Zombies on my network? It's more likely than you think.

Just a quick link to John Levine's blog post Yes, you really have a zombie on your network. The article covers a discussion we had on a technical mailing list involving someone who was having a hard time believing that his network was really infected by spam-bots.

In the post, John forwards a good summary of the problem and what to do about it, written by Steve Champeon.

The key points in the article:

• Don't look for clues in your mailserver's logs; chances are the spam is coming from infected machines with their own SMTP engines and aren't using your servers to relay in the first place. And even if they are, you won't find anything useful in the headers.
  
• Shut down unauthorized port 25 outbound connections, and put a sniffer on your network to find out where they're coming from. In fact, do it now, before you find yourself listed somewhere.
  
• Don't assume the blocklists have made a mistake; look to yourself first.

Remember, for every well-known published blocklist which will remove you once the problem is solved, there are a thousand privately-managed blocklists whose admins won't be bothered to periodically re-check to see if you should be removed. Entry into one of those blocklists is for life. So don't wait until you find out you've been listed somewhere before you take action to prevent outgoing spam.