How can I find a computer on my network that is doing mass mailings?


Solution 1

It's been a long time since I played with DD-WRT, but on most business-level routers they have the ability to write a log each time a firewall rule is matched.

I would create a firewall rule for Port 25 (assuming that the mass mailer is using the standard SMTP port) and get it to write a log with the source IP every time it happens. It should then be pretty easy to locate the culprit.

Solution 2

You could connect a hub in between the router and your LAN and then plug a computer into the hub and install a traffic monitor on it such as Microsoft Network Monitor or Wireshark.

http://www.wireshark.org/

You will then be able to monitor all that goes on and set up filters etc.

Solution 3

I am also not sure how to track it without NetFlow or SNMP logging, but I would recommend you just restrict outbound SMTP traffic to your mail server(s).

The rules below assume a mail server IP of 192.168.1.2 on the network 192.168.1.0/24:

iptables -I FORWARD 1 -p tcp -s 192.168.1.2 --dport 25 -j ACCEPT
iptables -I FORWARD 2 -p tcp -s 192.168.1.0/24 --dport 25 -j REJECT
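Solution 1 (log each matched port-25 rule and read the source IP) and Solution 3 (allow only the mail server out on port 25) fit together as one ruleset plus a small log-ranking step. The script below is an added example and is not code from any of the answers above. It assumes a DD-WRT-style Linux router where LAN traffic crosses the iptables FORWARD chain, the LAN 192.168.1.0/24 and the mail server 192.168.1.2 from Solution 3, and a log prefix of "SMTP-OUT: " that it chooses itself; the interface names br0/vlan2 and the sample kernel log lines are constructed, not real router output.

```shell
#!/bin/sh
# Added example, not from the answers above. Assumes a DD-WRT-style Linux
# router whose LAN traffic crosses the FORWARD chain. LAN and mail server
# addresses are taken from Solution 3; the "SMTP-OUT: " prefix is our choice.

LAN_NET="192.168.1.0/24"
MAIL_SERVER="192.168.1.2"

# Print the iptables rules (they are not executed here; run the output as
# root on the router). Order matters because each rule is inserted at the
# top of FORWARD ahead of any existing ACCEPT rule:
#   1. the mail server may open outbound TCP/25 connections;
#   2. every other new outbound TCP/25 connection from the LAN is logged,
#      rate-limited so a spam bot cannot flood the log;
#   3. ...and then rejected with a TCP reset so the sender fails fast.
smtp_rules() {
    printf '%s\n' \
      "iptables -I FORWARD 1 -p tcp -s $MAIL_SERVER --dport 25 -j ACCEPT" \
      "iptables -I FORWARD 2 -p tcp -s $LAN_NET --dport 25 -m state --state NEW -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix 'SMTP-OUT: '" \
      "iptables -I FORWARD 3 -p tcp -s $LAN_NET --dport 25 -j REJECT --reject-with tcp-reset"
}

# Rank LAN hosts by the number of logged SMTP attempts. Reads kernel log
# lines on stdin (dmesg, /var/log/messages or a remote syslog) and prints
# "count ip", busiest host first. The spam source is normally the top line.
top_smtp_sources() {
    grep 'SMTP-OUT:' \
      | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{print $1, $2}'
}

# Constructed sample of what the LOG target writes (not real router output):
# one host hammering several destinations, one host sending a single mail.
SAMPLE_LOG='Jan  1 10:00:01 router kernel: SMTP-OUT: IN=br0 OUT=vlan2 SRC=192.168.1.50 DST=203.0.113.10 PROTO=TCP SPT=49152 DPT=25 SYN
Jan  1 10:00:01 router kernel: SMTP-OUT: IN=br0 OUT=vlan2 SRC=192.168.1.50 DST=203.0.113.11 PROTO=TCP SPT=49153 DPT=25 SYN
Jan  1 10:00:02 router kernel: SMTP-OUT: IN=br0 OUT=vlan2 SRC=192.168.1.50 DST=203.0.113.12 PROTO=TCP SPT=49154 DPT=25 SYN
Jan  1 10:00:05 router kernel: SMTP-OUT: IN=br0 OUT=vlan2 SRC=192.168.1.77 DST=198.51.100.5 PROTO=TCP SPT=51000 DPT=25 SYN
Jan  1 10:00:09 router kernel: unrelated message'

# Stand-alone run: show the rules to install, then rank the sample log.
smtp_rules
printf '%s\n' "$SAMPLE_LOG" | top_smtp_sources
```

On a live router you would pipe `dmesg` (or the syslog file DD-WRT is configured to write) into `top_smtp_sources` instead of the sample text. Putting the LOG rule before the REJECT rule is what makes this work: if the mass mailer is rejected without a log entry you learn nothing, and without the `limit` match a bot opening thousands of connections a minute can fill a small router's log buffer before you read it.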
Author: Admin
Updated on September 17, 2022

Comments

  • Admin
    Admin over 1 year

    I was notified by my ISP that one of my machines is sending out spam. This happened about 3 months ago on a Windows machine running Cygwin that was hacked due to an SSH vuln.

    The hackers set up IIS and SMTP. I cleared out the machine and all the services are disabled, so I think that machine is okay.

    I am wondering if there is any other way to identify which machine it could be coming from?

    The ISP has NO useful information such as source port, destination port, destination IP... nothing.

    I am running DD-WRT on my router, Windows 7 PC and a Windows XP PC.

  • Zoredache
    Zoredache about 14 years
    It's the only way to be sure.
  • Franz Wong
    Franz Wong about 14 years
    @Zoredache, absolutely. And when you gauge the price of rebuilding a machine after a nuke and the time taken to fix it, it makes much more economic sense to just re-image it. Especially once you factor in the potential cost to the company by letting an infected machine onto a corporate network.
  • Zypher
    Zypher about 14 years
    +1 nuke that sucka :) ... and something constructive: If DD-WRT can do netflow that would be an alternative way to see who is sending a whole bunch of SMTP traffic
  • James
    James about 14 years
    +1, and you should be blocking outgoing port 25 from any machine except your mail server!
  • Franz Wong
    Franz Wong about 14 years
    @James, I don't know if I agree with that rule - a lot of companies permit personal mail accounts (or at the very least, don't have a policy denying it). This kills sending out through anything but the company server. It's just as annoying when ISPs deny you port 25 access to anywhere off their network.
  • Charles Gargent
    Charles Gargent about 14 years
    On my DD-WRT router I have a default outgoing deny policy and then open up specific ports from specific IP addresses, and obviously I open up common ports to all IPs such as 80, 443 etc.
  • James
    James about 14 years
    Annoying, for sure, but I'd rather be a little bit annoying than have spam coming from my network. I don't have a problem with personal email accounts - they can either relay through the corporate server or use port 587 to their provider's SMTP server.
  • mpez0
    mpez0 about 14 years
    After you've sealed off port 25 except for your mail servers, check them to ensure they are neither infected nor acting as a relay. Also, get back to the ISP and try to get more info, like source IP trail.
  • Joe Taylor
    Joe Taylor about 14 years
    +1 for Wireshark. Monitoring the network traffic would be the way I'd set about it.
  • Charles Gargent
    Charles Gargent about 14 years
    There is also MS Network Monitor 3, which has much the same functionality. I couldn't post the link to it as I didn't have enough points :(