Gary Fuqua, CISSP
asked on
Tracking down a spam generating computer

I have a network that has at least one computer that is generating spam, per the ISP. I have run multiple anti-virus scans on all the workstations and haven't been able to identify the source of my grief. My latest line of thinking is to put some sort of a sniffer on the network and run it when everyone is offline to track down the rogue. Does anyone have any suggestions to easily follow through with this idea?
ASKER CERTIFIED SOLUTION
tigermatt
The above advice is a good first step

If you're using Outlook and an Exchange Server, the above may or may not work, because the client is sending email via the Outlook client through the mail server. If that is the case, enable message tracking on Exchange and look for an IP address that is constantly sending out emails.
It's unusual to get a spam-sending virus/bot sending mail out using Outlook / an Exchange Server. These systems usually include their own SMTP engine for sending the spam directly out to the Internet.

And the reason why they do it this way? I guess it is because with so many users using web-based mail like Yahoo!, Windows Live Mail, Google Mail and whatever else there is out there, the sort of people's PCs spammers want to infiltrate are those who use these systems, thus making our job even harder.

I have known spambots to send out mail using an Exchange Server, but just thought I'd point out that it's unlikely. It isn't unusual though (i.e. quite usual) for them to search an Outlook/OE address book if it finds one.

-tigermatt
khaledf

Do you have an Exchange server open to the internet?
Is it configured as an open mail relay? If yes, then restrict it to authenticated users.

tigermatt: fully agree with what you state; the advice would be Plan B if a system couldn't be found sending out on port 25 other than the mail server. I've seen spam kits use the internal mail server as a relay to send out, thus avoiding detection.

Of course, it certainly still is possible :)
Gary Fuqua, CISSP (ASKER)
OK. Blocking port 25 didn't do anything. But I did notice that one particular computer is sending packets to the router and the port count goes up by 1 on each packet:

2113 through 2201 as of this moment; it seems to be cycling upward.

I think this is the culprit. Does this seem like the one to you? Here is a piece of the log:

Sun, 2008-09-14 14:39:43 - [Device Receive TCP Packet - Source:192.168.0.201,2189 - Destination:192.168.0.1,80 - [Receive]]
Sun, 2008-09-14 14:39:43 - [Device Receive TCP Packet - Source:192.168.0.201,2191 - Destination:192.168.0.1,80 - [Receive]]
Sun, 2008-09-14 14:39:43 - [Device Receive TCP Packet - Source:192.168.0.201,2192 - Destination:192.168.0.1,80 - [Receive]]
Sun, 2008-09-14 14:39:44 - [Device Receive TCP Packet - Source:192.168.0.201,2193 - Destination:192.168.0.1,80 - [Receive]]
Sun, 2008-09-14 14:39:44 - [Device Receive TCP Packet - Source:192.168.0.201,2194 - Destination:192.168.0.1,80 - [Receive]]
Sun, 2008-09-14 14:39:44 - [Device Receive TCP Packet - Source:192.168.0.201,2195 - Destination:192.168.0.1,80 - [Receive]]
Sun, 2008-09-14 14:39:44 - [Device Receive TCP Packet - Source:192.168.0.201,2196 - Destination:192.168.0.1,80 - [Receive]]
Sun, 2008-09-14 14:40:18 - [Device Receive TCP Packet - Source:192.168.0.201,2197 - Destination:192.168.0.1,80 - [Receive]]
Sun, 2008-09-14 14:40:19 - [Device Receive TCP Packet - Source:192.168.0.201,2198 - Destination:192.168.0.1,80 - [Receive]]
Sun, 2008-09-14 14:40:19 - [Device Receive TCP Packet - Source:192.168.0.201,2199 - Destination:192.168.0.1,80 - [Receive]]
Sun, 2008-09-14 14:40:19 - [Device Receive TCP Packet - Source:192.168.0.201,2200 - Destination:192.168.0.1,80 - [Receive]]
Sun, 2008-09-14 14:41:09 - [Device Receive TCP Packet - Source:192.168.0.201,2201 - Destination:192.168.0.1,80 - [Receive]]

BTW, this is a W2003 domain environment. No Exchange server.
192.168.0.201 is a workstation and 192.168.0.1 is the router.
From those log entries it would appear that PC 192.168.0.1 is simply connecting to the router's web interface on port 80; it's not sending mail out on port 25 according to that small portion of the log.
Maybe you will have to wait some time for the spam to start again; then you can see it in the logs.
Do a search for ",25 -" in your logs.

If it comes from a machine that is not your server, it is likely the culprit.
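The search suggested above, as an added example that is not part of the original thread: a small Python script that parses the router's log format quoted by the asker, counts connections to destination port 25 per internal host while skipping the hosts that are allowed to send mail, and shows that the rising source port on 192.168.0.201 is just an ephemeral client port talking to the router's web UI. The sample lines are constructed in the same format (192.168.0.57, 192.168.0.10 and the external addresses are made up for the example).

```python
import re
from collections import Counter

# Pattern for the router log lines quoted in the thread:
# "<timestamp> - [Device Receive TCP Packet - Source:<ip>,<port> - Destination:<ip>,<port> - [Receive]]"
LINE_RE = re.compile(
    r"^(?P<ts>.+?) - \[Device Receive TCP Packet - "
    r"Source:(?P<src>[\d.]+),(?P<sport>\d+) - "
    r"Destination:(?P<dst>[\d.]+),(?P<dport>\d+)"
)

# Constructed sample log: one workstation polling the router's web UI (as in
# the thread), one workstation making many outbound SMTP connections, the
# assumed mail server 192.168.0.10 sending legitimately, and a UDP line that
# does not match the TCP pattern and must be skipped.
SAMPLE_LOG = """\
Sun, 2008-09-14 14:39:43 - [Device Receive TCP Packet - Source:192.168.0.201,2189 - Destination:192.168.0.1,80 - [Receive]]
Sun, 2008-09-14 14:39:44 - [Device Receive TCP Packet - Source:192.168.0.201,2190 - Destination:192.168.0.1,80 - [Receive]]
Sun, 2008-09-14 14:40:02 - [Device Receive TCP Packet - Source:192.168.0.57,1044 - Destination:203.0.113.10,25 - [Receive]]
Sun, 2008-09-14 14:40:02 - [Device Receive TCP Packet - Source:192.168.0.57,1045 - Destination:203.0.113.22,25 - [Receive]]
Sun, 2008-09-14 14:40:03 - [Device Receive TCP Packet - Source:192.168.0.57,1046 - Destination:198.51.100.7,25 - [Receive]]
Sun, 2008-09-14 14:40:05 - [Device Receive TCP Packet - Source:192.168.0.10,3301 - Destination:203.0.113.10,25 - [Receive]]
Sun, 2008-09-14 14:40:06 - [Device Receive UDP Packet - Source:192.168.0.57,1047 - Destination:192.168.0.1,53 - [Receive]]
"""


def parse_line(line):
    """Return (timestamp, src, sport, dst, dport) or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (m["ts"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]))


def smtp_senders(lines, mail_servers=()):
    """Count connections to destination port 25 per source host, ignoring hosts
    that are expected to send mail. The source port is deliberately ignored: it
    is an ephemeral client port that climbs with every new connection, so a
    rising source port alone says nothing about what the host is doing."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec[4] == 25 and rec[1] not in mail_servers:
            counts[rec[1]] += 1
    return counts


def destination_ports(lines, src):
    """Histogram of destination ports for one source host, e.g. to confirm that
    192.168.0.201 only ever talks to the router's web interface on port 80."""
    ports = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec[1] == src:
            ports[rec[4]] += 1
    return ports


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for host, n in smtp_senders(lines, mail_servers={"192.168.0.10"}).most_common():
        print(f"{host}: {n} outbound SMTP connections from a non-mail-server host")
    print("192.168.0.201 destination ports:", dict(destination_ports(lines, "192.168.0.201")))
```

Against a real log file, replace SAMPLE_LOG with the file contents and put the actual mail server's address (if any) in mail_servers; any other host with a high count is the one to pull off the network and inspect.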