[SOLVED] HELP! Seem to be a spammer!?



  • Hi Guys,

    I am facing a severe problem with my internet connection. For the fourth time in one and a half week my internet connection is disconnected because I seem to be a spammer. The ISP refuses to give me more information where the spamming is coming from. Because of privacy reasons they are not allowed to give this information! Very frustrating because it is my internet connection? The only information the ISP gave me is that I am sending 411 messages in 3 minutes? That’s all

    I need your help guys since I am using pfSense as the primary firewall. Is there a way to narrow down the problem myself? How can I find the source of the problem? My ISP is refusing to give me any more info to troubleshoot the problem. They are even threatening to shut me down for a whole month

    I hop sincere you guys can help me with this. Starting to get desperate

    Kind regards
    Herman



  • So it's likely that at least one of the devices in your network has been compromised.

    Disconnect them all from the network and give each device a thorough check before connecting it back to the network.

    Watch your traffic and if it spikes upon connecting a device check that device again.

    You can also have a look here: https://forum.netgate.com/category/54/traffic-monitoring for a package that might help in finding devices using more traffic than they should.

    Good luck.



  • @grimson Thank you Grimson. Checked all I can. PfSense is my last hope. I just cannot find the compromised host.

    Any sugestios what tool to use finding the spammer. I am not that packets guru...

    Any help is appreciated.
    Herman


  • Netgate

    Block connections on LAN from any address to port TCP/25 and TCP/465 and TCP/587 then look at the firewall logs. Nobody will be able to send email while this is in place.

    OR

    Packet capture (Diagnostics > Packet Capture) on LAN for port TCP/25 (Then 465 and 587) for a while (say 10000 packets) then look at the traffic to see what's going on. This will not be disruptive.

    OR

    Examine the firewall states (Diagnostics > States) and see if you can find the problem. Filtering on something like :25 (or :465 or :587) might help.

    Does your ISP allow outbound SMTP connections (TCP/25)?



  • @derelict

    Hi Derelict,

    Created LAN rules to block all the mail traffic (25/465/587) except for the mailserver itself. Are the rules beneath created correctly? What is the best way to check if the rules are working from a host that isn't allowed to use port 25 etc.
    0_1533497251640_BlockSmtpLan.JPG

    Did run the packet capture for 1000 packets. First run is port 25. I have saved the .cap file and opened it with Wireshark. I see a lot here, but honestly I am not able to see what is a threat or not. The same with the States filter. Not really sure what to look for.

    Yes the ISP supports outbound mail through a smarthost (smtp.ziggo.nl)

    Hope this helps a bit. For now I have internet again. I have disabled the Exchange send connector till I have found the problem. This was the fourth time the ISP disconnected me.

    Kind regards,
    Herman


  • Netgate

    Just enable logging on that block rule then check the logs. That should tell you who is trying to send email to the outside.



  • @derelict

    Hi Derelict let me try that. So I asume that the rules are configured correctly?

    Regards,
    Herman



  • Remember that if someone is spoofing one of your email addresses they can cause you issues as well. I haven't read through the thread completely yet so I may be speaking out of the context of given information.

    mxtoolbox.com is a good resource to get to know..

    Your DNS provider may have an SPF wizard. You might want to consider using it to build your SPF to disallow other servers from sending mail as you. Its not a perfect system but it does help.

    Good Luck!

    ps. make sure you don't have an open relay.



  • @derelict To be sure. I see the logs in System Logging, Dynamic View?


  • Netgate

    I would just filter the logs for blocks to destination port 25.



  • @chpalmer

    Hello chpalmer,

    Thanks for this tip. I am familiar with MX Toolbox. I am not really sure my domain provider has such a tool. Doesn’t MX Toolbox not have that tool? I have access to my DNS host file. I see no spf record in there. For the record, my Exchange Server is configured to send mail via a smart host from the ISP (Ziggo). I do not use MX records to send outbound (Ziggo, doesn’t allow that).

    Any suggestions wil be welcome,

    Regards,
    Herman



  • @derelict I have enabled the logging on the LAN Block rule and the allow rule for the Exchange server. But I don't see any logging regarding the rules. Not in normal view nor in Dynamic View. Am I looking at the right place here.

