  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1747

Spam Botnet on my LAN - How can I use the Sonicwall to identify the culprit?

I have a SonicWall TZ100 configured as a network edge device, and I was just blacklisted because my firewall IP is shown sending spam messages. I have set up a rule blocking all SMTP out with the copiers and servers as exceptions, and we have not been re-listed.

The infection persists on the network, however, and I am unable to track down where it is coming from.

How can I use the SonicWall to see which host(s) are sending email now that the rule is blocking? I cannot figure out how to see this with the log settings; it's pretty awful.

Thanks!
Asked by jkeegan123
1 Solution
 
Ned Ramsay commented:
If you look in the firewall's logs you should see that the "block" rule you set up is being hit a lot by a specific host.

Downloading the Wireshark network analyser and then filtering the protocol by SMTP may help locate the PC.

Alternatively, if the reporting on that device isn't great and you can't find it with Wireshark, then add an "allow" rule above the deny rule for a small selection of IP addresses on your network.

e.g. if you have 100 devices on your network, then allow 1-25 and see if it still spams. Then 26-50, etc. That will narrow it down to one section.

Edit: On my SonicWall (larger version), I go to Dashboard, then Connection Monitor. I can filter by destination port (25 for SMTP) and it shows a list of hosts using that.
 
jkeegan123 (Author) commented:
What should I look at in the log to see the BLOCK rule? The new SonicWall log is broken up into sections and it's not very friendly... to say the least!
 
jkeegan123 (Author) commented:
(Also, Wireshark is not really an option since it's TCP, not a broadcast protocol, and we do not have a managed switch to port mirror the inside firewall interface. We just wouldn't get the SMTP traffic showing up.)
Ned Ramsay commented:
If you filter Wireshark using tcp.port == 25 then it will show SMTP traffic on your network (I just tested on mine with no port mirroring).
 
Blue Street Tech (Last Knights) commented:
Hi jkeegan123,

You can do this by looking at the logs. What version of SonicOS are you running?

You don't need Wireshark; you have a solid packet capture within your TZ 100 under System > Packet Monitor if you need that. If you have the logs set up correctly (mark All Categories selected and Logging Level set to Debug, click Accept to save) you should be able to see the LAN IP being blocked by the LAN > WAN Access Rule #.

Let me know if you have any other questions!
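Pulling the culprit out of the firewall's drop log, as both answers above suggest (look for the host that keeps hitting the LAN > WAN block rule): the following is an added example, not code from the thread or from SonicWall. It runs in Python over a handful of constructed log lines that approximate SonicOS key=value syslog output; the field names (msg=, src=, dst=, proto=) and the "ip:port:interface" endpoint layout are assumptions, so adapt the parser to whatever the TZ100 actually emits when you export its log to a syslog server or CSV. It tallies dropped connections to port 25 per LAN source and separately lists the sources that were allowed through, so you can check that only the copiers and servers are on that list.

```python
"""Rank LAN hosts by blocked outbound SMTP attempts from firewall syslog.

Added example (not from the original thread). SAMPLE_LOG is constructed
to approximate SonicOS key=value syslog; field names and endpoint layout
("ip:port:iface") are assumptions, so adjust KV_RE/field names as needed.
"""
import re
from collections import Counter

# Constructed sample: 192.168.1.50 is hammering port 25 and being dropped,
# 192.168.1.10 (the real mail server) is allowed through, 192.168.1.77 is
# just browsing, and 192.168.1.23 made a single blocked SMTP attempt.
SAMPLE_LOG = """\
id=firewall sn=0017C5AAAAAA time="2014-03-05 09:12:01" fw=203.0.113.9 pri=5 c=0 m=36 msg="TCP connection dropped" src=192.168.1.50:49211:X0 dst=198.51.100.20:25:X1 proto=tcp/smtp rule="LAN->WAN: 3"
id=firewall sn=0017C5AAAAAA time="2014-03-05 09:12:01" fw=203.0.113.9 pri=5 c=0 m=36 msg="TCP connection dropped" src=192.168.1.50:49212:X0 dst=198.51.100.21:25:X1 proto=tcp/smtp rule="LAN->WAN: 3"
id=firewall sn=0017C5AAAAAA time="2014-03-05 09:12:02" fw=203.0.113.9 pri=6 c=262144 m=98 msg="Connection Opened" src=192.168.1.10:51000:X0 dst=198.51.100.5:25:X1 proto=tcp/smtp
id=firewall sn=0017C5AAAAAA time="2014-03-05 09:12:02" fw=203.0.113.9 pri=6 c=262144 m=98 msg="Connection Opened" src=192.168.1.77:52000:X0 dst=198.51.100.80:443:X1 proto=tcp/https
id=firewall sn=0017C5AAAAAA time="2014-03-05 09:12:03" fw=203.0.113.9 pri=5 c=0 m=36 msg="TCP connection dropped" src=192.168.1.50:49213:X0 dst=198.51.100.22:25:X1 proto=tcp/smtp rule="LAN->WAN: 3"
id=firewall sn=0017C5AAAAAA time="2014-03-05 09:12:04" fw=203.0.113.9 pri=5 c=0 m=36 msg="TCP connection dropped" src=192.168.1.23:50100:X0 dst=198.51.100.23:25:X1 proto=tcp/smtp rule="LAN->WAN: 3"
"""

# key=value pairs; a value is either a "quoted string" (may contain spaces)
# or a run of non-whitespace characters.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Return the key=value fields of one syslog line as a dict (quotes stripped)."""
    fields = {}
    for key, val in KV_RE.findall(line):
        fields[key] = val[1:-1] if val.startswith('"') else val
    return fields


def endpoint(value):
    """Split 'ip:port[:iface]' into (ip, port); (None, None) if malformed."""
    parts = value.split(":")
    if len(parts) < 2 or not parts[1].isdigit():
        return None, None
    return parts[0], int(parts[1])


def smtp_drops_by_source(log_text, dst_port=25):
    """Count dropped connections to dst_port per source IP (the block-rule hits)."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if "dropped" not in f.get("msg", "").lower():
            continue
        src_ip, _ = endpoint(f.get("src", ""))
        _, dport = endpoint(f.get("dst", ""))
        if src_ip and dport == dst_port:
            counts[src_ip] += 1
    return counts


def allowed_smtp_sources(log_text, dst_port=25):
    """Source IPs that reached dst_port without being dropped (should be your exceptions only)."""
    allowed = set()
    for line in log_text.splitlines():
        f = parse_line(line)
        if "dropped" in f.get("msg", "").lower():
            continue
        src_ip, _ = endpoint(f.get("src", ""))
        _, dport = endpoint(f.get("dst", ""))
        if src_ip and dport == dst_port:
            allowed.add(src_ip)
    return allowed


if __name__ == "__main__":
    drops = smtp_drops_by_source(SAMPLE_LOG)
    print("Blocked SMTP attempts per LAN host (most likely bot first):")
    for ip, n in drops.most_common():
        print(f"  {ip:<16} {n}")
    print("Hosts allowed to send SMTP:", sorted(allowed_smtp_sources(SAMPLE_LOG)))
```

In practice, point the TZ100 at a syslog server (or export the log view), feed the file to `smtp_drops_by_source`, and the top entry is the machine to pull off the network and clean; anything in `allowed_smtp_sources` that is not a copier or mail server means the exception list is wider than intended.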
 
Ned Ramsay commented:
Good answer by DiverseIT ^^ sorry I don't have a TZ100 available to me.
 
Blue Street Tech (Last Knights) commented:
Glad I could help...thanks for the points!
