How can I scan a network for viruses or zombie bots using port 25 on infected computers?

After digging into the problem of not being able to send email, I called Comcast to learn that Comcast has turned off outgoing Port 25 on a cable modem. The user got this email message: "Dear Comcast Subscriber: ACTION REQUIRED: Comcast has determined that your computer(s) have been used to send unsolicited email ("spam"), which is generally an indicator of a virus. For your own protection and that of other Comcast customers, we have taken steps to prevent further transmission of spam from your computer(s)."

There are several computers and a server on the network. How can I sniff the network and figure out which host is spamming over port 25?
Galtar99 Commented:
Go download Wireshark (Ethereal) and sniff traffic looking for port 25 opens or SMTP. You can only see traffic from other computers on a hub or a SPAN port. So get a plug and share the computer sniffing with the computer being sniffed and capture traffic, or use your egress port (the port that the cable modem/firewall/router is plugged into) and plug that into a hub before going to the rest of the computers, and plug your sniffer in there.

Additionally, you can see if any computers have open port 25 (SMTP) to see if they are relaying traffic for another computer. Use something similar to nmap to scan your network looking for computers with port 25 open.

If you have a firewall you can block outgoing port 25 for all computers except the mail server.
itplatoon (Author) Commented:
OK. I found the site (not .com) and have Wireshark running on a Windows 2003 server; I replaced the ethernet switch with a 10Base-T hub, which I have had new in the box for many years with no use for it (I guess it pays to be a packrat). I see all the traffic now, even spanning tree from the wireless access point. This may take a couple of days of watching to see if there are some bots trying to send email from a host on this network. All of the clients send POP mail, so the port blocking will not work in this case. Good idea though.
POP3 uses port 110 to retrieve email. All your clients probably use SMTP (port 25) to send it to their server for relaying or directly to the receiver's server. So you are right, all your clients are probably using SMTP to send.

I would watch for open relays, servers that don't have rules in place and are forwarding email thinking it is legitimate. To find spam that's actually going out as legitimate email will be hard, particularly if you don't have an IDS sensor running. You'll have to open every SMTP packet to see what kind of email is being sent.

I assume you have an email server on your network that is your primary email server. Most SMTP servers can be set up so that they only relay from authorized users or don't relay at all. Get strict with relaying and then watch the security logs for someone relaying who is not supposed to. If it's a legitimate user then you just need to get hold of one of the spam messages, and the header will tell you who is doing the relaying. There may be spoofed headers, but what your email server stamps will be the IP address/user ID it received the message from. Or the SMTP server may log who is relaying excessively or to a particular destination, some kind of anomaly. Make sure logging is enabled or turned up to a higher level until you start seeing abnormal traffic.
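One way to turn the "watch for port 25 opens" advice above into a repeatable check, as an added example that is not code from the thread: the script below reads tcpdump-style text output of TCP SYNs to port 25 (a constructed sample is embedded; the mail server address 192.168.1.2 and the capture lines are assumptions) and reports LAN hosts that are opening SMTP sessions directly to many outside servers instead of submitting through the site's mail server, which is the pattern a spam bot leaves and a normal POP/SMTP client does not.

```python
import re
from collections import defaultdict

# Constructed sample of tcpdump text output, not a real capture. It mimics what
# `tcpdump -n 'tcp[tcpflags] & tcp-syn != 0 and dst port 25'` prints on a hub
# or SPAN port: one host opening sessions to many outside hosts, one client
# submitting to the LAN mail server, and the mail server itself relaying out.
SAMPLE_CAPTURE = """\
10:01:02.123456 IP 192.168.1.10.49152 > 10.0.0.5.25: Flags [S], seq 1, win 64240
10:01:02.223456 IP 192.168.1.10.49153 > 10.0.0.6.25: Flags [S], seq 1, win 64240
10:01:02.323456 IP 192.168.1.10.49154 > 10.0.0.7.25: Flags [S], seq 1, win 64240
10:01:03.000000 IP 192.168.1.10.49155 > 10.0.0.8.25: Flags [S], seq 1, win 64240
10:01:03.100000 IP 192.168.1.20.51000 > 192.168.1.2.25: Flags [S], seq 1, win 64240
10:01:03.200000 IP 192.168.1.2.40000 > 203.0.113.9.25: Flags [S], seq 1, win 64240
10:01:03.300000 IP 192.168.1.20.51001 > 192.168.1.2.110: Flags [S], seq 1, win 64240
10:01:04.000000 IP 192.168.1.10.49156 > 10.0.0.9.25: Flags [S], seq 1, win 64240
"""

# Matches the "src.port > dst.port: Flags [S]" part of a tcpdump SYN line.
SYN_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[S\]"
)


def smtp_destinations(capture_text, mail_server):
    """Map each source IP to the set of hosts it opened port-25 sessions to.
    Sessions to the site's mail server (normal client submission) and sessions
    from the mail server itself (it is supposed to talk to outside MXs) are ignored."""
    dests = defaultdict(set)
    for line in capture_text.splitlines():
        m = SYN_RE.search(line)
        if not m or m.group("dport") != "25":
            continue
        src, dst = m.group("src"), m.group("dst")
        if src == mail_server or dst == mail_server:
            continue
        dests[src].add(dst)
    return dests


def find_spam_suspects(capture_text, mail_server, min_distinct_hosts=3):
    """Return (source, count) pairs, busiest first, for hosts that opened
    port-25 sessions to at least min_distinct_hosts different outside servers."""
    dests = smtp_destinations(capture_text, mail_server)
    hits = [(s, len(h)) for s, h in dests.items() if len(h) >= min_distinct_hosts]
    return sorted(hits, key=lambda p: (-p[1], p[0]))


if __name__ == "__main__":
    for src, n in find_spam_suspects(SAMPLE_CAPTURE, "192.168.1.2"):
        print(f"{src} opened SMTP sessions to {n} distinct outside hosts")
```

On a real capture, feed the script the saved tcpdump text (or a Wireshark export of the same filter) and raise min_distinct_hosts if the LAN has hosts that legitimately talk to several outside mail servers.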