Network Email Monitor?

Axman

Somewhere in my building there is a machine that is spamming the fuck out of. . .well, everyone. It's bad to the point that our provider, Cbeyond, is blocking our IP addresses. Anyone know of a decent sniffing utility to help me kill the spammer in me?

Axman
 
Can you be more specific? Is the person using an in-house mail server to spam? Do you have an external mail server that they are using to spam? Or do you think there is an SMTP server on the machine doing the spamming?
 
Use Ethereal at your gateway if it's a machine running its own SMTP server. If it's your SMTP server, run it there.
 
You should only need to use ethereal if the machine is hosting its own SMTP engine locally. If you've got an in-house SMTP server that he's authenticating to, you'll have log files. Just look through the log files, if he's sending as much spam as it sounds like, you'll notice who it is.

The same goes for an external mail provider. They should be able to provide you with stats about how much mail a user sends.

If it's a rogue SMTP server, you can try looking at the SMTP connections at your firewall or router (if you're able to), or just stick Ethereal on a SPAN port at your gateway (or put a hub between your gateway and your switch if it can't do SPAN ports) and filter for SMTP traffic.
 
This is a good example of why blocking outbound traffic at your firewall is important. Like the others said, Ethereal will show you who the spammer is unless they're sending it through your real email server. In that case, though, you should be able to see the activity in the logs.
 
In regards to above, you can't block all SMTP but maybe only allow the outbound port from a specific mail server IP?
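
Added example, not part of any post in this thread: one way to turn a gateway capture filtered for SMTP into a per-host tally, so that any internal machine other than the approved mail server opening connections to port 25 stands out. It assumes the capture was saved as `tcpdump -nn` text lines; the sample lines and the mail server address 192.168.1.10 are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in `tcpdump -nn 'tcp port 25'` text format (not real traffic).
SAMPLE = """\
09:14:01.100001 IP 192.168.1.10.40112 > 203.0.113.25.25: Flags [S], seq 1000, win 64240, length 0
09:14:01.130001 IP 203.0.113.25.25 > 192.168.1.10.40112: Flags [S.], seq 2000, ack 1001, win 65160, length 0
09:14:02.200001 IP 192.168.1.57.51001 > 198.51.100.11.25: Flags [S], seq 3000, win 64240, length 0
09:14:02.210001 IP 192.168.1.57.51002 > 198.51.100.12.25: Flags [S], seq 3100, win 64240, length 0
09:14:02.220001 IP 192.168.1.57.51003 > 198.51.100.13.25: Flags [S], seq 3200, win 64240, length 0
09:14:02.230001 IP 192.168.1.57.51004 > 203.0.113.40.25: Flags [S], seq 3300, win 64240, length 0
09:14:02.240001 IP 192.168.1.57.51005 > 203.0.113.41.25: Flags [S], seq 3400, win 64240, length 0
09:14:02.400001 IP 192.168.1.57.51001 > 198.51.100.11.25: Flags [P.], seq 1:30, ack 1, win 502, length 29
09:14:03.000001 IP 192.168.1.80.44000 > 203.0.113.25.25: Flags [S], seq 4000, win 64240, length 0
09:14:05.000001 IP 192.168.1.10.40113 > 203.0.113.25.25: Flags [S], seq 5000, win 64240, length 0
"""

# Match only the initial SYN of a connection whose destination port is 25.
# SYN-ACK replies ([S.]) and data packets ([P.]) are deliberately not counted.
SYN_TO_25 = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.25: Flags \[S\]"
)


def smtp_talkers(capture_text, allowed_senders=()):
    """Return {src_ip: (connection_attempts, distinct_destinations)}, busiest
    first, for hosts opening SMTP connections that are not in allowed_senders."""
    attempts = Counter()
    dests = {}
    for line in capture_text.splitlines():
        m = SYN_TO_25.search(line)
        if not m or m["src"] in allowed_senders:
            continue
        attempts[m["src"]] += 1
        dests.setdefault(m["src"], set()).add(m["dst"])
    return {ip: (n, len(dests[ip])) for ip, n in attempts.most_common()}


if __name__ == "__main__":
    # 192.168.1.10 is the hypothetical approved mail server.
    for ip, (n, d) in smtp_talkers(SAMPLE, {"192.168.1.10"}).items():
        print(f"{ip}: {n} SMTP connection attempts to {d} distinct servers")
```

A workstation reaching many distinct mail servers in a short window is the pattern to look for; the same allow list maps directly onto a firewall rule that permits outbound port 25 only from the mail server.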
 
Thanks for the suggestions. I have started going through the documentation of Ethereal; it's dense.

Because it's the weekend right now, I just shut off all the workstations and blocked SMTP outbound in case we have some kind of malware on any of the servers. I'll get back to the grind Monday, and I'll let you all know what I find out.
 