ISP says we have spam coming from our IP. How do I find which desktop/s have been zombied?

The company that I am helping has sent us an email saying they are detecting spam traffic from our IP.  How do I find which desktop/s are being used as spam zombies?
257Roberts asked:
hbustan commented:
If you don't have a firewall, then you should at least have a router which can handle access-lists.

You can use access-lists to create rules that allow port 25 to the Internet ONLY from your mail servers and nothing else.

If you don't have a router or firewall where you can place such rules, I strongly recommend investing in one (even if it is a lousy, cheap one).

The investment you make in something like this will save you a fortune in damages and losses.
 
Netman66 commented:
Monitor all port 25 traffic at the router.

You should be able to see the IP that is responsible.

Ethereal, Netmon or Wireshark can be used.

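The "monitor port 25 at the router, then see which IP is responsible" step from the comment above, as an added example (not code from any poster). It assumes you can capture on a mirror/span port or the router's LAN side and export outbound SMTP SYNs with tshark; the LAN range (192.168.1.0/24) and the thresholds are assumptions, and the sample rows are constructed, not a real capture. Counting SYNs rather than completed connections still catches a zombie whose mail is already being dropped upstream.

```python
"""
Find the spam zombie from the network side: tally TCP SYNs to port 25 per
internal source address. Added example for this thread, not from any poster.

Assumed input: one tab-separated line per outbound SMTP SYN, the format of
    tshark -r capture.pcap \
      -Y "tcp.flags.syn==1 && tcp.flags.ack==0 && tcp.dstport==25" \
      -T fields -e frame.time_epoch -e ip.src -e ip.dst
taken on a mirror port or the router's LAN side.
"""
import ipaddress
import sys
from collections import defaultdict

INTERNAL = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN range
ALLOWED_SENDERS = frozenset()  # internal hosts that may speak SMTP; none at a webmail-only site


def tally_smtp(lines, internal=INTERNAL, allowed=ALLOWED_SENDERS):
    """Return {src_ip: (syn_count, distinct_destinations)} for internal sources."""
    syns = defaultdict(int)
    dests = defaultdict(set)
    for line in lines:
        fields = line.strip().split("\t")
        if len(fields) != 3:
            continue  # blank or malformed line
        _ts, src, dst = fields
        try:
            src_ip = ipaddress.ip_address(src)
        except ValueError:
            continue
        if src_ip not in internal or src in allowed:
            continue  # traffic from outside, or a legitimate mail server
        syns[src] += 1
        dests[src].add(dst)
    return {s: (syns[s], len(dests[s])) for s in syns}


def suspects(stats, min_syns=20, min_distinct=10):
    """Hosts over both thresholds, busiest first. A zombie fans out to many
    different mail servers; a real client talks to one or two."""
    hits = [(ip, n, d) for ip, (n, d) in stats.items()
            if n >= min_syns and d >= min_distinct]
    return sorted(hits, key=lambda t: (-t[1], t[0]))


def constructed_sample():
    """Constructed stand-in for the tshark output above; not a real capture."""
    rows = []
    # Zombie: 40 SYNs fanning out to 30 different mail servers in a few seconds.
    for i in range(40):
        rows.append(f"1700000000.{i:03d}\t192.168.1.23\t203.0.113.{i % 30 + 1}")
    # Ordinary desktop: two tries to the same host, e.g. a mail client retrying.
    rows.append("1700000001.000\t192.168.1.40\t198.51.100.7")
    rows.append("1700000002.000\t192.168.1.40\t198.51.100.7")
    # Traffic from outside the LAN, which must be ignored.
    rows.append("1700000003.000\t203.0.113.9\t192.168.1.1")
    return rows


if __name__ == "__main__":
    # Read real tshark output from stdin, otherwise run on the constructed sample.
    source = sys.stdin if not sys.stdin.isatty() else constructed_sample()
    for ip, n, d in suspects(tally_smtp(source)):
        print(f"{ip}: {n} SMTP SYNs to {d} distinct hosts")
```

Pipe the tshark command's output into the script; on the constructed sample it reports only 192.168.1.23. Tune the thresholds to the site: anything above zero is already suspicious where no internal host is supposed to send mail directly.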
 
hbustan commented:
I would suggest blocking, at the firewall, all source port 25 traffic coming from your internal network from accessing the Internet (except for your mail servers).

This will stop something like that from happening in the first place.

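Both of hbustan's suggestions (the router access-list and the firewall rule) come down to one egress rule: only the mail server may open connections to TCP destination port 25 on the Internet, everything else is dropped and logged. Here is what that looks like as an added example, not a configuration from this thread. Cisco IOS extended-ACL syntax is assumed because no router vendor is named; the interface name and the mail-server address 192.0.2.10 are placeholders, and at a webmail-only site like the asker's the permit line for the mail server is simply left out.

```cisco
! Egress SMTP control, applied outbound on the Internet-facing interface.
! 192.0.2.10 is a placeholder for the one host allowed to send mail directly;
! drop that line at a site with no internal mail server.
ip access-list extended BLOCK-SMTP-OUT
 permit tcp host 192.0.2.10 any eq smtp
 deny   tcp any any eq smtp log
 permit ip any any
!
interface FastEthernet0/1
 description Internet uplink (placeholder interface name)
 ip access-group BLOCK-SMTP-OUT out
```

The "log" keyword is what turns the block into a detector: every denied packet is logged with its internal source address and port, so the zombie names itself the next time it tries, and "show access-lists BLOCK-SMTP-OUT" shows the hit count on the deny line. Order matters; the permit for the mail server must come before the deny, and the final permit ip any any keeps everything else flowing.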
 
257Roberts (author) commented:
How would I monitor port 25?  It is used for SMTP mail, isn't it? The company doesn't have a hardware firewall, but only relies on the built-in software firewall that Windows uses.  They use web-based mail, no Exchange server.  Thanks.
 
257Roberts (author) commented:
I found out that Ethereal is a packet sniffer.  At my N+ class we only used it once, but I will download it and install it on the server?  I have also used AngryIP.  I think I used it to find out who had what IP address on the network.
 
Netman66 commented:
You want to monitor traffic going out.  Then filter it based on port 25.

 
scuthber commented:
How many computers do you have? Run a netstat -na and, if you have a spamming PC, you will have loads of connections outbound on 25. Normally there are hundreds.
Depending on the router you have, you need to look at NAT sessions. It should be obvious from that too.
Sometimes you can even see which ports are most active on your switches, and if there is one that is suspiciously busy, it can be a server, an uplink port, or somebody moving a lot of data, e.g. spam.
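The netstat check from the comment above, as an added example (not code from any poster): it parses netstat output and counts sockets whose remote port is an SMTP port, which is the "loads of connections outbound on 25" signature. It accepts the plain netstat -na suggested above, and when the output comes from netstat -nao (Windows) or netstat -nap (Linux) it also reports the owning process so the malware can be located. The sample output is constructed, not taken from a real host.

```python
"""
Confirm a suspect on the host itself: count connections to remote SMTP ports
in netstat output. Added example for this thread, not from any poster.
"""
import sys
from collections import Counter

# 25 is what the ISP sees; the submission ports are worth watching as well.
SMTP_PORTS = frozenset({25, 465, 587})


def split_host_port(addr):
    """'203.0.113.5:25' -> ('203.0.113.5', 25); '[2001:db8::1]:25' -> ('2001:db8::1', 25).
    Returns port -1 when there is none (e.g. '*:*')."""
    host, sep, port = addr.rpartition(":")
    if not sep or not port.isdigit():
        return addr, -1
    return host.strip("[]"), int(port)


def outbound_smtp(netstat_output, ports=SMTP_PORTS):
    """Summarise TCP sockets whose *remote* port is an SMTP port."""
    by_state, by_pid, remotes = Counter(), Counter(), set()
    for line in netstat_output.splitlines():
        f = line.split()
        # Linux layout has Recv-Q/Send-Q columns before the addresses; drop them.
        if len(f) >= 3 and f[1].isdigit() and f[2].isdigit():
            f = [f[0]] + f[3:]
        if len(f) < 4 or not f[0].upper().startswith("TCP"):
            continue  # header, blank line, or UDP (no state column)
        foreign, state = f[2], f[3]
        pid = f[4] if len(f) > 4 else "?"  # absent with plain -na
        rhost, rport = split_host_port(foreign)
        if rport not in ports:
            continue  # a local listener on :25 is inbound mail, not fan-out, and is skipped here
        by_state[state] += 1
        by_pid[pid] += 1
        remotes.add(rhost)
    return {"total": sum(by_state.values()), "by_state": dict(by_state),
            "by_pid": dict(by_pid), "distinct_remotes": len(remotes)}


def constructed_netstat():
    """Constructed Windows-style `netstat -nao` output; not from a real host."""
    rows = [
        "Active Connections", "",
        "  Proto  Local Address          Foreign Address        State           PID",
        "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876",
        "  TCP    192.168.1.23:50231     198.51.100.44:443      ESTABLISHED     1340",
        "  TCP    192.168.1.23:25        203.0.113.50:51234     ESTABLISHED     900",
        "  UDP    192.168.1.23:137       *:*                                    4",
    ]
    # One process with 15 half-open and 3 open connections to 18 different mail servers.
    for i in range(15):
        rows.append(f"  TCP    192.168.1.23:{49700 + i}     203.0.113.{i + 1}:25         SYN_SENT        4120")
    for i in range(3):
        rows.append(f"  TCP    192.168.1.23:{49800 + i}     [2001:db8::{i + 1}]:25       ESTABLISHED     4120")
    return "\n".join(rows)


if __name__ == "__main__":
    # Pipe real netstat output in, otherwise run on the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else constructed_netstat()
    report = outbound_smtp(text)
    print(f"{report['total']} connections to SMTP ports, "
          f"{report['distinct_remotes']} distinct remote hosts")
    for pid, n in sorted(report["by_pid"].items(), key=lambda kv: -kv[1]):
        print(f"  PID {pid}: {n} (states: {report['by_state']})")
```

Run netstat -nao | python this_script.py on each suspect. A pile of SYN_SENT entries to many different remote hosts is the tell: the zombie keeps trying even after the ISP or a router rule starts dropping its mail, and the PID column points at the process to pull off the machine.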
 
257Roberts (author) commented:
I found out from our ISP that the botnet was running an "IRC" attack.  They had me shut down ports 6667-7000 on our router.  Thank you for your help.