Spam on network

Hi, our broadband service provider has informed me that one of the PCs on my network is sending out spam. How can I find this PC without physically going to each PC and scanning them? (100 PCs on the site)
Trevor_C asked:
John, Business Consultant (Owner), commented:
If they are all on the same subnet, try using Wireshark or CommView (packet sniffers) to look at outgoing traffic packets. This may help you identify the computers sending excessive packets.

See if the ISP can identify an email address for you.
arnold commented:
What is your environment?
You could, as John pointed out, mirror the switch port that has the router feed to another switch port, into which you can plug a computer that will have no network connectivity/functionality other than running Wireshark or the MS Network Monitor tool.
You would need to capture port 25, 465, 587 packets and then see which IP has many .......

One option is to block outgoing access other than from internal mail servers and check which system has an inordinate number of attempts.
Trevor_C (Author) commented:
I asked the ISP but they could not identify the address
John, Business Consultant (Owner), commented:
So you now need to check traffic in your network with a packet sniffer and determine the internal IP with outbound traffic.
Trevor_C (Author) commented:
I am downloading Wireshark at the moment.
Trevor_C (Author) commented:
I have installed Wireshark. How do I capture, or rather, what do I look for?
arnold commented:
You are looking for inordinate traffic from one IP to ports 25, 465, 587, as those are the common ports for standard, SSL, and the off-port replacement for the standard.

what is your environment like?
Do you have an internal mail server that each user sends through and the main server is sending to your ISP?
If so, check your SMTP server's logs.

Regarding wireshark, do you have a managed switch which supports port mirroring?

What firewall/router do you have?
Trevor_C (Author) commented:
No mail server, POP3 mailboxes. No, I don't have a managed switch that supports port mirroring.
Trevor_C (Author) commented:
Running the firewall on a MikroTik 750 RouterBOARD.
arnold commented:
On the MikroTik, do you have access to the tcpdump command? This is the network packet tool.

If you know the destination IPs:
tcpdump -n tcp port \( 25 or 465 or 587 \)

What you are looking for is an IP that is sending out for the duration, but timing might be everything.

Presumably a user has to authenticate to send; they should be able, through the logs, to see which one they think is spamming.

Not all large amount of mailing is spam.
Does your organization have a mailing list that could appear as a large uncommon amount of outgoing emails?
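A way to do the counting arnold describes in his two comments above (capture on the mirror port or with tcpdump, then see which internal IP has many attempts to 25/465/587), as an added example rather than code from the thread. In Wireshark itself the display filter "tcp.flags.syn == 1 && tcp.flags.ack == 0 && tcp.dstport in {25 465 587}" followed by Statistics > Endpoints gives the same per-host totals interactively; the script below does it over a tshark field export so it can run against a long capture. It assumes an export in the format shown in its docstring and a 192.168.1.0/24 LAN; the tshark command, the LAN range and the sample lines are all constructed for this example.

```python
"""Rank internal hosts by outbound SMTP connection attempts.

Added example; it is not code from the thread. It assumes the mirror-port
capture was reduced to one line per TCP SYN with a command such as
    tshark -r mirror.pcap -Y "tcp.flags.syn==1 && tcp.flags.ack==0" \
        -T fields -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport
The lines in SAMPLE below are constructed, as is the 192.168.1.0/24 range.
"""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

SMTP_PORTS = {25, 465, 587}               # the three ports named in the thread
INTERNAL = ip_network("192.168.1.0/24")   # assumed LAN range (constructed)

# Constructed sample: time, src, dst, dport for each SYN seen on the mirror port.
SAMPLE = """
1000.1 192.168.1.20 203.0.113.10 587
1000.2 192.168.1.20 203.0.113.10 587
1000.3 192.168.1.20 203.0.113.10 587
1000.4 192.168.1.20 203.0.113.10 443
1000.5 192.168.1.31 203.0.113.10 25
1000.6 192.168.1.31 203.0.113.10 25
1000.7 192.168.1.31 203.0.113.10 25
1000.8 192.168.1.31 203.0.113.10 25
1000.9 192.168.1.5 192.168.1.9 25
1001.0 203.0.113.10 192.168.1.20 25
1001.1 192.168.1.77 198.51.100.1 25
1001.2 192.168.1.77 198.51.100.2 25
1001.3 192.168.1.77 198.51.100.3 25
1001.4 192.168.1.77 198.51.100.4 25
1001.5 192.168.1.77 198.51.100.5 25
1001.6 192.168.1.77 198.51.100.6 25
1001.7 192.168.1.77 198.51.100.7 25
1001.8 192.168.1.77 198.51.100.8 25
"""


def outbound_smtp_syns(text, internal=INTERNAL):
    """Yield (src, dst, dport) for SYNs from an internal host to an outside SMTP port.

    Inbound SMTP, LAN-to-LAN traffic and other ports are dropped so the
    counts reflect only mail leaving the site.
    """
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue                      # blank or malformed line
        _ts, src, dst, dport = fields
        if int(dport) not in SMTP_PORTS:
            continue
        if ip_address(src) in internal and ip_address(dst) not in internal:
            yield src, dst, int(dport)


def rank_senders(text, internal=INTERNAL):
    """Return [(src, attempts, distinct_destinations)] sorted by attempts, descending."""
    attempts = Counter()
    dests = defaultdict(set)
    for src, dst, _port in outbound_smtp_syns(text, internal):
        attempts[src] += 1
        dests[src].add(dst)
    return [(src, n, len(dests[src])) for src, n in attempts.most_common()]


def suspects(text, internal=INTERNAL, fanout=3, max_attempts=50):
    """Hosts worth visiting first.

    A legitimate client, including the mailing-list sender arnold warns about,
    normally hands everything to one or two relays, so its distinct-destination
    count stays tiny however many messages it sends. A bot doing direct-to-MX
    delivery connects to many different mail servers, so fan-out is the primary
    signal here and raw volume only a fallback.
    """
    return [src for src, n, ndst in rank_senders(text, internal)
            if ndst >= fanout or n >= max_attempts]


if __name__ == "__main__":
    for src, n, ndst in rank_senders(SAMPLE):
        print(f"{src:<16} attempts={n:<4} distinct_mail_servers={ndst}")
    print("suspects:", suspects(SAMPLE))
```

On the constructed sample, 192.168.1.31 sends more SMTP than 192.168.1.20 but only ever to the one relay, while 192.168.1.77 opens a connection to a different mail server every time; only the last is flagged.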
John, Business Consultant (Owner), commented:
In addition to the above, see if you can filter/sort the Wireshark traffic by IP address (you can with CommView [tamosoft.com]) and look for inordinate traffic by IP address. That may help you narrow down the computers.
Trevor_C (Author) commented:
Thanks
asavener commented:
With only 100 PCs, just create a PsExec script that connects to each PC and runs netstat -ano | find ":25 ".  You'll have your answer in less than 30 minutes.
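The per-host sweep asavener suggests, as an added example that is not code from the thread: a parser for the netstat -ano output that "psexec \\host netstat -ano" brings back from each PC. It assumes Windows netstat's column layout and uses a constructed sample; the thread's find ":25 " one-liner is reproduced alongside to show what it matches that a foreign-port check does not, and what it misses.

```python
"""Find processes holding outbound SMTP connections in `netstat -ano` output.

Added example, not code from the thread. The one-liner
    netstat -ano | find ":25 "
matches ":25 " anywhere on the line, so a listener or an inbound connection on
*local* port 25 matches too, while 465/587 are missed. This parser reads only
the foreign-address column, covers all three ports, and keeps the PID so the
process can be named on the host with: tasklist /FI "PID eq <pid>".
The netstat text in SAMPLE is constructed for this example.
"""
from collections import Counter

SMTP_PORTS = {25, 465, 587}

# Constructed netstat -ano output as collected from one PC via psexec.
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    192.168.1.77:49811     198.51.100.1:25        SYN_SENT        4120
  TCP    192.168.1.77:49812     198.51.100.2:25        ESTABLISHED     4120
  TCP    192.168.1.77:49820     203.0.113.10:587       ESTABLISHED     2240
  TCP    192.168.1.77:49830     203.0.113.50:443       ESTABLISHED     3012
  TCP    192.168.1.77:25        198.51.100.9:50001     ESTABLISHED     4120
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:500            *:*                                    1188
"""


def split_endpoint(endpoint):
    """'1.2.3.4:25' -> ('1.2.3.4', 25); '[::1]:25' -> ('::1', 25); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]")
    return host, (int(port) if port.isdigit() else None)


def outbound_smtp(host, text):
    """Return [(host, foreign_ip, foreign_port, state, pid)] for TCP rows whose
    *foreign* port is an SMTP port. Rows that only match on the local port are
    ignored; UDP rows and headers have a different field count and are skipped."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] != "TCP":
            continue
        _proto, _local, foreign, state, pid = fields
        fip, fport = split_endpoint(foreign)
        if fport in SMTP_PORTS:
            hits.append((host, fip, fport, state, int(pid)))
    return hits


def pids_to_check(hits):
    """Map PID -> number of outbound SMTP connections; feed the top PID to tasklist."""
    return Counter(pid for _h, _ip, _port, _state, pid in hits)


def naive_find(text, needle=":25 "):
    """What `find ":25 "` would return: every line containing the substring."""
    return [ln for ln in text.splitlines() if needle in ln]


if __name__ == "__main__":
    hits = outbound_smtp("PC-77", SAMPLE)
    for h in hits:
        print(h)
    print(pids_to_check(hits))
    print(len(naive_find(SAMPLE)), 'lines would match find ":25 "')
```

On the sample, the parser reports PID 4120 with two outbound port-25 connections and PID 2240 with one on 587, while find ":25 " returns three lines: the two real hits plus the row where the PC's own port 25 is the local end, and nothing for the 587 connection.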

dbrunton (Quid, Me Anxius Sum? Illegitimi non carborundum.) commented:
Possibly just look at your switches.

If you've got one link continuously active flashing more than the others then that quite possibly is the culprit.
Natty Greg (In Theory (IT)) commented:
Scan with McAfee enterprise antivirus; you can do that from one central location, preferably from a server.
Trevor_C (Author) commented:
I also used Avast Antivirus and Malwarebytes to scan and remove malware from the PCs.