257Roberts

ISP says we have spam coming from our IP. How do I find which desktop/s have been zombied?

The company that I am helping has sent us an email saying they are detecting spam traffic from our IP.  How do I find which desktop/s are being used as spam zombies?
Netman66

Monitor all port 25 traffic at the router.

You should be able to see the IP that is responsible.

Ethereal, Netmon or Wireshark can be used.

I would suggest blocking all source port 25 traffic coming from your internal network from accessing the Internet at the firewall (except for your mail servers).

This will prevent something like that from happening in the first place.

257Roberts

ASKER

How would I monitor port 25? It is used for SMTP mail, isn't it? The company doesn't have a hardware firewall, but only relies on the built-in software firewall that Windows uses. They use web-based mail, no Exchange server. Thanks.
I found out that Ethereal is a packet sniffer. At my N+ class we only used it once, but I will download it and install it at the server? I have also used AngryIP. I think I used it to find out who had what IP address on the network.
You want to monitor traffic going out.  Then filter it based on port 25.

ASKER CERTIFIED SOLUTION
hbustan

I found out from our ISP that the botnet was running an "IRC" attack. They had me shut down ports 6667-7000 on our router. Thank you for your help.
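
Added example, not part of the original thread or any poster's code: one way to turn the advice above (watch outbound port 25 at the router, plus the IRC ports 6667-7000 the ISP named) into a per-host report. The input format, LAN range, mail server address and threshold are all assumptions; the sample lines are constructed and stand in for connection records exported from a capture tool such as Wireshark.

```python
import ipaddress
from collections import defaultdict

# Constructed sample, one outbound TCP connection attempt per line:
# "time src_ip dst_ip dst_port". Not real capture data.
SAMPLE = """\
09:00:01 192.168.1.23 203.0.113.10 25
09:00:01 192.168.1.23 203.0.113.77 25
09:00:02 192.168.1.23 198.51.100.4 25
09:00:02 192.168.1.40 198.51.100.80 443
09:00:03 192.168.1.23 198.51.100.9 25
09:00:04 192.168.1.57 203.0.113.200 6667
09:00:05 192.168.1.10 203.0.113.25 25
09:00:06 192.168.1.40 203.0.113.10 25
"""

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed internal range
MAIL_SERVERS = {"192.168.1.10"}  # assumed legitimate SMTP sender; empty set if webmail only
SMTP_PORT = 25
IRC_PORTS = range(6667, 7001)    # ports 6667-7000 from the thread

def suspect_hosts(lines, smtp_threshold=3):
    """Return ({host: distinct SMTP destinations}, {hosts contacting IRC ports})."""
    smtp_dests = defaultdict(set)
    irc_hosts = set()
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed or blank lines
        _, src, dst, port = parts
        try:
            src_ip = ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
            port = int(port)
        except ValueError:
            continue
        if src_ip not in LAN or dst_ip in LAN:
            continue  # only LAN -> Internet traffic is of interest
        if port == SMTP_PORT and src not in MAIL_SERVERS:
            smtp_dests[src].add(dst)  # desktops normally never speak SMTP directly
        elif port in IRC_PORTS:
            irc_hosts.add(src)
    smtp = {h: len(d) for h, d in smtp_dests.items() if len(d) >= smtp_threshold}
    return smtp, irc_hosts

if __name__ == "__main__":
    smtp, irc = suspect_hosts(SAMPLE.splitlines())
    for host, count in sorted(smtp.items()):
        print(f"{host}: direct SMTP to {count} distinct Internet hosts")
    for host in sorted(irc):
        print(f"{host}: outbound connection to IRC port range")
```

On a network with no internal mail server, as described in the question, setting `smtp_threshold=1` and emptying `MAIL_SERVERS` flags any desktop that opens a direct SMTP connection.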