So you have a server that is sending out spam. First thing you should do, is make sure you have IIS website logging enabled. If you don’t have logging enabled it’s going to be extremely hard to figure out who did what.
- Lets hope you have IIS website logging enabled first thing you will need to do is view the headers of the spam message and get the date and time stamp. Notice the date and time stamp is in UTC. You will likely notice the SMTP server also is -X:00 hours. Where X is the time zone you live in, for example if you live in AZ it will be -7:00.
- Take the time stamp and find any IIS log entries that are around that time frame. Lets say the time you found in the email was 2012-11-13 23:26:00. You could very easily search the logs for 2012-11-13 23:2.
- Spammers who use websites to spam are fairly obvious. You can usually figure out who is spamming by looking for POST commands instead of GET commands. If you are logging all aspects including time taken you can also use the time taken information to better match. The time taken is in milliseconds which means if you see 3000 it is really 3 seconds. So if your log time stamp shows 2012-11-13 23:29:00, take 3 seconds off and you may have the abusive script.
Just a few notes you should know about:
- Hackers use exploits in open sourced software to gain access into perfectly innocent websites.
- Remember IIS logs as well as headers show UTC time stamps.
- They make unix command line tools that work on windows, like grep.exe, gawk.exe, sed.exe, cat.exe, sort.exe, uniq.exe, tail.exe, and many more.