Are You Becoming a Spammer?
October 27th, 2008 | by Andraz Piletic

In my previous post, I wrote about the importance of monitoring trends in your network. Now it's time to show you the first in a series of interesting examples that the NIL Monitor group has come across in recent weeks.
Memory usage on routers is normally very stable. The other day, an alarm drew my attention to a customer's small SOHO router, where the RAM graph showed obvious instability. On top of the memory issue, the CPU graph revealed that something unusual was clearly going on.

Increasing CPU consumption overnight and high process usage in the morning clearly indicate unusual behavior at the customer's remote location.
Users at the remote location didn't report any serious inconvenience while working with servers at headquarters. There was some traffic present, but too little to raise suspicions about peer-to-peer applications. I logged into the router, and the command line was slower than usual for devices in that part of the network. The show ip nat translations printout revealed that more than 2,000 different network address translations were present. All of them had different outside global IP addresses and destination port 25, and all of them belonged to a single client PC on the local LAN. I resolved the memory and CPU consumption issues by blocking all these connections, since the user had no need for direct outgoing SMTP sessions. But let's take a closer look at what was really going on.
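The pattern above (one inside host, many distinct outside global addresses, all on port 25) can be picked out of a show ip nat translations printout automatically. The script below is an added example, not code from the original post or from NIL Monitor; the sample printout and the threshold of five distinct SMTP destinations are constructed assumptions.

```python
"""Flag LAN hosts that fan out to many mail servers in `show ip nat translations`."""
from collections import defaultdict
import re

# Constructed sample of Cisco IOS `show ip nat translations` output (not from the post).
SAMPLE_OUTPUT = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 203.0.113.5:1025   192.168.1.20:1025  198.51.100.7:25    198.51.100.7:25
tcp 203.0.113.5:1026   192.168.1.20:1026  198.51.100.9:25    198.51.100.9:25
tcp 203.0.113.5:1027   192.168.1.20:1027  192.0.2.33:25      192.0.2.33:25
tcp 203.0.113.5:1028   192.168.1.20:1028  192.0.2.34:25      192.0.2.34:25
tcp 203.0.113.5:1029   192.168.1.20:1029  192.0.2.35:25      192.0.2.35:25
tcp 203.0.113.5:1030   192.168.1.30:1030  198.51.100.7:25    198.51.100.7:25
tcp 203.0.113.5:1031   192.168.1.30:1031  198.51.100.7:25    198.51.100.7:25
tcp 203.0.113.5:1032   192.168.1.40:1032  192.0.2.80:80      192.0.2.80:80
udp 203.0.113.5:5060   192.168.1.50:5060  192.0.2.90:5060    192.0.2.90:5060
"""

# Pro, Inside global, Inside local, Outside local, Outside global (each may be "---").
LINE_RE = re.compile(r"^(tcp|udp|icmp)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$", re.I)


def parse_translations(text):
    """Yield (proto, inside_local_ip, outside_global_ip, outside_global_port) per entry."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header line, static "---" entries, blank lines
        proto, _in_g, in_l, _out_l, out_g = m.groups()
        in_ip = in_l.rsplit(":", 1)[0]
        out_ip, _, out_port = out_g.rpartition(":")
        if not out_port.isdigit():
            continue  # entry without a port; not a per-connection translation
        yield proto.lower(), in_ip, out_ip, int(out_port)


def smtp_fanout(text, port=25):
    """Map each inside host to the set of distinct outside mail servers it reaches."""
    fanout = defaultdict(set)
    for proto, in_ip, out_ip, out_port in parse_translations(text):
        if proto == "tcp" and out_port == port:
            fanout[in_ip].add(out_ip)
    return fanout


def suspected_spammers(text, threshold=5):
    """Inside hosts with at least `threshold` distinct SMTP destinations (assumed cutoff:
    a normal client talks to one or two mail servers, a spam bot to hundreds)."""
    return sorted(ip for ip, dsts in smtp_fanout(text).items() if len(dsts) >= threshold)


if __name__ == "__main__":
    for ip in suspected_spammers(SAMPLE_OUTPUT):
        print(f"{ip}: {len(smtp_fanout(SAMPLE_OUTPUT)[ip])} distinct SMTP destinations")
```

On a real router you would paste the full printout in place of SAMPLE_OUTPUT; the host that the post describes would show up with well over 2,000 distinct destinations.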
An infected PC on the local LAN was making thousands of connection attempts to different mail servers around the world. The only explanation that came to my mind was spam. I surfed over to SenderBase, which is a great resource for checking online reputations. It gathers data from IronPort appliances all around the world, making it my preferred source of reputation information. An inquiry about the public IP address of the remote SOHO site revealed that the whole world was seeing the company's IP as one of the sources of worldwide spam.
Using IronPort would definitely protect you against receiving such spam messages, and the chances of your PCs being infected would be greatly reduced. A complementary monitoring service such as NIL Monitor can make sure that you really do have your network under control. Getting your company's public IPs blacklisted is one of the last things an engineer wishes for, isn't it?
