SPAM, or is that spam, I’m sure Hormel will correct me

My morning got kick-started when I noticed that over the weekend a Venezuelan ISP had passed along an abuse complaint from one of their users. Apparently an IP on our network is spamming. The complaint included full headers of the original message so I was able to determine that the IP was in the DHCP range for the network outside the firewall. Servers would normally have static addresses. Guests should be on the guest wireless. But on the rare occasion we do approve direct access to the Internet outside the firewall, and in most of those cases the client computers are set up with DHCP.
It would have been better if a static address were assigned. Then I would have known who I was dealing with immediately. Instead I had to do some investigating. A trusty nmap scan revealed that the box was likely Windows. It was running VNC and it had all the typical Windows ports open. A “nbtstat -a ” reveals the hostname and domain name of the computer. The computer belonged to the employees' credit union (or rather the mammoth credit union that bought our employees' credit union).
There were not any credit union personnel on-site, but we were able to verify that the computer in their office was the computer in question. It was quickly removed from the network.
A scathing email was sent to the credit union and they called me late this afternoon to find out what could be done to get their computer back with Internet access of some sort.
Lessons learned:
– Having a DHCP range for this section of the network makes it difficult to track down computers. Perhaps I need to have access to the DHCP server for this range.
– We need to have an IDS covering this segment. You don't want to find out about badness from strangers.
– When you approve an access request and include a stipulation that a personal firewall be used, follow up and make sure one is used.
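Tracking an IP from an abuse complaint back to a DHCP client, as an added example that is not from the original post: it pulls the source IP and timestamp from the outermost Received header and matches them against a lease log, so that a reused address is attributed to the right machine. The addresses, hostnames, lease times and DHCP range are constructed for illustration.

```python
import ipaddress
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: outermost Received line from the complaint (hypothetical addresses).
RECEIVED_HEADER = ("Received: from unknown (HELO user-pc) (192.0.2.77) "
                   "by mx.example.net with SMTP; Sat, 14 Jun 2008 03:12:44 -0400")

# Constructed lease log for the segment outside the firewall:
# (ip, mac, hostname, lease start, lease end), times in UTC.
# Note the same IP is held by two different machines on different days.
LEASES = [
    ("192.0.2.77", "00:11:22:33:44:55", "ACCT-LAPTOP", "2008-06-13T20:00:00Z", "2008-06-14T04:00:00Z"),
    ("192.0.2.77", "66:77:88:99:aa:bb", "CU-DESKTOP",  "2008-06-14T04:00:00Z", "2008-06-15T04:00:00Z"),
    ("192.0.2.78", "cc:dd:ee:ff:00:11", "GUEST-1",     "2008-06-13T20:00:00Z", "2008-06-14T20:00:00Z"),
]

# Assumed DHCP range for the network outside the firewall.
DHCP_RANGE = ipaddress.ip_network("192.0.2.64/26")


def parse_received(header):
    """Return (ip, UTC datetime) from a Received header: the IPv4 address in
    parentheses and the date that follows the ';' separator."""
    ip = re.search(r"\((\d{1,3}(?:\.\d{1,3}){3})\)", header).group(1)
    when = parsedate_to_datetime(header.split(";", 1)[1].strip())
    return ip, when.astimezone(timezone.utc)


def find_lease(ip, when, leases=LEASES):
    """Return (mac, hostname) of the lease that held `ip` at time `when`,
    or None if the address is static or no lease covers that moment."""
    if ipaddress.ip_address(ip) not in DHCP_RANGE:
        return None  # static address: consult the asset list instead
    for lease_ip, mac, host, start, end in leases:
        s = datetime.fromisoformat(start.replace("Z", "+00:00"))
        e = datetime.fromisoformat(end.replace("Z", "+00:00"))
        if lease_ip == ip and s <= when < e:
            return mac, host
    return None


def attribute_complaint(header=RECEIVED_HEADER):
    """Map a complaint's Received header to the DHCP client responsible."""
    ip, when = parse_received(header)
    return ip, find_lease(ip, when)


if __name__ == "__main__":
    print(attribute_complaint())
```

Because the complaint's timestamp (07:12 UTC) falls in the second lease, the earlier holder of the same address is correctly excluded.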
This access request was approval memo number 419. I thought that was kind of funny since it led to spamming.