Possible Duplicate:
How do you detect a spambot on your network?
Our network of 120 Windows machines has 1 or more computers sending spam. Is there an easy way to find that machine, without physically checking each one?
First of all, block all outgoing SMTP traffic from machines that don't need it. Then you could check your firewall for hosts trying to access SMTP servers.
Or you could turn on port mirroring on the border/edge router and attach a PC with a packet sniffer on it. Shouldn't be too hard to get the spammers with Wireshark.
Do a packet capture, or set up some kind of logging filter on your perimeter equipment (firewall or border router). Watch for outgoing traffic destined for port 25. Once you find the IP of the traffic, work backwards to find the machine. This may mean looking at the CAM tables on your switches to find out which port is associated with the MAC address the IP belongs to.
Unless you have a strong need for it, I suggest you simply block outbound requests to port 25 from all systems except your mail server.
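The approach in the answer above (log outbound port-25 connection attempts at the perimeter, count them per source, then walk back through ARP and switch CAM tables to a physical port) can be scripted against the firewall's log. The following is an added example, not code from any of the posters; the log lines, the IP/MAC addresses, the ARP and CAM tables and the mail server address `192.168.1.5` are all constructed for illustration, and the log format assumed is the `SRC=... DST=... PROTO=... DPT=...` layout of an iptables `LOG` rule.

```python
import re
from collections import Counter

# Constructed sample of iptables-style LOG lines for outbound connections
# (assumed format; not real traffic). One workstation, 192.168.1.57, is
# opening connections to many different external SMTP servers.
SAMPLE_LOG = """\
Jan 10 09:12:01 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=192.168.1.5 DST=203.0.113.10 PROTO=TCP SPT=50231 DPT=25 SYN
Jan 10 09:12:03 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=198.51.100.22 PROTO=TCP SPT=49211 DPT=25 SYN
Jan 10 09:12:03 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=198.51.100.23 PROTO=TCP SPT=49212 DPT=25 SYN
Jan 10 09:12:04 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=198.51.100.24 PROTO=TCP SPT=49213 DPT=25 SYN
Jan 10 09:12:05 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=192.168.1.80 DST=203.0.113.50 PROTO=TCP SPT=51000 DPT=443 SYN
Jan 10 09:12:06 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=198.51.100.25 PROTO=TCP SPT=49214 DPT=25 SYN
Jan 10 09:12:07 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=192.168.1.12 DST=203.0.113.77 PROTO=TCP SPT=52000 DPT=25 SYN
"""

# Constructed ARP cache (IP -> MAC) and switch CAM table (MAC -> port),
# standing in for what `arp -a` and `show mac address-table` would give you.
ARP_TABLE = {
    "192.168.1.5": "00:11:22:33:44:05",
    "192.168.1.12": "00:11:22:33:44:12",
    "192.168.1.57": "00:11:22:33:44:57",
}
CAM_TABLE = {
    "00:11:22:33:44:05": "Gi1/0/1",
    "00:11:22:33:44:12": "Gi1/0/9",
    "00:11:22:33:44:57": "Gi1/0/17",
}

LOG_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)


def outbound_smtp_counts(log_text, mail_server):
    """Count TCP connection attempts to port 25 per internal source IP,
    ignoring the legitimate mail server, which is expected to talk SMTP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        if m["proto"] != "TCP" or int(m["dpt"]) != 25:
            continue
        if m["src"] == mail_server:
            continue
        counts[m["src"]] += 1
    return counts


def suspects(counts, threshold):
    """Sources at or above the threshold, busiest first. A single hit may be
    a misconfigured client; a burst to many hosts is the spambot pattern."""
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]


def locate(ip, arp_table, cam_table):
    """Walk an IP back to (MAC, switch port) using ARP and CAM data."""
    mac = arp_table.get(ip)
    port = cam_table.get(mac) if mac else None
    return mac, port


if __name__ == "__main__":
    counts = outbound_smtp_counts(SAMPLE_LOG, mail_server="192.168.1.5")
    for ip, n in suspects(counts, threshold=2):
        mac, port = locate(ip, ARP_TABLE, CAM_TABLE)
        print(f"{ip}: {n} outbound SMTP attempts -> MAC {mac}, switch port {port}")
```

On a real network you would feed the script the firewall's log file and the current ARP and CAM dumps instead of the constructed tables; the threshold is deliberately a parameter, since one stray port-25 connection from a workstation is worth a look but not an alarm.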