How to set up logging for port 25 to find a virus on network

Posted on 2009-02-11
Last Modified: 2013-11-16
I have a virus on the network some place that keeps sending out .zip files and causing the email server to be blacklisted. How do I set up logging on ISA Server 2004 for logging of port 25? All directions I have found on this venue have not worked. I do not have an SBS server - I have Windows 2003 Server, Exchange 2003, ISA Server 2004 - all Windows XP Pro clients. For example:

Doesn't have to be from a source port of 25 - it is the destination port you need to be more concerned over.

open the ISA gui
select - monitoring - logging
On the right, click edit query (I do not have Edit query; I have Edit Filter and followed the directions with that)
Change the action to destination port  =  25
Click update
Change the time value to past 7 days  (I do not see a change the time value to past 7 days)
click update
click start query (I start query, but it just keeps "fetching results" forever)

Is any device listed as the source that is other than your SBS server?
Question by: manch03

    Accepted Solution

    TCPDUMP is generally useful anytime you need to find out where traffic is coming from on a network. If you don't have much Linux-fu you can also try WinDUMP. You'll need WinPcap as well. Learn more here:

    There are elegant ways to deploy this in your network, but a straightforward, albeit ham-fisted, way is to have a PC with at least two network interfaces on it configured as bridge interfaces. This effectively lets your monitoring PC running TCPDUMP sit on the wire between your server and the switch port it connects to.

    There are all kinds of rules you could apply to match and log traffic of interest. For example:
    # tcpdump -vv src or and dst port 25

    This would log all traffic that originated from either of the specified network address ranges if that traffic was going anywhere with a destination port of 25. Really, any combination of protocols and network source and destinations can be used as matching criteria, so if you want more targeted logging of network traffic, TCPDUMP is a great choice.
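As an added example (not part of the original answer), a small Python script that reads tcpdump's text output, keeps only new connection attempts (SYNs) to destination port 25, and ranks internal hosts other than the mail server by how many outbound SMTP connections they open. The sample capture lines and the mail-server address 192.168.1.5 are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample of tcpdump text output (not a real capture): outbound SYNs
# from the Exchange server 192.168.1.5 and from two workstations.
SAMPLE_LINES = """\
10:01:02.100 IP 192.168.1.5.1030 > 64.12.88.132.25: Flags [S], seq 1, win 65535, length 0
10:01:02.400 IP 192.168.1.5.1031 > 209.85.146.27.25: Flags [S], seq 2, win 65535, length 0
10:01:03.000 IP 192.168.1.37.1025 > 64.12.88.132.25: Flags [S], seq 3, win 65535, length 0
10:01:03.010 IP 192.168.1.37.1026 > 64.12.88.133.25: Flags [S], seq 4, win 65535, length 0
10:01:03.020 IP 192.168.1.37.1027 > 209.85.146.27.25: Flags [S], seq 5, win 65535, length 0
10:01:03.030 IP 192.168.1.37.1028 > 65.55.37.72.25: Flags [S], seq 6, win 65535, length 0
10:01:04.000 IP 192.168.1.5.1032 > 64.12.88.133.25: Flags [S], seq 7, win 65535, length 0
10:01:05.000 IP 192.168.1.42.1025 > 192.168.1.5.25: Flags [S], seq 8, win 65535, length 0
10:01:06.000 IP 192.168.1.42.1026 > 192.168.1.5.443: Flags [S], seq 9, win 65535, length 0
"""

# Matches the "IP src.sport > dst.dport: Flags [S]" shape of a tcpdump SYN line.
SYN_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[S\]"
)


def parse_syns(lines, dst_port=25):
    """Yield (src_ip, dst_ip) for each connection attempt to dst_port."""
    for line in lines:
        m = SYN_RE.search(line)
        if m and int(m.group(4)) == dst_port:
            yield m.group(1), m.group(3)


def find_smtp_suspects(lines, mail_server):
    """Return [(src_ip, syn_count, distinct_destinations)], busiest first, for
    hosts other than mail_server that open SMTP connections to anything other
    than mail_server (a client submitting mail to its own server is normal)."""
    syns = defaultdict(int)
    dsts = defaultdict(set)
    for src, dst in parse_syns(lines):
        if src == mail_server or dst == mail_server:
            continue
        syns[src] += 1
        dsts[src].add(dst)
    return sorted(((s, syns[s], len(dsts[s])) for s in syns),
                  key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    for src, n, d in find_smtp_suspects(SAMPLE_LINES.splitlines(), "192.168.1.5"):
        print(f"{src}: {n} SMTP connection attempts to {d} distinct hosts")
```

On a real capture, feed it `tcpdump -n 'tcp[tcpflags] & tcp-syn != 0 and dst port 25'` output and the workstation at the top of the list is the first place to look.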

    Author Comment

    I went to the site, downloaded the tcpdump - let it run - but it only takes me to a web page when I click on it.  There is nothing there.
