This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

We have been blacklisted a few times this year due to spam. I am trying to help figure out the cause of the issue. We have blocked communications on port 25. We operate a GroupWise mail server, and we have blackhole routed the IP address that has been provided to us by the ISP: 172.22.218.222

I am curious how I go about finding the culprit machine in my network. Since we have blocked the transmission on port 25 and we are not operating as an open relay, what should I be looking for exactly? I see in my spam filter that a large amount of email from a specific user is being deferred because of our rate control. I can't see where the mail came from or the originating IP. I can see who the end user is supposed to be, and the messages that are being sent are blank; at least when I view the email documents in the Barracuda spam filter, there is no content. We have changed the password of the offending user to something complicated, but the intrusion still occurs. We have tried removing the account and setting up a new one for the user. This solves the issue for the user, but the spammer soon finds a new user and begins using that account.

Any help and insight is greatly appreciated!

My current setup is a Wireshark machine and my mail server on a hub together. I am packet capturing everything at the moment, and I would like to set up some filters that may help me, or some kind of expression to filter my results. Filtering port 25 has no effect, as the port is blocked.

My next thought is to capture between gateway and firewall, or to port mirror on the main switch, but given that this is a network for education, there is ALWAYS a large amount of traffic to sift through.

To be honest, I am not sure if the offender is using the server as a relay, or if the machine is located locally, or is accessing a machine locally to do its bidding. This is what I would like to find.

asked 15 May '14, 12:12


Jaymes Driver

edited 15 May '14, 12:17
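Since port 25 is blocked, the spam has to reach the GroupWise server on some other port (submission, IMAP/POP, webmail, or whatever the server still accepts), so one thing a capture on that hub can show is which hosts open the most connections to the mail server and whether any of them do it in bursts, the way a rate-controlled sender would. The script below is an added example and not code from the question or from Wireshark. It assumes the capture was exported with tshark as one line per new TCP connection (SYN without ACK) with the fields `frame.time_epoch`, `ip.src`, `ip.dst` and `tcp.dstport`; the mail server address, the internal range and the burst threshold are placeholders, and the sample records are constructed.

```python
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Placeholder values for this example; substitute the real server and LAN range.
MAIL_SERVER = "10.0.0.2"                 # assumed address of the GroupWise server
INTERNAL_NET = ip_network("10.0.0.0/8")  # assumed internal address range


def _row(ts, src, dst, dport):
    return f"{ts:.6f}\t{src}\t{dst}\t{dport}"


# Constructed sample in the shape produced by
#   tshark -r cap.pcap -Y "tcp.flags.syn==1 && tcp.flags.ack==0" \
#          -T fields -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport
# i.e. one line per new TCP connection: a quiet IMAP workstation, an outside
# webmail user, one host opening 40 submission connections in under a minute,
# and one unrelated SMB connection to a different server.
SAMPLE_TSV = "\n".join(
    [_row(1400180000 + i * 600, "10.0.5.10", MAIL_SERVER, 143) for i in range(6)]
    + [_row(1400180100 + i * 120, "198.51.100.7", MAIL_SERVER, 443) for i in range(3)]
    + [_row(1400180300 + i * 1.25, "10.0.5.23", MAIL_SERVER, 587) for i in range(40)]
    + [_row(1400180400, "10.0.5.23", "10.0.0.9", 445)]
)


def parse_tshark_fields(text):
    """Parse tab-separated (epoch, src, dst, dport) lines; skip blank or short lines."""
    records = []
    for line in text.splitlines():
        parts = line.rstrip("\n").split("\t")
        if len(parts) < 4 or not parts[0]:
            continue
        ts, src, dst, dport = parts[:4]
        records.append((float(ts), src, dst, int(dport)))
    return records


def connections_to(records, server):
    """Count new connections to the mail server, keyed by (source IP, destination port)."""
    counts = Counter()
    for _, src, dst, dport in records:
        if dst == server:
            counts[(src, dport)] += 1
    return counts


def burst_sources(records, server, window=60.0, threshold=20):
    """Return {src: peak} for sources that open at least `threshold` connections
    to the server inside any sliding window of `window` seconds."""
    by_src = defaultdict(list)
    for ts, src, dst, _ in records:
        if dst == server:
            by_src[src].append(ts)
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        peak = start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def report(records, server=MAIL_SERVER, internal_net=INTERNAL_NET, window=60.0, threshold=20):
    """Rank (source, port) pairs by connection count; tag inside/outside and burst peak."""
    bursts = burst_sources(records, server, window, threshold)
    rows = []
    ranked = sorted(connections_to(records, server).items(), key=lambda kv: -kv[1])
    for (src, dport), n in ranked:
        rows.append({
            "src": src,
            "where": "internal" if ip_address(src) in internal_net else "external",
            "dport": dport,
            "connections": n,
            "burst_peak": bursts.get(src, 0),
        })
    return rows


if __name__ == "__main__":
    for r in report(parse_tshark_fields(SAMPLE_TSV)):
        print(f"{r['where']:8} {r['src']:15} port {r['dport']:<5} "
              f"{r['connections']:3} connections, peak {r['burst_peak']} in 60 s")
```

An internal source with a high burst peak points at a compromised workstation on the LAN; an external one points at stolen credentials being used from outside, which matches the pattern of the problem moving from account to account after a reset. The window and threshold are arbitrary here and should be tuned to what the Barracuda rate control is actually triggering on.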

question was seen: 1,017 times