How to tell which client computer inside my LAN is sending out spam emails?

We suspect one of our client computers inside our LAN is SOMETIMES sending out spam emails. From time to time we have external users (such as auditors, sales persons, staff members from our other divisions) connecting to our LAN. Instead of virus-scanning one by one, I want to know if there is any way (like monitoring tools) to tell which computer is sending spam emails.  
Castlewood asked:

techzter commented:
Do you have a firewall that all traffic passes through before hitting the internet? The easiest way to stop this would be to lock down TCP port 25 for all machines except for your mail server. That way your mail server is the only machine on the network sending messages.
0
jesusrulesme commented:
techzter is right. That is a best practice, and if you have some logging on your firewall then you can see what machines are trying to broadcast out spam on port 25.
0
shadowlesss commented:
You can use a free network monitor like Wireshark to look for SMTP traffic on your network from machines other than your email server.

http://www.wireshark.org/
0

techzter commented:
Thanks JRM.

I would agree with jrm that firewall logging would be a good way to find a machine trying to pass a lot of port 25 traffic. This will depend on the type of firewall you have and what monitoring capabilities it has.

Another option would be to use a port sniffing software on one of your machines. One that I have used in the past with good success has been Wireshark.

http://www.wireshark.org/

In order for a packet sniffing software to be effective you need to make the network traffic pass through it so this would require that you have a switch with a monitoring port, or the ability to turn the port on as a mirror port. Otherwise the only traffic you will see is the traffic passed to the particular port you are connected to.
0
techzter commented:
Sorry for the duplicate info shadow. I was typing while you posted.
0
xmachine commented:
First of all, I would recommend blocking all outbound traffic to port 25 except from your mail/antispam servers, because there is no need to leave this big threat open.

You should use a combination of sniffers and port scanners to detect spam bots. Check the following:

1) Wireshark; download it from (http://www.wireshark.org/download.html) as recommended by Shadowlesss & techzter.

You need to connect it to a managed switch with the support of monitoring port (Cisco calls it SPAN). Or use a Hub. The last option is to use a network TAP (http://en.wikipedia.org/wiki/Network_tap) from some vendor like NetOptics (http://www.netoptics.com/products/product_family.asp?cid=1).


2) Another sniffing tool is Tcpick (Linux-based); download it from (https://sourceforge.net/projects/tcpick/).

Here is how to sniff port 25:

#tcpick -i eth0 -C -bCU -T1 "port 25"

3) Nmap is the best port scanning tool; download it from (http://nmap.org/download.html).

Here is how to scan for port 25 (replace 202.21.192.1/24 with your network range):

#nmap -sS 202.21.192.1/24 -p 25

4) TCPDump is another good sniffer; download it from (http://www.tcpdump.org/).

Here is how to sniff port 25:

#tcpdump -i eth0 port 25


A Symantec Certified Specialist @ your service
0
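As an added example (not part of any answer in the thread), the following Python script applies the approach above to the output of `tcpdump -i eth0 port 25`: it counts outbound SMTP connection attempts per LAN host, skips the authorised mail server, and flags hosts that open connections to several distinct external mail servers, which is what a spam bot looks like on the wire. The capture lines, addresses, LAN prefix and threshold are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -i eth0 port 25` output (made up for this
# example; 192.168.1.10 plays the role of the site's legitimate mail server).
SAMPLE_TCPDUMP = """\
12:00:01.100 IP 192.168.1.10.41002 > 64.12.88.132.25: Flags [S], seq 1, win 64240, length 0
12:00:01.300 IP 192.168.1.57.49321 > 64.12.88.132.25: Flags [S], seq 2, win 64240, length 0
12:00:01.350 IP 192.168.1.57.49322 > 209.85.147.27.25: Flags [S], seq 3, win 64240, length 0
12:00:01.400 IP 192.168.1.57.49323 > 65.54.188.72.25: Flags [S], seq 4, win 64240, length 0
12:00:01.420 IP 192.168.1.57.49324 > 98.136.96.74.25: Flags [S], seq 5, win 64240, length 0
12:00:01.900 IP 64.12.88.132.25 > 192.168.1.10.41002: Flags [S.], seq 9, ack 2, win 65535, length 0
12:00:02.000 IP 192.168.1.22.50001 > 192.168.1.10.25: Flags [S], seq 6, win 64240, length 0
12:00:02.100 IP 192.168.1.10.41003 > 209.85.147.27.25: Flags [S], seq 7, win 64240, length 0
"""

# Pulls "src.sport > dst.dport: Flags [..]" out of an IPv4 tcpdump line.
TCP_LINE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

def outbound_smtp_by_host(tcpdump_text, mail_servers, lan_prefix="192.168.1."):
    """Return {lan_host: set(destination_ips)} for new SMTP connections (pure
    SYN) opened by LAN hosts other than the allowed mail servers."""
    targets = defaultdict(set)
    for line in tcpdump_text.splitlines():
        m = TCP_LINE.search(line)
        if not m or m["dport"] != "25":
            continue
        if m["flags"] != "S":          # skip SYN-ACK replies and data segments
            continue
        src, dst = m["src"], m["dst"]
        if not src.startswith(lan_prefix):   # inbound traffic is not our concern here
            continue
        if src in mail_servers or dst in mail_servers:
            continue                   # the mail server itself, or clients using it, is normal
        targets[src].add(dst)
    return dict(targets)

def suspects(tcpdump_text, mail_servers, min_distinct_destinations=3):
    """Hosts talking directly to many different remote mail servers are the ones to inspect."""
    hosts = outbound_smtp_by_host(tcpdump_text, mail_servers)
    return sorted(h for h, dsts in hosts.items() if len(dsts) >= min_distinct_destinations)

if __name__ == "__main__":
    for host in suspects(SAMPLE_TCPDUMP, {"192.168.1.10"}):
        print("possible spam bot:", host)
```

On a real capture, feed `tcpdump -nn -i eth0 port 25` output into `suspects()` and lower or raise the threshold to match how chatty legitimate clients are on your LAN.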
