYER 8 Global Moderator
                              last edited by

                              @marvosa said in How to find spambot? Got network abuse report from my ISP:

                              you might as well run it on both fronts.

                              Nope - that logic makes no sense..

                              An intelligent man is sometimes forced to be drunk to spend time with his fools
                              If you get confused: Listen to the Music Play
                              Please don't Chat/PM me for help, unless mod related
                              SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                              1 Reply Last reply Reply Quote 0
                              • provelsP
                                provels @MrGlasspoole
                                last edited by provels

                                @MrGlasspoole FWIW, I'd block the mail ports as suggested overnight. Probably be able to come up with the offender by morning. Also, how many clients are you serving and what kind of antivirus protection do you have in place? Could also possibly a laptop someone brought in.

                                Peder

                                MAIN - pfSense+ 24.11-RELEASE - Adlink MXE-5401, i7, 16 GB RAM, 64 GB SSD. 500 GB HDD for SyslogNG
                                BACKUP - pfSense+ 23.01-RELEASE - Hyper-V Virtual Machine, Gen 1, 2 v-CPUs, 3 GB RAM, 8GB VHDX (Dynamic)

                                1 Reply Last reply Reply Quote 0
                                • M
                                  MrGlasspoole
                                  last edited by MrGlasspoole

                                  I have the ports blocked since 3 days and Snort runs now on LAN.

                                  Nothing shows up. All phones, PCs, tablets, the print server, satellite receiver, DECT station are connected as ever.
                                  Nobody was here with a another device.
                                  As i said: could be something temporary from playing around and it's no longer present.
                                  But it's hard to believe there was something in Raspbian, Armbian or DietPi.
                                  Maybe something i did but on the new Fire TV stick that i already did uninstall...

                                  The funny thing is that the day before someone from my ISP was here because bridge mode did not work and there box sometimes did crash/reboot.
                                  He was the only one with other devices.
                                  He told me the router did not receive the last firmware automatically and made a reset to factory defaults. After that the router did pull the newest firmware.

                                  GertjanG 1 Reply Last reply Reply Quote 0
                                  • GertjanG
                                    Gertjan @MrGlasspoole
                                    last edited by Gertjan

                                    @MrGlasspoole said in How to find spambot? Got network abuse report from my ISP:

                                    Nothing shows up

                                    You mean : even you didn't send a mail ?
                                    Show us the LAN firewall ?

                                    @MrGlasspoole said in How to find spambot? Got network abuse report from my ISP:

                                    He was the only one with other devices.

                                    These devices are not passing through pfSense ...

                                    No "help me" PM's please. Use the forum, the community will thank you.
                                    Edit : and where are the logs ??

                                    M 1 Reply Last reply Reply Quote 0
                                    • A
                                      akuma1x
                                      last edited by

                                      Does anybody know what this means, in his screenshot above?

                                      source_port: 33431

                                      Jeff

                                      NollipfSenseN 1 Reply Last reply Reply Quote 0
                                      • GertjanG
                                        Gertjan
                                        last edited by

                                        @MrGlasspoole said in How to find spambot? Got network abuse report from my ISP:

                                        source_port: 33431
                                        source-port: 33431
                                        original-rcpt-to: www.tiaanxxxxxxxx.09@gmail.com
                                        source-ip: 176.199.xxx.xxx
                                        

                                        When the mail was send, it cam from the IP 176.199.xxx.xxx using port 33431.
                                        The device that send the mail the mail was behind pfSense (but was it - see my question just above) and so it was NATted.
                                        The original source LAN IP and source port can't be known to the ISP.
                                        The only thing they and we know is the destination, a gmail mail server and one of the mail destination ports : 465 or 25 if gmail still accepts mail on port '25'.

                                        No "help me" PM's please. Use the forum, the community will thank you.
                                        Edit : and where are the logs ??

                                        1 Reply Last reply Reply Quote 0
                                        • M
                                          MrGlasspoole @Gertjan
                                          last edited by MrGlasspoole

                                          @Gertjan said in How to find spambot? Got network abuse report from my ISP:

                                          You mean : even you didn't send a mail

                                          What i mean is that nothing shows up that is trying to send mails.
                                          Sure, if I try to send one (what of course is not working) it shows up.

                                          1 Reply Last reply Reply Quote 0
                                          • M
                                            MrGlasspoole
                                            last edited by MrGlasspoole

                                            It happened again.

                                            Nothing in Snort and mail ports are blocked:
                                            5.jpg

                                            I have a lot of blocked UDP but i don't know what device it is with that IPv6:
                                            2Status_-System-Logs_-Firewall_-Normal-V_---10.1.0.gif

                                            And this and 10.1.254.10 is my Nvidia Shield:
                                            4Status_-System-Logs_-Firewall_-Normal-V_---10.1.0.1.gif

                                            M 1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.