degoodwin asked:

How can I tell what PC on my network is sending spam?

I have an SBS 2003 server with about 50 users on it. We have been blacklisted by Spamhaus this week. How can I tell what PC on my network is possibly compromised and spamming? Is there a utility that I can install to monitor email traffic? Can I do it in Exchange System Manager?
leegclystvale (United Kingdom)

You could change to an SMTP connector so that the messages will just queue, and then go through the queue list? Bit crude though!
lecaf

Probably you have a router or a firewall.

even cheap soho ones have some logging features...use them :)

marc

PS: If it was coming through Exchange you would have run out of disk space by now....
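The logging suggestion above is the cheapest place to start: a perimeter firewall that logs allowed LAN-to-WAN connections already records which internal host opened every outbound TCP/25 session. The script below is an added example, not code from this thread or from any firewall vendor; it parses a constructed, generic key=value log (not SonicWall's real log format) and ranks hosts by how many distinct external mail servers they connected to. The mail server address 10.0.0.51 is taken from the question; the threshold of three distinct destinations is an assumed tuning value. A workstation that talks to one ISP relay is normal, while a host fanning out to many different MX servers is the classic direct-to-MX spam-bot signature.

```python
import re
from collections import defaultdict

# The Exchange server from the thread; the only host that should speak SMTP to the WAN.
MAIL_SERVER = "10.0.0.51"

# Constructed log lines in a generic key=value style (not any vendor's real format).
# Each line is one allowed LAN-to-WAN TCP connection as a firewall might log it.
SAMPLE_LOG = """\
Apr 14 10:01:02 fw src=10.0.0.51:2001 dst=198.51.100.10:25 proto=tcp action=allow
Apr 14 10:01:03 fw src=10.0.0.23:1044 dst=203.0.113.5:25 proto=tcp action=allow
Apr 14 10:01:03 fw src=10.0.0.23:1045 dst=203.0.113.9:25 proto=tcp action=allow
Apr 14 10:01:04 fw src=10.0.0.12:1100 dst=203.0.113.80:80 proto=tcp action=allow
Apr 14 10:01:04 fw src=10.0.0.23:1046 dst=198.51.100.77:25 proto=tcp action=allow
Apr 14 10:01:05 fw src=10.0.0.40:1200 dst=198.51.100.25:25 proto=tcp action=allow
Apr 14 10:01:05 fw src=10.0.0.23:1047 dst=192.0.2.33:25 proto=tcp action=allow
Apr 14 10:01:06 fw src=10.0.0.51:2002 dst=192.0.2.44:25 proto=tcp action=allow
Apr 14 10:01:06 fw src=10.0.0.23:1048 dst=192.0.2.60:25 proto=tcp action=allow
Apr 14 10:01:07 fw src=10.0.0.23:1049 dst=192.0.2.60:25 proto=tcp action=allow
"""

LOG_RE = re.compile(
    r"src=(?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+\s+"
    r"dst=(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)\s+proto=tcp"
)


def smtp_destinations_by_host(log_text, mail_server=MAIL_SERVER):
    """Map each LAN host (except the mail server) to the set of WAN hosts it opened TCP/25 to."""
    dests = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m.group("dport") != "25":
            continue
        if m.group("src") == mail_server:
            continue  # the legitimate relay is expected to talk to many MX hosts
        dests[m.group("src")].add(m.group("dst"))
    return dict(dests)


def suspects(log_text, threshold=3, mail_server=MAIL_SERVER):
    """Hosts talking SMTP to at least `threshold` distinct WAN addresses, busiest first.

    One destination (an ISP relay, say) is normal for a workstation; fanning out to
    many distinct destinations is what a direct-to-MX spam bot looks like.
    """
    dests = smtp_destinations_by_host(log_text, mail_server)
    ranked = sorted(dests.items(), key=lambda kv: len(kv[1]), reverse=True)
    return [(host, len(d)) for host, d in ranked if len(d) >= threshold]


if __name__ == "__main__":
    for host, n in suspects(SAMPLE_LOG):
        print(f"{host}: SMTP connections to {n} distinct external hosts")
```

Run it against an export of the firewall's connection log instead of SAMPLE_LOG; the regex only needs adjusting to the vendor's field names. Lowering the threshold to 1 lists every host that used port 25 at all, which is the right view once the deny rule is in place and you want to see who is still trying.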
degoodwin (ASKER)

I have a SonicWall TZ190. I have created an access rule that denies any LAN to WAN on port 25 except for my Exchange server. Actually it is 2 rules (my server is at 10.0.0.51): one that blocks 1-50 and one that blocks 52-254. This should do it, right? There is a rule that allows any to any though, and it is enabled. Does this overwrite the deny, or do deny rules take priority, like in Windows?
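Whether the "any to any" allow overrides the two denies depends on how the firewall orders its rules. Many firewalls evaluate access rules top-down and act on the first match, so an allow-all placed above the denies silently shadows them, while the same allow placed below them lets only the mail server out on port 25. The evaluator below is an added example (not SonicWall code, and not a claim about how a specific product orders its rules; that is an assumption to check against the product's documentation) that models the first-match behaviour with the three rules from the question, plus a simple shadow check for the case where an earlier "any"-source rule covers a later rule completely.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    name: str
    action: str            # "allow" or "deny"
    src: str               # "any", a CIDR such as "10.0.0.0/24", or a range "10.0.0.1-10.0.0.50"
    dport: Optional[int]   # None means any destination port


def _src_matches(spec: str, ip: ipaddress.IPv4Address) -> bool:
    if spec == "any":
        return True
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return lo <= ip <= hi
    return ip in ipaddress.ip_network(spec, strict=False)


def evaluate(rules: List[Rule], src_ip: str, dport: int) -> Tuple[str, str]:
    """First-match evaluation (assumed model): walk the list top-down and return
    (action, rule name) of the first rule that matches; nothing matching means
    an implicit deny."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if _src_matches(r.src, ip) and (r.dport is None or r.dport == dport):
            return r.action, r.name
    return "deny", "implicit-deny"


def shadowed(rules: List[Rule]) -> List[str]:
    """Names of rules that can never fire because an earlier rule already matches
    everything they match (checked for the simple case of an earlier "any" source
    with any port, or the same port)."""
    out = []
    for i, r in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.src == "any" and (earlier.dport is None or earlier.dport == r.dport):
                out.append(r.name)
                break
    return out


# Rule set from the question: block LAN->WAN port 25 from everything except the
# Exchange server at 10.0.0.51, plus the pre-existing "any to any" allow.
DENY_LOW = Rule("deny-smtp-1-50", "deny", "10.0.0.1-10.0.0.50", 25)
DENY_HIGH = Rule("deny-smtp-52-254", "deny", "10.0.0.52-10.0.0.254", 25)
ALLOW_ALL = Rule("allow-any-any", "allow", "any", None)

DENIES_FIRST = [DENY_LOW, DENY_HIGH, ALLOW_ALL]   # the intended order
ALLOW_FIRST = [ALLOW_ALL, DENY_LOW, DENY_HIGH]    # the denies never fire

if __name__ == "__main__":
    for label, ruleset in (("denies first", DENIES_FIRST), ("allow first", ALLOW_FIRST)):
        print(label, evaluate(ruleset, "10.0.0.20", 25), "shadowed:", shadowed(ruleset))
```

The practical check after saving the rules is to pick a workstation address and a port-25 destination and confirm the firewall's own rule-test or log reports the deny; if the allow-any rule is the one that fires, move the denies above it.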
ASKER CERTIFIED SOLUTION
BitBurner

I have installed it and I am scanning ports but it only seems to be scanning port 25 on my exchange server. Any idea how to set it to scan the entire network?
If you are using a switch on the network then you will not get any traffic except what is going directly to that interface.
If you have a managed switch then you can set one port to not filter and use that port. Or if it's a nice switch it might even have a "monitor" port that is already set to not filter. The alternative is to get a cheap hub (not switch) and put it in between router and switch, letting you catch all traffic.
I have a 3Com switch that is not a managed switch. So I guess that this will not work then. I have 50 users and 2 switches in the server room and other switches in various locations. Anything else I might be able to use?
You could try actually running it on the Exchange server...now before you do that, this needs to be a last resort (the hub trick is best in this case), because it will install WinPcap on the server's network interface. WinPcap is basically a pass-through driver that sits in front of your network interface, so a restart would be needed. Take that into consideration. But since your outbound mail has to come there first, you should see all the port 25 traffic on that interface. :)
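Once a capture point sees the LAN-to-WAN traffic (the hub between router and switch, or a monitor port on a managed switch, as suggested above), the question reduces to reading the capture for TCP SYNs to port 25 and grouping them by internal source. The following is an added example, not code from this thread or from WinPcap: a dependency-free parser for the classic libpcap file format that decodes Ethernet/IPv4/TCP headers and returns the sources of every outbound SMTP connection attempt. The capture it reads is constructed in-line so it runs offline; the mail server address 10.0.0.51 comes from the question. Only little-endian pcap files with Ethernet link type are handled, which is what a typical capture tool writes.

```python
import socket
import struct

MAIL_SERVER = "10.0.0.51"  # the Exchange server from the thread


def _frame(src, dst, sport, dport, tcp_flags):
    """Constructed Ethernet/IPv4/TCP frame with no payload (checksums left zero;
    the parser below does not verify them)."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)           # EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, tcp_flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap raw frames in a little-endian libpcap file (magic 0xa1b2c3d4, link type 1)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1_000_000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)


def smtp_syns(pcap_bytes):
    """Return (src_ip, dst_ip) for every TCP SYN (without ACK) aimed at port 25."""
    if struct.unpack_from("<I", pcap_bytes, 0)[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian libpcap files are supported")
    results, off = [], 24
    while off + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap_bytes, off)
        off += 16
        frame = pcap_bytes[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
            continue                                   # not IPv4 (e.g. ARP) or truncated
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 6:
            continue                                   # not TCP
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        tcp_off = 14 + ihl
        if len(frame) < tcp_off + 14:
            continue
        _, dport = struct.unpack_from("!HH", frame, tcp_off)
        flags = frame[tcp_off + 13]
        if dport == 25 and flags & 0x02 and not flags & 0x10:
            results.append((src, dst))
    return results


def summarize(pcap_bytes, mail_server=MAIL_SERVER):
    """Distinct SMTP destinations per internal host, excluding the legitimate relay."""
    per_host = {}
    for src, dst in smtp_syns(pcap_bytes):
        if src != mail_server:
            per_host.setdefault(src, set()).add(dst)
    return {host: len(d) for host, d in per_host.items()}


# Constructed sample capture: one workstation fanning out to three MX hosts, the
# server doing its normal job, a web connection, a SYN-ACK reply, and an ARP frame.
SAMPLE_PCAP = build_pcap([
    _frame("10.0.0.23", "203.0.113.5", 1044, 25, 0x02),
    _frame("203.0.113.5", "10.0.0.23", 25, 1044, 0x12),    # reply, must not count
    _frame("10.0.0.23", "203.0.113.9", 1045, 25, 0x02),
    _frame("10.0.0.23", "198.51.100.77", 1046, 25, 0x02),
    _frame("10.0.0.51", "198.51.100.10", 2001, 25, 0x02),  # the mail server itself
    _frame("10.0.0.40", "203.0.113.80", 1100, 80, 0x02),   # plain web traffic
    b"\x00" * 12 + b"\x08\x06" + b"\x00" * 28,             # ARP, skipped
])

if __name__ == "__main__":
    for host, n in sorted(summarize(SAMPLE_PCAP).items(), key=lambda kv: -kv[1]):
        print(f"{host}: SMTP connection attempts to {n} distinct hosts")
```

To use it on a real capture, read the file with `open(path, "rb").read()` and pass the bytes to `summarize`; a capture taken on the Exchange server's own interface only reflects what reaches that interface, so for the direct-to-MX case the hub or monitor-port placement is what makes the other workstations visible.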
Looks like it cannot be done with my config. I changed my firewall to block access except from the server and went PC by PC to clean them out. Old-fashioned sneakernet.