ISP says we have spam coming from our IP. How do I find which desktop/s have been zombied?

The company that I am helping has sent us an email saying they are detecting spam traffic from our IP.  How do I find which desktop/s are being used as spam zombies?
257RobertsAsked:

Netman66Commented:
Monitor all port 25 traffic at the router.

You should be able to see the IP that is responsible.

Ethereal, Netmon or Wireshark can be used.

0
hbustanCommented:
I would suggest blocking, at the firewall, all source port 25 traffic coming from your internal network from accessing the Internet (except for your mail servers).

This will keep something like that from happening in the first place.

0
257RobertsAuthor Commented:
How would I monitor port 25?  It is used for SMTP mail isn't it? The company doesn't have a hardware firewall, but only relies on the built in software firewall that windows uses.  They use web based mail, no Exchange server.  Thanks.
0
257RobertsAuthor Commented:
I found out that Ethereal is a packet sniffer.  At my N+ class we only used it once, but I will download it and install it at the server?  I have also used AngryIP.  I think I used it to find out who had what IP address on the network.
0
Netman66Commented:
You want to monitor traffic going out.  Then filter it based on port 25.

0
hbustanCommented:
If you don't have a firewall, then you should at least have a router which can handle access-lists.

You can use access-lists to create rules that allow port 25 to the Internet ONLY from your mail servers and nothing else.

If you don't have a router or firewall where you can place such rules, I strongly recommend investing in one (even if it is a lousy cheap-priced one).

The investment you make on something like this will save you a fortune from damages and losses.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
scuthberCommented:
How many computers do you have? Run netstat -na and, if you have a spamming PC, you will see loads of outbound connections on 25. Normally there are hundreds.
Depending on the router you have, you need to look at NAT sessions. It should be obvious from that too.
Sometimes you can even see which ports are most active on your switches, and if there is one that is suspiciously busy, it can be a server, an uplink port, or somebody moving a lot of data, e.g. spam.
0
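As an added example that is not part of this thread, the following Python script does what Netman66's and scuthber's comments describe: it parses "netstat -na" output from a desktop and, alternatively, a simple per-flow export from a capture taken at the router, then ranks internal hosts by how many distinct remote SMTP servers (port 25) they are talking to. The netstat text, the flow lines (src,dst,dport,flags), the 192.168.1.x addresses and the threshold of five peers are all constructed for the example; a workstation that uses web mail should have zero outbound port 25 connections, so anything above a handful is worth a look, once known mail servers are exempted.

```python
import re
from collections import defaultdict

SMTP_PORT = 25

# Constructed sample of Windows "netstat -na" output from one desktop
# (hypothetical workstation 192.168.1.37; not a real capture).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    [::]:445               [::]:0                 LISTENING
  TCP    192.168.1.37:1089      203.0.113.10:25        SYN_SENT
  TCP    192.168.1.37:1090      198.51.100.22:25       ESTABLISHED
  TCP    192.168.1.37:1091      203.0.113.44:25        SYN_SENT
  TCP    192.168.1.37:1092      192.0.2.9:25           ESTABLISHED
  TCP    192.168.1.37:1100      192.0.2.77:25          SYN_SENT
  TCP    192.168.1.37:1101      192.0.2.77:25          TIME_WAIT
  TCP    192.168.1.37:3012      93.184.216.34:80       ESTABLISHED
  UDP    192.168.1.37:137       *:*
"""

# Constructed sample of flow records as you might export them from a
# router-side capture: "src_ip,dst_ip,dst_port,tcp_flags" (hypothetical format).
SAMPLE_FLOWS = """\
192.168.1.37,203.0.113.10,25,S
192.168.1.37,198.51.100.22,25,S
192.168.1.37,203.0.113.44,25,S
192.168.1.37,192.0.2.9,25,S
192.168.1.37,192.0.2.77,25,S
192.168.1.37,192.0.2.78,25,S
192.168.1.12,93.184.216.34,443,S
192.168.1.12,203.0.113.10,25,S
192.168.1.5,198.51.100.22,25,S
"""

# One netstat row: proto, local addr:port, foreign addr:port, optional state.
# The greedy \S+ backtracks correctly over IPv6 literals such as [::]:445.
NETSTAT_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<raddr>\S+):(?P<rport>\S+)\s*(?P<state>\S*)\s*$"
)


def parse_netstat(text):
    """Parse netstat -na lines into (proto, local_ip, local_port, remote_ip, remote_port, state)."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue  # skips the title, column header and blank lines
        d = m.groupdict()
        rport = int(d["rport"]) if d["rport"].isdigit() else None  # "*" for UDP
        rows.append((d["proto"], d["laddr"], int(d["lport"]), d["raddr"], rport, d["state"]))
    return rows


def smtp_targets_from_netstat(text):
    """Map local IP -> set of remote hosts it has TCP connections to on port 25.
    Only a *remote* port of 25 marks an outbound SMTP attempt; LISTENING sockets are skipped."""
    targets = defaultdict(set)
    for proto, laddr, _lport, raddr, rport, state in parse_netstat(text):
        if proto == "TCP" and rport == SMTP_PORT and state != "LISTENING":
            targets[laddr].add(raddr)
    return targets


def smtp_targets_from_flows(text):
    """Same aggregation from router-side flow records 'src,dst,dport,flags'."""
    targets = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, dport, _flags = line.split(",")
        if int(dport) == SMTP_PORT:
            targets[src].add(dst)
    return targets


def suspicious_hosts(targets, threshold=5):
    """Return [(ip, distinct_smtp_peers)] for hosts at or above threshold, busiest first.
    The threshold is an assumption: exempt legitimate mail servers before acting on the list."""
    ranked = sorted(((ip, len(peers)) for ip, peers in targets.items()),
                    key=lambda t: t[1], reverse=True)
    return [(ip, n) for ip, n in ranked if n >= threshold]


if __name__ == "__main__":
    print("desktop view:", suspicious_hosts(smtp_targets_from_netstat(SAMPLE_NETSTAT)))
    print("router view: ", suspicious_hosts(smtp_targets_from_flows(SAMPLE_FLOWS)))
```

On a real network you would paste in the output of netstat -na from each desktop (or pipe it to the script), or export flows from the router capture with a destination port 25 filter applied; counting distinct SMTP peers rather than raw connections keeps retries to the same server from inflating the score.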
257RobertsAuthor Commented:
I found out from our ISP that the botnet was running an "IRC" attack.  They had me shut down ports 6667-7000 on our router.  Thank you for your help.
0