Greetings,
I have an issue regarding a Macintosh running OS X sending tremendous amounts of SMTP email.
This issue is believed to be viral. (Please read this entire post before you comment on this statement.)
Facts:
I come in to work to find our Exchange servers being blacklisted by CBL, SpamCop, Ironport, etc.
After inspection I find that a computer within my network is sending SMTP traffic
I begin sniffing packets and investigating, and all fingers point to a statically-assigned iMac.
This mac has been on the network for an extended period of time.
This mac was here before I ever started, so I cannot say for certain what all configuration has been done.
According to the CBL, "This is the Cutwail BOT"
Every bit of research I do on the Cutwail bot states very clearly this infects PCs, not Macs.
This Mac does not run Windows at all. Not in Parallels, Boot Camp, CrossOver or any of the other methods out there.
I am concerned that someone somewhere has malformed Cutwail and devised a method to get it running on Mac OS X without Wine or other emulation.
This speculation again comes from the fact that this Mac has been running happily on this network for over a year now, and is just now getting this problem.
The operator of this machine stated he has not installed any new software recently. Nor has this machine had any noteworthy changes made to it.
On the PC side of the business you could say I've got more than my fair share of experience.
However in the Mac world, I rate nothing more than a pup.
I know this OS runs a variant of 'nix, but without a shell to start checking things, I'm aptly helpless.
What steps can I take to troubleshoot this? What methods or tools exist that I am simply ignorant of? What is the IT standard for diagnosing Macs?
I've googled myself blue in the face and keep coming up with answers that aren't really helpful.
I have found a fair amount of tools, but as a support technician I certainly don't want to buy software that very likely will do me no good.
(On a side note, I did contact Apple for support, and they were far from helpful. They referred me to something called "TrueCrypt", stating that it was used for this sort of issue... It's not even closely related to this issue.)
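As a host-side check for the situation described above (an added example, not part of the original post): once packet sniffing singles out the Mac, running `lsof -nP -iTCP -sTCP:ESTABLISHED` in Terminal shows which process owns the outbound port-25 sessions. The script below parses constructed sample output of that command and flags any process that is not a known mail client yet holds SMTP sessions to several servers at once, the fan-out pattern a spam engine shows and a real mail client does not. The process names, addresses and the client allowlist are assumptions made for the example.

```python
"""Triage helper: find processes on a macOS host holding outbound SMTP
sessions, from the output of `lsof -nP -iTCP -sTCP:ESTABLISHED`.
The sample output below is constructed, not captured from the iMac."""
import re
from collections import defaultdict

SMTP_PORTS = {25, 465, 587}
# Mail clients a user would legitimately run (hypothetical allowlist);
# anything else talking SMTP to many hosts deserves a closer look.
KNOWN_MAIL_CLIENTS = {"Mail", "Thunderbird", "Entourage"}

# Columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME (constructed)
SAMPLE_LSOF = """\
COMMAND     PID  USER  FD  TYPE DEVICE SIZE/OFF NODE NAME
Mail        412  alice 23u IPv4 0x1a2b      0t0  TCP 192.168.1.50:51234->198.51.100.10:587 (ESTABLISHED)
unknown_svc 9001 alice 5u  IPv4 0x1a2c      0t0  TCP 192.168.1.50:51301->203.0.113.7:25 (ESTABLISHED)
unknown_svc 9001 alice 6u  IPv4 0x1a2d      0t0  TCP 192.168.1.50:51302->203.0.113.8:25 (ESTABLISHED)
unknown_svc 9001 alice 7u  IPv4 0x1a2e      0t0  TCP 192.168.1.50:51303->203.0.113.9:25 (ESTABLISHED)
Safari      530  alice 40u IPv4 0x1a2f      0t0  TCP 192.168.1.50:51400->192.0.2.20:443 (ESTABLISHED)
"""

# command, pid, then skip to the NAME column: local->remote:port
CONN_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+\S+.*?TCP\s+\S+->(?P<rhost>[\d.]+|\[[^\]]+\]):(?P<rport>\d+)"
)

def smtp_connections(lsof_text):
    """Return {(command, pid): set(remote hosts)} for sessions to SMTP ports."""
    conns = defaultdict(set)
    for line in lsof_text.splitlines()[1:]:  # skip the header row
        m = CONN_RE.match(line)
        if m and int(m.group("rport")) in SMTP_PORTS:
            conns[(m.group("cmd"), int(m.group("pid")))].add(m.group("rhost"))
    return dict(conns)

def suspicious_senders(lsof_text, min_hosts=2):
    """Non-mail-client processes with SMTP sessions to >= min_hosts servers,
    as (command, pid, host_count). A legitimate client talks to one relay."""
    return sorted(
        (cmd, pid, len(hosts))
        for (cmd, pid), hosts in smtp_connections(lsof_text).items()
        if cmd not in KNOWN_MAIL_CLIENTS and len(hosts) >= min_hosts
    )

if __name__ == "__main__":
    for cmd, pid, n in suspicious_senders(SAMPLE_LSOF):
        print(f"{cmd} (pid {pid}) has SMTP sessions to {n} distinct hosts")
```

Run it against real output by piping `lsof -nP -iTCP -sTCP:ESTABLISHED` into `smtp_connections`; the PID it reports is what to feed to `ps` and `launchctl` to find the binary and whatever launches it at login.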