Solved

How can I tell what pc on my network is sending spam?

Posted on 2008-10-22
9
323 Views
Last Modified: 2012-05-05
I have an SBS 2003 server with about 50 users on it. We have been blacklisted by Spamhaus this week. How can I tell what PC on my network is possibly compromised and spamming? Is there a utility that I can install to monitor email traffic? Can I do it in Exchange System Manager?
0
Comment
Question by:degoodwin
9 Comments
 
LVL 13

Expert Comment

by:leegclystvale
ID: 22781061
You could change to SMTP connector so that the message will just queue and then go through the queue list? Bit crude though!
0
 
LVL 5

Expert Comment

by:lecaf
ID: 22781085
Probably you have a router or a firewall.

Even cheap SOHO ones have some logging features... use them :)

m a  r  c

PS: If it was coming through the Exchange you would have run out of disk space by now...
0
 

Author Comment

by:degoodwin
ID: 22781371
I have a SonicWall TZ190. I have created an access rule that denies any LAN to WAN on port 25 except for my Exchange server. Actually it is 2 rules (my server is at 10.0.0.51): one that blocks 1-50 and one that blocks 52-254. This should do it, right? There is a rule that allows any to any though, and it is enabled. Does this overwrite the deny, or do deny rules take priority, like in Windows?
0
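
As an added example (not part of the original thread): with a deny rule like the one above in place, the firewall's own log already names the machines trying to send mail directly. This sketch tallies outbound port 25 attempts per LAN host, skipping the Exchange server at 10.0.0.51; the log lines are constructed and their key=value layout is an assumption, not actual SonicWall output.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

LAN = ip_network("10.0.0.0/24")        # LAN range implied by the thread (10.0.0.1-254)
MAIL_SERVER = ip_address("10.0.0.51")  # Exchange server address given in the thread

# Constructed sample lines in a simplified key=value layout (an assumption);
# adapt FIELD to whatever your firewall actually writes.
SAMPLE_LOG = """\
time="2008-10-22 09:14:02" msg="Connection Opened" src=10.0.0.51:2811 dst=203.0.113.25:25 proto=tcp
time="2008-10-22 09:14:03" msg="Access rule deny" src=10.0.0.23:1045 dst=198.51.100.7:25 proto=tcp
time="2008-10-22 09:14:03" msg="Access rule deny" src=10.0.0.23:1046 dst=198.51.100.9:25 proto=tcp
time="2008-10-22 09:14:04" msg="Access rule deny" src=10.0.0.23:1047 dst=203.0.113.80:25 proto=tcp
time="2008-10-22 09:14:05" msg="Connection Opened" src=10.0.0.17:3321 dst=203.0.113.5:80 proto=tcp
time="2008-10-22 09:14:06" msg="Access rule deny" src=10.0.0.40:1190 dst=198.51.100.7:25 proto=tcp
time="2008-10-22 09:14:07" msg="Connection Opened" src=10.0.0.12:2200 dst=10.0.0.51:25 proto=tcp
-- log rotated --
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Turn one key=value log line into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def split_endpoint(value):
    """'10.0.0.23:1045' -> (IPv4Address, 1045); raises ValueError if malformed."""
    host, _, port = value.partition(":")
    return ip_address(host), int(port or 0)

def smtp_offenders(log_text, port=25):
    """Return [(source_ip, attempts, distinct_destinations)], busiest first."""
    hits, targets = Counter(), {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        try:
            src, _ = split_endpoint(rec["src"])
            dst, dport = split_endpoint(rec["dst"])
        except (KeyError, ValueError):
            continue                   # not a connection record
        if dport != port or src == MAIL_SERVER:
            continue                   # not SMTP, or the legitimate sender
        if src not in LAN or dst in LAN:
            continue                   # only LAN-to-outside traffic is of interest
        hits[src] += 1
        targets.setdefault(src, set()).add(dst)
    return [(str(ip), n, len(targets[ip])) for ip, n in hits.most_common()]

if __name__ == "__main__":
    for ip, attempts, dests in smtp_offenders(SAMPLE_LOG):
        print(f"{ip}: {attempts} attempts to {dests} mail servers")
```

A workstation that contacts many distinct outside mail servers on port 25 is the first one to inspect; a client submitting mail to the Exchange server itself is ignored.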
 
LVL 3

Accepted Solution

by:
BitBurner earned 500 total points
ID: 22781659
You could use a packet sniffer and watch the raw network traffic. You could set a filter for only traffic on port 25.

http://www.etherdetect.com/

0

 

Author Comment

by:degoodwin
ID: 22782100
I have installed it and I am scanning ports but it only seems to be scanning port 25 on my exchange server. Any idea how to set it to scan the entire network?
0
 
LVL 3

Expert Comment

by:BitBurner
ID: 22782134
If you are using a switch on the network then you will not get any traffic except what is going directly to that interface.
If you have a managed switch then you can set one port to not filter and use that port. Or if it's a nice switch it might even have a "monitor" port that is already set to not filter. The alternative is to get a cheap hub (not switch) and put it in between router and switch, letting you catch all traffic.
0
 

Author Comment

by:degoodwin
ID: 22782371
I have a 3Com switch that is not a managed switch. So I guess that this will not work then. I have 50 users and 2 switches in the server room and other switches in various locations. Anything else I might be able to use?
0
 
LVL 3

Expert Comment

by:BitBurner
ID: 22783091
You could try actually running it on the Exchange server. Before you do that, note that this needs to be a last resort (the hub trick is best in this case), because it will install WinPcap on the server's network interface. WinPcap is basically a pass-through driver that sits in front of your network interface, so a restart would be needed. Take that into consideration. But since your outbound mail has to come there first, you should see all the port 25 traffic on that interface. :)
0
 

Author Closing Comment

by:degoodwin
ID: 31508952
Looks like it cannot be done with my config. I changed my firewall to block access except from server and went PC by PC to clean them out. Old-fashioned sneakernet.
0
