I help manage a small network of about 40 computers. We are running an Exchange 2003 mail server.
What is the best way to find which machine is infected by a spambot? I've tried installing anti-virus and anti-malware programs on each computer. After scanning the computers I did find a few that had lots of malicious programs and thought that our problem was solved. However our domain keeps getting blocked by DNS Blacklists and I have to remove them daily for our clients to receive our e-mail.
Note: We are being attacked by Directory Harvest and Backscatter tactics.
Edit: Our e-mail server doubles as a DNS server. Could this possibly open up vulnerabilities for spam attacks?
First, you need to stop the spam.
a- set your firewall to not allow outbound SMTP/POP except from the email server.
b- set your mail server to not allow outbound relay.
Then, you need to find the problem machine(s).
1- Look at the firewall logs to see which machine(s) are actually trying to do outbound mail and getting blocked. Those machines are infected.
2- Make sure each machine has current A/V, and do a thorough scan on each machine.
3- You may want to implement the Windows Firewall on each machine.
4- If still not found you will need to use a sniffer.
Note: I don't think that DNS and email on the same server is an issue.
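The two-step procedure in this answer (block outbound SMTP for everything but the mail server, then read the firewall's drop log to see who keeps trying) as an added, runnable example; this is not code from the answer above. It assumes a Linux perimeter firewall using iptables (the answer does not name a firewall product), an Exchange server at 192.168.1.5, LAN interface eth1 and WAN interface eth0, and the log lines are constructed samples in the standard iptables LOG target format, not real captures.

```python
import re
from collections import Counter, defaultdict

# Assumed addressing for the example (not from the original post).
MAIL_SERVER_IP = "192.168.1.5"


def egress_rules(mail_server_ip, ports=(25,), lan_if="eth1", wan_if="eth0"):
    """Return the iptables commands that implement 'only the mail server may
    speak SMTP to the outside': accept the mail server, log every other NEW
    connection attempt with a recognisable prefix, then drop it.

    Assumes a Linux iptables perimeter firewall forwarding between lan_if and
    wan_if. The commands are returned as strings so they can be reviewed
    before being applied.
    """
    rules = []
    for port in ports:
        rules += [
            f"iptables -A FORWARD -i {lan_if} -o {wan_if} -p tcp --dport {port} "
            f"-s {mail_server_ip} -j ACCEPT",
            f"iptables -A FORWARD -i {lan_if} -o {wan_if} -p tcp --dport {port} "
            f"-m conntrack --ctstate NEW -j LOG --log-prefix \"SMTP-OUT-DROP: \"",
            f"iptables -A FORWARD -i {lan_if} -o {wan_if} -p tcp --dport {port} -j DROP",
        ]
    return rules


# Fields we need from an iptables LOG line: source, destination, protocol, dest port.
FIELD_RE = re.compile(
    r"SRC=(?P<src>[\d.]+)\s+DST=(?P<dst>[\d.]+).*?\bPROTO=(?P<proto>\w+).*?\bDPT=(?P<dport>\d+)"
)


def find_spambot_candidates(log_text, mail_server_ip, ports=(25,)):
    """Parse firewall LOG lines and rank internal hosts by how often they tried
    to open outbound TCP connections to the mail ports.

    Returns a list of (source_ip, attempt_count, distinct_destinations), most
    active first. The mail server itself is excluded because it is the one
    host that is supposed to do this. A host contacting many distinct
    destinations is a stronger spambot signal than one retrying a single MX.
    """
    attempts = Counter()
    destinations = defaultdict(set)
    for line in log_text.splitlines():
        m = FIELD_RE.search(line)
        if not m:
            continue  # not a packet-log line (or not one we understand)
        if m["proto"] != "TCP" or int(m["dport"]) not in ports:
            continue  # drops for other services are not our concern here
        src = m["src"]
        if src == mail_server_ip:
            continue
        attempts[src] += 1
        destinations[src].add(m["dst"])
    return [(src, n, len(destinations[src])) for src, n in attempts.most_common()]


# Constructed sample log (syslog lines as the iptables LOG target writes them).
# 192.168.1.37 fans out to several MXs, 192.168.1.12 makes one attempt, and the
# mail server appears once, as it would on a firewall that logs all SMTP rather
# than only drops; the port-80 line shows unrelated drops being ignored.
SAMPLE_LOG = """\
Jun 12 10:15:01 fw kernel: SMTP-OUT-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.37 DST=203.0.113.25 LEN=60 TTL=127 PROTO=TCP SPT=49152 DPT=25 SYN URGP=0
Jun 12 10:15:02 fw kernel: SMTP-OUT-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.37 DST=198.51.100.9 LEN=60 TTL=127 PROTO=TCP SPT=49153 DPT=25 SYN URGP=0
Jun 12 10:15:02 fw kernel: SMTP-OUT-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.37 DST=203.0.113.77 LEN=60 TTL=127 PROTO=TCP SPT=49154 DPT=25 SYN URGP=0
Jun 12 10:15:03 fw kernel: SMTP-OUT-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.12 DST=203.0.113.25 LEN=60 TTL=127 PROTO=TCP SPT=51000 DPT=25 SYN URGP=0
Jun 12 10:15:04 fw kernel: SMTP-OUT-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.37 DST=203.0.113.25 LEN=60 TTL=127 PROTO=TCP SPT=49155 DPT=25 SYN URGP=0
Jun 12 10:15:05 fw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.5 DST=203.0.113.25 LEN=60 TTL=127 PROTO=TCP SPT=40000 DPT=25 SYN URGP=0
Jun 12 10:15:06 fw kernel: OTHER-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.12 DST=203.0.113.25 LEN=60 TTL=127 PROTO=TCP SPT=51001 DPT=80 SYN URGP=0
"""


if __name__ == "__main__":
    print("# Egress rules to apply on the firewall:")
    for rule in egress_rules(MAIL_SERVER_IP):
        print(rule)
    print("\n# Hosts attempting outbound SMTP (source, attempts, distinct destinations):")
    for src, n, ndst in find_spambot_candidates(SAMPLE_LOG, MAIL_SERVER_IP):
        print(f"{src}\t{n}\t{ndst}")
```

On a real firewall you would feed `/var/log/kern.log` (or wherever the LOG target lands) into `find_spambot_candidates` instead of the constructed sample; the ranking by attempt count and by number of distinct destinations points you at the machine to pull off the network first.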
The problem could be that your Exchange server is allowing RELAY. Make sure that setting is turned off or set only the IPs which are allowed to relay via that server. Your network design should only allow the Exchange server to send traffic out of your network via port 25.
Most spambots use port 25. Once you have it set up like that, if any other machine tries to send via port 25 it will show up in the firewall logs.
Good Luck!
If you have a firewall, a simple solution is to block all outbound port 25 traffic except for your Exchange server. Individual machines are likely trying to send spam on their own. Once you've put the block in place, check the firewall logs to see which IP is trying, and failing, to hit port 25 outbound.
Where is your data stored? Is the hardware mostly identical? It might be easiest to reimage the lot of them.
I have used a program called Showtraf before now which monitors traffic on the network. We had a similar problem before and it showed the IP that was sending out vast amounts of data on port 25.
Available here - http://demosten.com/showtraf/