Asked by djpoobah
How do I locate an internal spammer / zombie?

Hi!
One of my clients has a PC internally that is flooding our Exchange server with outbound spam.  How do I figure out which PC is causing the issue?  i.e. What would I use to track down the source?

Thanks
Paul T.
ASKER CERTIFIED SOLUTION
michaelhooper
djpoobah (ASKER)
Thanks.  I've got wireshark running right now, but what type of traffic am I looking for?  There's a ton of packets that have been picked up.  I tried filtering by SMTP but that is only showing traffic between my Exchange server and other email servers out on the internet.
michaelhooper
SMTP/port 25 is what you're looking for. Also, with Outlook email you'll see DCERPC requests and replies.

Another thing I thought of: from Exchange System Manager / Administrative Groups / Servers / Queues, you can temporarily disable outbound mail, which will cause it to queue up. You can then look to see who the sender is, then re-enable your outbound mail.

Also check your Exchange log file.
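The capture approach above, worked through as an added example (this is not code from the thread or from any poster). The reason a plain SMTP filter only shows Exchange talking to internet mail servers is that ordinary Outlook clients submit mail over MAPI/RPC, not SMTP; a spam bot, by contrast, opens TCP/25 connections itself, either to the Exchange server or straight to internet MX hosts. So the question to ask the capture is "which internal host other than the Exchange server is opening port-25 connections?". In Wireshark that is a display filter such as `tcp.dstport == 25 && ip.src != 10.0.0.10` (10.0.0.10 standing in for the Exchange server's address, an assumption here); the script below does the same ranking over a tshark field export, with the Exchange address and internal subnet passed in as parameters and a constructed sample in place of a real capture. One caveat: on a switched LAN you only see this traffic if you capture on the Exchange server itself or on a mirror/SPAN port, not from a random workstation.

```python
"""Rank internal hosts by the SMTP (TCP/25) connections they open, from a tshark export.

Added example, not from the original thread. It assumes you capture on the
Exchange server (or a SPAN/mirror port) and export only connection attempts:

  tshark -r capture.pcap -Y "tcp.flags.syn==1 && tcp.flags.ack==0 && tcp.dstport==25" \\
         -T fields -e ip.src -e ip.dst -e tcp.dstport > smtp_syns.tsv

The Exchange server's address and the internal subnet are assumptions supplied
by the caller; the sample rows below are constructed, not captured.
"""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample in the tshark field export format: src<TAB>dst<TAB>dstport.
# 10.0.0.10 plays the Exchange server; 10.0.0.23 plays the suspected zombie.
SAMPLE_TSV = """\
10.0.0.5\t10.0.0.10\t25
10.0.0.10\t203.0.113.25\t25
10.0.0.23\t10.0.0.10\t25
10.0.0.23\t10.0.0.10\t25
10.0.0.23\t198.51.100.7\t25
10.0.0.23\t192.0.2.9\t25
10.0.0.10\t198.51.100.7\t25
10.0.0.5\t10.0.0.10\t25
"""


def rank_smtp_sources(tsv_lines, exchange_ip, internal_net):
    """Return [(src, total, to_exchange, direct_to_internet), ...], busiest first.

    The Exchange server itself is skipped: its outbound port-25 connections are
    normal mail delivery and would otherwise dominate the count (this is what a
    plain SMTP filter shows). Any other internal host opening port-25
    connections deserves a look; one that connects straight to internet mail
    servers, bypassing Exchange, is the classic direct-to-MX zombie pattern.
    """
    exchange = ip_address(exchange_ip)
    net = ip_network(internal_net)
    total = Counter()
    to_exchange = Counter()
    direct = Counter()

    for raw in tsv_lines:
        fields = raw.strip().split("\t")
        if len(fields) < 3:
            continue  # blank or truncated export line
        try:
            src, dst = ip_address(fields[0]), ip_address(fields[1])
        except ValueError:
            continue  # field is not an address (e.g. empty ip.src on a non-IPv4 frame)
        if fields[2] != "25" or src == exchange or src not in net:
            continue
        total[src] += 1
        if dst == exchange:
            to_exchange[src] += 1
        elif dst not in net:
            direct[src] += 1

    # Busiest source first; ties broken by address so the output is stable.
    ranked = sorted(total, key=lambda ip: (-total[ip], int(ip)))
    return [(str(ip), total[ip], to_exchange[ip], direct[ip]) for ip in ranked]


if __name__ == "__main__":
    for src, n, via_exchange, direct_out in rank_smtp_sources(
        SAMPLE_TSV.splitlines(), "10.0.0.10", "10.0.0.0/24"
    ):
        print(f"{src:15} total={n:3} to_exchange={via_exchange:3} direct_to_internet={direct_out:3}")
```

Run it against a real export and the host at the top of the list is the one to pull off the network and inspect; a non-zero `direct_to_internet` column is the strongest signal, since a healthy desktop has no reason to talk SMTP to the outside world. Pair the result with the queue trick from the answer above (the sender address on the queued messages should belong to a mailbox on, or a connection from, that same host) before you wipe anything.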
SOLUTION
masnrock
As a preventative future measure, I would recommend looking into an enterprise spyware solution such as eTrust or Webroot AntiSpyware.