  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 210

Spam mails from a compromised internal computer

Dear All,

Would like to know your ideas on how to find out if we have a compromised internal computer, responsible for infecting other computers and sending spam.

Are there any methods for monitoring this?

Thanks,
T
0
Asked: TiazfaD
3 Solutions
 
Sajid Shaik M, Sr. System Admin, commented:
You have to monitor the network through network analyzers and monitor outgoing traffic and SMTP port traffic on the network...

for ex: http://freenetworkanalyzer.com/
http://www.colasoft.com/capsa/

These tools will give you the complete idea of the network traffic flow...

So follow the installation instructions and monitor the traffic on the machines... and check the traffic type, or monitor a specific protocol, i.e. SMTP... that's it...

You just have to catch the suspect...
0
 
TiazfaD (Author) commented:
Dear Shaikh,

Thanks so much for your input. Will try the same. I was wondering whether any anti-virus running on these PCs would be able to detect or inform of any such suspicious behaviour?

Regards,
T
0
 
Sajid Shaik M, Sr. System Admin, commented:
Antivirus should be centralized, with reporting and monitoring options to monitor this, but then all the clients should be up to date with antivirus updates... and not in a compromised mode...

Antivirus cannot monitor network traffic... it can just give you the report of the virus activity... let's say you have selected a suspicious e-mail as not spam, then...

So the best is to monitor using the network monitoring tools... the above are graphical tools, easy to use and monitor...

All the best.
0
 
btan, Exec Consultant, commented:
Commonly it is via the email gateway that you trace down the source machine that is sending out spam.

e.g. Create an ACL on the inside interface of your firewall to only accept port 25 traffic from the IP of your mail server, then monitor hits to the ACL to determine the IP address from which the spam is originating. Also run "netstat" to show you all the open connections on the Exchange server. It'll list the IP address and the computer name of each connection.

Another is one from the ISP "warning".

e.g. You received an alert from the ISP that there is a certain PC on your network behind your firewall sending out lots of spam, and your domain name is in jeopardy of being blacklisted.

As a whole, the norm or more direct practice is
- block anything sending out emails on port 25 apart from the internal email server.
- block SMTP to everything but the valid external email server.
- check your firewall logs and look for anything sending out on SMTP to places it's not supposed to.

See one example -
If your users are using the ISP's SMTP server, you should easily be able to block port 25 traffic by configuring the users to use SMTP submission on port 587. This is an authenticated session and is FAR better to use anyway than generic SMTP.

I've gone ahead and blocked port 25 on the Linksys router for outgoing traffic, and then set up Outlook to send through port 587. Thanks to Barrulus for that suggestion. I've also used NETSTAT on each machine to locate the offender. For future use I've gone ahead and downloaded pfSense to monitor outgoing traffic.
https://www.experts-exchange.com/questions/26275359/How-do-I-identify-which-computer-on-my-network-is-sending-spam.html
0
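The two answers above converge on the same procedure: let only the mail server speak SMTP (TCP/25) to the Internet, log every other host that tries, and then look at the log to see who is hitting the rule. The script below is an added example, not code from either commenter or from Experts Exchange; it parses firewall log lines in the shape iptables' LOG target writes and ranks internal hosts by their direct-to-Internet port 25 attempts. The mail-server address, the internal subnet and the sample log lines are constructed assumptions, and the hosts are sorted by how many distinct destinations they contacted before volume, since a spam bot fans out to many remote MXs while a misconfigured client talks to one relay.

```python
"""Rank internal hosts by outbound SMTP (TCP/25) connection attempts seen in firewall logs.

Added example implementing the advice in the thread (allow SMTP out only from the
mail server, log the rest, rank the hits per source). Not the commenters' code.
Addresses and log lines below are constructed for the example.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

MAIL_SERVER = ip_address("192.168.1.10")     # assumption: the only legitimate outbound MTA
INTERNAL_NET = ip_network("192.168.1.0/24")  # assumption: the LAN behind the firewall

# Constructed sample syslog lines. A pair of rules such as
#   iptables -A FORWARD -p tcp --dport 25 ! -s 192.168.1.10 -j LOG --log-prefix "SMTP-OUT "
#   iptables -A FORWARD -p tcp --dport 25 ! -s 192.168.1.10 -j DROP
# logs this shape of line (real LOG output also carries LEN/TOS/TTL/ID fields,
# which the key=value parser below simply ignores).
SAMPLE_LOG = """\
Jun 12 09:01:02 fw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.25 PROTO=TCP SPT=40112 DPT=25 SYN
Jun 12 09:01:05 fw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=198.51.100.4 PROTO=TCP SPT=51001 DPT=25 SYN
Jun 12 09:01:05 fw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=198.51.100.9 PROTO=TCP SPT=51002 DPT=25 SYN
Jun 12 09:01:06 fw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=203.0.113.77 PROTO=TCP SPT=51003 DPT=25 SYN
Jun 12 09:01:07 fw kernel: WEB-OUT IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.80 PROTO=TCP SPT=52000 DPT=443 SYN
Jun 12 09:01:08 fw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.4 PROTO=TCP SPT=52001 DPT=587 SYN
Jun 12 09:01:09 fw kernel: SMTP-IN IN=eth0 OUT=eth1 SRC=198.51.100.4 DST=192.168.1.10 PROTO=TCP SPT=44321 DPT=25 SYN
Jun 12 09:01:09 fw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=192.0.2.30 PROTO=TCP SPT=51004 DPT=25 SYN
"""


def parse_fields(line):
    """Return the KEY=VALUE tokens of one LOG line as a dict (empty if there are none)."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def outbound_smtp_hits(log_text, mail_server=MAIL_SERVER, internal_net=INTERNAL_NET):
    """Count direct-to-Internet TCP/25 attempts per internal host, excluding the mail server.

    Returns {src_ip_string: (attempt_count, set_of_destination_ip_strings)}.
    """
    hits = defaultdict(lambda: [0, set()])
    for line in log_text.splitlines():
        f = parse_fields(line)
        if f.get("PROTO") != "TCP" or f.get("DPT") != "25":
            continue  # 587 submission to the ISP relay is the sanctioned path; ignore it
        src, dst = f.get("SRC"), f.get("DST")
        if src is None or dst is None:
            continue
        src_ip, dst_ip = ip_address(src), ip_address(dst)
        if src_ip == mail_server or src_ip not in internal_net or dst_ip in internal_net:
            continue  # the MTA itself, inbound mail, or traffic that never left the LAN
        hits[src][0] += 1
        hits[src][1].add(dst)
    return {src: (count, dsts) for src, (count, dsts) in hits.items()}


def rank_suspects(log_text, **kwargs):
    """Order hosts by distinct destinations first (a bot fans out to many MXs), then by volume.

    Returns a list of (src, attempts, distinct_destinations) tuples, worst first.
    """
    rows = ((src, count, len(dsts)) for src, (count, dsts) in outbound_smtp_hits(log_text, **kwargs).items())
    return sorted(rows, key=lambda row: (row[2], row[1]), reverse=True)


if __name__ == "__main__":
    for src, attempts, distinct in rank_suspects(SAMPLE_LOG):
        print(f"{src}: {attempts} outbound SMTP attempts to {distinct} distinct hosts")
```

On a real firewall, feed the script the relevant lines (for example `grep SMTP-OUT /var/log/kern.log`) and then confirm the top host with `netstat -ano` on that machine, as btan suggests, before pulling it off the network.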
 
TiazfaD (Author) commented:
Dear Shaik and btan,

Thanks again!! Lots of help.

Regards,
T
0
