Solved

How to tell which client computer inside my LAN is sending out spam emails?

Posted on 2009-06-30
6
943 Views
Last Modified: 2013-11-22
We suspect one of our client computers inside our LAN is SOMETIMES sending out spam emails. From time to time we have external users (such as auditors, sales persons, staff members from our other divisions) connecting to our LAN. Instead of virus-scanning one by one, I want to know if there is any way (like monitoring tools) to tell which computer is sending spam emails.  
0
Comment
Question by:Castlewood
6 Comments
 
LVL 11

Assisted Solution

by:techzter
techzter earned 200 total points
ID: 24747919
Do you have a firewall that all traffic passes through before hitting the internet? The easiest way to stop this would be to lock down TCP port 25 for all machines except for you mail server. That way your mail server is the only machine on the network sending messages.
0
 
LVL 6

Expert Comment

by:jesusrulesme
ID: 24748098
techzter is right.  that is a best practice and if you have some logging on your firewall then you can see what machines are trying to broadcast out spam on port 25.
0
 
LVL 13

Assisted Solution

by:shadowlesss
shadowlesss earned 100 total points
ID: 24748453
You can use a free Network Monitor like wireshark to look for SMTP traffic on your network from machines other than your email server.

http://www.wireshark.org/
0
Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 
LVL 11

Assisted Solution

by:techzter
techzter earned 200 total points
ID: 24748483
Thanks JRM.

I would agree with jrm that firewall logging would be a good way to find a machine trying to pass a lot of port 25 traffic. This will depend on the type of firewall you have and what monitoring capabilities it has.

Another option would be to use a port sniffing software on one of your machines. One that I have used in the past with good success has been Wireshark.

http://www.wireshark.org/

In order for a packet sniffing software to be effective you need to make the network traffic pass through it so this would require that you have a switch with a monitoring port, or the ability to turn the port on as a mirror port. Otherwise the only traffic you will see is the traffic passed to the particular port you are connected to.
0
 
LVL 11

Expert Comment

by:techzter
ID: 24748487
Sorry for the duplicate info shadow. I was typing while you posted.
0
 
LVL 15

Accepted Solution

by:
xmachine earned 200 total points
ID: 24751936
First of all, I would recommend blocking all outbound traffic to port 25 except your mail/antispam servers. Becuase there is no need to leave this big threat open.

You should use a combination of sniffers and port scanners to detect spam bots, Check the following

1) Wireshark, download it from (http://www.wireshark.org/download.html) as recommended by Shadowlesss & techzter

You need to connect it to a managed switch with the support of monitoring port (Cisco calls it SPAN). Or use a Hub. The last option is to use a network TAP (http://en.wikipedia.org/wiki/Network_tap) from some vendor like NetOptics (http://www.netoptics.com/products/product_family.asp?cid=1).


2) Another sniffing tool is Tcpick (linux based), download it from (https://sourceforge.net/projects/tcpick/).

Here how to sniff port 25:

#tcpick -i eth0 -C -bCU -T1 "port 25"

3) Nmap is the best port scanning tool, download it from (http://nmap.org/download.html)

here how to scan for port 25 (change 202.21.192.1/24 with your network range)

#nmap -sS 202.21.192.1/24 -p 25

4) TCPDump is another good sniffer, download it from (http://www.tcpdump.org/)

Here how to sniff port 25

#tcpdump -i eth0 port 25


A Symantec Certified Specialist @ your service
0

Featured Post

Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
Marketers need statistics and metrics like everybody else needs oxygen. In this article we explain how to enable marketing campaign statistics for Microsoft Exchange mail.
In this video we show how to create a User Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Mailb…
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…

914 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now