Detecting computer sending spam on network

Posted on 2009-02-11
Last Modified: 2012-05-06
We currently have a computer somewhere on our network infected with either a virus or trojan that is sending spam to the internet. Our antivirus software (Trend Micro OfficeScan 8) has not detected it.
We have approximately 50 workstations and a dozen servers.
Is there a utility we could use that could monitor or scan the network for SMTP traffic to track down the infected computer?
Or what is the easiest way to accomplish this?
Also, to clarify, this is not our Exchange server sending the spam; the infected computer apparently is using its own SMTP client installed by the malware.
Question by: summitMIS

Accepted Solution

The quick and dirty way is to simply block port 25 on your firewall. If you cannot control the IP addresses that can send out on port 25, then stop SMTP on the Exchange server and watch the logs. A compromised machine will quickly fill the logs.

Assisted Solution

On your firewall, allow your Exchange server IP to send out via port 25 and block all others from using port 25. Then check your logs to see who is sending.

Author Closing Comment

I was actually not able to change any settings on the firewall as it is handled by an outside contractor and only they actually have access to it; however, I was able to read the logs. By going over them very carefully, I did find a computer that was communicating with an outside server that it should not have been. That gave me the clue to track it down and kill off the infection. Thanks for pointing me in the right direction. Sometimes you just can't see the forest for the trees.
