How do I locate an internal spammer / zombie?

Posted on 2007-10-08
Last Modified: 2013-11-22
One of my clients has a PC internally that is flooding our Exchange server with outbound spam.  How do I figure out which PC is causing the issue, i.e. what would I use to track down the source?

Paul T.
Question by:djpoobah
    LVL 2

    Accepted Solution

    Put a hub between the Exchange server and the network, plug a laptop into that hub as well, and run a packet capture with Ethereal. You should be able to find out pretty quickly where it is coming from.

    Author Comment

    Thanks.  I've got Wireshark running right now, but what type of traffic am I looking for?  There's a ton of packets that have been picked up.  I tried filtering by SMTP but that is only showing traffic between my Exchange server and other email servers out on the internet.
    LVL 2

    Expert Comment

    SMTP/port 25 is what you're looking for. Also, with Outlook email you'll see DCERPC requests and replies.

    Another thing I thought of: from Exchange System Manager/Administrative Groups/Servers you can temporarily disable outbound mail, which will cause it to queue. You can then look to see who the sender is, then re-enable your outbound mail.

    Also check your Exchange log file.
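    As an added example (not code from the thread), here is a Python script that applies the advice in the two comments above to a packet capture. It assumes the capture was exported with `tshark -T fields -e ip.src -e ip.dst -e tcp.dstport -e tcp.flags.syn -e tcp.flags.ack`, ignores the Exchange server's own sessions (which is all a plain `smtp` display filter tends to show), and counts fresh TCP connection attempts (SYN without ACK) to port 25 from every other internal host, split into attempts that go through Exchange and attempts that go straight out to the internet. The Exchange address, the internal /24 and the sample export are constructed assumptions.

```python
"""Rank internal hosts by TCP connection attempts to port 25 in a tshark field export.

Added example for the thread above, not code from the original page.
Assumes the capture was exported with
  tshark -r capture.pcap -T fields -e ip.src -e ip.dst -e tcp.dstport \
         -e tcp.flags.syn -e tcp.flags.ack
so each line is tab-separated: src, dst, dstport, syn, ack.
"""
from collections import Counter, defaultdict
import ipaddress

EXCHANGE_IP = "192.168.1.10"                            # assumed Exchange server
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")   # assumed LAN range

# Constructed sample export: Exchange talking to a real MX, one normal
# Outlook client using RPC (port 135) and UDP, and one host hammering port 25
# both via Exchange and directly to an outside server.
SAMPLE_EXPORT = """\
192.168.1.10\t203.0.113.25\t25\t1\t0
203.0.113.25\t192.168.1.10\t3421\t1\t1
192.168.1.23\t192.168.1.10\t135\t1\t0
192.168.1.23\t192.168.1.10\t\t\t
192.168.1.57\t192.168.1.10\t25\t1\t0
192.168.1.57\t192.168.1.10\t25\t1\t0
192.168.1.57\t192.168.1.10\t25\t1\t0
192.168.1.57\t198.51.100.7\t25\t1\t0
192.168.1.57\t198.51.100.7\t25\t1\t0
192.168.1.10\t192.168.1.57\t1055\t1\t1
"""


def _flag_set(value):
    """tshark prints boolean fields as 1/0 (older builds) or True/False (newer)."""
    return value.strip().lower() in ("1", "true")


def parse_export(text):
    """Yield (src, dst, dstport, syn, ack) for TCP rows; skip non-IP/non-TCP rows."""
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 5:
            continue
        src, dst, port, syn, ack = parts
        if not src or not dst or not port:
            continue  # ARP, UDP and the like carry no tcp.dstport
        try:
            yield src, dst, int(port), _flag_set(syn), _flag_set(ack)
        except ValueError:
            continue


def smtp_connection_attempts(text, exchange_ip=EXCHANGE_IP, internal=INTERNAL_NET):
    """Count SYN-only packets to port 25 per internal source, split by destination.

    Returns {src: {"via_exchange": n, "direct_out": n}}. Exchange's own outbound
    sessions are excluded so the result lists the *other* internal SMTP talkers.
    """
    counts = defaultdict(Counter)
    for src, dst, port, syn, ack in parse_export(text):
        if port != 25 or not syn or ack:
            continue  # only new connection attempts (SYN without ACK)
        if src == exchange_ip or ipaddress.ip_address(src) not in internal:
            continue
        key = "via_exchange" if dst == exchange_ip else "direct_out"
        counts[src][key] += 1
    return {src: dict(c) for src, c in counts.items()}


def top_talkers(text, limit=5):
    """Internal sources sorted by total SMTP connection attempts, highest first."""
    ranked = sorted(
        smtp_connection_attempts(text).items(),
        key=lambda item: -sum(item[1].values()),
    )
    return ranked[:limit]


if __name__ == "__main__":
    for src, breakdown in top_talkers(SAMPLE_EXPORT):
        total = sum(breakdown.values())
        note = "  <- bypasses Exchange, check the firewall" if breakdown.get("direct_out") else ""
        print(f"{src:15} {total:4} SMTP connection attempts {breakdown}{note}")
```

    A host that shows up with a large `via_exchange` count is the one to unplug; a non-zero `direct_out` count means the machine is also talking SMTP to the internet on its own, which the firewall should not allow. If the spam is being submitted over MAPI/RPC instead (the DCERPC traffic mentioned above), nothing will appear on port 25 and the queue-inspection or log-file approach from the same comment is the way to find the sender.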
    LVL 3

    Assisted Solution

    Lock down your Exchange server to not accept any SMTP traffic from your internal network.  It's not needed unless you have programs on servers that have to talk directly to the SMTP port.  Exchange clients are NOT using SMTP to send mail.

    I am running Exchange 2003 and you would find the setup for this option under Exchange System Manager\Administrative Groups\First Administrative Group\Servers\{servername}\Protocols\SMTP.

    Right-click on SMTP and select the Access tab, Relay Restrictions, Relay button.  Deny SMTP relay by default.  Also uncheck the option to allow successfully authenticated computers to relay.  No computer or user on your network needs to be able to relay unless they specifically have a program that needs SMTP access to email, such as a log monitoring program.  I only allow 2 servers to relay for that reason; everyone else is denied.

    Once you have done this you should be able to easily find which machine is the culprit from the event logs, with the failures this will create.  It will also stop your spam problem.

    Hopefully your network firewall only allows SMTP out of the local network coming from the Exchange server also.  Otherwise a user could just put an SMTP server on the local workstation and get out.  Not uncommon for some botnets to avoid detection.
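    As an added example (not code from the thread), the following Python script does the "find the culprit from the failures" step above against the SMTP virtual server's own protocol log rather than the event log. It assumes the log is in W3C Extended format, where a `#Fields:` header names the columns, and reads that header instead of hard-coding positions, so any field selection works as long as `c-ip`, `cs-method`, `cs-uri-query` and `sc-status` are logged. Once relaying is denied, every RCPT to an outside domain from an unauthorised host is refused with a 550, and the script groups those refusals by client address and by the MAIL FROM the client claimed. The field selection, addresses and sample lines are constructed.

```python
"""Find relay-denied clients in an Exchange 2003 / IIS SMTP virtual server log.

Added example for the thread above, not code from the original page.
Assumes W3C Extended logging; the parser takes its column names from the
'#Fields:' header, so the exact field selection below is only an assumption.
"""
from collections import Counter, defaultdict

# Constructed sample log. 192.168.1.10 is the Exchange server (assumed).
# 192.168.1.57 is refused (550) on every RCPT to an outside domain once
# relaying is denied; 192.168.1.40 delivers to a local mailbox, which is
# not relaying and still succeeds.
SAMPLE_LOG = """\
#Software: Microsoft Exchange Server
#Version: 1.0
#Date: 2007-10-08 14:02:11
#Fields: date time c-ip cs-username s-ip cs-method cs-uri-query sc-status
2007-10-08 14:02:11 192.168.1.57 - 192.168.1.10 EHLO +zombie 250
2007-10-08 14:02:11 192.168.1.57 - 192.168.1.10 MAIL +FROM:+<alice@example.com> 250
2007-10-08 14:02:11 192.168.1.57 - 192.168.1.10 RCPT +TO:+<victim1@example.net> 550
2007-10-08 14:02:12 192.168.1.57 - 192.168.1.10 RCPT +TO:+<victim2@example.org> 550
2007-10-08 14:02:12 192.168.1.57 - 192.168.1.10 QUIT - 240
2007-10-08 14:02:30 192.168.1.40 - 192.168.1.10 EHLO +logmon 250
2007-10-08 14:02:30 192.168.1.40 - 192.168.1.10 MAIL +FROM:+<alerts@example.com> 250
2007-10-08 14:02:30 192.168.1.40 - 192.168.1.10 RCPT +TO:+<ops@example.com> 250
2007-10-08 14:02:31 192.168.1.40 - 192.168.1.10 DATA - 250
"""


def parse_w3c(text):
    """Yield one dict per record, named by the most recent '#Fields:' header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other directives (#Software, #Date) and blank lines
        values = line.split(" ")
        if fields is None or len(values) != len(fields):
            continue  # no header yet, or a truncated/malformed row
        yield dict(zip(fields, values))


def relay_denials(text, deny_status="550"):
    """Group refused RCPT commands by client IP and claimed sender.

    Returns {c-ip: {sender: refused_rcpt_count}}. The sender is the most
    recent MAIL FROM seen from that client; W3C logs encode spaces as '+'.
    """
    current_sender = {}
    denied = defaultdict(Counter)
    for rec in parse_w3c(text):
        ip, verb = rec["c-ip"], rec["cs-method"]
        arg, status = rec["cs-uri-query"], rec["sc-status"]
        if verb == "MAIL":
            current_sender[ip] = arg.replace("+FROM:+", "")
        elif verb == "RCPT" and status == deny_status:
            denied[ip][current_sender.get(ip, "?")] += 1
    return {ip: dict(c) for ip, c in denied.items()}


def worst_offender(text):
    """Client IP with the most refused RCPT commands, or None if there are none."""
    denials = relay_denials(text)
    if not denials:
        return None
    return max(denials, key=lambda ip: sum(denials[ip].values()))


if __name__ == "__main__":
    for ip, senders in relay_denials(SAMPLE_LOG).items():
        print(f"{ip}: {sum(senders.values())} refused recipients, claimed senders {senders}")
    print("worst offender:", worst_offender(SAMPLE_LOG))
```

    Note that a refusal only proves a host tried to relay; a legitimate application server that was forgotten in the relay list will show up here too, so check the claimed sender and the recipient domains before pulling the plug.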
    LVL 18

    Expert Comment

    As a preventative future measure, I would recommend looking into an enterprise anti-spyware solution such as eTrust or Webroot AntiSpyware.
