How to tell which client computer inside my LAN is sending out spam emails?

We suspect one of our client computers inside our LAN is SOMETIMES sending out spam emails. From time to time we have external users (such as auditors, sales persons, staff members from our other divisions) connecting to our LAN. Instead of virus-scanning one by one, I want to know if there is any way (like monitoring tools) to tell which computer is sending spam emails.  
Who is Participating?
xmachineConnect With a Mentor Commented:
First of all, I would recommend blocking all outbound traffic to port 25 except your mail/antispam servers. Becuase there is no need to leave this big threat open.

You should use a combination of sniffers and port scanners to detect spam bots, Check the following

1) Wireshark, download it from ( as recommended by Shadowlesss & techzter

You need to connect it to a managed switch with the support of monitoring port (Cisco calls it SPAN). Or use a Hub. The last option is to use a network TAP ( from some vendor like NetOptics (

2) Another sniffing tool is Tcpick (linux based), download it from (

Here how to sniff port 25:

#tcpick -i eth0 -C -bCU -T1 "port 25"

3) Nmap is the best port scanning tool, download it from (

here how to scan for port 25 (change with your network range)

#nmap -sS -p 25

4) TCPDump is another good sniffer, download it from (

Here how to sniff port 25

#tcpdump -i eth0 port 25

A Symantec Certified Specialist @ your service
techzterConnect With a Mentor Commented:
Do you have a firewall that all traffic passes through before hitting the internet? The easiest way to stop this would be to lock down TCP port 25 for all machines except for you mail server. That way your mail server is the only machine on the network sending messages.
techzter is right.  that is a best practice and if you have some logging on your firewall then you can see what machines are trying to broadcast out spam on port 25.
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

shadowlesssConnect With a Mentor Commented:
You can use a free Network Monitor like wireshark to look for SMTP traffic on your network from machines other than your email server.
techzterConnect With a Mentor Commented:
Thanks JRM.

I would agree with jrm that firewall logging would be a good way to find a machine trying to pass a lot of port 25 traffic. This will depend on the type of firewall you have and what monitoring capabilities it has.

Another option would be to use a port sniffing software on one of your machines. One that I have used in the past with good success has been Wireshark.

In order for a packet sniffing software to be effective you need to make the network traffic pass through it so this would require that you have a switch with a monitoring port, or the ability to turn the port on as a mirror port. Otherwise the only traffic you will see is the traffic passed to the particular port you are connected to.
Sorry for the duplicate info shadow. I was typing while you posted.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.