Network Email Monitor?

Axman

Somewhere in my building there is a machine that is spamming the fuck out of... well, everyone. It's bad to the point that our provider, Cbeyond, is blocking our IP addresses. Anyone know of a decent sniffing utility to help me kill the spammer in me?

Axman

Boscoh

Can you be more specific? Is the person using an in-house mail server to spam? Do you have an external mail server that they are using to spam? Or do you think there's an SMTP server on the machine doing the spamming?

LittleMe

Use Ethereal at your gateway if it's a machine running its own SMTP server. If it's your SMTP server, run it there.

Boscoh

You should only need to use Ethereal if the machine is hosting its own SMTP engine locally. If you've got an in-house SMTP server that he's authenticating to, you'll have log files. Just look through the log files; if he's sending as much spam as it sounds like, you'll notice who it is.

The same goes for an external mail provider. They should be able to provide you with stats about how much mail a user sends.

If it's a rogue SMTP server, you can try looking at the SMTP connections at your firewall or router (if you're able to), or just stick Ethereal on a SPAN port at your gateway (or put a hub between your gateway and your switch if it can't do SPAN ports) and filter for SMTP traffic.
This is a good example of why blocking outbound traffic at your firewall is important. Like the others said, Ethereal will show you who the spammer is unless they're sending it through your real email server. In that case, though, you should be able to see the activity in the logs.

DragonNOA1

In regard to the above, you can't block all SMTP, but maybe only allow the outbound port from a specific mail server IP?
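An added example, not posted by anyone in this thread, that ties Boscoh's SPAN-port approach (filter the gateway capture down to SMTP and see who is talking) to DragonNOA1's egress-rule idea (only the real mail server should be opening TCP/25 outbound). It assumes you have already exported the TCP SYNs from the capture as tab-separated source, destination and destination port (the three-column output `tshark -T fields -e ip.src -e ip.dst -e tcp.dstport` produces); the flow records, the 192.168.1.0/24 LAN range and the 192.168.1.25 mail-server address are all constructed for the example. A spam engine fans out to many distinct MX hosts, so the script ranks internal sources by how many different external hosts they connected to on port 25, and then lists which of those hosts a "mail server only" egress rule would have stopped.

```python
"""Rank internal hosts by outbound SMTP fan-out from SYN records exported from a gateway capture."""
from collections import Counter, defaultdict
import ipaddress

# Constructed sample, in the form of
#   tshark -r gateway.pcap -Y "tcp.flags.syn==1 && tcp.flags.ack==0" \
#          -T fields -e ip.src -e ip.dst -e tcp.dstport
# External addresses are from the documentation ranges (TEST-NET); the
# internal ones are made up for this example.
SAMPLE_FLOWS = """\
192.168.1.25\t198.51.100.27\t25
192.168.1.25\t203.0.113.72\t25
192.168.1.112\t198.51.100.27\t25
192.168.1.112\t203.0.113.57\t25
192.168.1.112\t203.0.113.72\t25
192.168.1.112\t198.51.100.135\t25
192.168.1.112\t192.0.2.64\t25
192.168.1.40\t192.168.1.25\t25
192.168.1.112\t192.0.2.99\t80
"""

INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]  # assumed LAN range
MAIL_SERVER = "192.168.1.25"  # assumed address of the legitimate in-house SMTP server


def parse_flows(text):
    """Turn tab-separated 'src\\tdst\\tdport' lines into (src, dst, port) tuples, skipping malformed rows."""
    flows = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3:
            continue
        try:
            flows.append((ipaddress.ip_address(parts[0]), ipaddress.ip_address(parts[1]), int(parts[2])))
        except ValueError:
            continue
    return flows


def is_internal(addr, nets=INTERNAL_NETS):
    return any(addr in net for net in nets)


def outbound_smtp_by_host(flows, nets=INTERNAL_NETS):
    """Per internal source: SYN count and the set of *external* hosts it opened TCP/25 to.

    Internal-to-internal SMTP (a workstation submitting mail to our own server)
    is normal and is left out, so only direct-to-Internet delivery is counted.
    """
    dests = defaultdict(set)
    syns = Counter()
    for src, dst, port in flows:
        if port != 25 or not is_internal(src, nets) or is_internal(dst, nets):
            continue
        dests[str(src)].add(str(dst))
        syns[str(src)] += 1
    return {host: {"syns": syns[host], "destinations": sorted(d)} for host, d in dests.items()}


def rank_senders(summary):
    """Most suspicious first: distinct MX hosts contacted, then raw SYN volume."""
    return sorted(summary, key=lambda h: (len(summary[h]["destinations"]), summary[h]["syns"]), reverse=True)


def policy_violators(summary, allowed=(MAIL_SERVER,)):
    """Hosts that an egress rule permitting TCP/25 only from the mail server would have blocked."""
    return [h for h in rank_senders(summary) if h not in allowed]


if __name__ == "__main__":
    summary = outbound_smtp_by_host(parse_flows(SAMPLE_FLOWS))
    for host in rank_senders(summary):
        info = summary[host]
        print(f"{host:16} SYNs={info['syns']:3}  distinct external MX={len(info['destinations'])}")
    print("would be blocked by a mail-server-only egress rule:", policy_violators(summary))
```

On the constructed data the workstation 192.168.1.112 tops the list with five distinct external MX hosts, while the real mail server shows a modest, expected footprint; anything other than the mail server appearing at all is exactly what the egress rule would have prevented.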

Axman

Thanks for the suggestions. I have started going through the documentation of Ethereal; it's dense.

Because it's the weekend right now, I just shut off all the workstations and blocked SMTP outbound in case we have some kind of malware on any of the servers. I'll get back to the grind Monday, and I'll let you all know what I find out.