Find out out how easily detect and stop a hidden spammer. These methods will protect you and your company from spam and will keep you from getting flagged as a spammer.

1. HOW TO FIND A
HIDDEN SPAMMER
By Andrew Brandt
Solera Networks

2. HOW IT STARTS
The typical spam campaign starts
with a social engineering hook,
which attempts to convince the
reader to click a link in the
message body.

3. SAY HELLO TO MALWARE
These links can lead to pages
hosting malware .EXE files inside
of .ZIP folders.
They can also use browser exploits
to force and install on the
victims computer.

4. THESE ARE STEPPING STONES
These specialized Trojans retrieve
instructions from a command-and-
control server that include the
body of the spam message, and a
list of mail servers and victim
email addresses to which the
Trojan sends the messages.

5. HOW THEY WORK
These Trojans retrieve instructions
from a server that include the
body of the spam message, and a
list of mail servers and victim
email addresses to which the
Trojan sends the messages.

6. THE GOOD NEWS / THE BAD NEWS
GOOD NEWS
Easy to identify and segregate the
offending machines.
BAD NEWS
Thousands more people could end
up receiving malicious messages
— which might result in your own
network ending up on a spam
blacklist

7. USING THE RIGHT TOOLS
Using Solera's DeepSee, it detected that in just
20 seconds the Trojan dispatched 181 identical
messages.

8. USING DEEPSEE
Using DeepSee, you can take note of the
IP address(es) of your usual mail
servers, then create a Favorite with
queries.
ipv4_address!=your_mail_server
application_id=SMTP
That will bring to the fore all non-
mailservers that are sending email using
the SMTP protocol.

9. SETTING UP ALERTS
Once you’ve created that Favorite, you
can set up alerts to watch for traffic
matching the rule. Typical malicious
behavior might involve a large volume of
mail being sent by machines meeting
these criteria in a short period of time.
The most obvious standouts will be
sending messages at odd hours, such as
when nobody should be at work
(holidays/weekends).

10. CATCHING THE SLOWER ONES
Look at the traffic generated
by a much more low-key
spam relay Trojan. The
Trojan responsible sent
these Canadian pharmacy,
knockoff watch, and “dating
site” spams, transmitted at
a much slower rate of about
two messages per minute.
While the volume may keep
the messages under the
radar, you might consider
setting up alerts looking for
the subject matter of the
messages.

11. CATCHING THE SLOWER ONES
Detect and extract the
command-and-control
traffic between the infected
host and its botnet HQ.
Spam relay Trojans must
receive instructions, or they
can’t do their job. Check
out this extraction of traffic
generated by just such a
Trojan.

12. CATCHING THE SLOWER ONES
The CnC traffic is made
even more obvious by its
inclusion of a second,
extraneous port number"
(Hint: Search for
http_uri~:8080:80 in the
Path Bar.)

13. MORE DISCOVERIES
Once you find the CnC traffic, extraction
can lead to more discoveries, but in this
case, the traffic seems to be unreadable.

14. IS IT REALLY UNREADABLE?
Well, unreadable but not indecipherable. A little bit-
shifting of the binary data in this artifact reveals the
true contents of the CnC message. The first set of
CnC exchanges usually include all the instructions
the bot needs, such as…

15. HOW TO DECODE
…the message body of the spam it will send…

16. HOW TO DECODE
…the link to the site hosting the malicious code,
which will be embedded in the message…

17. HOW TO DECODE
…and, to my utterly astonished amusement, a list of
CnC server IP addresses the botmaster will use to
control the Trojan.

18. THE LAST EXERCISE
This last one really makes the whole exercise
worthwhile:
The bot itself downloads these IPs every time it
checks in with the CnC server. In essence, it’s
keeping us updated with a list of who the bot can
talk to.

19. Read the full article here