Solved

Spam Botnet on my LAN - How can I use the Sonicwall to identify the culprit?

Posted on 2014-01-22
Last Modified: 2014-01-23
I have a Sonicwall TZ100 configured as a network edge device, and I was just blacklisted because my Firewall IP is shown sending SPAM messages. I have set up a rule blocking all SMTP out with the copiers and Servers as exceptions and we have not been re-listed.

The infection persists on the network, however, and I am unable to track down where it is coming from.

How can I use the Sonicwall to see which host(s) are sending email now that the rule is blocking?  I cannot figure out how to see this with the log settings, it's pretty awful.

Thanks!
Question by:jkeegan123
7 Comments
 
LVL 7

Expert Comment

by:Ned Ramsay
ID: 39800728
If you look in the firewalls logs you should see that the "block" rule you set up is being hit a lot by a specific host.

Downloading the Wireshark network analyser and then filtering the protocol by SMTP may help locate the PC.

Alternatively, if the reporting on that device isn't great and you can't find it with Wireshark, then add an "allow" rule above the deny rule for a small selection of IP addresses on your network.

E.g., if you have 100 devices on your network then allow 1-25 and see if it still spams. Then 26-50, etc. That will narrow it down to one section.

Edit: On my Sonicwall (larger version), I go to Dashboard then Connection Monitor. I can filter by destination port (25 for SMTP) and it shows a list of hosts using that.
 
LVL 5

Author Comment

by:jkeegan123
ID: 39800753
What should I look at in the log to see the BLOCK rule? The new Sonicwall log is broken up into sections and it's not very friendly... to say the least!
 
LVL 5

Author Comment

by:jkeegan123
ID: 39800756
(ALSO Wireshark is not really an option since it's TCP, not a broadcast protocol, and we do not have a managed switch to port mirror the inside firewall interface.  We just wouldn't get the SMTP traffic showing up).
 
LVL 7

Expert Comment

by:Ned Ramsay
ID: 39800784
If you filter Wireshark using: tcp.port == 25 then it will show SMTP traffic on your network (I just tested on mine with no port mirroring).
 
LVL 25

Accepted Solution

by:
Diverse IT earned 500 total points
ID: 39800841
Hi jkeegan123,

You can do this by looking at the logs. What version of SonicOS are you running?

You don't need Wireshark; you have a solid packet capture within your TZ 100 under System > Packet Monitor if you need that. If you have the logs set up correctly (mark All Categories selected and Logging Level set to Debug, click Accept to save), you should be able to see the LAN IP being blocked by the LAN > WAN Access Rule #.

Let me know if you have any other questions!
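As an added illustration of the log-based approach in the accepted answer (example code written for this page, not from the thread or from SonicWall): a small Python script that tallies dropped outbound port-25 connections per LAN source address from syslog-style key=value lines, which is what you would do with a syslog export once the block rule is logging. The log lines are constructed and only approximate the SonicOS export layout; the field names, message text and rule number are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the key=value style used for SonicOS syslog
# export; values, message strings and rule ids are illustrative, not copied
# from a real unit. 192.168.1.55 is the "infected" host in this sample.
SAMPLE_LOG = """\
id=firewall sn=000000000000 time="2014-01-22 10:15:03" fw=203.0.113.5 pri=5 c=1024 m=36 msg="TCP connection dropped" src=192.168.1.55:49152:X0 dst=198.51.100.20:25:X1 proto=tcp/smtp rule="3 (LAN->WAN)"
id=firewall sn=000000000000 time="2014-01-22 10:15:03" fw=203.0.113.5 pri=6 c=1024 m=98 msg="Connection Opened" src=192.168.1.10:51000:X0 dst=198.51.100.20:25:X1 proto=tcp/smtp
id=firewall sn=000000000000 time="2014-01-22 10:15:04" fw=203.0.113.5 pri=5 c=1024 m=36 msg="TCP connection dropped" src=192.168.1.55:49153:X0 dst=198.51.100.21:25:X1 proto=tcp/smtp rule="3 (LAN->WAN)"
id=firewall sn=000000000000 time="2014-01-22 10:15:05" fw=203.0.113.5 pri=5 c=1024 m=36 msg="TCP connection dropped" src=192.168.1.72:40001:X0 dst=198.51.100.22:25:X1 proto=tcp/smtp rule="3 (LAN->WAN)"
id=firewall sn=000000000000 time="2014-01-22 10:15:05" fw=203.0.113.5 pri=6 c=1024 m=98 msg="Connection Opened" src=192.168.1.55:49154:X0 dst=198.51.100.30:443:X1 proto=tcp/https
id=firewall sn=000000000000 time="2014-01-22 10:15:06" fw=203.0.113.5 pri=5 c=1024 m=36 msg="TCP connection dropped" src=192.168.1.55:49155:X0 dst=198.51.100.23:25:X1 proto=tcp/smtp rule="3 (LAN->WAN)"
"""

# key=value pairs; a value is either "quoted, may contain spaces" or bare.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Split one key=value syslog line into a dict (quotes stripped)."""
    fields = {}
    for key, raw, quoted in FIELD_RE.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields


def endpoint(value):
    """'192.168.1.55:49152:X0' -> (ip, port, interface); interface may be absent."""
    parts = value.split(":")
    return parts[0], int(parts[1]), (parts[2] if len(parts) > 2 else "")


def smtp_drops_by_source(log_text, port=25):
    """Count dropped connections to `port`, keyed by the LAN-side source IP."""
    hits = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if "src" not in f or "dst" not in f:
            continue
        if "dropped" not in f.get("msg", "").lower():
            continue  # allowed (whitelisted) connections are not interesting
        src_ip, _, _ = endpoint(f["src"])
        _, dst_port, _ = endpoint(f["dst"])
        if dst_port == port:
            hits[src_ip] += 1
    return hits


def top_talkers(log_text, n=3):
    """Most frequent blocked senders first; the top entry is the suspect host."""
    return smtp_drops_by_source(log_text).most_common(n)


if __name__ == "__main__":
    for ip, count in top_talkers(SAMPLE_LOG):
        print(f"{ip:16} {count} dropped SMTP connections")
```

Against a real export, call smtp_drops_by_source() on the file contents; hosts that appear on the exception list (the copiers and mail servers) show up as "Connection Opened" rather than dropped and are skipped.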
 
LVL 7

Expert Comment

by:Ned Ramsay
ID: 39800900
Good answer by DiverseIT ^^ sorry I don't have a TZ100 available to me.
 
LVL 25

Expert Comment

by:Diverse IT
ID: 39805078
Glad I could help...thanks for the points!
