Solved

How can I tell what pc on my network is sending spam?

Posted on 2008-10-22
9
343 Views
Last Modified: 2012-05-05
I have an sbs 2003 server with about 50 users on it.  We have been blacklisted by spamhaus this week.  How can I tell what pc on my network is possibly compromised and spamming? Is there a utility that I can install to monitor email traffic? Can I do it in Exchange System Manager?  
0
Comment
Question by:degoodwin
9 Comments
 
LVL 13

Expert Comment

by:leegclystvale
ID: 22781061
You could change to SMTP connector so that the message will just queue and thewn go through the queue list? Bit crude though!
0
 
LVL 5

Expert Comment

by:lecaf
ID: 22781085
probably you have a router or a firewall

even cheap soho ones have some logging features...use them :)

m a  r  c

PS If it was coming through the exchange you would have run out of disk space by now....
0
 

Author Comment

by:degoodwin
ID: 22781371
I have a sonic wall tz190. I have created an access rule that deny's any lan to wan on port 25 except for my exchange server. Actually it is 2 rules (my server is at 10.0.0.51) one that block 1-50 and one that blocks 52-254.  This should do it right? There is a rule that allows any to any though.  And it is enabled.  Does this overwrite the deny or do deny rules take priority, like in Windows.
0
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

 
LVL 3

Accepted Solution

by:
BitBurner earned 500 total points
ID: 22781659
You could use a packet sniffer and watch the raw network traffic. You could set a filter for only traffic on port 25.

http://www.etherdetect.com/

0
 

Author Comment

by:degoodwin
ID: 22782100
I have installed it and I am scanning ports but it only seems to be scanning port 25 on my exchange server. Any idea how to set it to scan the entire network?
0
 
LVL 3

Expert Comment

by:BitBurner
ID: 22782134
if you are using a switch on the network then you will not get any traffic except what is going directly to that interface.
If you have a managed switch then you can set one port to not filter and use that port. Or if its a nice switch it might even have a "monitor" port that is already set to not filter.. The alternative is to get a cheap hub (not switch) and put it in between router and switch letting you catch all traffic.
0
 

Author Comment

by:degoodwin
ID: 22782371
I have a 3Com Switch that is not a managed switch.  So I guess that this will not work then.  I have 50 users and 2 switches in the serer room and other swithces in various locations. Anything else I might be able to use.
0
 
LVL 3

Expert Comment

by:BitBurner
ID: 22783091
You could try actually running it on the exchange server...now before you do that this needs to be a last resort...(the hub trick is best in this case) Because it will install a WinPCAP on the servers network interface. WinPCAP is basicly pass through driver that sits in front of your network interface. So a restart would be needed. Take that into consideration. But since your outbound mail has to come there first then you should see all the port 25 traffic on that interface.:)
0
 

Author Closing Comment

by:degoodwin
ID: 31508952
Looks like it cannot be done with my config. I changed my firewall to block access except from server and went pc by pc to clean them out. Old fashion sneaker net.
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Following basic email etiquette rules will help you write a professional email and achieve a good, lasting impression with your contacts.
Read this checklist to learn more about the 15 things you should never include in an email signature.
In this Micro Video tutorial you will learn the basics about Database Availability Groups and How to configure one using a live Exchange Server Environment. The video tutorial explains the basics of the Exchange server Database Availability grou…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

773 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question