    Thanks guys for you patience!

    regards,
    Herman


  • Netgate

    Sounds like. Are you sure it is still ongoing?

    0_1533509557984_Screen Shot 2018-08-05 at 3.48.07 PM.png



  • @derelict The Source IP Address should be my WAN IP?
    What is the ^and the $ meaning in the Destination port?


  • Rebel Alliance Global Moderator

    had you setup pfsense notifications? If so maybe something was going wrong on pfsense and spamming the notifications - or trying to notify you which were failing. Since you should of gotten them.

    0_1533558988743_notifications.png

    Or did you try and setup mailreport package? These would be the 2 ways that pfsense would/could be trying atleast to send mail. Which your isp might not like - especially if something when wrong or was misconfigured and sending out lots of them.

    That is regex format looking for the port in question.


  • Netgate

    @herman said in HELP! Seem to be a spammer!?:

    @derelict The Source IP Address should be my WAN IP?
    What is the ^and the $ meaning in the Destination port?

    No. You are looking for the inside address so you can find out who on the inside is doing it, so you want to capture on the inside interface (LAN) for all addresses. Unless, like @johnpoz said above, it's actually the firewall doing the emailing.

    The fields there are regular expressions. ^25$ will only match 25. 25 might match 2579, 8254, 9925, 25341, etc.



  • @derelict & @johnpoz

    I have notifications configured. I dont think the firewall is the boogeyman because I setup the internal IP address (10.0.0.x) of the mailserver and mailing to an internal mailbox. Even now the outbound sendconnetor is temporary disabled, the test message from the pfSense arrives in the correct mailbox.

    Regards Herman



  • @Derelict & @johnpoz

    This is what i see in the Exchange que. A lot of these messages???

    0_1533572573166_1b99bd8b-67fd-4868-bee1-58915d41fabf-image.png


  • Rebel Alliance Global Moderator

    Well if your not seeing it logged anywhere, then maybe the ISP is full of shit.. Not the first time that sort of thing every happened. Did your IP change recently - maybe it was the guy with your IP before you, etc.

    If your logging all outbound on 25, and not seeing anything logged.. Then its being sent by you - or you have an active state that is still in use? Did you check your state table? flush it after you create your block/logging rules? You have it logging on all possible inbound ports? You have any road warriors coming in via vpn that could be sending spam through vpn connection?

    edit: contoso.com - that is one of the domains MS uses in its examples ;)
    https://en.wikipedia.org/wiki/Contoso

    So your exchange is sending spam? If your letting exchange outbound, and your isp is saying your spamming - then yeah more than likely is your exchange. If you have all kinds of crap like that in its queue what else sort of nonsense is in there? And being sent or tried to being sent, etc.

    If you can not just check your exchange log for what it has sent, how about just sniff on you wan for outbound 25... And look to see what kind of stuff is being sent or attempted to be sent.. email is sent in the clear so its very easy to view all the info in email.

    Do you accept inbound email into your exchange? If so could be spammers bouncing off you, or using reflection spam.. PM whats your public IP - will check to see if can bounce spam off you, ie open relay.



  • @johnpoz I would really love to pm you, if you teach me how to? God I feel so stupid right now...



  • "Failure, the best teacher it is!"


  • Rebel Alliance Global Moderator

    hehe..

    Dude look at my profile - you figured out how to follow me..

    Click the 3 dots and then start conversation - or just answer the one I started with you.

    0_1533578143913_hermanPM.png



  • Hi Guys,

    It seems that I have found the problem. It looked like the was a Health Mailbox corrupt. Found that because the mails always showed up with the email address inboundproxy@contose.com. The details can be seen in the screenshot earlier. After I finished the migration from Exchange 2013 to 2016 the problem went away. Let have the fingers crossed that this was THE problem?!

    I would like to thank all of you guys helping me and giving me a tremendous learning curve. Without your knowledge and tips I wouldn’t have learned so much about pfSense already. We probably will see each other in another topic as I have so many more questions.

    Thanks guys, @chpalmer @Derelict @Grimson @johnpoz 👍

    Regards,
    Herman