Solved

How to tell which client computer inside my LAN is sending out spam emails?

Posted on 2009-06-30
6
942 Views
Last Modified: 2013-11-22
We suspect one of our client computers inside our LAN is SOMETIMES sending out spam emails. From time to time we have external users (such as auditors, sales persons, staff members from our other divisions) connecting to our LAN. Instead of virus-scanning one by one, I want to know if there is any way (like monitoring tools) to tell which computer is sending spam emails.  
0
Comment
Question by:Castlewood
6 Comments
 
LVL 11

Assisted Solution

by:techzter
techzter earned 200 total points
ID: 24747919
Do you have a firewall that all traffic passes through before hitting the internet? The easiest way to stop this would be to lock down TCP port 25 for all machines except for you mail server. That way your mail server is the only machine on the network sending messages.
0
 
LVL 6

Expert Comment

by:jesusrulesme
ID: 24748098
techzter is right.  that is a best practice and if you have some logging on your firewall then you can see what machines are trying to broadcast out spam on port 25.
0
 
LVL 13

Assisted Solution

by:shadowlesss
shadowlesss earned 100 total points
ID: 24748453
You can use a free Network Monitor like wireshark to look for SMTP traffic on your network from machines other than your email server.

http://www.wireshark.org/
0
Shouldn't all users have the same email signature?

You wouldn't let your users design their own business cards, would you? So, why do you let them design their own email signatures? Think of the damage they could be doing to your brand reputation! Choose the easy way to manage set up and add email signatures for all users.

 
LVL 11

Assisted Solution

by:techzter
techzter earned 200 total points
ID: 24748483
Thanks JRM.

I would agree with jrm that firewall logging would be a good way to find a machine trying to pass a lot of port 25 traffic. This will depend on the type of firewall you have and what monitoring capabilities it has.

Another option would be to use a port sniffing software on one of your machines. One that I have used in the past with good success has been Wireshark.

http://www.wireshark.org/

In order for a packet sniffing software to be effective you need to make the network traffic pass through it so this would require that you have a switch with a monitoring port, or the ability to turn the port on as a mirror port. Otherwise the only traffic you will see is the traffic passed to the particular port you are connected to.
0
 
LVL 11

Expert Comment

by:techzter
ID: 24748487
Sorry for the duplicate info shadow. I was typing while you posted.
0
 
LVL 15

Accepted Solution

by:
xmachine earned 200 total points
ID: 24751936
First of all, I would recommend blocking all outbound traffic to port 25 except your mail/antispam servers. Becuase there is no need to leave this big threat open.

You should use a combination of sniffers and port scanners to detect spam bots, Check the following

1) Wireshark, download it from (http://www.wireshark.org/download.html) as recommended by Shadowlesss & techzter

You need to connect it to a managed switch with the support of monitoring port (Cisco calls it SPAN). Or use a Hub. The last option is to use a network TAP (http://en.wikipedia.org/wiki/Network_tap) from some vendor like NetOptics (http://www.netoptics.com/products/product_family.asp?cid=1).


2) Another sniffing tool is Tcpick (linux based), download it from (https://sourceforge.net/projects/tcpick/).

Here how to sniff port 25:

#tcpick -i eth0 -C -bCU -T1 "port 25"

3) Nmap is the best port scanning tool, download it from (http://nmap.org/download.html)

here how to scan for port 25 (change 202.21.192.1/24 with your network range)

#nmap -sS 202.21.192.1/24 -p 25

4) TCPDump is another good sniffer, download it from (http://www.tcpdump.org/)

Here how to sniff port 25

#tcpdump -i eth0 port 25


A Symantec Certified Specialist @ your service
0

Featured Post

Why spend so long doing email signature updates?

Do you spend loads of your time carrying out email signature updates? Not very interesting are they? Don’t let signature updates get you down. Let Exclaimer Cloud - Signatures for Office 365 make managing email signatures a breeze.

Join & Write a Comment

We are happy to announce a brand new addition to our line of acclaimed email signature management products – CodeTwo Email Signatures for Office 365.
ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
In this video we show how to create a Resource Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: Navigate to the Recipients >> Resources tab.: "Recipients" is our default selection …
In this video we show how to create an email address policy in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Mail Flow…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now