Detecting computer sending spam on network

Posted on 2009-02-11
Medium Priority
Last Modified: 2012-05-06
We currently have a computer somewhere on our network infected with either a virus or trojan that is sending spam to the internet. Our antivirus software has not detected it. (Trend Micro OfficeScan 8).
We have approximately 50 workstations and a dozen servers.
Is there a utility we could use that could monitor or scan the network for smtp traffic to track down the infected computer?
Or what is the easiest way to accomplish this?
Also, to clarify, this is not our Exchange server sending the spam; the infected computer apparently is using its own SMTP client installed by the malware.
Question by:summitMIS
LVL 65

Accepted Solution

Mestha earned 1200 total points
ID: 23613948
The quick and dirty way is to simply block port 25 on your firewall. If you cannot control the IP addresses that can send out on port 25 then stop SMTP on the Exchange server, then watch the logs. A compromised machine will quickly fill the logs.


Assisted Solution

API_NOC earned 800 total points
ID: 23614147
On your firewall, allow your Exchange server ip to send out via port 25 and block all others from using port 25.  Then check your logs to see who is sending.
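The check both answers describe (let only the Exchange server out on TCP/25, then read the firewall logs for everyone else) can be done against the log export even when you cannot change the firewall rules. The script below is an added example and is not from the original thread or any product: the log line format, the IP addresses and the mail-server address are all constructed, so adjust the regular expression to your firewall's export format.

```python
"""
Added example (not from the original thread): parse firewall connection logs
and list internal hosts, other than the mail server, that try to open outbound
SMTP (TCP/25) connections. Log format, addresses and hostnames are constructed.
"""
import re
from collections import Counter

# Constructed sample log lines in a generic "key=value" firewall export format.
# 10.0.0.10 plays the Exchange server; 10.0.0.57 plays the infected workstation.
SAMPLE_LOG = """\
2009-02-11T08:00:01 action=allow proto=tcp src=10.0.0.10 dst=203.0.113.25 dport=25
2009-02-11T08:00:03 action=allow proto=tcp src=10.0.0.57 dst=198.51.100.9 dport=25
2009-02-11T08:00:03 action=allow proto=tcp src=10.0.0.57 dst=198.51.100.17 dport=25
2009-02-11T08:00:04 action=allow proto=tcp src=10.0.0.57 dst=192.0.2.44 dport=25
2009-02-11T08:00:05 action=allow proto=tcp src=10.0.0.23 dst=203.0.113.80 dport=80
2009-02-11T08:00:06 action=deny proto=tcp src=10.0.0.57 dst=192.0.2.45 dport=25
2009-02-11T08:00:07 action=allow proto=tcp src=10.0.0.10 dst=198.51.100.200 dport=25
2009-02-11T08:00:08 action=allow proto=udp src=10.0.0.23 dst=10.0.0.1 dport=53
"""

# Constructed: the only host that is supposed to send mail directly to the internet.
MAIL_SERVERS = {"10.0.0.10"}

# Matches the constructed format above; change this for a real firewall export.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+action=(?P<action>\w+)\s+proto=(?P<proto>\w+)\s+"
    r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)"
)


def parse_log(text):
    """Yield one dict per parseable line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def smtp_talkers(text, mail_servers=MAIL_SERVERS):
    """Return {src: (attempt_count, distinct_destinations)} for every internal
    host that attempted outbound TCP/25 and is not a known mail server.
    Denied attempts count too: once port 25 is blocked, a spam bot keeps trying
    and the deny entries are exactly what fills the log."""
    counts = Counter()
    dests = {}
    for rec in parse_log(text):
        if rec["proto"] != "tcp" or rec["dport"] != "25":
            continue
        if rec["src"] in mail_servers:
            continue
        counts[rec["src"]] += 1
        dests.setdefault(rec["src"], set()).add(rec["dst"])
    return {src: (counts[src], len(dests[src])) for src in counts}


def ranked_suspects(text, mail_servers=MAIL_SERVERS):
    """Suspects sorted by number of SMTP attempts, busiest first; a workstation
    that talks to many distinct mail servers is the usual spam-bot signature."""
    talkers = smtp_talkers(text, mail_servers)
    return sorted(talkers.items(), key=lambda kv: kv[1][0], reverse=True)


if __name__ == "__main__":
    for src, (n, d) in ranked_suspects(SAMPLE_LOG):
        print(f"{src}: {n} outbound SMTP attempts to {d} distinct hosts")
```

Run it against a day's worth of exported firewall entries; a single workstation at the top of the list with dozens of distinct destination mail servers is the machine to pull off the network. Outbound TCP/587 and TCP/465 are worth adding to the port filter if the firewall allows them out, since some bots use submission ports instead of 25.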

Author Closing Comment

ID: 31545665
I was actually not able to change any settings on the firewall as it is handled by an outside contractor and only they actually have access to it, however I was able to read the logs. By going over them very carefully, I did find a computer that was communicating with an outside server that it should not have been. That gave me the clue to track it down and kill off the infection. Thanks for pointing me in the right direction. Sometimes you just can't see the forest for the trees.
