• Status: Solved

How can I tell what PC on my network is sending spam?

I have an SBS 2003 server with about 50 users on it. We have been blacklisted by Spamhaus this week. How can I tell what PC on my network is possibly compromised and spamming? Is there a utility that I can install to monitor email traffic? Can I do it in Exchange System Manager?
Asked by: degoodwin
 
leegclystvale Commented:
You could change to SMTP connector so that the message will just queue and then go through the queue list? Bit crude though!
 
lecaf Commented:
Probably you have a router or a firewall.

Even cheap SOHO ones have some logging features... use them :)

m a  r  c

PS If it was coming through the Exchange you would have run out of disk space by now...
 
degoodwin (Author) Commented:
I have a SonicWall TZ190. I have created an access rule that denies any LAN to WAN on port 25 except for my Exchange server. Actually it is 2 rules (my server is at 10.0.0.51): one that blocks 1-50 and one that blocks 52-254. This should do it, right? There is a rule that allows any to any though, and it is enabled. Does this overwrite the deny or do deny rules take priority, like in Windows?
BitBurner Commented:
You could use a packet sniffer and watch the raw network traffic. You could set a filter for only traffic on port 25.

http://www.etherdetect.com/
 
degoodwin (Author) Commented:
I have installed it and I am scanning ports but it only seems to be scanning port 25 on my Exchange server. Any idea how to set it to scan the entire network?
 
BitBurner Commented:
If you are using a switch on the network then you will not get any traffic except what is going directly to that interface.
If you have a managed switch then you can set one port to not filter and use that port. Or if it's a nice switch it might even have a "monitor" port that is already set to not filter. The alternative is to get a cheap hub (not switch) and put it in between router and switch, letting you catch all traffic.
 
degoodwin (Author) Commented:
I have a 3Com switch that is not a managed switch. So I guess that this will not work then. I have 50 users and 2 switches in the server room and other switches in various locations. Anything else I might be able to use?
 
BitBurner Commented:
You could try actually running it on the Exchange server... now before you do that, this needs to be a last resort (the hub trick is best in this case), because it will install WinPCAP on the server's network interface. WinPCAP is basically a pass-through driver that sits in front of your network interface, so a restart would be needed. Take that into consideration. But since your outbound mail has to come there first, you should see all the port 25 traffic on that interface. :)
 
degoodwin (Author) Commented:
Looks like it cannot be done with my config. I changed my firewall to block access except from server and went PC by PC to clean them out. Old-fashioned sneakernet.
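Added example, not part of the original thread or any vendor's tooling: once the firewall denies LAN-to-WAN port 25 for everything except the Exchange server at 10.0.0.51, its log shows which workstations keep trying to send mail directly. The log lines, their key=value layout and the 10.0.0.0/24 LAN range are assumptions made for this sketch; adapt the regular expression to the format your firewall exports.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

LAN = ip_network("10.0.0.0/24")        # assumed from the 10.0.0.1-254 rules in the thread
MAIL_SERVER = ip_address("10.0.0.51")  # Exchange server address given in the thread
SMTP_PORT = 25

# Constructed sample lines in a generic key=value style (an assumption);
# adapt LINE_RE to the format your firewall really writes.
SAMPLE_LOG = """\
msg="Connection Opened" src=10.0.0.51:3312 dst=203.0.113.10:25 proto=tcp
msg="Access rule deny" src=10.0.0.23:1045 dst=198.51.100.7:25 proto=tcp
msg="Access rule deny" src=10.0.0.23:1046 dst=198.51.100.8:25 proto=tcp
msg="Access rule deny" src=10.0.0.23:1047 dst=192.0.2.44:25 proto=tcp
msg="Connection Opened" src=10.0.0.17:2210 dst=203.0.113.10:80 proto=tcp
msg="Access rule deny" src=10.0.0.40:4120 dst=198.51.100.7:25 proto=tcp
msg="Access rule deny" src=10.0.0.23:1048 dst=198.51.100.7:25 proto=tcp
msg="Connection Opened" src=10.0.0.17:2215 dst=10.0.0.51:25 proto=tcp
msg="Connection Opened" src=203.0.113.10:5511 dst=10.0.0.51:25 proto=tcp
"""

LINE_RE = re.compile(r"src=(?P<src>[\d.]+):\d+\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)")

def smtp_offenders(log_text, lan=LAN, mail_server=MAIL_SERVER):
    """Return [(source_ip, attempts, distinct_destinations)], busiest first."""
    attempts = Counter()
    destinations = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or int(m["dport"]) != SMTP_PORT:
            continue
        try:
            src, dst = ip_address(m["src"]), ip_address(m["dst"])
        except ValueError:          # malformed address in the log line
            continue
        # Keep only LAN -> Internet SMTP that did not come from the mail server.
        if src not in lan or dst in lan or src == mail_server:
            continue
        attempts[str(src)] += 1
        destinations[str(src)].add(str(dst))
    return [(ip, n, len(destinations[ip])) for ip, n in attempts.most_common()]

if __name__ == "__main__":
    for ip, n, dests in smtp_offenders(SAMPLE_LOG):
        print(f"{ip}: {n} outbound SMTP attempts to {dests} distinct servers")
```

A workstation that contacts many distinct outside mail servers on port 25 is the first machine to pull off the network and clean.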
