How can I scan a network for viruses or zombie bots using port 25 on infected computers?

Posted on 2007-10-01
Last Modified: 2013-11-22
After digging into the problem of not being able to send email, I called Comcast to learn that Comcast has turned off outgoing Port 25 on a cable modem. The user got this email message: "Dear Comcast Subscriber: ACTION REQUIRED: Comcast has determined that your computer(s) have been used to send unsolicited email ("spam"), which is generally an indicator of a virus. For your own protection and that of other Comcast customers, we have taken steps to prevent further transmission of spam from your computer(s)."

There are several computers and a server on the network. How can I sniff the network and figure out which host is spamming over port 25?
Question by: itplatoon
    LVL 6

    Accepted Solution

    Go download Wireshark (Ethereal) and sniff traffic looking for port 25 opens or SMTP.  You can only see traffic from other computers on a hub or a SPAN port.  So get a plug and share the computer sniffing with the computer being sniffed and capture traffic or use your egress (the port that the cable modem/firewall/router is plugged into) port and plug that into a hub before going to the rest of the computers and plug your sniffer in there.  

    Additionally, you can see if any computers have open port 25 (SMTP) to see if they are relaying traffic for another computer.  Use something similar to nmap to scan your network looking for computers with port 25 open.
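    The sniffing step from the accepted answer, done in a script rather than by eye. This is an added example, not code from the original thread: capture on the hub or SPAN port with tcpdump/tshark/Wireshark, save the capture in classic pcap (libpcap) format rather than pcapng, and point the script at the file. It counts plain TCP SYN segments to port 25 per source address, which is enough to pick out a bot opening hundreds of SMTP connections without reading a single message body. The capture embedded in the script is constructed in memory (TEST-NET addresses, no real traffic) so it runs offline; the threshold of 10 connections is an assumption to tune to the network.

```python
"""Count TCP connection attempts to port 25 per source host in a pcap capture.

Added example, not from the original thread. Usage:
    python smtp_syns.py capture.pcap      # or no argument to run on the sample
"""
import socket
import struct
import sys
from collections import Counter

PCAP_GLOBAL = struct.Struct("<IHHiIII")    # magic, ver_major, ver_minor, tz, sigfigs, snaplen, linktype
PCAP_RECORD = struct.Struct("<IIII")       # ts_sec, ts_usec, incl_len, orig_len
ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, ethertype
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")  # ver/ihl, tos, len, id, flags/frag, ttl, proto, csum, src, dst
TCP_HDR = struct.Struct("!HHIIBBHHH")      # sport, dport, seq, ack, offset, flags, window, csum, urg
TCP_SYN, TCP_ACK = 0x02, 0x10


def smtp_syns_per_host(pcap_bytes, port=25):
    """Return Counter {src_ip: SYN segments (not SYN/ACK) sent to TCP `port`}.

    A plain SYN to port 25 is an outbound connection attempt to a mail server;
    counting those per internal host is enough to spot a spam bot, which opens
    hundreds of them, without having to decode the SMTP dialogue.
    """
    magic, _, _, _, _, _, linktype = PCAP_GLOBAL.unpack_from(pcap_bytes, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("expected little-endian pcap (pcapng/nanosecond captures not handled here)")
    if linktype != 1:
        raise ValueError("only LINKTYPE_ETHERNET captures are handled")
    counts = Counter()
    off = PCAP_GLOBAL.size
    while off + PCAP_RECORD.size <= len(pcap_bytes):
        _, _, incl_len, _ = PCAP_RECORD.unpack_from(pcap_bytes, off)
        off += PCAP_RECORD.size
        frame = pcap_bytes[off:off + incl_len]
        off += incl_len
        if len(frame) < ETH_HDR.size + IPV4_HDR.size:
            continue
        _, _, ethertype = ETH_HDR.unpack_from(frame, 0)
        if ethertype != 0x0800:            # IPv4 only
            continue
        ip = IPV4_HDR.unpack_from(frame, ETH_HDR.size)
        ihl, proto, src = (ip[0] & 0x0F) * 4, ip[6], ip[8]
        tcp_start = ETH_HDR.size + ihl
        if proto != 6 or len(frame) < tcp_start + TCP_HDR.size:
            continue
        _, dport, _, _, _, flags, _, _, _ = TCP_HDR.unpack_from(frame, tcp_start)
        if dport == port and flags & TCP_SYN and not flags & TCP_ACK:
            counts[socket.inet_ntoa(src)] += 1
    return counts


def suspicious_hosts(counts, threshold=10):
    """Hosts that opened more than `threshold` SMTP connections in the capture."""
    return sorted(host for host, n in counts.items() if n > threshold)


# --- constructed sample capture (no real traffic) ---------------------------

def tcp_frame(src_ip, dst_ip, sport, dport, flags):
    """Build one Ethernet/IPv4/TCP frame with no payload (checksums left zero)."""
    tcp = TCP_HDR.pack(sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = IPV4_HDR.pack(0x45, 0, IPV4_HDR.size + len(tcp), 0, 0x4000, 64, 6, 0,
                       socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return ETH_HDR.pack(b"\x00\x11\x22\x33\x44\x55", b"\x66\x77\x88\x99\xaa\xbb", 0x0800) + ip + tcp


def build_pcap(frames):
    """Wrap raw Ethernet frames in a little-endian pcap file image."""
    out = bytearray(PCAP_GLOBAL.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for i, frame in enumerate(frames):
        out += PCAP_RECORD.pack(1191196800 + i, 0, len(frame), len(frame)) + frame
    return bytes(out)


SAMPLE_PCAP = build_pcap(
    # a normal client: two SMTP submissions to the ISP's mail server (TEST-NET addresses)
    [tcp_frame("192.168.1.10", "198.51.100.9", 50000 + i, 25, TCP_SYN) for i in range(2)]
    # the infected host: 40 connections to 40 different external mail servers
    + [tcp_frame("192.168.1.23", f"203.0.113.{i}", 40000 + i, 25, TCP_SYN) for i in range(1, 41)]
    # POP3 retrieval and the server's SYN/ACK reply must not be counted
    + [tcp_frame("192.168.1.10", "198.51.100.9", 50100, 110, TCP_SYN),
       tcp_frame("198.51.100.9", "192.168.1.10", 25, 50000, TCP_SYN | TCP_ACK)]
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    counts = smtp_syns_per_host(data)
    for host, n in counts.most_common():
        print(f"{host:15} {n:5d} SMTP connection attempts")
    print("suspicious:", suspicious_hosts(counts))
```

    Counting SYNs rather than bytes or packets keeps the legitimate clients (a handful of submissions to one ISP server) well apart from a bot (many connections to many different destinations); on a real capture, also look at how many distinct destination addresses each host talked to. The script stops at IPv4/Ethernet deliberately; a VLAN-tagged or pcapng capture needs tshark or a pcap library instead.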

    LVL 32

    Expert Comment

    If you have a firewall you can block outgoing port 25 for all computers except the mail server.

    Author Comment

    ok.  I found the site (not .com) and have Wireshark running on a Windows 2003 server; I replaced the ethernet switch with a 10Base-T hub, which I have had new in the box for many years with no use for (I guess it pays to be a packrat). I see all the traffic now, even spanning tree from the wireless access point. This may take a couple of days of watching to see if there are any bots trying to send email from a host on this network. All of the clients send POP mail, so the port blocking will not work in this case.  Good idea though.
    LVL 6

    Expert Comment

    POP3 uses port 110 to retrieve email.  All your clients probably use SMTP (Port 25)  to send it to their server for relaying or directly to the receiver's server.  So you are right, all your clients are probably using SMTP to send.

    I would watch for open relays, servers that don't have rules in place that are forwarding email thinking it is legitimate.  To find SPAM that's actually going out as legitimate email will be hard, particularly if you don't have an IDS sensor running.  You'll have to open every SMTP packet to see what kind of email is being sent.  

    I assume you have an email server on your network that is your primary email server.  Most SMTP servers can be set up so that they only relay from authorized users or that they don't relay at all.  Get strict with relaying and then watch the security logs for someone relaying who is not supposed to.  If it's a legitimate user then you just need to get hold of one of the SPAM messages and the header will tell you who is doing the relaying.  There may be spoofed headers, but what your email server stamps will be the IP address/user ID it received the message from.  Or the SMTP server may log who is relaying excessively or to a particular destination, some kind of anomaly.  Make sure logging is enabled or turned up to a higher level of logging until you start seeing abnormal traffic.
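    The header-reading step from the comment above, as an added example that is not code from the original thread. Received headers are prepended as a message travels, so reading from the top, the first line whose "by" clause names your own mail server is the hop your server stamped itself; the IP in its "from" clause is the internal host that handed the message over. Every Received line below that one was already inside the message when your server got it, so the sender could have forged it. The hostnames, addresses and the spam message below are constructed for the example, and `OUR_SERVERS` is an assumption that must be set to whatever your server writes in its "by" clause.

```python
"""Find which internal host handed a spam message to the in-house mail server.

Added example, not from the original thread. Feed it a raw message (headers
included) as obtained from the ISP's abuse report or the recipient.
"""
import email
import re

# "from <helo> (<reverse-dns> [<ip>]) by <host>" as written by most MTAs
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*(?:\((?P<paren>[^)]*)\))?\s+by\s+(?P<by>[^\s;]+)", re.I)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

OUR_SERVERS = {"server.office.local"}   # assumption: the LAN's own mail server


def received_hops(raw_message):
    """Return the Received chain newest-first as dicts {helo, ip, by}."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())           # unfold continuation lines
        m = RECEIVED_RE.search(value)
        if not m:
            continue
        ip = IPV4_RE.search(m.group("paren") or "") or IPV4_RE.search(m.group("helo"))
        hops.append({"helo": m.group("helo"), "ip": ip.group(1) if ip else None,
                     "by": m.group("by").lower()})
    return hops


def find_origin(raw_message, our_servers=OUR_SERVERS):
    """Walk the chain from the newest hop down to the first one stamped by our own
    server and report the peer it received the message from.  Hops below that
    point were already in the message when our server saw it, so the sender may
    have forged them; they are returned separately as untrusted."""
    hops = received_hops(raw_message)
    ours = {s.lower() for s in our_servers}
    for i, hop in enumerate(hops):
        if hop["by"] in ours:
            return {"ip": hop["ip"], "helo": hop["helo"], "stamped_by": hop["by"],
                    "untrusted_hops": hops[i + 1:]}
    return None   # never passed through our server: the bot sent straight to port 25


# constructed sample: the bot on 192.168.1.23 relayed through server.office.local
# and prepended a forged Received line to look like it came from an outside relay
SAMPLE_SPAM = """\
Received: from server.office.local (c-192-0-2-44.example.net [192.0.2.44])
    by mail.isp.example (Postfix) with ESMTP id 7A1F2C; Mon, 1 Oct 2007 09:14:02 -0400
Received: from ws23.office.local (unknown [192.168.1.23])
    by server.office.local (Postfix) with ESMTP id 3E9C1A; Mon, 1 Oct 2007 09:14:01 -0400
Received: from relay.example.org (relay.example.org [203.0.113.77])
    by ws23.office.local with SMTP id 991; Mon, 1 Oct 2007 09:13:58 -0400
From: "Lucky Winner" <winner@example.org>
To: victim@example.com
Subject: You have won

Claim your prize.
"""

if __name__ == "__main__":
    origin = find_origin(SAMPLE_SPAM)
    if origin is None:
        print("message never passed through our server")
    else:
        print(f"{origin['stamped_by']} received it from {origin['ip']} (HELO {origin['helo']})")
        for hop in origin["untrusted_hops"]:
            print(f"  untrusted, possibly forged: from {hop['helo']} by {hop['by']}")
```

    If `find_origin` returns None the message never went through the in-house server, which means the bot is talking to external mail servers directly on port 25; that case is what the capture on the hub (or a firewall log of outbound port 25) is for, not the mail server's logs.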
