Spam emails being sent from my company


I have been warned from my ISP that they have blocked my IPs because a lot of spamming is coming from my network.

How can I check this? I have a network of 50 computers. I also have a firewall (Cyberoam).

Please advise.
Pierre Ammoun (IT Consultant) asked:
Mal Osborne (Alpha Geek) commented:
Step 1: Block ports 25, 587 and 465 for any machine that should not be required to send email externally via SMTP. The only machines that may need to do this would be a mail server (if you have one). It is usually better to just specify the ports that machines need, blocking all else.

I have seen this MANY times, usual root cause is a machine with Malware. Hackers LOVE to take over a PC and use it to send spam.

Once you have set the firewall up correctly, you will need to find the machine that is infected and clean it up. Your firewall should be able to log traffic on ports 25, 587 and 465 (it will nearly always be just port 25). Once you figure out the culprit, run your favourite antimalware app to get rid of it.
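To show how the firewall logs mentioned above can be turned into a short list of suspects, here is an added example (not part of the original thread or of any Cyberoam feature). It assumes a simple syslog-style connection log with src/dst/dport/action fields, an assumed mail server address, and constructed sample lines; a spam bot usually talks directly to many different mail hosts, while a legitimate client talks only to its own server.

```python
import re
from collections import defaultdict

# Constructed sample firewall connection log. The field layout is an
# assumption for this example, not the real Cyberoam log format.
SAMPLE_LOG = """\
2016-03-01T09:12:01 src=192.168.1.10 dst=203.0.113.25 dport=25 action=allow
2016-03-01T09:12:02 src=192.168.1.10 dst=198.51.100.7 dport=25 action=allow
2016-03-01T09:12:02 src=192.168.1.57 dst=203.0.113.25 dport=25 action=allow
2016-03-01T09:12:03 src=192.168.1.57 dst=198.51.100.9 dport=25 action=allow
2016-03-01T09:12:03 src=192.168.1.57 dst=198.51.100.10 dport=25 action=allow
2016-03-01T09:12:04 src=192.168.1.57 dst=192.0.2.44 dport=587 action=allow
2016-03-01T09:12:04 src=192.168.1.23 dst=203.0.113.80 dport=443 action=allow
2016-03-01T09:12:05 src=192.168.1.23 dst=203.0.113.25 dport=25 action=allow
"""

SMTP_PORTS = {25, 587, 465}
MAIL_SERVER = "192.168.1.10"  # assumed LAN address of the site's mail server

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) action=(\w+)")


def smtp_talkers(log_text, allowed=frozenset({MAIL_SERVER})):
    """Return {src: (connection_count, distinct_destinations)} for every
    internal host, other than the allowed mail server, that opened (or,
    once the block rule is in place, tried to open) an outbound SMTP
    connection. Denied attempts are counted too: after the firewall
    rule is active they are exactly the signal that points at the bot."""
    stats = defaultdict(lambda: [0, set()])
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not match the expected layout
        src, dst, dport = m.group(1), m.group(2), int(m.group(3))
        if dport not in SMTP_PORTS or src in allowed:
            continue
        stats[src][0] += 1
        stats[src][1].add(dst)
    return {src: (n, len(dsts)) for src, (n, dsts) in stats.items()}


def rank_suspects(log_text, allowed=frozenset({MAIL_SERVER})):
    """Order hosts by distinct SMTP destinations, then by connection
    count, so the host behaving like a spam bot comes first."""
    talkers = smtp_talkers(log_text, allowed)
    return sorted(talkers, key=lambda s: (talkers[s][1], talkers[s][0]),
                  reverse=True)


if __name__ == "__main__":
    for host in rank_suspects(SAMPLE_LOG):
        print(host, smtp_talkers(SAMPLE_LOG)[host])
```

On the sample data the host 192.168.1.57 tops the list with four connections to four different mail hosts, which is the pattern to pull off the network and scan first.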
Pierre Ammoun (IT Consultant, Author) commented:
Step 1: Block ports 25, 587 and 465 for any machine that should not be required to send email externally via SMTP

How do I do this? On my firewall or on each PC?
Dr. Klahn (Principal Software Engineer) commented:
Ask the ISP if they can provide copies of the offending emails, with full routing headers, so that you can figure out where the problem is. Without that information it will be much more difficult.
Mal Osborne (Alpha Geek) commented:
Ports are blocked on the firewall. Ideally, rather than blocking a few ports, you should block everything by default and just allow the ports required. Web browsing will require ports 80 and 443; most machines may only need those two ports open. Assuming you have a DNS server on site, it will need to see out on port 53. There are probably a few others you will need to open as well.
In addition to what has already been suggested...

You may want to review several things, including how your network is remotely accessed, your mail filter (it is possible that a malicious email was the root of the entire problem), as well as your virus and malware protection. There might be some gaps in those areas that need to be addressed. Also, if you don't have it, you may want to look into implementing web filtering.

Is your email onsite or hosted? If onsite, that's going to introduce additional things to review...
Prabhin MP (Engineer-TechOPS) commented:
Block all the SMTP ports from LAN to WAN; meanwhile, ask your ISP to send the packet trace logs and check them against the firewall logs.
After correlating both logs you will be able to get the IP address from which the spam mails are being generated.
Remove the machine from the network and redo the assessment.
Are you running Exchange, or are these all individual Outlook accounts going through an ISP?
Pierre Ammoun (IT Consultant, Author) commented:
I am running the MDaemon email server.
Have you tried checking the logs of outgoing emails to see whether anything was sent through your mail server? And you're naturally going to have to at least allow mail related traffic to go through that. However, you should also be making sure you didn't inadvertently make your mail server an open relay.
Look whether these emails transit through MDaemon.
If they do, you probably already have the user(s) and/or IP(s) from the MDaemon logs.
If not, you probably left port 25 open on your firewall and should log that traffic (and review your firewall policies).
