How do I locate an internal spammer / zombie?

Hi!
One of my clients has a pc internally that is flooding our Exchange server with outbound spam.  How do I figure out which pc is causing the issue?  i.e. What would I use to track down the source?

Thanks
Paul T.
Asked by: djpoobah
2 Solutions
 
michaelhooperCommented:
Put a hub between the Exchange server and the network, plug a laptop into that hub as well, and run a packet capture with Ethereal/Wireshark. You should be able to find out pretty quickly where it is coming from.
0
 
djpoobahAuthor Commented:
Thanks.  I've got wireshark running right now, but what type of traffic am I looking for?  There's a ton of packets that have been picked up.  I tried filtering by SMTP but that is only showing traffic between my Exchange server and other email servers out on the internet.
0
 
michaelhooperCommented:
SMTP/port 25 is what you're looking for. Also, with Outlook email you'll see DCERPC requests and replies.

Another thing I thought of: from Exchange System Manager / Administrative Groups / Servers / Queues you can temporarily disable outbound mail, which will cause it to queue up. You can then look to see who the sender is, then re-enable your outbound mail.

Also check your Exchange log file.
0
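Worked example added to this thread (not from any of the original posters): once the hub/span capture is exported as per-packet fields, this script ranks internal hosts by how many new SMTP connections they open and excludes the Exchange server, which legitimately talks SMTP. The LAN range, the server address and the capture lines are constructed placeholders.

```python
# Rank internal hosts by new outbound TCP/25 connection attempts, as seen
# on a hub/SPAN capture exported with `tshark -T fields` (time, ip.src,
# ip.dst, tcp.dstport, tcp.flags). Added example; all IPs are constructed.
from collections import Counter
import ipaddress

# Constructed sample, not a real capture. .25 plays the Exchange server.
SAMPLE_CAPTURE = """\
1.001\t192.168.1.25\t203.0.113.10\t25\t0x0002
1.004\t192.168.1.77\t198.51.100.5\t25\t0x0002
1.010\t192.168.1.77\t198.51.100.9\t25\t0x0002
1.012\t192.168.1.30\t192.168.1.25\t135\t0x0002
1.020\t192.168.1.77\t203.0.113.44\t25\t0x0002
1.031\t192.168.1.77\t198.51.100.5\t25\t0x0010
1.040\t192.168.1.40\t192.168.1.25\t25\t0x0002
1.052\t192.168.1.77\t203.0.113.77\t25\t0x0002
"""

INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")   # assumed LAN range
EXCHANGE_SERVER = ipaddress.ip_address("192.168.1.25")   # assumed mail server
SYN, ACK = 0x0002, 0x0010                                # TCP flag bits

def smtp_syn_sources(capture_text, exchange=EXCHANGE_SERVER, net=INTERNAL_NET):
    """Count initial SYNs to port 25 per internal host, excluding the server.
    Any other internal host opening SMTP sessions is a candidate zombie."""
    counts = Counter()
    for line in capture_text.splitlines():
        _ts, src, _dst, dport, flags = line.split("\t")
        fl = int(flags, 16)
        # A bare SYN (no ACK) marks a new connection attempt; ACKs are
        # follow-on segments of an attempt already counted.
        if int(dport) != 25 or not fl & SYN or fl & ACK:
            continue
        src_ip = ipaddress.ip_address(src)
        if src_ip in net and src_ip != exchange:
            counts[str(src_ip)] += 1
    return counts

def likely_spammer(capture_text, threshold=3):
    """Top internal SMTP talker if it reaches threshold attempts, else None."""
    ranked = smtp_syn_sources(capture_text).most_common(1)
    if ranked and ranked[0][1] >= threshold:
        return ranked[0][0]
    return None

if __name__ == "__main__":
    for host, n in smtp_syn_sources(SAMPLE_CAPTURE).most_common():
        print(f"{host}: {n} SMTP connection attempts")
    print("suspect:", likely_spammer(SAMPLE_CAPTURE))
```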
 
DPAITCommented:
Lock down your Exchange server to not accept any SMTP traffic from your internal network. It's not needed unless you have programs on servers that have to talk directly to the SMTP port. Exchange clients are NOT using SMTP to send mail...

I am running Exchange 2003, and you would find the setup for this option under Exchange System Manager\administrative groups\first administrative groups\servers\{servername}\protocols\smtp

Right-click on SMTP and select the Access tab \ Relay Restrictions \ Relay button. Deny SMTP relay by default. Also uncheck the option to allow successfully authenticated computers to relay. No computer or user on your network needs to be able to relay unless they specifically have a program that needs SMTP access to email, such as a log monitoring program. I only allow 2 servers to relay for that reason; everyone else is denied.

Once you have done this you should be able to easily find which machine is the culprit from the event logs, with the failures this will create. It will also stop your spam problem.

Hopefully your network firewall only allows SMTP out of the local network coming from the Exchange server also. Otherwise a user could just put an SMTP server on the local workstation and get out. Not uncommon for some botnets to avoid detection.
0
 
masnrockCommented:
As a preventative future measure, I would recommend looking into an enterprise spyware solution such as eTrust or Webroot AntiSpyware.
0
