Introduction

If a device behind your public IP address is sending spam, then potentially there are two outcomes that can happen.

1. You get a letter from Virgin Media stating that spam has been seen coming from your IP address.
2. Your public IP address ends up listed on an SBL most notably the CSS but possibly others.

The problem is:

1. Spambots can exist on ANY internet capable device, not just PC's
2. Malware makers are getting clever at hiding their programs from antivirus/anti malware software.

What they can't do is hide their traffic though.

This post looks at a way of identifying devices hosting spambots by sniffing network traffic. using the free packet sniffing tool Wireshark and a Windows 10 computer.  When I was looking at this technique, I wanted to be able to use what was already in the home with minimal to no outlay on additional hardware.

How you end up on an SBL

It's important to understand how you end up on an SBL.

When you send email normally this is the normal path:

1. You compose an email to an email program.
2. The mail is sent to your email providers outbound SMTP server - NORMALLY over port 587 or 465 with encryption.
3. Your email provider sends to the recipient domains inbound server ALWAYS over port 25 (encrypted and unencrypted)
4. The recipients email provider delivers the mail to their inbox.

This is a slimmed down version of what happens, but sums up the critical parts of the relay.

Normally stage 2 is protected by some means of authentication while stage 3 can't be.

Spambots attempt to go straight to step 3 - delivering the mail directly from your IP address to a domains inbound server over port 25.  This traffic CANNOT be sent to any other port, and under normal circumstances SHOULD not be seen coming from a residential address.

So why doesn't Virgin Media block port 25

While most outbound traffic uses ports 587 and 465 encrypted, some email providers are still living in the dark ages for example if one looks at PlusNet's email settings pages they currently have Port 587 (recommended) or 25 unencrypted for outgoing mail

https://www.plus.net/help/email-guides/how-to-set-up-plusnet-email/

Other providers still use port 25 unencrypted, and while Virgin Media's recommended settings no longer use the legacy servers on port 25, there are still people who use old (pre 2010) settings.

All these people would be adversely affected by such a change, although all users should check to see that they are all using the latest settings for their email provider IMHO.

Detecting Spambot traffic

Even if the user is using port 25 to send mail.  It is still possible to detect spambot traffic on the network.

• Spambot traffic will ALWAYS use port 25 TCP
• Spambot traffic will be visible at times when you are not using a mail client to send mail.
• No other protocol legitimately uses Port 25 TCP

Thus if we sniff for network traffic on port 25 we should be able to find the culprit device.

The testing plan.

1. Install Wireshark on a Windows 10 PC, preferably with both a wireless and an ethernet connection.
2. Test the PC for signs of sending packets using port 25 TCP  by sniffing the network adaper connected to the internet.
3. Enable Wifi Hotspot
4. Sniff for packets using port 25 TCP on the virtual wifi adapter that the hotspot uses

The above enables us to test wifi enabled devices.  However if we still do not see traffic then it may be necessary to test ethernet connected devices by connecting the PC to the router via wireless and then setting up a network bridge, allowing us to connect ethernet only devices to router THROUGH the PC's ethernet port.

I should stress that the idea behind the process, is that before continuing - we MUST eliminate the PC to begin with.  THEN move on to test other devices via the PC.  It's not a good idea to short circuit the testing plan.

Before you begin you should also enable telnet in order to test you can see the port 25 traffic when you have set up Wireshark while not absolutely necessary, it is all to easy to monitor the wrong network adapter, testing using telnet can give us confidence that everything is working properly.

Advice on installing Telnet can be found here:

https://www.technipages.com/windows-10-enable-telnet

Stage 1 - Install Wireshark

Wireshark can be downloaded from here:

https://www.wireshark.org/

When installing you'll be asked to install NpCap and WinUSBcap - the former is used for any integrated wifi or ethernet devices, whilst the latter is used if you have things like USB wifi adapters.

Needless to say.

• Always install NpCap
• Only install WinUSB cap if you are using USB wifi or ethernet devices.

Stage 2 - Test for packets on the PC

1. Open Wireshark.  You'll be greeted with something similar to the following screen:
   
   Most people will find they are connected via Wifi or Ethernet connections.  You should be able to see traffic on the currently connected adapter, in this case I am using the Wifi adapter.
   
   
2. Highlight the adapter with a single click and then type the following into the capture filter box
   tcp port 25  The wireshark screen will now appear as below - note how the filter box is green.
   
3. Press return and the packet capture will start.
   
   Note how the title bar shows both the interface you are capturing on and the capture filter.  Currently there are no packets captured.
   
   Lets test to make sure it's working.
4. Enter telnet smtp.blueyonder.co.uk 25 into the windows search bar and press enter, provided you installed telnet earlier you should see the window open as below:
   
   If you look at the wireshark trace you'll see something similar to this.:
   
   This shows that the capture is working.  So now we can stop the capture by clicking the stop icon in the top left and then restart it by clicking the blue fin.  You'll see a message warning that the existing capture will be lost.  Select Continue without saving.
5. Leave the capture running for a few hours.  If there are no packets captured then we can move on to testing the rest of the network.  If packets are captured, then you've found the infected device and need to disinfect it.

Stage 3 - turn on Wifi Hostpot and identify hotspot interface.

Windows 10 supports a wireless hotspot feature which allows you to connect up to 8 wireless devices to your PC and it will work in a similar way to you current NAT router.  While this means that devices you connect will be double NAT'ed, for the purposes of outgoing connections this will not be an issue.

1.  Type hotspot into the windows search bar and select Mobile Hotspot
2. Select share my Internet connection over Wifi
3. Turn the wifi hotspot on.  You'll see the password visible on the settings screen.  As well as the network name.  Make a note of both.
4. Type control panel into the search bar and press enter.
5. Type view network into the control panel search
   
   Click view network connections.
6. You'll see the following screen note the adapter with the Hotspot name in this case is Local Area Connection*5
   
7. This is the adapter we will use next. Open up wireshark and select the relevant connection and type in the same capture filter tcp port 25
   
   
8. Connect any and all wireless devices to the wireless hotspot.  Remember that the hotspot will only let you test up to 8 devices at a time.  Now leave wireshark listening.
9. If packets are captured we'll see them appear on the trace.  Note that the following was set up for the purposes of this post, but normally such packets would be malicious.
   
10. The address we are interested in is the local address - in this case 192.168.137.213 this is where the traffic is being sent from.  So this is the device we would need to investigate/reset 

Note that the above can be adapted for Ethernet devices.  In such circumstances we could connect the PC to the internet via Wifi and then bridge the ethernet and wifi connections:

https://www.windowscentral.com/how-set-and-manage-network-bridge-connection-windows-10

We would then connect any ethernet only devices to the PC and it would actually get a DHCP address from your router and connect to the internet via the bridge.  This would enable us to sniff the ethernet connection to look for signs of spam activity.  Please read the warning about the device running the bridge losing internet connectivity and how to fix this.

Findings so far.

Currently we've found a PC transmitting spam that otherwise shows no signs of malware infection.  We've also found a modified Amazon Firestick doing the same.

It should be stressed that what we see is signs of the malware connecting to different mail servers and trying to send messages.  There are also other signs in the traffic as well, but I don't want to go into that on a public Forum.

Finally

Be aware that if you are on the CSS or receive a letter and you do nothing then you are at risk.

If you have a spambot on your network, you may have other malware that could capture passwords or other data.

If you need any help please start a thread either here in Security or the Email section and we'll try and help further.