iMac sending out SMTP and not a SMTP server...
Fresh-Faced Recruit
Join Date: May 2007
Hello All!
This is my first post here to the forum and I got a pretty odd problem.
I currently work at a school district, and our ISP monitors our traffic. Yesterday they contacted us reporting that there is a machine on our network sending out SPAM through SMTP. We used our filter to track down the machine, and it was traced back to an iMac.
The iMac was connected via the AirPort to a Cisco Wireless Access Point and had minimal permissions on the account the students use. I have run Trend Micro's free anti-virus scan and also MacScan 2.0 with nothing being found. I am pretty new to Macs, so I do not know where else to check on this machine. It is Version 10.4.9 with all the latest updates and has the Intel Core 2 Duo processor.
I am lost as to where to check next and any help would be appreciated.
Thanks Everyone!
Dr. Williams 
Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
OS X has sendmail built-in. I'm not sure how it's disabled, however.
"The natural progress of things is for liberty to yield and government to gain ground." TJ
Clinically Insane
Join Date: Mar 2001
Location: yes
If spam was sent from this machine, it would have been sent via Unix Postfix (not Sendmail, although Postfix is very similar to Sendmail). Postfix can either be running constantly or simply be set to send mail on demand.
In the terminal, try doing the following:
mail -s "test email" you@youremailaddress.com
Enter some text and then enter a "." on a line of its own. This will send a test message via Postfix to the provided email address (in this case, yours). If you get this email, that machine is set up to send mail via the included mail transport agent.
Another possibility is that some application is running its own mail process. To view all active processes on this machine, either do a:
ps -aux
or take a look at the process listing in Activity Monitor. If you see any applications that should not be running, let us know (not all running applications appear in the Dock).
Another way that this could have been executed is if the machine itself was compromised by a remote intruder. This may not be possible depending on your network setup, but it is possible that somebody inside your network may have done this.
To get a list of all network services that are open right now, in the terminal do a:
netstat -a
and take a look at the list under "Active Internet connections". Mind you, netstat does not provide historical information, but you can use this tool to get a sense as to whether the computer is currently vulnerable.
Depending on the nature of the compromise, if applicable to you, there may be activity logged that could be used to trace back to the original source.
I know I've given you a lot of information here, but hopefully some of it will be of use to you.
Clinically Insane
Join Date: Mar 2001
Location: yes
Also, to test whether the machine is currently an SMTP server accepting remote connections, in your terminal try this:
telnet localhost 25
If you get a response, an SMTP server is running (the built-in one is Postfix). However, it is possible that if an SMTP server is running, it would be running on an alternate port other than the default 25, but...
This is all assuming that your network is set up to accept connections from the outside world. If it isn't, and this attack was a remote exploit of some sort, it would have occurred within your LAN.
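The netstat, ps and telnet checks in the two posts above, bundled into one read-only triage script. This is an added example, not code from the thread or from any poster: the function names (smtp_listeners, outbound_smtp, mta_processes, live_report) are my own, and the netstat and ps samples embedded below are constructed so the script runs offline; the addresses are written host.port as BSD/macOS netstat prints them, and the port parser also accepts the Linux host:port form. Run it with --live to apply the same filters to the real commands on the suspect machine.

```sh
#!/bin/sh
# Added example (not from the thread): triage helper for a Mac suspected of
# sending spam. It looks for a local SMTP listener, for outbound SMTP sessions
# (what a spamming workstation actually produces) and for mail-agent processes.

# Constructed `netstat -an` output in BSD/macOS format: one local SMTP
# listener, one outbound session to a remote port 25, one unrelated SSH listener.
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  127.0.0.1.25           *.*                    LISTEN
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  192.168.1.20.49152     198.51.100.7.25        ESTABLISHED'

# Constructed `ps aux` output: the stock Postfix master process plus a
# hypothetical sender running from an unusual location (path is made up).
SAMPLE_PS='USER       PID %CPU %MEM   VSZ  RSS  TT  STAT STARTED    TIME COMMAND
root        45  0.0  0.1  2232  440  ??  Ss   9:01AM 0:00.01 /usr/libexec/postfix/master
student   1203  0.4  0.5  9120 2900  ??  S    9:05AM 0:03.22 /Users/Shared/.cache/smtp-sender -d
_www       300  0.0  0.1  1100  300  ??  S    9:01AM 0:00.00 /usr/sbin/httpd'

# Print local addresses in LISTEN state on an SMTP port (25, 465, 587).
# Reads netstat output on stdin. The last dot- or colon-separated part of the
# address is the port, so both host.port and host:port formats work.
smtp_listeners() {
  awk '$NF == "LISTEN" {
         n = split($4, a, /[.:]/); port = a[n]
         if (port == 25 || port == 465 || port == 587) print $4
       }'
}

# Print foreign addresses of ESTABLISHED connections to a remote SMTP port.
# A machine that is spamming directly shows many of these at once.
outbound_smtp() {
  awk '$NF == "ESTABLISHED" {
         n = split($5, a, /[.:]/); port = a[n]
         if (port == 25 || port == 465 || port == 587) print $5
       }'
}

# Print "PID COMMAND" for processes whose line mentions a mail agent.
# Reads `ps aux` output on stdin; field 11 is the command in that format.
mta_processes() {
  awk 'NR > 1 && tolower($0) ~ /postfix|sendmail|smtp/ { print $2, $11 }'
}

# Apply the same filters to the live system (macOS or Linux).
live_report() {
  echo "== SMTP listeners ==";      netstat -an 2>/dev/null | smtp_listeners
  echo "== outbound SMTP ==";       netstat -an 2>/dev/null | outbound_smtp
  echo "== mail-related procs =="; ps aux 2>/dev/null | mta_processes
}

if [ "${1:-}" = "--live" ]; then
  live_report
else
  # Offline demonstration on the constructed samples.
  printf '%s\n' "$SAMPLE_NETSTAT" | smtp_listeners
  printf '%s\n' "$SAMPLE_NETSTAT" | outbound_smtp
  printf '%s\n' "$SAMPLE_PS"      | mta_processes
fi
```

As the second post notes, netstat only shows the current state, so an empty listener list does not clear the machine; the outbound list is the more useful signal while spam is actually leaving, and any process printed by mta_processes that is not the Postfix master under /usr/libexec/postfix deserves a closer look.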
Fresh-Faced Recruit
Join Date: May 2007
Thanks for the responses. I will give these tests a shot and see what happens.
thanks,
drwilliams
Mac Elite
Join Date: Sep 2006
Don't waste your time with virus scans, that isn't the problem. There are no viruses that afflict Macs (for now!). Your situation is a human "virus" and in all probability was done in-house, not a remote attack. The tests that besson3c recommends are great, you are simply trying to see what program is running and what port it is using to send the spam. Let us know what you find, it is a very unusual event. Did your ISP tell you what sort of spam it was?