Koozali.org: home of the SME Server

Host Spam

Offline [m364n0]

Host Spam
« on: September 22, 2011, 04:55:31 AM »
Guys, how do I investigate which user is the root cause or the host of the spam messages?

Offline piran

Re: Host Spam
« Reply #1 on: September 22, 2011, 11:41:15 AM »
In such cases I find that a crystal ball suffices.

Offline brianr

Re: Host Spam
« Reply #2 on: September 22, 2011, 01:13:54 PM »
You have to use all sorts of cues to identify the culprit.

Some ideas:
1. Look at the central switch lights to see which one is creating a lot of traffic.
2. Which one is very slow.
3. Look at the lights on the individual network ports on the PCs.
4. Disconnect them one by one until the spam stops (you could do this in batches if you have a lot of clients).
5. Use tshark on the server to track TCP traffic.

Others may have other tricks.

Let us know how you do.
Brian j Read
(retired, for a second time, still got 2 installations though)
The instrument I am playing is my favourite Melodeon.

Offline janet

Re: Host Spam
« Reply #3 on: September 22, 2011, 04:18:11 PM »
[m364n0]

Surely you would look at the log files, e.g. qpsmtpd.
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.
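A worked example of the log triage janet points at, added here for this thread and not code from SME Server or from any poster: it correlates each qpsmtpd session through the worker PID that prefixes every line, counts connections and queued messages per client IP, and flags the busiest clients that sit on the LAN. The log lines are constructed; their layout (tai64n stamp, PID, "Accepted connection N/M from IP / rDNS", "250 Queued!") only approximates what /var/log/qpsmtpd/current contains on SME Server, so the two regular expressions, the log path and the LAN_NETS ranges are assumptions to adjust against a real log.

```python
"""Triage a qpsmtpd log for the LAN host that is pumping out mail.

Added example for this thread, not code from SME Server or from any poster.
SAMPLE_LOG is constructed and its line layout only approximates qpsmtpd's
log, so ACCEPT_RE / QUEUED_RE are assumptions to check against a real file.
"""
import ipaddress
import re

# Assumed internal address ranges for the site; edit to match your LAN.
LAN_NETS = [ipaddress.ip_network(n) for n in ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")]

# Constructed sample log: one LAN PC opens session after session (note the
# reused worker PID 28375), one outside MTA delivers a single message.
SAMPLE_LOG = """\
@400000004e7ab10b1c5a2f34 28375 Accepted connection 0/40 from 192.168.1.57 / unknown
@400000004e7ab10b1d0b7e1c 28375 192.168.1.57 check_earlytalker plugin: remote host said nothing spontaneous, proceeding
@400000004e7ab10c02a4f0d4 28375 250 Queued! 1316669323 qp 28380
@400000004e7ab10c03117a90 28375 click, disconnecting
@400000004e7ab10c0a33bc08 28391 Accepted connection 1/40 from 192.168.1.57 / unknown
@400000004e7ab10c0b0c3d50 28391 250 Queued! 1316669324 qp 28395
@400000004e7ab10c0b9e21f4 28391 click, disconnecting
@400000004e7ab10d01a2c0e8 28402 Accepted connection 0/40 from 203.0.113.77 / mail.partner.example
@400000004e7ab10d02b6d4a4 28402 250 Queued! 1316669325 qp 28410
@400000004e7ab10d03044e10 28402 click, disconnecting
@400000004e7ab10e00c1aa22 28375 Accepted connection 0/40 from 192.168.1.57 / unknown
@400000004e7ab10e011d3f60 28375 550 Denied: message content rejected
@400000004e7ab10e01fa88c4 28375 click, disconnecting
"""

# Assumed line shapes: "<tai64n> <pid> Accepted connection N/M from IP / rdns"
# and "<tai64n> <pid> 250 Queued! ...".
ACCEPT_RE = re.compile(r"^@\S+\s+(?P<pid>\d+)\s+Accepted connection \d+/\d+ from (?P<ip>\S+)(?: / (?P<rdns>\S+))?")
QUEUED_RE = re.compile(r"^@\S+\s+(?P<pid>\d+)\s+250 Queued!")


def is_lan(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)


def summarize(lines):
    """Return {ip: {"connections", "queued", "rdns"}}, correlating each
    session's lines through the worker PID qpsmtpd prefixes them with."""
    current = {}   # pid -> client IP of the session currently on that worker
    stats = {}
    for line in lines:
        m = ACCEPT_RE.match(line)
        if m:
            ip = m.group("ip")
            current[m.group("pid")] = ip   # PIDs get reused, so always overwrite
            s = stats.setdefault(ip, {"connections": 0, "queued": 0, "rdns": set()})
            s["connections"] += 1
            if m.group("rdns"):
                s["rdns"].add(m.group("rdns"))
            continue
        m = QUEUED_RE.match(line)
        if m and m.group("pid") in current:
            stats[current[m.group("pid")]]["queued"] += 1
    return stats


def suspects(lines, min_connections=2):
    """Clients with at least min_connections sessions, busiest first, with a
    flag telling you whether the address is one of your own workstations."""
    ranked = [
        {"ip": ip, "internal": is_lan(ip), **s}
        for ip, s in summarize(lines).items()
        if s["connections"] >= min_connections
    ]
    ranked.sort(key=lambda r: (-r["connections"], -r["queued"], r["ip"]))
    return ranked


if __name__ == "__main__":
    for r in suspects(SAMPLE_LOG.splitlines()):
        where = "LAN" if r["internal"] else "outside"
        print(f'{r["ip"]:<16} {where:<8} connections={r["connections"]} '
              f'queued={r["queued"]} rdns={sorted(r["rdns"])}')
```

To run it over a real log, feed `suspects(open("/var/log/qpsmtpd/current").read().splitlines())` (assumed path), and include the rotated files in the same directory if the incident is a few days old. A LAN address at the top of the ranking with a high queued count is the machine to pull off the network.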

Offline CharlieBrady

Re: Host Spam
« Reply #4 on: September 22, 2011, 04:42:19 PM »
Guys, how do I investigate which user is the root cause or the host of the spam messages?

Google can find you lots of information about studying Received headers in mail messages to identify origin.

http://lmgtfy.com/?q=Received+headers+spam+origin

The qpsmtpd log file is also a good place to look, especially if you don't have a copy of any of the spam messages.
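A worked example of the Received-header reading CharlieBrady recommends, added here for this thread and not code from SME Server or from any poster. The message is constructed: the header our own server stamps follows the qpsmtpd "from unknown (HELO name) (ip)" shape, which is an assumption to check against your own server's headers, and TRUSTED_BY, LAN_NETS and every hostname and address are made up for the illustration. The point a practitioner needs is the trust boundary: the origin is the "from" side of the lowest Received header written by a server you control; every header beneath it was supplied by the sender and may be forged.

```python
"""Find where a spam came from by walking its Received: headers.

Added example for this thread, not code from SME Server or from any poster.
SAMPLE_SPAM is constructed; the qpsmtpd header shape, TRUSTED_BY and
LAN_NETS are assumptions about the site.
"""
import email
import ipaddress
import re

# Assumed site details: the hostname our own server writes into "by", and
# the LAN ranges that mean "one of our workstations".
TRUSTED_BY = {"mail.example.com"}
LAN_NETS = [ipaddress.ip_network(n) for n in ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")]

# Constructed sample: a LAN PC handed the message to our server, which relayed
# it to the victim's MX. Newest hop is on top; the bottom header is a forgery
# the sender put there to point the finger elsewhere.
SAMPLE_SPAM = """\
Received: from mail.example.com (mail.example.com [203.0.113.10])
\tby mx.victim.example (Postfix) with ESMTP id 4F3A2
\tfor <admin@victim.example>; Thu, 22 Sep 2011 03:41:10 +0000
Received: from unknown (HELO pc-sales-07) (192.168.1.57)
\tby mail.example.com (qpsmtpd/0.84) with ESMTP; Thu, 22 Sep 2011 03:41:09 +0000
Received: from forged.example.org (10.9.8.7)
\tby pc-sales-07 (bogus); Thu, 22 Sep 2011 03:41:00 +0000
From: "Lottery Dept" <winner@example.net>
To: admin@victim.example
Subject: You have won

Claim your prize.
"""

IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
HELO_RE = re.compile(r"\(HELO\s+([^\s)]+)\)", re.IGNORECASE)


def parse_received(raw_message):
    """One dict per Received: header, newest first (the order they appear in)."""
    msg = email.message_from_string(raw_message)
    hops = []
    for header in msg.get_all("Received", []):
        text = " ".join(header.split())            # unfold continuation lines
        from_part, _, rest = text.partition(" by ")
        ip = IPV4_RE.search(from_part)
        helo = HELO_RE.search(from_part)
        hops.append({
            "from_ip": ip.group(1) if ip else None,
            "helo": helo.group(1) if helo else None,
            "by": rest.split()[0] if rest else None,
        })
    return hops


def trace_origin(raw_message, trusted_by=TRUSTED_BY):
    """Origin = the 'from' side of the LOWEST hop stamped by a server we trust.
    Headers beneath that hop were written by the sender and are reported
    separately so nobody chases a forged address."""
    hops = parse_received(raw_message)
    origin_idx = None
    for i, hop in enumerate(hops):
        if hop["by"] in trusted_by:
            origin_idx = i          # keep going: we want the lowest trusted hop
    if origin_idx is None:
        return {"origin_ip": None, "helo": None, "internal": False, "untrusted_hops": hops}
    origin = hops[origin_idx]
    ip = origin["from_ip"]
    internal = ip is not None and any(ipaddress.ip_address(ip) in n for n in LAN_NETS)
    return {"origin_ip": ip, "helo": origin["helo"], "internal": internal,
            "untrusted_hops": hops[origin_idx + 1:]}


if __name__ == "__main__":
    result = trace_origin(SAMPLE_SPAM)
    print(f'origin {result["origin_ip"]} helo={result["helo"]} internal={result["internal"]}')
    for hop in result["untrusted_hops"]:
        print(f'  ignored untrusted hop claiming from {hop["from_ip"]} by {hop["by"]}')
```

On the sample this reports 192.168.1.57 announcing itself as pc-sales-07, and ignores the forged 10.9.8.7 line underneath. Run it on a saved copy of a real spam (the full source with headers, not the rendered view) with TRUSTED_BY set to whatever your SME server writes after "by".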

Offline [m364n0]

Re: Host Spam
« Reply #5 on: September 23, 2011, 03:14:17 AM »
Thanks guys I really appreciate your reply...

My problem now is that the log files for the date on which we encountered roughly 300k spam messages have already been erased, and I don't have supporting documents to make an Incident Report to our MIS Manager; that's why I am now under so much pressure....

I have data recovery software here called testdisk, but I'm afraid to use that software on our mail server because our mail server has RAID and I would not take the risk...

Offline CharlieBrady

Re: Host Spam
« Reply #6 on: September 23, 2011, 04:53:36 AM »
I have data recovery software here called testdisk ...

It's very unlikely you would recover any already erased log files. The disk sectors are re-used.

If you have any of the spam email messages you can trace where they came from. If you don't, then you can't. If the problem has passed, it has passed.

Offline [m364n0]

Re: Host Spam
« Reply #7 on: September 23, 2011, 05:24:34 AM »
The spam messages were located in the Admin inbox. I emptied the inbox and the trash as well. I thought that would end my responsibilities, but when my boss asked me to investigate the root cause of that incident so that we can prevent it from coming back, I started scratching my head  :-?

Offline cactus

  • http://www.snetram.nl
Re: Host Spam
« Reply #8 on: September 23, 2011, 11:20:23 AM »
The spam messages were located in the Admin inbox. I emptied the inbox and the trash as well
If you make backups it might be in there; if not, you are unlikely to ever find out, as Charlie already stated.
Be careful whose advice you buy, but be patient with those who supply it. Advice is a form of nostalgia, dispensing it is a way of fishing the past from the disposal, wiping it off, painting over the ugly parts and recycling it for more than its worth ~ Baz Luhrmann - Everybody's Free (To Wear Sunscreen)

Offline CharlieBrady

Re: Host Spam
« Reply #9 on: September 23, 2011, 04:07:32 PM »
The spam messages were located in the Admin inbox. I emptied the inbox and the trash as well. I thought that would end my responsibilities, but when my boss asked me to investigate the root cause of that incident so that we can prevent it from coming back, I started scratching my head  :-?

The root cause is likely to be use of an insecure operating system (e.g. Windows) and insecure applications (e.g. IE and Outlook) on a workstation. But without evidence, you will never know.

Offline piran

Re: Host Spam
« Reply #10 on: September 23, 2011, 04:45:34 PM »
Your boss has the right idea. So, after polishing up your crystal ball, install http://wiki.contribs.org/Sme7admin and configure the emails outgoing setting to something appropriate for your normal traffic. When the spammers hit you again (and they will, as you haven't fixed it), your server will then warn you of higher than normal traffic...