How to identify spam-sending workstations, and block outgoing (smtp) non-company email?

The IP address of the company I work for has been added to a spam blacklist (bl.spamcop.net). I've determined that the cause is almost certainly one or more workstations somewhere in the company that are infected with a virus or trojan and sending out this spam. We've received bounced emails from other email servers informing us about the blacklist, which show the primary company IP as the one which is blacklisted.

A brief overview of how we are setup:
- Internet and email traffic for all of the company's offices is routed through a central server, and passes through a "Sonicwall Pro 2040 Enhanced" firewall.
- We have NOD32 anti-virus installed on all workstations, laptops, and servers.
- Email is not handled on-site. Our mail server is actually on an external dedicated server (which runs the company website), running Linux, cPanel, etc. The mail is a simple POP3/SMTP setup (no Exchange server), using standard ports 25 and 110. Employees are set up with Outlook. The external mail server's IP is not blacklisted, only the company's outward-facing IP.

What I'm seeking is advice on how to 1) Use the Sonicwall or another tool if needed to pin down the responsible workstations that are sending out the spam email so they can be cleaned, and 2) In a way that won't interrupt normal company email usage, block all email from being sent out through the network that does not go through our own mail server (which as mentioned, is on a server that is external to the company network). I've spent several hours carefully looking through all of the settings and options for the Sonicwall, and have not yet discovered how to proceed. I'd like to correctly address the source of the problem before requesting to be removed from the blacklist.

Thanks in advance for your assistance! :)
cacomputerguy asked:

BBRazz commented:
1. You can monitor active connections on the Sonicwall, so you should be able to determine the source of the SMTP outbreak.
     Firewall > Connections Monitor
2. Create a ZONE for your external provider's SMTP server and then create an access rule to only allow SMTP traffic to that destination IP.

-BBRazz
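The two steps above can be checked offline against the firewall's connection log rather than only watched live in Connections Monitor. The script below is an added example, not code from the thread or from the Sonicwall: it parses key=value connection records with `src=IP:port` and `dst=IP:port` fields (a SonicWall-style syslog layout, assumed here, with any trailing `:interface` suffix ignored), expresses the answer's egress rule ("SMTP only to our own mail server") as a function, and ranks internal hosts by how many unauthorized SMTP destinations they contacted. The LAN range 192.168.0.0/16, the mail server address 203.0.113.10, the inclusion of port 587 alongside 25, and every log line are constructed assumptions.

```python
"""Added example, not from the original thread: find internal hosts making
outbound SMTP connections to anything other than the company's own mail
server, and express the answer's egress rule (SMTP only to that server)
as a function that can be checked against each connection.

Assumptions, none of which the page states: the firewall exports one
key=value line per connection with src=IP:port and dst=IP:port fields
(SonicWall-style syslog, with a trailing :interface that is ignored);
the office LAN is 192.168.0.0/16; the external cPanel mail server is
203.0.113.10; the sample log below is constructed.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.0.0/16")        # assumed internal range
MAIL_SERVER = ip_address("203.0.113.10")  # assumed external mail server
SMTP_PORTS = {25, 587}  # the thread uses 25; 587 (submission) is an added assumption

# key=value pairs; values are either quoted (may contain spaces) or bare
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Extract src/dst IP and port from one log line; None if unparsable."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    try:
        src_ip, src_port = fields["src"].split(":")[:2]
        dst_ip, dst_port = fields["dst"].split(":")[:2]
        return {"src": ip_address(src_ip), "sport": int(src_port),
                "dst": ip_address(dst_ip), "dport": int(dst_port)}
    except (KeyError, ValueError):
        return None


def smtp_allowed(dst, dport):
    """The egress rule from the answer: on SMTP ports, only the company
    mail server is a permitted destination. Non-SMTP traffic is out of
    scope for this rule and passes."""
    if dport not in SMTP_PORTS:
        return True
    return ip_address(str(dst)) == MAIL_SERVER


def find_spam_sources(lines):
    """Return [(src, distinct_unauthorized_dsts, total_smtp_conns), ...]
    for internal hosts that violated the rule, most destinations first.
    A bot delivering spam straight to recipient MX hosts fans out to many
    destinations; a user with a stray personal ISP SMTP setting shows one.
    Hosts that only ever talk to MAIL_SERVER do not appear at all."""
    bad_dsts = defaultdict(set)
    totals = defaultdict(int)
    for line in lines:
        c = parse_line(line)
        if c is None or c["src"] not in LAN or c["dport"] not in SMTP_PORTS:
            continue
        if c["dst"] in LAN:
            continue  # LAN-to-LAN, not egress
        totals[c["src"]] += 1
        if not smtp_allowed(c["dst"], c["dport"]):
            bad_dsts[c["src"]].add(c["dst"])
    rows = [(str(src), len(d), totals[src]) for src, d in bad_dsts.items()]
    rows.sort(key=lambda r: (-r[1], -r[2], r[0]))
    return rows


# Constructed sample: a legitimate Outlook client (.20), an infected host
# (.77) fanning out to four strangers, a misconfigured user (.42), and an
# unrelated web connection (.55).
SAMPLE_LOG = """\
id=firewall time="2009-03-02 09:00:01" msg="Connection Opened" src=192.168.1.20:49152:X0 dst=203.0.113.10:25:X1 proto=tcp/smtp
id=firewall time="2009-03-02 09:00:02" msg="Connection Opened" src=192.168.1.20:49153:X0 dst=203.0.113.10:110:X1 proto=tcp/pop3
id=firewall time="2009-03-02 09:00:03" msg="Connection Opened" src=192.168.1.77:3001:X0 dst=198.51.100.5:25:X1 proto=tcp/smtp
id=firewall time="2009-03-02 09:00:03" msg="Connection Opened" src=192.168.1.77:3002:X0 dst=198.51.100.6:25:X1 proto=tcp/smtp
id=firewall time="2009-03-02 09:00:04" msg="Connection Opened" src=192.168.1.77:3003:X0 dst=198.51.100.7:25:X1 proto=tcp/smtp
id=firewall time="2009-03-02 09:00:04" msg="Connection Opened" src=192.168.1.77:3004:X0 dst=198.51.100.8:25:X1 proto=tcp/smtp
id=firewall time="2009-03-02 09:00:05" msg="Connection Opened" src=192.168.1.77:3005:X0 dst=203.0.113.10:25:X1 proto=tcp/smtp
id=firewall time="2009-03-02 09:00:06" msg="Connection Opened" src=192.168.1.42:50000:X0 dst=192.0.2.25:25:X1 proto=tcp/smtp
id=firewall time="2009-03-02 09:00:07" msg="Connection Opened" src=192.168.1.42:50001:X0 dst=192.0.2.25:25:X1 proto=tcp/smtp
id=firewall time="2009-03-02 09:00:08" msg="Connection Opened" src=192.168.1.55:50002:X0 dst=93.184.216.34:80:X1 proto=tcp/http
"""

if __name__ == "__main__":
    for src, distinct, total in find_spam_sources(SAMPLE_LOG.splitlines()):
        print(f"{src}: {distinct} unauthorized SMTP destination(s) "
              f"in {total} outbound SMTP connection(s)")
```

On the constructed sample the infected host 192.168.1.77 ranks first with four unauthorized destinations, the misconfigured 192.168.1.42 follows with one, and the legitimate client 192.168.1.20 is not listed because it only ever reaches the company mail server. The same `smtp_allowed` predicate is what the Sonicwall access rule in step 2 enforces on the wire: allow SMTP to the address object for the external mail server, deny SMTP to everything else, and leave other ports untouched so normal Outlook use is unaffected. Clean the hosts it surfaces before requesting delisting, since a still-infected host will get the IP relisted.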
cacomputerguy (author) commented:
Thanks!