?
Solved

How to tell which client computer inside my LAN is sending out spam emails?

Posted on 2009-06-30
6
Medium Priority
?
950 Views
Last Modified: 2013-11-22
We suspect one of our client computers inside our LAN is SOMETIMES sending out spam emails. From time to time we have external users (such as auditors, sales persons, staff members from our other divisions) connecting to our LAN. Instead of virus-scanning one by one, I want to know if there is any way (like monitoring tools) to tell which computer is sending spam emails.  
0
Comment
Question by:Castlewood
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 11

Assisted Solution

by:techzter
techzter earned 800 total points
ID: 24747919
Do you have a firewall that all traffic passes through before hitting the internet? The easiest way to stop this would be to lock down TCP port 25 for all machines except for you mail server. That way your mail server is the only machine on the network sending messages.
0
 
LVL 6

Expert Comment

by:jesusrulesme
ID: 24748098
techzter is right.  that is a best practice and if you have some logging on your firewall then you can see what machines are trying to broadcast out spam on port 25.
0
 
LVL 13

Assisted Solution

by:shadowlesss
shadowlesss earned 400 total points
ID: 24748453
You can use a free Network Monitor like wireshark to look for SMTP traffic on your network from machines other than your email server.

http://www.wireshark.org/
0
Get your Conversational Ransomware Defense e‑book

This e-book gives you an insight into the ransomware threat and reviews the fundamentals of top-notch ransomware preparedness and recovery. To help you protect yourself and your organization. The initial infection may be inevitable, so the best protection is to be fully prepared.

 
LVL 11

Assisted Solution

by:techzter
techzter earned 800 total points
ID: 24748483
Thanks JRM.

I would agree with jrm that firewall logging would be a good way to find a machine trying to pass a lot of port 25 traffic. This will depend on the type of firewall you have and what monitoring capabilities it has.

Another option would be to use a port sniffing software on one of your machines. One that I have used in the past with good success has been Wireshark.

http://www.wireshark.org/

In order for a packet sniffing software to be effective you need to make the network traffic pass through it so this would require that you have a switch with a monitoring port, or the ability to turn the port on as a mirror port. Otherwise the only traffic you will see is the traffic passed to the particular port you are connected to.
0
 
LVL 11

Expert Comment

by:techzter
ID: 24748487
Sorry for the duplicate info shadow. I was typing while you posted.
0
 
LVL 15

Accepted Solution

by:
xmachine earned 800 total points
ID: 24751936
First of all, I would recommend blocking all outbound traffic to port 25 except your mail/antispam servers. Becuase there is no need to leave this big threat open.

You should use a combination of sniffers and port scanners to detect spam bots, Check the following

1) Wireshark, download it from (http://www.wireshark.org/download.html) as recommended by Shadowlesss & techzter

You need to connect it to a managed switch with the support of monitoring port (Cisco calls it SPAN). Or use a Hub. The last option is to use a network TAP (http://en.wikipedia.org/wiki/Network_tap) from some vendor like NetOptics (http://www.netoptics.com/products/product_family.asp?cid=1).


2) Another sniffing tool is Tcpick (linux based), download it from (https://sourceforge.net/projects/tcpick/).

Here how to sniff port 25:

#tcpick -i eth0 -C -bCU -T1 "port 25"

3) Nmap is the best port scanning tool, download it from (http://nmap.org/download.html)

here how to scan for port 25 (change 202.21.192.1/24 with your network range)

#nmap -sS 202.21.192.1/24 -p 25

4) TCPDump is another good sniffer, download it from (http://www.tcpdump.org/)

Here how to sniff port 25

#tcpdump -i eth0 port 25


A Symantec Certified Specialist @ your service
0

Featured Post

Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as high-speed processing of the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you troubleshoot Outlook for clients, you may want to know a bit more about the OST file before doing your next job. IMAP can cause a lot of drama if removed in the accounts without backing up.
New style of hardware planning for Microsoft Exchange server.
In this video we show how to create a mailbox database in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Servers >> Data…
In this Micro Video tutorial you will learn the basics about Database Availability Groups and How to configure one using a live Exchange Server Environment. The video tutorial explains the basics of the Exchange server Database Availability grou…
Suggested Courses

764 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question