Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Virus Sending out Spam

Posted on 2010-09-21
7
Medium Priority
?
1,041 Views
Last Modified: 2013-11-30
I've got a client that may have a virus on one of their PC's sending out Spam. They have an off-site Spam filtering service that generates reports and shows Spam outgoing every night from about 11:00 PM to 8:00 AM. All their log shows is it coming from their Outside interface not specifically which PC. It does block the outgoing Spam but we're concerned it may be a virus. I've run their Trend Antivirus and Malwarebytes scans on all PC's and didn't find anything.

I had this same problem with another client but they had a Watch Guard Firewall that had a realttime log you could watch and refresh and I just watched it for a  few minutes and saw traffic on port 25 from a specific IP address that wasn't their mail server and was able to find the PC that way.

This client doesn't have that. I waswondering if there is some simple program out there I could install that would monitor their network for SMTP traffic and generate some sort of log. I've looked at programs like PRTG but I don't have 3 weeks to learn how to interepret the data it appears to generate. I just want to isolate which PC is sending out email traffic in the middle of the night. Is there anything like that available?

Thanks
0
Comment
Question by:Axis52401
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
7 Comments
 
LVL 4

Expert Comment

by:HunterPine
ID: 33726771
Easiest way without spending a boatload of money would be to introduce a hub (not a switch, unless you have a manageable switch that does port mirroring) in between the network switch and internet router.

Hubs broadcast all traffic to all connected ports, so you can plug in any computer and run wireshark (free from www.wireshark.org) to sniff packets. It'll be pretty easy to narrow down your port 25 traffic from there.
0
 
LVL 2

Author Comment

by:Axis52401
ID: 33726872
I don't see getting a hub as an option here, I'm not physically onsite and lm doing this remotely and I'd rather not have them putting in networking equip over the phone.
0
 
LVL 4

Expert Comment

by:HunterPine
ID: 33727003
Without either a hub or a mirror port, there's no way to monitor the traffic. Switches don't broadcast unicast traffic to all machines on the network, so you'll never get a full view of traffic without the right hardware.
0
When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

 
LVL 30

Expert Comment

by:Sudeep Sharma
ID: 33728008
DO you have exchange server and firewall in place?

Does all the spam messages are routing from Exchange?

I mean does the infected PC sending email to Exchange and Exchange routing them to Internet?

Sudeep
0
 
LVL 2

Author Comment

by:Axis52401
ID: 33728220
SS,

   The only reason I know about it is that the offsite SPAM filter they use sends out a report each day with what it blocked and we keep getting reports that Spam starts to get sent out about 11PM and stops about 8AM. They do use Exchange but I can't tell if it's routing through the server or going directly out from one of the workstations (I have seen both in the past)
    I'm trying to find a way of narrowing down which PC or server it may be coming from.
0
 
LVL 2

Author Comment

by:Axis52401
ID: 33728233
Oh and their only 'firewall' is a DSL modem with limited firewall abilities.
0
 
LVL 30

Accepted Solution

by:
Sudeep Sharma earned 2000 total points
ID: 33728368
And what Anti-Virus solution they are using?

Is logging enabled on Exchange server?

You could check the logs if emails are being send out from exchange, that would include the IP address of the host machine (system sending out spam)

Or if their SPAM Filter could send the details report of the emails which are sent, if you could get the headers of any of the spam email you woluld be able to know which machine actually connected to the exchange to send the email.

Sudeep
0

Featured Post

Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Check out this step-by-step guide for using the newly updated Experts Exchange mobile app—released on May 30.
The core idea of this article is to make you acquainted with the best way in which you can export Exchange mailbox to PST format.
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…

721 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question