detect programs sending silent email

Is there a program or command line script, etc., that will scan the computer to see if any program is using email to send out malware? I have a user who got a mass email from his contacts and wanted to make sure he/they are not spreading the virus/trojan via email.
Thanks!
bbimis Asked:

Eirman (Chief Operations Manager) Commented:
Wireshark is very well known and free. There is a fairly steep learning curve.

From the website:
Wireshark is a network protocol analyzer. It lets you capture and interactively browse the traffic running on a computer network. It has a rich and powerful feature set and is the world's most popular tool of its kind. It runs on most computing platforms including Windows, OS X, Linux, and UNIX. Network professionals, security experts, developers, and educators around the world use it regularly. It is freely available as open source, and is released under the GNU General Public License version 2.

https://www.wireshark.org/
bbimis (Author) Commented:
thanks!
Dave Howe (Software and Hardware Engineer) Commented:
Microsoft Network Monitor might be a better choice - while Wireshark is superior in its packet analysis, MNM identifies which program traffic belongs to - so helping identify where a given email is coming from on the machine.
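A quick way to do what Dave describes here (tie outbound mail traffic to the process that owns it) without opening a capture GUI, as an added example that is not part of the thread and not one of Microsoft's or Wireshark's tools. It assumes a Windows 8 / Server 2012 or later host (for Get-NetTCPConnection) and an elevated PowerShell session so that process paths and command lines are readable; the port list and the function name Get-MailSenders are my choices.

```powershell
# Added example (not from the thread): list processes that currently hold
# TCP connections to the common mail-submission ports, so a machine that is
# suspected of silently sending mail can be checked from the command line.
# Assumes Windows 8 / Server 2012+ and an elevated PowerShell session.

$MailPorts = @(25, 465, 587)   # SMTP, SMTPS, submission (assumed port list)

function Get-MailSenders {
    param([int[]]$Ports = $MailPorts)

    # Only connections that are open or being opened right now.
    $conns = Get-NetTCPConnection -RemotePort $Ports -ErrorAction SilentlyContinue |
             Where-Object { $_.State -in 'Established', 'SynSent' }

    foreach ($c in $conns) {
        # Resolve the owning PID to a name, on-disk path and command line.
        $proc = Get-CimInstance Win32_Process -Filter "ProcessId = $($c.OwningProcess)"
        [pscustomobject]@{
            Process     = $proc.Name
            PID         = $c.OwningProcess
            Path        = $proc.ExecutablePath
            CommandLine = $proc.CommandLine
            RemoteHost  = $c.RemoteAddress
            RemotePort  = $c.RemotePort
            State       = $c.State
        }
    }
}

# Anything other than the mail client the user actually runs (e.g. outlook.exe
# or the Exchange/IMAP client in use) deserves a closer look: an unexpected
# path, an odd command line, or a process that has no business talking SMTP.
Get-MailSenders | Sort-Object Process | Format-Table -AutoSize
```

This is a point-in-time snapshot, so a program that sends in short bursts can be missed; run it in a loop (or use the continuous, per-process capture MNM gives you, as Dave suggests) if the first pass is clean. It also only sees direct SMTP: mail sent through a webmail session over HTTPS, or through the user's own Outlook profile, will look like the legitimate client, which is exactly why the path and command line columns are worth reading rather than just the process name. On older hosts without Get-NetTCPConnection, `netstat -abno` prints the same PID-to-executable mapping in text form.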

Eirman (Chief Operations Manager) Commented:
You could be right there Dave, however, according to this, Network Monitor has been replaced by Microsoft Message Analyzer.

What do you think?
Dave Howe (Software and Hardware Engineer) Commented:
MMA is a nightmare to get started - It can clearly do a lot more than MNM could, but while an unskilled user could get MNM up and running in seconds, it took me nearly half an hour to get traces reliably (I had to install intercept providers separately), and they lacked the per-program itemization that MNM gave. Your experience could be different of course; but I still recommend using the last (3.4) MNM from Microsoft's archive for people who just want to hit the ground running, and Wireshark if you want the in-depth dissectors that are still superior to those shipping with MMA.

MMA comes into its own if you are analyzing non-network traffic - it is a much more general protocol-analysis tool than either MNM or Wireshark, which are very IP-centric, but because of that, not very approachable for a non-expert in the field (and clearly given my struggles with it, I am not expert enough :D )
Eirman (Chief Operations Manager) Commented:
Thanks - good advice for me and the OP.
bbimis (Author) Commented:
If possible I would like to award Dave some points. His solution is more "spot on", thanks!
Eirman (Chief Operations Manager) Commented:
"If possible I would like to award Dave some points. His solution is more "spot on", thanks!"
That's easy to do. Just click on Request Attention (near the top) and ask a moderator to re-open the question. Then assign points as you see fit.
Dave Howe (Software and Hardware Engineer) Commented:
No, don't worry about it - I do these things because I want to - if I were obsessed with points, I would have ignored the question as it was already "closed". Thanks for thinking about it though :D
Outlook
Question has a verified solution.